Path: news1.ucsd.edu!ihnp4.ucsd.edu!agate!sunsite.doc.ic.ac.uk!charlie.lif.icnet.uk!europa.lif.icnet.uk!harley From: harley@europa.lif.icnet.uk (David Harley) Newsgroups: alt.comp.virus Subject: Draft FAQ vs. 2.1 Part 1 Date: 3 Jan 1996 01:24:30 GMT Organization: Imperial Cancer Research Fund Lines: 737 Message-ID: <4cclse$hpj@charlie.lif.icnet.uk> NNTP-Posting-Host: europa.lif.icnet.uk X-Newsreader: TIN [version 1.2 PL2] Something like this.... From: harley@icrf.icnet.uk Newsgroups: alt.comp.virus Subject: Frequently Asked Questions Summary: ...and even some answers. Archive-name: acv.FAQ.1 Posting-Frequency: monthly Last-modified: Tue 2nd Jan 22:30 GMT 1996 alt.comp.virus (Frequently Asked Questions) ******************************************* DRAFT Release 2.1 Part 1 of 2 ----------- This document is primarily concerned with defending the integrity of computing systems and preventing damage caused by viruses or other malicious and/or other unauthorized software. It attempts to address many of the issues which are frequently discussed on alt.comp.virus, but does not claim to represent all shades of opinion among the users of a.c.v. - in particular, it does not include information which, in my estimation, is likely to be of more help to those interested in the spreading of unauthorized and/or malicious software than to those who wish to be protected from it. The latest version of this document is available from: harley@icrf.icnet.uk Subject: request a.c.v. FAQ Message: Optional, but unlikely to be read! A number of individuals and sites have agreed to make it available via anonymous FTP and/or WWW. There'll be an update on this in due course. This version of the FAQ *********************** This alt.comp.virus FAQ is at present co-ordinated by David Harley (harley@icrf.icnet.uk), who welcomes suggestions, additions, criticisms, error reports, payola, and offers of help. Well, maybe not criticisms... At this moment, I'm most interested in eradicating out-and-out errors of fact. Additional material is welcome, whether from the AV or vx ends of the spectrum. However, I have a vested interest in limiting the spread of viruses among those who don't want or deserve to be afflicted with them, and this will obviously influence what material I actually incorporate into this FAQ. Nitpicking and philosophical debate is also welcome, but won't be addressed as quickly as errors of fact. Also, I've attempted to rationalise attribution to authors (by initial) where practical. If I've missed out a credit (or even worse, attributed wrongly) I apologise profusely and will correct as soon as you notify me. Unattributed text is generally compiled from more than one person's input. Errors are probably mine. Most of the bureaucratic bits certainly are..... ------------------------------ Preface ******* (i) What is the FAQ, and who is it for? (ii) Credits/Acknowledgements (iii) Guide to posting etiquette (iv) How to ask for help (v) Disclaimer (i) What is the FAQ, and who is it for? This FAQ is intended to make available answers to questions which are repeatedly asked on alt.comp.virus, and tries to gather the most useful information regarding this group and the issues discussed here into a relatively short document. The hope is to produce (eventually) an easily-digested document for newcomers, as a means of saving those who regularly reply to posted questions having to re-invent the wheel each time. Copyright on all contributions to this FAQ remains with the authors and all rights are reserved. It may, however, be freely distributed and quoted - accurately, and with due credit. B-) It may not be reproduced for profit or distributed in part or as originally distributed with any product for which a charge is made *without* the permission of the copyright holders. I recommend that you read the FAQ in conjunction with the comp.virus FAQ, which gives more detailed information regarding some issues which are, inevitably, covered in both FAQs, though the comp.virus FAQ has not been updated for some years (a new version is promised shortly). The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus newsgroup. The latest (Mk. 1) version is always available as: ftp://cert.org/pub/virus-l/FAQ.virus-l There appears to be a sneak preview of the Mk. 2 version available at ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip which is very long and very thorough. [If this URL gives problems, try using datafellows.fi instead of ftp.datafellows.com]. (ii) Credits/Acknowledgements The following have contributed text and/or ideas and/or proofreading to the a.c.v. FAQ. Bruce Burrell Graham Cluley Henri Delger David Harley R. Wallace Hale Matthew Holtz Mike Ramey Perry Rovers Alan Solomon Ken Stiers George Wenzel Caroline Wilson Acknowledgement is also due to the work of Ken Van Wyk, former moderator of VIRUS-L/comp.virus, and the contributors to the comp.virus FAQ (Mk.I). Despite earlier discussion on a.c.v. and elsewhere, this FAQ seems to have gained quite a few pounds without including direct quotations from either version of the c.v. FAQ, but would have taken even longer to write if it hadn't existed! Thanks also to ked@intac.com, who mailed me a copy of the FAQ he posted to a.c.v. some months ago. (iii) Guide to posting etiquette Messages asking for help posted to alt.comp.virus are more likely to receive a useful response if they conform to accepted standards of civility. The newsgroup news.announce.newusers includes information on good newsgroup etiquette, or try ftp://rtfm.mit.edu/pub/usenet/news.answers However, adhering to the following guidelines would be particularly helpful: * Keep your lines short (say 72 characters per line), so that anyone who follows up doesn't have to reformat quoted text to keep it readable). * Keep it polite. It's unlikely that anyone who replies to your posting is being paid to do so, and it wouldn't excuse bad manners if they were. Of course, the cut and thrust of debate may be a different matter altogether.... * Asking for a reply by direct e-mail may be reasonable if you need an urgent solution or are using a borrowed account. It isn't reasonable if you simply can't be bothered to check newsgroups. At least try to think up a good excuse, and be prepared to offer a summary to the group. * Check that there isn't already a thread on the subject you're asking about before posting yet another 'Has anyone heard of the GOOD TIMES virus?' message. If there is, check it first: the answer to your question may already be there (if it isn't in this document!). Please remember that many people have to pay for connect time, and don't appreciate duplicate postings or uuencoded binaries. * Please don't post test messages here unless you really need to: use one of the newsgroups intended for the purpose: there is probably one local to your news server - ask your Systems Administrator, provider or local helpdesk. If you must post to the entire Internet, use misc.test - if you do, put the word IGNORE in your Subject: field, or you'll get auto-responder messages in your mail for weeks afterwards. Look through the postings in news.announce.newusers for relevant guidelines before you post. * If you get into an exchange of E-mail, please remember that not everyone can handle all forms of E-mail attachment (uuencoded, MIME format etc. - if it's text, *send* it as text. NB also that (uu)encoding text makes it longer as well as unreadable, so don't! (iv) How to ask on the alt.comp.virus newsgroup for help [AS] The more relevant information you give us, the more we can help you. It helps to tell us the following: * What you think the problem is (you might think it's a virus, but maybe it isn't) * What the symptoms are. If you ran some software that gave you a message, tell us which package, version number, and the exact wording of the message. * Please be as accurate as possible about the order in which events happened. * If just one file is infected, give the filename. * If you're running more than one anti-virus product, please list them (including version number), and say what each one said about the possible virus. * Which version of which operating system you are running. Don't take action, then ask if that was the right action - if it wasn't, it's too late. Don't just ask "I've got xyz virus, can anyone help me". (v) Disclaimer This document is an honest attempt to help individuals with computer virus-related problems and queries. It can *not* be regarded as being in any sense authoritative, and has no legal standing. The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document. Not all the views expressed in this document are mine, and those views which *are* mine are not necessarily shared by my employer. In fact, in the spirit of all those articles about how to write a virus, no responsibility is taken for anything whatsoever ;-) ------------------------------ Table of Contents ***************** Part 1 ====== 1) I have a virus - what do I do? 2) Minimal glossary 3) What is a virus (Trojan, Worm)? 4) How do viruses work? 5) How do viruses spread? 6) How can I avoid infection? 7) How does antivirus software work? 8) What's the best anti-virus software (and where do I get it)? Part 2 ====== 9) Where can I get further information? 10) Does anyone know about * Mac viruses? * UNIX viruses? * the xyz virus? 12) Is it true that...? 13) Favourite myths 14) What about the legal issues? 15) Miscellaneous ---------------------------------------------------------------------- Subject: (1) I have a virus problem - what do I do? [DH] The following guidelines will, one hopes, be of assistance. However, you may get better use out of them if you read the rest of this document before acting rashly... If you think you may have a virus infection, *stay calm*. Once detected, a virus will rarely cause (further) damage, but a panic action might. Bear in mind that not every one who thinks s/he has a virus actually does (and a well-documented, treatable virus might be preferable to some problems!). Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the virus. If you've been told you have something exotic, consider the possibility of a false alarm and check with a different package. If you have a good antivirus package, use it. Better still, use more than one. If there's a problem with the package, use the publisher's tech support and/or try an alternative package. If you don't have a package, get one (see section on sources below). If you're using Microsoft's package (MSAV) get something less out-of-date. Follow the guidelines below as far as is practicable and applicable to your situation. Try to get expert help *before* you do anything else. If the problem is in your office rather than at home there may be someone whose job includes responsibility for dealing with virus incidents. Follow the guidelines below as far as is practicable and applicable. * Do not attempt to continue to work with an infected system, or let other people do so. * Generally, it's considered preferable to switch an infected system off until a competent person can deal with it: don't allow other people to use it in the meantime. If possible, close down applications, Windows etc. properly and allow any caches/buffers to flush, rather than just hit the power switch. * If you have the means of checking other office machines for infection, you should do so and take appropriate steps if an infection is found. * If you are unable to check other machines, assume that all machines are infected and take all possible steps to avoid spreading infection any further. * If there are still uninfected systems in the locality, don't use floppy disks on them [except known clean write-protected DOS boot floppies] * users of infected machines should not *under any circumstances * trade disks with others until their systems and disks are cleaned. * if the infected system is connected to a Novell network, Appleshare etc., it should be logged off all remote machines unless someone knowledgeable says different. If you're not sure how to do this, contact whoever is responsible for the administration of the network. You should in any case ensure that the network administrator or other responsible and knowledgeable individual is fully aware of the situation. * No files should be exchanged between machines by any other means until it's established that this can be done safely. * Ensure that all people in your office and anyone else at risk are aware of the situation. * Get *all* floppy disks together for checking and check every one. This includes write-protected floppies and program master disks. Check all backups too (on tape or file servers as well as on floppy). ------------------------------ Subject: (2) Minimal Glossary * AV - AntiVirus. Sometimes applied as a shorthand term for anti-virus researchers/programmers/publishers - may include those whose work is not AV research, but includes virus-control (See also Vx). * BSI - Boot Sector Infector (= BSV - Boot Sector Virus) * BIOS - Basic Input Output System * CMOS - Memory used to store hardware configuration information * DBR - DOS Boot Record * DBS - DOS Boot Sector * MBR - Master Boot Record (Partition Sector) * TSR - A memory-resident DOS program, i.e one which remains in memory while other programs are running. * vx - Those who study, exchange and write viruses, not necessarily with malicious intentions (So I'm frequently told here...) B-) Why isn't it VX? Apparently because Sarah Gordon is allergic to CAPSLOCK.... * Zoo - suite of viruses used for testing. See the comp.virus FAQ for fuller definitions of some of these terms and others which aren't addressed here. Here are some commonly referred to anti-virus packages, including acronyms (hence their inclusion in this section). * AVP - AntiViral Toolkit Pro * AVTK - Dr. Solomon's AntiVirus ToolKit * CPAV - Central Point AntiVirus * The Doctor (Not Dr. Solomon!) * DSAVTK - Dr. Solomon's AntiVirus ToolKit * F-Prot * FindViru(s) - DSAVTK scanner * Invircible * MSAV - MicroSoft AntiVirus * McAfee * NAV - Norton AntiVirus * SCAN - ViruScan (McAfee's scanner) * Sweep - Scanner by Sophos * TBAV - Thunderbyte AntiVirus * VET ------------------------------ Subject: (3) What is a virus (and what are Trojans and Worms)? [DH] A (computer) virus is a program (a block of executable code) which attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the PC user. Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them. A Trojan Horse is a program intended to perform some covert and usually malicious act which the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce, though this distinction is by no means universally accepted. A dropper is a program which covertly installs a virus or Trojan. A worm is a program which spreads (usually) over network connections. Unlike a virus, it does not attach itself to a host program. In practice, worms are not normally associated with personal computer systems. ------------------------------------------------- Subject (4) How do viruses work? [DH] A file virus attaches itself to a file (but see the section below or the comp.virus FAQ on the subject of companion viruses), usually an executable application (e.g. a word processing program or a DOS program). In general, file viruses don't infect data files. However, data files can contain embedded executable code such as macros, which may be used by virus or trojan writers. Text files such as batch files, postscript files, and source code which contain commands that can be compiled or interpreted by another program are potential targets for malware (malicious software), though such malware is not at present common. Boot sector viruses alter the program that is in the first sector (boot sector) of every DOS-formatted disk. Generally, a boot sector infector executes its own code (which usually infects the boot sector or partition sector of the hard disk), then continues the PC bootup (start-up) process. In most cases, all write-enabled floppies used on that PC from then on will become infected. Multipartite viruses have some of the features of both the above types of virus. Typically, when an infected *file* is executed, it infects the hard disk boot sector or partition sector, and thus infects subsequent floppies used or formatted on the target system. The following virus types are more fully defined in the comp.virus FAQs (see preamble): * STEALTH VIRUSES - viruses that go to some length to conceal their presence from programs which might notice. * POLYMORPHIC VIRUSES - viruses that cannot be detected by searching for a simple, single sequence of bytes in a possibly-infected file, since they change with every replication. * COMPANION VIRUSES - viruses that spread via a file which runs instead of the file the user intended to run, and then runs the original file. For instance, the file MYAPP.EXE might be 'infected' by creating a file called MYAPP.COM. Because of the way DOS works, when the user types MYAPP at the C> prompt, MYAPP.COM is run instead of MYAPP.EXE. MYAPP.COM runs its infective routine, then quietly executes MYAPP.EXE. * ARMOURED VIRUSES - viruses that are specifically written to make it difficult for an antivirus researcher to find out how they work and what they do. ------------------------------ Subject: (5) How do viruses spread? [DH] A PC is infected with a boot sector virus (or partition sector virus) if it is (re-)booted (usually by accident) from an infected floppy disk in drive A. Boot Sector/MBR infectors are the most commonly found viruses, and cannot normally spread across a network. These (normally) spread by accident via floppy disks which may come from virtually any source: unsolicited demonstration disks, brand-new software (even from reputable sources), disks used on your PC by salesmen or engineers, new hardware, or repaired hardware. A file virus infects other files when the program to which it is attached is run, and so *can* spread across a network (often very quickly). They may be spread from the same sources as boot sector viruses, but also from sources such as Internet FTP sites and bulletin boards. (This applies also to Trojan Horses.) A multipartite virus infects boot sectors *and* files. Often, an infected file is used to infect the boot sector: thus, this is one case where a boot sector infector could spread across a network. ------------------------------ Subject: (6) How can I avoid infection? [DH] There is no way to guarantee that you will avoid infection. However, the potential damage can be minimized by taking the following precautions: * make sure you have a clean boot disk - test with whatever (up-to-date!) antivirus software you can get hold of and make sure it is (and stays) write-protected. Boot from it and make a couple of copies. * use reputable, up-to-date and properly-installed anti-virus software regularly. (See below) If you use a shareware package for which payment and/or registration is required, do it. Not only does it encourage the writer and make you feel virtuous, it means you can legitimately ask for technical support in a crisis. * do some reading (see below). If you're a home user, you may well get an infection sooner or later. If you're a business user, it'll be sooner. Either way you'll benefit from a little background. If you're a business user you (or your enterprise) need a policy. * don't rely *solely* on newsgroups like this to get you out of trouble: it may be a while before you get a response (especially from a moderated group like comp.virus), and the first response you act upon may not offer the most appropriate advice for your particular problem. * if you use a shareware/freeware package, make sure you have hard copy of the documentation *before* your system falls apart! * always run a memory-resident scanner to monitor disk access and executable files before they're run. * if you run Windows, a reputable anti-virus package which includes DOS *and* Windows components is likely to offer better protection than a DOS only package. If you run Windows 95, you need a proper Win95 32-bit package for full protection. * make sure your home system is protected, as well as your work PC. * check all new systems and all floppy disks when they're brought in (from *any* source) with a good virus-scanning program. * acquire software from reputable sources: 2nd-hand software is frequently unchecked and sometimes infected. Bear in mind that shrinkwrapped software isn't necessarily unused. In any case, reputable firms have shipped viruses unknowingly. * once formatted, keep floppies write-disabled except when you need to write a file to them: then write-disable them again. * make sure your data is backed up regularly and that the procedures for restoring archived data *work* properly. * scan pre-formatted diskettes before use. * if your PC can be prevented with a CMOS setting from booting with a disk in drive A, do it (and re-enable floppy booting temporarily when you need to clean-boot). CMOS settings [GC] ************* Some CMOSes come with special anti-virus settings. These are normally vague about what they do but typically they write-protect your hard disk's boot sector and partition sector (MBR). This can be some use against boot sector viruses but may false alarm when you upgrade your operating system. One sensible setting to make (if your CMOS allows) is to adjust the boot sequence of your PC. Changing the default boot-up drive order from A: C: to C: will mean that the PC will attempt to boot from drive C: even if a floppy disk has been left in drive A:. This way boot sector virus infection can often be avoided. Remember, however, to set your CMOS back temporarily if you ever *do* want to boot clean from floppy (for example, when running a cryptographical checksummer after a cold boot). ------------------------------ Subject: (7) How does antivirus software work? [DH] * Scanner (conventional scanner, command-line scanner, on-demand scanner) - a program that looks for known viruses by checking for recognisable patterns ('scan strings', 'search strings', 'signatures'). * TSR scanner - a TSR (memory-resident program) that checks for viruses while other programs are running. It may have some of the characteristics of a monitor and/or behaviour blocker. * VxD scanner - a scanner that works under Windows or perhaps under Win 95, or both), which checks for viruses continuously while you work. * Heuristic scanners - scanners that inspect executable files for code using operations that might denote an unknown virus. * Monitor/Behaviour Blocker - a TSR that monitors programs while they are running for behaviour which might denote a virus. * Change Detectors/Checksummers/Integrity Checkers - programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus. * Cryptographic Checksummers use an encryption algorithm to lessen the risk of being fooled by a virus which targets that particular checksummer. ------------------------------ Subject (8) What's the best antivirus software (and where do I get it)? [DH] [This section to be expanded, sources to be checked, and formatting to be cleaned up, as a matter of priority!] Most of the people who post here have their favourites: if you just ask which is the best, you'll generally get either a subjective "I like such and such", recommendation of a particular product by someone who works for that company, or a request to be more specific about your needs. Some of us who are heavily involved with virus control favour using more than package and keeping track of the market. Don't trust anything you read in the non-technical press. Don't accept uncritically reviews in the computing press, either: even highly-regarded IT specialists often have little understanding of virus issues, and many journalists are specialists only in skimming and misinterpreting. Magazines like Virus Bulletin and Secure Computing are much better informed and do frequent comparative reviews, and are also informative about their testing criteria, procedures and virus suites. Recently, a number of articles have been posted here by people who've run their own tests on various packages. These are often of interest, but should not be accepted uncritically. Valid testing of antivirus software requires a lot of care and thought, and not all those who undertake it have the resources, knowledge or experience to do it properly. You may get a more informed response if you specify what sort of system you have - DOS, Windows, Win95? XT, AT, 386 or better? Is the system networked, and are you asking about protecting the whole network? (What sort of network?) Are you running NT, OS/2 or Win95, any of which involve special considerations? Be aware that there is more than one way of judging the effectiveness of a package - the sheer number of viruses detected; speed; tendency to false alarms; size (can you run it from a single floppy when necessary?); types of virus detection & prevention (not at all the same thing) offered (command-line scanning, TSR scanning, behaviour blocking, checksumming, access-control, integrity shell etc.); technical support etc. DOS packages available from SimTel etc. include F-Prot AVP Lite McAfee TBAV Most Shareware/Freeware packages can be obtained from SimTel via anonymous FTP or WWW, e.g. http://www.coast.net/SimTel/msdos/virus ftp://ftp.coast.net/SimTel/msdos/virus/ Mirror sites include: USA:- ftp.cdrom.com uiarchive.cso.uiuc.edu oak.oakland.edu wuarchive.wustl.edu ftp.uoknor.edu ftp.pht.com UK:- micros.hensa.ac.uk src.doc.ic.ac.uk ftp.demon.co.uk Of course, such products can often be obtained direct from the publisher's WWW or FTP sites too. There is a shareware program for Win95 called the Doctor, for which I can't at present find the co-ordinates. [Graham Cluley points out that they have an area on Compuserve (GO NCSAVIRUS)]. Also, McAfee and Thunderbyte have Win95 programs. ftp://ftp.mcafee.com/pub/antivirus/ http://thunderbyte.com/ftp/thunderbyte/ ftp://ftp.thunderbyte.com/ Commercial ========== [vendors are invited to supply full contact details and indicate the range of platforms their product range covers. Let's not overdo the hype, though, guys.] (NB Some of these, though not shareware, can be obtained for evaluation via anon FTP or WWW) DSAVTK (Dr Solomon's Anti-Virus ToolKit) [DOS; DOS & Windows; DOS & Win95; NetWare; NT; OS/2; Unix; Mac] UK Support: support@uk.drsolomon.com US Support: support@us.drsolomon.com UK Tel: +44 (0)1296 318700 USA Tel: +1 617-273-7400 CompuServe: GO DRSOLOMON Web: http://www.drsolomon.com FTP: ftp://ftp.drsolomon.com Evaluation copy of Findvirus Dos scanner available via the Web. ************* F-Prot Pro (DOS & Windows, NetWare, Win95) The sales structure for F-Prot Pro is a bit complicated (there are two flavours). Command Software Systems Inc. 1+407-575 3200 ftp://ftp.command-hq.com (?) Data Fellows Ltd. f-prot@datafellows.fi ftp://ftp.datafellows.fi (?) http://www.DataFellows.com http://www.Europe.DataFellows.com UK: Portcullis (for Data Fellows) 44-181-868-0098 Command Software UK 44-171-259-5710 More details inc. in ORDER-2.DOC, supplied with the shareware version. ************ IBM AntiVirus: http://www.brs.ibm.com/ibmav.html 800-551-3579 (US only) 800-465-7999 fax: 800-267-5185 ************ McAfee Associates 3350 Scott Blvd, Bldg 14 Santa Clara, California 95054-3107 USA Voice (408) 988-3832 FAX (408) 970-9727 BBS (408) 988-4004 CompuServe ID: 76702,1714 or GO MCAFEE mcafee@netcom.com ftp://ftp.mcafee.com/pub/antivirus/ http://www.mcafee.com/ [DOS, Windows, Win95, NetWare] NAV (Norton AntiVirus) [DOS, Windows, Win95, Mac] http://www.symantec.com/ ftp://ftp.symantec.com US Support: 541-465-8420 AOL: SYMANTEC European Support: 31-71-353-111 Australian Support: 61-2-879-6577 AVP LITE ftp: ftp.command-hq.com sub-directory: pub/command/avp file: avplite.zip Sweep http://www.sophos.com/ ftp://ftp.sophos.com Thunderbyte http://thunderbyte.com/ftp/thunderbyte/software/ ftp://ftp.thunderbyte.com (?) Invircible ftp://ftp.invircible.com ftp://ftp.datasrv.co.il/pub/usr/netz/ Microsoft (Macro Virus fixes) - http://www.microsoft.com For updates to MSAV, contact Symantec (but better to get a more up-to-date package). There is a comprehensive set of product reviews at: http://www.first.org/virus/virrevws/ and a number of reputable vendors include comparative reviews, papers on testing etc. on their WWW/FTP servers. There are links to just about every anti-virus site you ever heard of at http://www.innet.net/~ewillems/ In the event of a *real* tragedy, there are a number of firms which specialize in data recovery. In the UK, there are S&S International (see above) and Ontrack Data Recovery Europe (0800-243996). In the US, there's Ontrack Computer Systems (parent company of Ontrack ...Europe). I believe Maxtor also offer a service of this sort, but I have no details at present. .