F-PROT Professional Update Bulletins

F-PROT 2.08 Update Bulletin Copyright (c) 1993 F-Secure Ltd
CONTENTS BRIEFLY

The International Distribution Network for F-PROT becomes more effective
New Viruses and Their Descriptions
  Trivial
  Hitchcock.b
  Cinderella.c
  Hamster
Strike Commander Trojan on the move
F-PROT Support Advises: Common Questions and Answers
In Short
  Michelangelo'93
  Irresponsible activities continue: Mark Ludwig organizes a virus competition
  PC Magazine's test astonishes
  The 40-Hex magazine in international circulation
  The ARCV virus group arrested
  The Nabob Trojan Horse on CD-ROM
  NuKE publishes its own mutation generator
New Macintosh Viruses Discovered
  INIT-M
  The INIT 17 Virus
  Disinfectant Version 3.2 Protects Macintoshes
Changes in F-PROT Version 2.08
  The functioning of Heuristic Analysis has changed
  F-PROT 2.08 - other changes
Appendix: PC Professionell Antivirus Test
  Product  Version  Producer  Found  Removed
  AP-355  Jürgen Liskowski  1074  81

This text may be freely used as long as the source is mentioned as 'Source: F-PROT 2.08 Update Bulletin Copyright (c) 1993 F-Secure Ltd.'


F-PROT 2.08 Update Bulletin
The International Distribution Network for F-PROT becomes more effective
The international distribution of F-PROT becomes more effective as new agreements are signed between F-Secure Ltd. and distributors in various countries. The latest distribution agreement has been signed with Symbolic, Inc. of Parma, Italy. The localization of F-PROT for the Italian market has already been completed successfully.

A topic very near the heart of anti-virus professionals is the success of Microsoft Anti-Virus (MSAV), which is included as part of DOS 6.0. Tests are beginning to appear in the computer magazines. We will report on the efficiency of MSAV in an upcoming issue.

New Viruses and Their Descriptions
Trivial
At the beginning of April a new member of the Trivial virus family was found in Rovaniemi, Finland. Trivial is a peculiar one as virus families go: aside from their extremely small size, its members have no common factor. Most of these viruses take up less than one hundred bytes; it seems that virus writers have competed over who can write the smallest functional virus. All viruses of the Trivial family infect a single COM file at a time, and they spread by overwriting the beginning of their victim. The smallest known DOS virus that still retains its functionality (Trivial.25) is only 25 bytes long. In other words, it takes up about as much space as the first four words of this paragraph.

The variant of Trivial discovered in Rovaniemi is 45 bytes in size. The actual virus code is only 29 bytes long; the rest of the virus consists of the message "Körtsy Rules!". From this message one can deduce that the virus is of Finnish make. The way the virus works is extremely simple. It searches the current directory for files whose extension starts with the letter C. If such a file is found, the virus replaces the beginning of the victim file with its own code. Having done this, it terminates.

The Trivial viruses do not present a threat that should be taken seriously. They infect only COM files residing in the same directory, and their infection method damages the victim file, which makes the infection easy to recognize.

Hitchcock.b
The first sample of a new variant of the Hitchcock virus was found in Joensuu, Finland. The virus was, in fact, discovered in the middle of 1992, but it took until March 1993 for a sample to reach us for examination. The new variant has been named Hitchcock.1238; the name refers to its size. The original Hitchcock virus is 1247 bytes long. No previous variants of the virus have been discovered anywhere in the world. The native country of the original Hitchcock virus is not known, but the freshly discovered variant may have been made in Finland.

Hitchcock.1238 spreads quite efficiently. The code of the original Hitchcock virus has been modified a little; the main purpose seems to have been to change the code enough that scanner-type anti-virus programs could no longer recognize it. In any case, F-PROT 2.02, which is already over a year old, finds the virus with all of its search methods. The only significant changes in the new variant have been made to the activation routines.

The most important alterations separating the new variant from the original Hitchcock are the decrease in size and a change in the "Are you there?" call the virus uses. The original virus checks whether it has already been installed in memory by calling an interrupt it hijacks, INT 21h with AX=4BFEh. If the virus is already resident in memory, it recognizes the call and answers by returning the value 1234h in the AX register. The new variant functions identically, but the call it uses has been changed to INT 21h with AX=4BFFh. Neither of these functions is normally used. Examination of the virus code leads to the conclusion that the author of the new variant probably had the source code of the original virus available. The virus stays resident in memory, of which it reserves about 3.5 kilobytes for itself. The reduction in available memory can be observed with the MEM command, although MEM does not show the name of the program that causes it.

Besides interrupt 21h, the virus also hijacks interrupt 1Ch for its own use. Hitchcock.1238 checks that the computer's DOS version is at least 2.0; otherwise it will not spread. The virus infects every COM file that is executed, provided its size falls between 1288 and 64000 bytes. It does not trust the file-name extension, but determines the program type by examining the first two characters of the file. The virus is able to bypass a read-only attribute set with the ATTRIB command, but, since it does not install a critical-error handler, executing a COM file from a write-protected diskette produces the error message "Write protect error".

The virus does not alter the time stamp of an infected program, apart from the 'seconds' field, which it sets to the value 20 after completing the infection. The virus uses this marker to identify files that have already been infected, and consequently it does not infect files whose 'seconds' field already contains the value 20. The DOS DIR command does not show seconds in a directory listing at all. The virus increases the size of infected files by 1238 bytes. This change is visible in the directory listing; the virus does not contain stealth routines. The viral code is placed at the beginning of an infected file, whose original first 1238 bytes are moved to the end of the file.

The Hitchcock virus activates after having been resident in memory for 4 minutes and 7 seconds. It then begins to play the theme from the Hitchcock television series. The song is easily recognizable and lasts about thirty seconds. The music goes on endlessly, with a pause of a couple of seconds between the end and the restart of the theme. In the original version of the virus, the music routine was activated only if the virus was executed during August. This check has been removed from the new version. As a result, Hitchcock.1238 is quite obvious and very easy to spot, and because of this it is never likely to become very common.

The music routine runs as part of the system timer tick interrupt (1Ch), which gets a slice of processor time 18.2 times a second. Because of this, the music plays completely in the background, without disturbing the execution of other applications in any way. The music routine works even in the background under Windows. The virus code contains no text strings, and it has not been encrypted in any way. From a technical point of view, the code has been written quite well, if somewhat wastefully. F-PROT 2.08 is able to recognize and remove the Hitchcock.1238 virus.

Cinderella.c
The first sample of a new variant of the Cinderella virus was found in March in Rovaniemi, Finland. The new variant is likely to be named Cinderella.c. Three previous versions of the Cinderella virus are known, all of which have probably been made in Scandinavia. Cinderella.c is functionally based on the first known version of the virus, Cinderella.a. The virus stays resident in memory and infects COM files. It does not contain actual stealth features, but it does not update the time stamp of the infected files. In addition, the Cinderella viruses are able to bypass the DOS read-only attribute. The virus keeps a counter which is incremented with each keystroke. This counter triggers the activation routine, which creates one zero-length file on the hard disk and reboots the computer. In the original version of the virus the file in question was named cInDeReL.la, but in the new variant it has been changed to CindyRul.es!. When the directory listing is examined under MS-DOS, the file names are shown in capital letters.

The designer of the Cinderella.c virus has meant to change the original viral code to the extent that scanner-type anti-virus programs can no longer recognize it. This has been done by changing the internal order of instructions. Demonstrated in pseudo-code, the principle is as follows:

The original code:                  The altered code:
...                                 ...
move the value in variable a to b   add to counter d
move value 5 to variable c          move value 5 to variable c
add to counter d                    move the value in variable a to b
add c to d                          add c to d
if value > 10 perform routine       if value > 10 perform routine
...                                 ...

Thus altered, the functioning of the program does not change at all, but the appearance of the virus differs almost completely from the original. The author of the Cinderella.c virus may not even have known the Intel processor assembly language anywhere near perfectly.
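The reordering trick above, and why a scanner that keys on the exact byte order misses it, as an added example (not F-PROT code and not from the bulletin): independent instructions are put into a canonical order derived from their data dependencies before a signature is taken, so the original and the reordered variant match while a genuinely different program does not. The pseudo-assembly dialect and the three sample blocks are constructed for the example.

```python
"""Order-insensitive matching of a straight-line instruction block.

Added example, not F-PROT code and not from the bulletin: it models the
Cinderella.c trick of swapping independent instructions and shows why a
signature taken over the instructions in file order misses the swapped
variant, while a signature taken over a dependency-canonical order still
matches.  The tiny pseudo-assembly dialect below is constructed for this
example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    """One instruction and the registers it writes and reads."""
    text: str
    writes: frozenset[str]
    reads: frozenset[str]


def parse(line: str) -> Insn:
    """Parse 'op dst, src'. mov writes dst and reads src; add reads both and
    writes dst; cmp reads both and writes 'flags'; jg reads 'flags'."""
    text = line.strip()
    op, _, rest = text.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []

    def regs(names):  # immediates such as 5 or 10 are not tracked state
        return frozenset(n for n in names if n.isalpha())

    if op == "mov":
        return Insn(text, regs(ops[:1]), regs(ops[1:]))
    if op == "add":
        return Insn(text, regs(ops[:1]), regs(ops))
    if op == "cmp":
        return Insn(text, frozenset({"flags"}), regs(ops))
    if op == "jg":
        return Insn(text, frozenset(), frozenset({"flags"}))
    raise ValueError(f"unknown op {op!r}")


def canonical_order(lines: list[str]) -> list[str]:
    """Return the block in a canonical order.

    An instruction depends on every earlier one it has a RAW, WAR or WAW
    hazard with.  A topological sort that breaks ties between independent
    instructions by their text gives the same result for any two blocks that
    differ only in the order of independent instructions.
    """
    insns = [parse(ln) for ln in lines]
    n = len(insns)
    preds: list[set[int]] = [set() for _ in range(n)]
    for j in range(n):
        for i in range(j):
            a, b = insns[i], insns[j]
            if (a.writes & b.reads) or (a.reads & b.writes) or (a.writes & b.writes):
                preds[j].add(i)
    done: set[int] = set()
    out: list[str] = []
    while len(out) < n:
        ready = [k for k in range(n) if k not in done and preds[k] <= done]
        pick = min(ready, key=lambda k: insns[k].text)  # deterministic tie-break
        done.add(pick)
        out.append(insns[pick].text)
    return out


def exact_signature(lines: list[str]) -> str:
    """Naive scanner signature: hash of the instructions in file order."""
    return hashlib.sha256("\n".join(ln.strip() for ln in lines).encode()).hexdigest()


def canonical_signature(lines: list[str]) -> str:
    """Signature over the canonical order instead of file order."""
    return hashlib.sha256("\n".join(canonical_order(lines)).encode()).hexdigest()


# Constructed stand-ins for the bulletin's pseudo-code ("move the value in
# variable a to b", "add to counter d", ...).  ALTERED is ORIGINAL with its
# three independent leading instructions shuffled, the Cinderella.c technique.
ORIGINAL = ["mov b, a", "mov c, 5", "add d, 1", "add d, c", "cmp d, 10", "jg routine"]
ALTERED = ["add d, 1", "mov c, 5", "mov b, a", "add d, c", "cmp d, 10", "jg routine"]
# A genuinely different program (counter stepped by 2) must not match either.
DIFFERENT = ["mov b, a", "mov c, 5", "add d, 2", "add d, c", "cmp d, 10", "jg routine"]

if __name__ == "__main__":
    print("file-order signatures equal:", exact_signature(ORIGINAL) == exact_signature(ALTERED))
    print("canonical signatures equal: ", canonical_signature(ORIGINAL) == canonical_signature(ALTERED))
```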
In any case, even F-PROT 2.02, which is more than a year old, finds the new variant with all of its search methods. F-PROT recognizes the virus as "Probably a new variant of Cinderella". The presence of a Cinderella virus in a system can be detected from clues such as a reduction in the amount of available memory and growth in the size of COM files.

Hamster
The Hamster virus was discovered in Norway in the middle of April. The virus seems to have spread widely in southern Norway and has probably already spread to other countries as well. Hamster has quite simple functions. It infects COM files which reside in the same directory as itself. The virus appends its own code to the end of the host program and alters the beginning of the program so that the virus code is executed first. The virus infects only one file at a time, and it does not change the time stamp of its victims. Hamster does not set limiting conditions on its potential victims, but infects all COM files it finds if they are not already infected. The virus examines the program type by checking for the characters "MZ", which indicate that the program is structurally an EXE file. The virus stores the names of the current host program and the previous one inside its code. This makes it possible to trace the route along which it has spread. The virus code also includes one message: "Turbo Hamster Virus!". F-PROT 2.08 is able to find and remove the Hamster virus.

Strike Commander Trojan on the move
Near the end of April, a file called SCTRNUNT.ZIP was circulating in BBSs around the world. The program was supposed to grant endless lives to the player of the popular game Strike Commander. It was, however, a malicious Trojan Horse. When the program is started, the following message appears on screen:

  By: Wayward
  Welp, here it is. Strike Commander Trainer. It was relatively easy since most of the sub-routines were in the file. Also I also found a nasty during take-offs. It's a randomly copy protection. It was a bitch to find it since Origin has a weird way of encrypting their files. Just run SCTRNUNT.EXE and have approx. 2+ megs free since I have to uncompress a couple of files. We're sorry we didn't release the speech pack, but get them anyways! It's worth the FP's. See you in the next release! Have Fun! This will take awhile. Approx. 2 and a half mins. Go grab your helmet!

The purpose of this text is to ease the user's suspicions, for after the text has been shown, the hard disk begins to spin wildly. The program does not, in fact, extract packed files, but destroys information on the disk. The trojan has been written with Borland Turbo Pascal, and it contains a destruction routine which overwrites the first 255 sectors on the first six logical disks. After such destruction practically all the information in the computer is lost. The damage is done by using an absolute disk write: the information on the disk is overwritten with random data found in memory. The program begins its sabotage at disk H and advances from there to disk C. The program contains a character string which cannot be seen directly, because the Trojan has been packed with PKLITE:

  HI--TC!.!!! Keith Reid, This is a trojan. Have fun taking it apart. Later Titus Crow of Gallows Howe. I love you too!

Those who use the file services of BBSs might do well to remember an old and tried rule: it is not worthwhile to be the first to test an unknown program. By waiting a couple of days before transferring a program to one's own computer, one can be sure it won't contain any unwelcome side effects; others will have had time to test it before that.

F-PROT Support Advises: Common Questions and Answers
If you have questions about information security or virus prevention, you can contact F-PROT support on the number +358-0-692 3622. You can also address your written questions to: F-Secure Ltd., F-PROT Support, Wavulinintie 10, SF 00210 HELSINKI, FINLAND. Questions sent by electronic mail can be addressed directly to Mikko Hyppönen, who handles technical support; his Internet address is mikko.hypponen@compart.fi.

I have started using DoubleSpace, the disk-doubling feature of MS-DOS 6. When using other disk packers, I have been advised to make a tool diskette that contains the drivers the packers use, because otherwise anti-virus programs and other tools cannot read the packed data after I have booted the computer from a diskette. Is this the case with DoubleSpace, too?

DoubleSpace is a built-in part of the MS-DOS operating system. Because of this, the program does not need a separate driver. You can access the data on the packed disk directly after booting your computer from a diskette, as long as the diskette has been made using MS-DOS 6. A new hidden system file that has appeared alongside the familiar IO.SYS and MSDOS.SYS, DBLSPACE.BIN, makes this possible. DBLSPACE.BIN is loaded automatically during boot-up whether or not the diskette contains a CONFIG.SYS file.

I was testing out the new Microsoft DOS 6.0. After having tried the MSAV anti-virus program, I executed F-PROT, too. F-PROT reported a Stoned virus in memory. I booted the computer from a clean diskette, but the virus was nowhere to be found. What's up?

You have run into a false alarm caused by the Microsoft Anti-Virus program. Unlike practically all other anti-virus programs, MSAV does not clean up memory after having completed its check. This means that MSAV leaves a trail of virus signatures in its wake in memory. Most anti-virus programs produce false alarms of an active virus in memory if they are executed after MSAV. MSAV is, in fact, a reduced version of CPAV, marketed by Central Point. CPAV, too, has this same problem. For nearly two years, people have been complaining of this to Central Point, but the problem has not been corrected. In fact, in their documentation Central Point states in no uncertain terms that their product is not compatible with any other anti-virus software. The suggested remedy in the CPAV manual is to refrain from using any product other than CPAV in one computer. The TSR programs that come with MSAV and CPAV, VSAFE and VWATCH, also cause similar false alarms. The most common false alarms caused by MSAV and CPAV are given for the viruses Flip, Filler, Stoned and Telecom. According to tests, the MSAV that comes with MS-DOS finds about 70% of known viruses.

We use the F-AUTO program to automate virus checks. For some reason the system does not act like it is supposed to; the check is only made on the hard disk of the user who first logs into our local network. The check is configured to happen every day.

You have installed the F-AUTO program on a network. Whenever F-AUTO is executed, it creates a file called F-AUTO.CFG in which the last execution date is stored. If F-AUTO is located on a shared disk area, the first user updates this file, and consequently other users do not activate the check any more. If you move the F-AUTO program to the local hard disks of the workstations, the checks will function correctly.

I updated F-PROT to its latest version, but at the same time VIRSTOP destroyed a customized message I had installed, the purpose of which was to guide users in case a virus infection was found. Is there a way to preserve the VIRSTOP message over version updates?

Unfortunately there is not. The F-PROT function Install/Install stores the customized VIRSTOP message in the program VIRSTOP.EXE itself, and it is consequently lost when the program is replaced by a newer version. Because of this, a manager has to renew the message during each update. It is possible for a manager to minimize the work this requires by altering VIRSTOP before the new version is circulated in the organization. An automatic network update will also ease the trouble this problem causes.

How does the F-PROT automatic network updating work?

Automatic network updating is a system in which local area networks are used for version management of the F-PROT program. When a new version comes out, the system manager copies it onto the hard disk of a file server. During login to the network, the workstations automatically check whether the server holds a newer version of the program than the local hard disk. If so, the local version is automatically replaced by the latest one. F-Secure Ltd. has developed an automatic network updating system which functions in LAN Manager and Novell networks as well as in almost all other network operating systems. The largest companies using the F-PROT update system manage updates to over a thousand PCs at a time with just such a system; in such cases, manual updating would be an overwhelming task. For more information about the F-PROT automatic network update system, contact F-PROT Support at F-Secure Ltd.

While I was checking a diskette with F-PROT, all of a sudden I received the message "An active Stealth virus was found in memory". I couldn't find this virus, however, not even after a clean boot. What is happening here?

Cold-start the computer from a clean diskette and run the check again. If the virus cannot be found on the hard disk or diskettes, the situation was caused by something other than a stealth virus. While checking files, F-PROT also continually monitors the state of the operating system. When F-PROT begins to examine a file, it notes the file's expected size and, after the file has been scanned, compares it to the actual file size.
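The consistency check just described, reconstructed as an added example (not F-PROT's own code): the size the operating system reports for a file is compared with the number of bytes actually read from it, and names that would resolve to a DOS device rather than a file are flagged before the file is opened. The sample files, the 200-byte discrepancy and the "lying" size reporter that stands in for a resident stealth virus are all constructed for the demonstration.

```python
"""Cross-checking the size the file system reports against the bytes read.

Added example, not F-PROT's own code: it reconstructs the consistency check
the answer describes.  The size reported for a file is compared with the
number of bytes actually read from it, and names that collide with DOS
device names are flagged before the file is even opened.  The sample files
and the "lying" size reporter standing in for a stealth virus are constructed
for the demonstration.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Device names reserved by DOS.  The first six are from the answer above;
# AUX and NUL are the other standard DOS character devices.  DOS resolves the
# name before the first dot, so "CON.TXT" names the CON device as well.
DOS_DEVICE_NAMES = {"COM1", "PRN", "LPT1", "XMS000", "CON", "CLOCK$", "AUX", "NUL"}


@dataclass
class Finding:
    path: str
    reason: str


def reserved_device_name(name: str) -> bool:
    """True if the part of the name before the first dot is a DOS device name."""
    return name.split(".", 1)[0].upper() in DOS_DEVICE_NAMES


def reported_size(path: str) -> int:
    """What the operating system announces for the file (os.stat)."""
    return os.stat(path).st_size


def check_file(path: str, size_reporter: Callable[[str], int] = reported_size) -> Optional[Finding]:
    """Flag a file whose reported size differs from what reading it yields,
    or whose name would be resolved to a device rather than a file."""
    if reserved_device_name(os.path.basename(path)):
        return Finding(path, "name collides with a DOS device name")
    announced = size_reporter(path)
    actual = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(65536):
            actual += len(chunk)
    if actual != announced:
        return Finding(path, f"reported {announced} bytes but read {actual}")
    return None


def demo() -> list[str]:
    """Constructed sample: a clean file, a file whose size is under-reported
    by 200 bytes (as a stealth virus hiding appended code would do), and a
    device-named file.  Returns one result string per file."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "README.TXT")
        with open(clean, "wb") as fh:
            fh.write(b"x" * 1024)
        host = os.path.join(d, "TEST.COM")
        with open(host, "wb") as fh:
            fh.write(b"h" * 4096 + b"v" * 200)  # 200 "hidden" bytes appended

        def lying_reporter(p: str) -> int:
            # Stands in for a resident stealth virus feeding DOS a false size.
            return reported_size(p) - 200 if p == host else reported_size(p)

        results = [
            check_file(clean, lying_reporter),
            check_file(host, lying_reporter),
            check_file(os.path.join(d, "CON.TXT"), lying_reporter),
        ]
        return [r.reason if r else "ok" for r in results]


if __name__ == "__main__":
    for line in demo():
        print(line)
```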
If there is a discrepancy, it can be assumed that something is feeding the operating system counterfeit information, which is exactly what active stealth viruses are known to do. A similar situation may also arise if the disk's directory structure contains corrupted data. If the disk contains two files with the same name in a single directory, the second one cannot be handled by any DOS function. F-PROT opens files one by one regardless of their names, but it compares each file's length to the value DOS reports for it. When the two values do not match, F-PROT remarks on this. Because DOS does not allow two files with the same name to be created in a single directory, such a situation can only result from an error or a deliberate alteration.

The same message also results if the disk contains a file named after a device driver. Such names are, for example, COM1, PRN, LPT1, XMS000, CON and CLOCK$, and they are reserved exclusively for DOS's use. Through these virtual names, data can be sent directly to devices. DOS does not allow files to be named after device drivers, but such a file may result from an error, or if a diskette has been used in some other computer environment. In this case, F-PROT ends up comparing information from a real file with that of a virtual device driver, and naturally the two do not match. Logical disk errors such as the ones described above can be corrected with the Norton Utilities or a similar tool.

In Short
Michelangelo'93
This year, the damage caused by Michelangelo seems to have stayed in check pretty well. There have, however, been some serious individual cases. In Australia, the headquarters of an international company were found to be infected a couple of days before the activation date, the 6th of March. Specialists who had been on site reported that they had cleaned thousands of diskettes. On March 7th, a medium-sized company in Iceland announced that it had suffered serious damage because of Michelangelo. According to the company representative, Michelangelo had erased the contents of three Novell-based servers. The monetary value of the damage was not commented upon. A Finnish company employee found out on the morning of March 6th that his gigabyte-sized hard disk had been completely erased. This was first thought to be a hardware problem, but further examination revealed Michelangelo as the culprit. The virus was also found on the company's other computers, and its source was ultimately traced to an original diskette containing special software that had come directly from the USA.

Irresponsible activities continue: Mark Ludwig organizes a virus competition
Mark Ludwig, the US author of The Little Black Book of Computer Viruses, a book that deals with designing computer viruses, continues to stir up controversy. After writing the book he has begun to publish the Computer Virus Developments Quarterly, a magazine that contains advice on designing viruses. In the latest issue Ludwig announced a virus-writing competition, the purpose of which is to find the smallest functional computer virus. The virus has to meet certain conditions. It is not allowed to spread by overwriting its host, and it must function in a normal computer environment under DOS. The virus must also have been written completely by the competitor. Ludwig promises full immunity to all competitors. The prizes consist of diplomas and annual volumes of the Computer Virus Developments Quarterly.

PC Magazine's test astonishes
In the March issue of the US edition of the international PC Magazine there was an extensive test of anti-virus programs. The magazine declared Symantec Norton Antivirus and Central Point Antivirus the winners. 24 products were included in the test. The test methods and results gave rise to astonishment among information security professionals. PC Magazine was criticized for giving the programs' user interfaces excessive weight compared to, for example, their speed, their hit rate, or the level of technical support available from the program's representative. What also caused amazement was the small number of viruses included in the test: only 12 viruses, two to three years old, made up the test set. The test did not measure the programs' ability to find new viruses, nor their efficiency against collections of polymorphic viruses. The most surprising item was the discrepancy with the results of the same magazine's German edition. In its January issue, the magazine PC Professionell published its own extensive virus test, made in co-operation with the professionals of the Hamburg University Virus Test Center. In this test, the winners of the US PC Magazine took 20th and 11th places. 23 products were included in the German test.

The 40-Hex magazine in international circulation
A so-far unknown French organization apparently considers the world-wide spreading of virus code its duty, and to this end it has included the 40-Hex magazine in its ftp server's file collection. Via ftp, anyone connected to the world-spanning Internet can log into a file server that may physically be located on the other side of the planet, and within a couple of seconds transfer files to his own computer. Many ftp servers allow users to log in as anonymous. The French ftp server in question allows anyone to transfer issues of the 40-Hex magazine. 40-Hex is an electronic newsletter published by the international virus group Phalcon/Skism. Issues of 40-Hex are usually quite extensive. They discuss topics connected to virus writing, such as the structures of different file types, the loopholes of DOS and ways to bypass anti-virus programs. In addition, a typical issue of 40-Hex includes hex dumps or documented source code of several different viruses. The publication is thought to have taken its name from subfunction 64 of the DOS interrupt 21h service, which writes data or code into an existing file. In hexadecimal, 64 is 40.

The ARCV virus group arrested
The January update bulletin told of a new English virus group called ARCV. The arrogance of this group proved short-lived when a unit of the English police that specializes in computer crime, New Scotland Yard's Computer Crime Unit, raided the homes of the group members at the beginning of February. Altogether three of the group's nine members were arrested, and the case is still being processed. The group, whose name comes from the words Association of Really Cruel Viruses, managed to write over 30 viruses before being caught. The group gained its reputation by, among other things, addressing a letter describing its activities to the editor of the biggest computer magazine in England. The English police are still processing the case, and they hope that any person whose computer has been infected by an ARCV-made virus will contact them on the matter. ARCV has written at least the following viruses:

159
199
224
240
330
334 (Made)
334-2
Alpha
Anna Nichols
ARCV '93 (ICE-9)
ARCV 1
ARCV 2
ARCV 3
ARCV 4
ARCV 5
ARCV 6
ARCV 7
ARCV 8
ARCV 9
ARCV 10
ARCV Sandwich
ARCV Xmas
Benoit
Chad
Coolboot
Dennis 1
ECU
Friends
Jo V1.01
Joanna Exersiser
Joanna V1.11
McWhale
More
Reaper Man
Scroll
Scythe
Small ARVC
Small EXE
Solomon
Spawn 1
Toxic
Toxic 2
Toxic 3
Toxic C
Two Minutes to Midnight
X-1
X-2
Zaphod

At Scotland Yard, inspector constable Noel Bonczoszek works on the case. He can be contacted by phone on the number 990 44 71 230 1177. Reports on incidents involving ARCV will be treated confidentially.

The Nabob Trojan Horse on CD-ROM
A rare discovery was made at the beginning of March: a Trojan Horse was found on a CD-ROM that was marketed internationally. The disc in question is called Libris Britannica and it contains all kinds of freeware and shareware programs. The Trojan on the disc is called Nabob. Nabob can, however, be called more of a joke program than an actual Trojan Horse: it claims to be the most efficient packing program in the world, and when it is used, it does indeed pack great volumes of data into a single one-byte file. It is a pity that Nabob cannot extract the packed files it creates...

NuKE publishes its own mutation generator
In April, a member of the international virus group NuKE informed the public that NuKE has developed its own mutation generator. The group member, known by the pseudonym T*L*N, announced that the generator will be published soon. This NuKE product is known by the working name NME, or NuKE Mutation Generator. The NuKE members do not intend to make their generator into an object module, like MtE or TPE, but will publish the source code of their program in its entirety. That way virus writers can familiarize themselves with the functioning of polymorphic viruses on a basic level. According to the technical information T*L*N has given out, NME is comparable to MtE in complexity.

New Macintosh Viruses Discovered
Viruses are a problem for companies using Apple Computer's Macintosh systems as well. There have been quite few different viruses for the Macintosh, 16 in all, but some of them have caused large epidemics and continue to spread rapidly. Two new Macintosh viruses appeared in April 1993.

INIT-M
The INIT-M virus affects Macintosh computers running System 7. The virus infects all kinds of files, including extensions, applications, preference files and document files, and may severely damage the file system on infected Macintoshes. The virus was discovered at Dartmouth College, in a file downloaded from the Internet. It was found to spread rapidly to applications and other files under System 7. It did not spread or activate on System 6 systems. The virus spreads as application files are run, and is likely to spread extensively on an infected machine. The infection is accomplished by altering existing program code.

The virus does extensive damage to systems running on any Friday the 13th. Files and folders are renamed to random strings, creation and modification dates are changed to Jan. 1, 1904, and file creator and type information is scrambled. This changes the icons associated with the files and destroys the relationship between programs and their documents. In some cases, one file or folder on a disk may be renamed "Virus MindCrime". In some very rare circumstances, the virus may also delete a file or files. When present on an infected system, the virus may interfere with the proper display of some application window operations. It will also create a file named "FSV Prefs" in the Preferences folder. Recovery from this damage will be very difficult or impossible. The damage caused by the INIT-M virus is very similar to that caused by the INIT 1984 virus. Despite this similarity, the two viruses are very different in other respects, and should not be confused.

The INIT 17 Virus
The INIT 17 virus infects both the System file and application files. It does not infect document files. It was discovered in New Brunswick, Canada. The virus displays the message "From the depths of Cyberspace" the first time an infected Macintosh is restarted after 6:06:06 A.M. on October 31, 1993. After this message has been displayed once, it is not displayed again. The virus contains many errors which can cause crashes and other problems. In particular, it causes crashes on Macintoshes with the 68000 processor, such as the Macintosh Plus, SE and Classic. For technical reasons, the virus does not infect some applications, and on some systems it does not spread at all. It does, however, spread under both System 6 and System 7.

Sources: Usenet newsgroup comp.virus; spaf@cs.purdue.edu; John Norstad, Northwestern University, USA.

Disinfectant Version 3.2 Protects Macintoshes
Disinfectant, the leading anti-virus tool for the Macintosh, has been upgraded to version 3.2 to recognize the new Macintosh viruses that appeared in April 1993. Disinfectant 3.2 finds and disinfects all Macintosh viruses known to date. It can actively protect a system against infections, so that no known virus will get into the system. Disinfectant 3.2 is compatible with Macintoshes running System 6.0 or newer, including System 7. F-Secure Ltd. is an authorized distributor of the Disinfectant anti-virus toolkit. The Disinfectant package is delivered free of charge to our registered F-PROT customers. Contact your local F-PROT dealer for more information.

Changes in F-PROT Version 2.08
More functionality in the VIRSTOP program

The VIRSTOP program includes many new features. They are:

o automatic checking of the boot sectors of disks and diskettes
o checking of program files when they are copied or when other operations are performed on them
o checking the boot sector of the diskette in drive A when the user presses Ctrl-Alt-Del

These are not default functions, and they are not performed when VIRSTOP is run without parameters. VIRSTOP now recognizes the following parameters:

/DISK
VIRSTOP stores the virus signatures on disk, reducing the program's memory requirement from 15 kilobytes to 3 kilobytes. The /DISK parameter should not be used with the DEVICEHIGH clause. DEVICE and LOADHIGH, on the other hand, are fully functional.

/FREEZE
If the /FREEZE parameter is used, VIRSTOP stops the computer when it finds a virus. VIRSTOP displays the name of the virus and a customized message on the screen before stopping the computer. By using the /FREEZE parameter, the risk of a virus succeeding in spreading is minimized: the user cannot ignore a virus infection even if he wants to.

/BOOT
This parameter commands VIRSTOP to check the boot sectors of all disks and diskettes when they are used. The check is made whenever any operation, for example a directory listing, is performed on the disk. The function can be turned off with the parameter /NOBOOT. When somebody attempts to use an infected diskette, VIRSTOP displays the following message on the screen:

    VIRSTOP alert! - virus on diskette
    Press [ENTER] to continue.

/COPY
If the /COPY parameter is used, VIRSTOP checks program files when they are read. This means that if programs are copied or edited, they are checked at the same time. This function can be turned off with the parameter /NOCOPY. When a virus is found, the /COPY function announces it in the same way as when it notices an attempt to execute an infected file:

    C:\TEST.EXE is infected with the Cascade virus.

and prevents the use of the program, whereupon DOS announces, depending on the version:

    Cannot execute: TEST.EXE
    Access denied: "test.exe"
    Bad function

/WARM
If VIRSTOP is started with the /WARM parameter, it checks whether the computer's drive A contains a diskette when the user presses Ctrl-Alt-Del. If the drive contains a diskette, its boot sector is checked for viruses. If the diskette is clean, the computer is rebooted, but if it contains a virus, the user is informed of the matter and advised to remove the diskette before booting the computer again:

    VIRSTOP: Virus-checking A:
    VIRSTOP alert! - virus on diskette
    Press [ENTER] to continue.
    Remove diskette and reboot again.

The use of the /WARM parameter does not give foolproof protection against boot sector viruses, because it cannot prevent booting from an infected diskette if the computer is reset by using the reset switch or by turning off the power. In addition, some badly designed TSR programs hijack the Ctrl-Alt-Del function for their private use, in which case VIRSTOP cannot perform the check. The check cannot be made under Windows, either.

When VIRSTOP is started without any parameters, it reports its status. For example:

    C:\F-PROT\VIRSTOP
    VIRSTOP is already installed.
    VIRSTOP will scan programs when they are run.
    VIRSTOP will scan programs when they are run or copied.
    Diskette boot sectors are scanned when the diskette is accessed.
    The A: boot sector is scanned when Ctrl-Alt-Del is pressed.

The check on executed files is always performed regardless of other parameters.

VIRSTOP slows the computer down a little, because it is a background program which activates every now and then while the computer is used. In most cases, however, the slowdown is not even noticeable. The following test gives some idea of VIRSTOP's speed: A group of programs was executed. Among them were normal MS-DOS auxiliary programs, ARJ, Image Alchemy, MODE, MEM and most of the programs of Norton Utilities. Altogether 200 programs were executed. The programs' execution time was measured with the TIMER function of 4DOS v4.02. The tests were performed as batch processing without human interference. Without anti-virus programs the batch processing took 2 minutes 19 seconds. When VIRSTOP was used, it was slowed down by three seconds. When VIRSTOP was run with the /DISK parameter, the slowdown was more noticeable: one minute and two seconds. The test was performed on a 20 MHz 386 computer with no disk cache.

The functioning of Heuristic Analysis has changed
The Heuristic Analysis of F-PROT has been undergoing revisions for almost two years. Its hit rate has improved constantly while the number of false alarms has gone down. From version 2.08 onwards, the structure of the reports produced by the Heuristic Analysis is simpler. When a heuristic search is initiated, F-PROT first checks the files with Secure Scan, using its normal search signatures and algorithmic methods. If a file is not found to contain a virus, it is also searched with heuristic methods. F-PROT 2.08 no longer gives a free-form report on the nature of the files. Instead it states either:

    C:\TEST.EXE seems to be infected with an unknown virus.
    Please contact F-Secure Ltd. or FSI and send us a copy for analysis.

or:

    C:\TEST.EXE contains virus-like code.
    Please contact F-Secure Ltd. or FSI to check if this is a known false alarm or send us a copy for analysis.

In addition, F-PROT classifies damaged program files separately. It reports them either as:

    This is an invalid executable file.
    It starts with an instruction which transfers control out of the program.
    Any attempt to run this program will result in a system crash.

or:

    This is an invalid executable file.
    The entry point is outside the program.
    Any attempt to run this program will result in a system crash.

In this way, the user can easily find potentially corrupted program files. The Heuristic Analysis reports should be taken seriously: a file must meet several different conditions before it is suspected of having been infected. In the tests that F-Secure performed using the new Heuristic Analysis, not a single false alarm was produced. Users who still wish to use the old, free-form descriptions can start F-PROT with the parameter

    C:\F-PROT /guru

in which case traditional-style heuristics are used.

F-PROT 2.08 - other changes
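As an added illustration of the two "invalid executable file" conditions quoted in the Heuristic Analysis section above (example code written for this bulletin, not F-PROT's own; the MZ header arithmetic and the .COM leading-jump test are this example's assumptions about what such a classifier checks, and make_mz only builds a constructed test image):

```python
import struct
from typing import Optional

# Layout of the 28-byte DOS "MZ" header: magic, then 13 little-endian WORDs
# (e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
#  e_csum, e_ip, e_cs, e_lfarlc, e_ovno).
MZ_HEADER = struct.Struct("<2s13H")

def exe_entry_problem(data: bytes) -> Optional[str]:
    """Return why a DOS EXE image has an invalid entry point, or None if it looks sane."""
    if len(data) < MZ_HEADER.size:
        return "file shorter than an MZ header"
    fields = MZ_HEADER.unpack_from(data)
    magic, e_cblp, e_cp, e_cparhdr = fields[0], fields[1], fields[2], fields[4]
    e_ip, e_cs = fields[10], fields[11]
    if magic not in (b"MZ", b"ZM"):
        return "not an MZ executable"
    # Image size from the page count; e_cblp gives the bytes used in the last page.
    image_size = e_cp * 512 - (512 - e_cblp if e_cblp else 0)
    header_size = e_cparhdr * 16
    # The initial CS:IP is relative to the load module, which follows the header.
    entry = header_size + e_cs * 16 + e_ip
    if entry >= min(image_size, len(data)):
        return "entry point is outside the program"
    return None

def com_entry_problem(data: bytes) -> Optional[str]:
    """Return why a .COM file's first instruction is suspect, or None.
    A .COM file is loaded at offset 0x100 and entered at its first byte, so the
    target of a leading relative JMP maps straight onto a file offset.
    """
    if not data:
        return "empty file"
    if data[0] == 0xEB and len(data) >= 2:          # JMP SHORT rel8
        target = 2 + struct.unpack_from("<b", data, 1)[0]
    elif data[0] == 0xE9 and len(data) >= 3:        # JMP NEAR rel16
        target = 3 + struct.unpack_from("<h", data, 1)[0]
    else:
        return None  # not a relative jump; this check has nothing to say
    if not 0 <= target < len(data):
        return "first instruction transfers control out of the program"
    return None

def make_mz(e_cs: int, e_ip: int, image_size: int = 64) -> bytes:
    """Build a constructed MZ image (header plus NOP padding) for testing."""
    header = MZ_HEADER.pack(b"MZ", image_size % 512, (image_size + 511) // 512, 0, 2,
                            0, 0xFFFF, 0, 0, 0, e_ip, e_cs, MZ_HEADER.size, 0)
    return header.ljust(image_size, b"\x90")
```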
At the same time as the functioning of the heuristics was changed, all the individual search and disinfection routines for viruses were moved to the file SIGN.DEF. This was done to reduce the amount of memory F-PROT needs in order to function. F-PROT 2.08 requires about 320 kilobytes of available memory, and the Heuristic Analysis needs about 50 kilobytes more.

If the APPEND auxiliary program, which distorts directory information, was loaded before the VIRSTOP of F-PROT 2.07, VIRSTOP would not install itself but declared an incompatibility instead. This problem has now been solved.

The following false alarms have been fixed:

o "Possibly a new variant of ARCV", caused by the SPINRITE.COM made in the year 1988
o the TPE alarms caused by certain data files

Although F-PROT did remove the following viruses, the disinfected files were not exact copies of the originals. The matter has now been taken care of:

Tula-419, Prudents, Tiny.198, Macedonia, Gotcha.C, Vbasic.B, Vbasic.C

New viruses recognized by F-PROT 2.08

F-PROT 2.08 is able to find and disinfect the following new viruses (94):

_388, _558, Arcv.Lurve, Armagedon.1074, Beer (2794), Beer (2850), Beer (3164), Baobab.731, Black Jec.307, Comvirus, Creeper.476, Danish Tiny (177), Danish Tiny (180), Dark Avenger.1800.Quest, Diamond (444), Diamond (465), Diamond (594), Diamond (602), Diamond (606), Diamond (607), Diamond (608), Diamond (620), Diamond (621), Diamond (624), Diamond (626), Diamond (891), Diamond (1013), Diamond (Sathanyk-1399), Dreamer, Dutch Tiny.124.B, Frajer, Fumble.D, Gotcha.F, Hamster, Intruder (1326), Intruder (1440), Intruder (1967), Intruder (1988), Intruder (2136), Jerusalem.Glory, July 13th.1199, Kiwi, Liquid, Marauder.860.B, Phalcon.Elvis, Pixel (Cheef), Pixel (762), Polish Tiny.176, Print Monster, Problem.854, Protect.2535, Russian Tiny (C.146), Russian Tiny (C.150), Russian Tiny (C.157), Russian Tiny (D.129), Russian Tiny (D.130), Russian Tiny (D.132), Semtex (619), Semtex (1000.C), Shaman, SillyCR.178, Simple 1992, Sinep, Star One (222), Star One (Cybertech.A), Star One (Cybertech.B), StinkFoot.2-E, SVC (1228), SVC (5.0-C), Timid (290), Timid (297), Timid (320), Timid (371), Timid (382), Timid (513), Timid (526), Uruk-hai (300), Uruk-hai (361), Uruk-hai (394), Vienna (518), Vienna (561), Vienna (600), Vienna (618.B), Vienna (648.E), Vienna (700), Vienna (851), Vienna (MD.354), Vienna (MD.498), Vienna (MD.499), Vienna (MD.557), Vienna (New Years), Vienna (Vio-lite), Vienna (Violator.Baby), Youth.Hannibal

F-PROT 2.08 is able to find, but not yet disinfect, the following new viruses (6):

VCL (933), VCL (Chuang), VCL (Diarrhea), X-1.570, Yankee.XPEH.4752, Zherkov.1940

F-PROT 2.08 recognizes the following new viruses created by the PS-MPC virus generator (20):

Alien, Bamestra.1, Bamestra.2, Bamestra.3, Bamestra.4, Bamestra.5, Bamestra.6, Bamestra.7, Bamestra.8, Bamestra.9, Bamestra.10, Cinco, Demoexe, Gold, Jo.916, Jo.942, Tim.301, Tim.401, Tim.515, Warez

Version 2.08 also recognizes the following new viruses (14). These viruses cannot be disinfected because they overwrite or otherwise damage the files they infect. They can only be removed by destroying the infected file.

Burger.560.Liquid, Itti.Toxic, Leprosy (FVHS.1644), Leprosy (Surfer), Milan.BillMe, Trivial (Wolverine), Trivial (30-D), Trivial (64), Trivial (81), VCL (408), VCL (423), VCL (481), VCL (666), VCL (Dome)

The following viruses can now be disinfected. Earlier versions of F-PROT could only destroy the infected files:

Cascade (1703-Jojo), Cascade (Formiche), Ear.Ear

The capability to recognize about a hundred new viruses has also been added to F-PROT 2.08, but these viruses have not yet been analyzed and given actual names. F-PROT knows them by names that consist of an underscore and the size of the virus.

Appendix: PC Professionell Antivirus Test
PC Magazine's German edition, PC Professionell, tested the most common anti-virus applications in its January 1993 issue. The products were tested against a collection of 2791 infected files. The products included in the test received the following scores:

Product            Version  Producer                  Found  Removed
F-PROT             2.05a    Frisk Software Intl        2686     1707
Antivir IV         4.04     H+BEDV Datentechnik        2618     2189
Solomon Toolkit    5.61     S&S International          2566     1301
Turbo Antivirus    8.3      Carmel Software            2444     1142
McAfee Scan        8.7V95   McAfee Associates          2429      652
Anti Viren Kit     2.18     G Data                     2403      622
AntiVirus Plus     4.20     Iris                       2330     1154
ViruSafe Gold      4.6      Xtree                      2223      395
Virus-Police       1.31     Uti-Maco Software          2135      691
Virus-Blocker      3.2      Expert Informatik          2103      258
CPAV for DOS       1.2      Central Point Software     2006      996
Search&Destroy     1.1      Fifth Generation System    1995      478
CPAV 4 Windows     1.0      Central Point Software     1989      996
Allsafe            1.00     Xtree                      1951      651
Novi               1.01     Certus                     1788      341
Virus Utilities    1.60AE   Ikarus Software            1757      359
TNT Lite           1.0      EPG International          1709      694
PC Rx              2.0      Trend Micro Devices        1695      287
VirusCure-Plus     2.41     McAfee / IMSI              1655      684
Norton NAV         2.0      Symantec                   1622      549
PC-cillin          3.2      Trend Micro Devices        1301      186
V-Care             4.32a    NSE Software               1115      731
AP-355                      Jürgen Liskowski           1074       81
F-PROT was selected as editor's choice.

F-PROT Professional Support <f-prot@datafellows.fi>