F-PROT Professional Update Bulletins

F-PROT Professional 2.11 Update Bulletin
CONTENTS BRIEFLY

CONTENTS 1/94

F-PROT Professional for Windows
  Centralized Management
  New Concepts and Capabilities
  Benefits and Drawbacks
  You Can't Stop Progress
New Viruses
  The Olympic virus hits the news
  Nice-virus making rounds on driver diskettes
  Ripper
  JSB
News In Short
  More Windows-viruses: Cyber Riot
  The First OS/2 Virus
  Immortal Riot: Yet Another Virus Gang
  Phalcon/Skism Infiltrates Internet
The Form Virus and Other Boot Sector Viruses
  Boot sector viruses and different operating systems
  Non-System Disk
  The Functioning of the Form Virus
  Activation
  Disinfection
Common Questions and Answers
Changes in F-PROT 2.11
New viruses detected by F-PROT 2.11


This text may be freely used as long as the source is mentioned. F-PROT Professional 2.11 Update Bulletin; Copyright (c) 1994 F-Secure Ltd.
F-PROT Professional for Windows
The Windows version of F-PROT Professional is ready. It combines the anti-viral features of F-PROT for DOS with the opportunities provided by the Windows environment.

Centralized Management
F-PROT Professional for Windows can be used equally well in single-user machines or in a network. In a network, the programs on individual workstations form a system which can be administered from any workstation by a single person. With the Windows version you can transfer scanning tasks, updates, mail and reports through the network. Infected files can also be transferred securely to the administrator for closer examination.

New Concepts and Capabilities
We have striven to make F-PROT for Windows as easy to use and as efficient as possible. To that end, we have introduced new concepts and capabilities into the program. Scans are now arranged into tasks. Simply put, tasks are stored sets of scan parameters. It is no longer necessary to define scan settings over and over again; a stored task can be launched with the click of a single button. Tasks can be created, deleted and modified at will. The program incorporates such capabilities as background scanning, scheduling and automatic reporting over the network, to name a few. It is also possible to set scans to be executed when the computer is idle.

Benefits and Drawbacks
The Windows environment has both benefits and drawbacks for antiviral measures. The Windows architecture makes background execution, task scheduling and central version management possible. And since the available memory in the Windows environment is enormous compared to basic DOS memory, memory-resident protection mechanisms can be designed to be much more thorough. Thanks to the graphical user interface, the programs are also easier to use. On the other hand, such benefits are balanced by certain weaknesses. In the Windows environment, security is always compromised to some degree. This flaw is inherent, resulting from the comparatively large number of programs that must run in order to start Windows. Since any one of those programs may be infected, a virus may well get loose before a Windows antivirus program can be started. To reduce the risk, a background scanning program, such as VIRSTOP, should be active at all times. Under normal conditions, F-PROT Professional for Windows works well enough on its own. However, if you have a reason to suspect a virus infection, we recommend booting your computer from a clean diskette and checking the hard disk with F-PROT for DOS.

You Can't Stop Progress
The development of the Windows version will continue ceaselessly. The following functions that are present in the DOS version of the product are not yet included in the Windows version:

Scanning inside compressed files
The program does not yet know the full range of compression formats that the DOS version does. Unknown types of compressed files will only be checked for external infections.

Finding polymorphic viruses
F-PROT for Windows does not find all polymorphic viruses that the DOS version recognizes. This will be corrected in the next version. However, the most common polymorphic viruses (like MtE viruses) are found.

Heuristic analysis
The Heuristic Analysis scanning method is not functional yet. Not to worry, though; Quick Scan and Secure Scan can handle any situation except an attack by a completely new virus. Such occurrences are quite rare. Most viruses are modifications of old ones.

User-defined search strings
You cannot yet define your own virus search strings. The program's own search string database contains the search strings of all known viruses, though. In the case of an emergency, you can get an updated database from your local F-PROT distributor.

Active protection
In the near future a special Windows-based background protector will be included with F-PROT Professional for Windows. This mechanism will protect computers against known viruses by using our Secure Scan technology - this is something that cannot be done in the DOS environment due to memory restrictions.

Virus descriptions
Virus descriptions are not yet included with the Windows version of F-PROT. The descriptions will be implemented as easy-to-use help files in the next updates.

The functions mentioned above are described in the User's and Administrator's Guides. The instructions given there are valid for the next update.

New Viruses
The Olympic virus hits the news
The VCL.Olympic virus received a lot of publicity in the beginning of February. This was caused by the Olympic-themed activation routine of the virus, and the suspicion that the virus had infected the computer systems of the 1994 Winter Olympics in Lillehammer. In later checks this virus was not found in the Lillehammer systems. VCL.Olympic was written by the Swedish virus-writing group Immortal Riot. This group is discussed more closely in another story in this Update Bulletin. VCL.Olympic is a normal COM file infector. The method used by the virus to search for the next file to be infected is not very efficient, though. Once the virus has infected a large number of the files on the hard disk, it might take half a minute for the virus to find a new victim file. Such a slowdown is likely to make the virus easier to spot. The virus activates at random after the 12th of February - the 1994 Winter Olympics start on this date. At the time of activation, the virus draws the Olympic rings on the screen and displays some comments about the Games. After this, it overwrites the first 256 sectors of the first hard disk in the system. The virus also disables Ctrl-C and Ctrl-Break during the destruction routine. Finally, the machine hangs. When an infected file is executed, the virus first decrypts its code. Then it starts to recursively search for suitable victim files, starting from the root directory of the current drive. When the virus finds a file to infect, it first checks its size to make sure the added virus code will not grow the file over the size limit of COM files, 64 KB. Then it inspects the first bytes of the candidate file to see if it already contains a jump construct similar to the one the virus is about to insert at the beginning of the file. If such a structure is found, the virus considers the file to be already infected and starts to search for another victim. The virus does not check for the `MZ' or `ZM' markers to distinguish EXE files.
This means that the virus will corrupt EXE files that have been renamed to have a COM extension. When such a corrupted file is executed after infection, the virus will be able to spread further, but is unable to transfer control back to the original program. In most cases the machine will just crash. The actual infection process consists of storing the original first three bytes of the file at the end of the file and replacing them with a jump to a decryption routine, which the virus also appends to the end of the file. An encrypted version of the virus code is also stored at the end of the file, before the decryption routine. The virus uses a single pseudo-random variable key based on the infection time to encrypt its code. VCL.Olympic is able to infect files which have the DOS read-only attribute turned on. It will also restore the date and time stamps of the infected files. However, infected files grow in size by 1440 bytes, and this is visible in the directory listing. The virus has no directory-stealth routines, since it does not stay resident. VCL.Olympic has a one-in-ten chance to activate if the date is equal to or greater than the 12th of February. The current year is not tested, so the virus will activate in the future as well. If the virus does not activate, it will return control back to the original program. A lot of the code resembles the viruses generated by the VCL virus generator, up to the point of the standard VCL-like note; a short message at the end of the virus, which is not displayed at all. In this virus, the note text reads: "Olympic Aid(s) `94 (c) The Penetrate". This virus is probably based on VCL-created code, and has just been modified to avoid detection by some of the most popular scanners. F-PROT Professional 2.11 detects and disinfects VCL.Olympic.

Nice-virus making rounds on driver diskettes
The Nice virus was found for the first time in Hong Kong in January, 1994. Two weeks later a minor variant of this virus was found in a completely different part of the world, in the most northern part of Scandinavian Lapland. This variant was named Nice.B, and it had arrived in Lapland with a set of video driver diskettes provided with new video cards. F-Secure Ltd. located the manufacturer of the video cards in question in Hong Kong. However, the original diskettes were found to be clean. Obviously the virus had infected the driver diskettes on the way from Hong Kong to Lapland. So far, this infection case seems to be of global scale. The Nice virus will first infect three COM and EXE files in the current directory. After that, it will do the same in the C:\DOS directory. Nice will not infect files that have the read-only attribute set. Nice overwrites the first 277 bytes of the victim files with its own code. This means that the infected files are irreparably damaged, and the only way to fix them is to reinstall or to restore from backups. After finishing its infection routine, the virus will display the text "Bad Command or file name", and finish its execution. The virus probably does this in order to conceal its presence a little, as the user might just think that he made a mistake while typing the program's name. The size of the infected files will change only if the original length is smaller than 277 bytes. The timestamp of the infected files will be updated to the infection time - this makes it easier to spot the infected files. The virus does not stay resident in memory and is very simple in operation. It does not encrypt its code and does not contain any activation mechanism. The only way to disinfect the files is to replace them with clean originals. F-PROT Professional 2.11 detects all known members of the Nice virus family.

Ripper
The Ripper virus was first discovered in Norway, in November 1993. Since then, it has also been found in the USA and Canada. Ripper is a boot sector virus. It infects the boot records of diskettes and the Master Boot Records of hard disks. The virus can infect a hard disk only when someone tries to boot a computer from an infected diskette. Once the hard disk has been infected, the infection will spread to all non-protected diskettes used in the computer. The virus's code is two sectors long. On a hard disk, the virus reserves the root directory's last two sectors for its own use. It moves the original boot record to the last sector, and stores a part of its own code on the one before that. Unlike many other boot sector viruses, Ripper encrypts its code. It uses a variable key to do that, which is even more unusual. Ripper is also a stealth virus, hiding its presence in the computer while it is active in memory. The virus subverts disk writes by swapping two words in the write buffer. The virus picks the writes randomly, corrupting approximately one write in a thousand. This kind of damage is insidious and hard to spot - both the hard disk and the backups may be corrupted before anyone notices the virus. Ripper's code contains two encrypted text strings: "F... 'EM UP" and "(C)1992 Jack Ripper". F-PROT Professional 2.11 detects and disinfects the Ripper virus.

JSB
The JSB or J.S.Bach virus was found in northern Europe during the last week of 1993. The virus was reported by a computer vendor, who suspected his merchandise had already been infected when he received it from the computers' importer. However, this suspicion could not be proven true. The vendor sent a sample of suspicious files to F-Secure at the end of December, 1993 - at this stage, the vendor did not think he was dealing with a real infection. When F-PROT's Heuristic Analysis reported a probable infection in the sample files, he thought he had received a false alarm.
However, a closer examination revealed the files to be infected by a new, previously unknown virus. JSB infects only program files with the extension COM, increasing the size of infected files by 498 bytes. The virus infects only files in its current directory - this means that the virus can cross between directories only if an infected program is executed from another directory by giving its full path name. To demonstrate the point, let us suppose that a program is executed from AUTOEXEC.BAT with a command like C:\DOS\MODE.COM. Since AUTOEXEC.BAT is located in the root directory, the virus will be able to infect files in the root directory. Since the virus does not perform any checks on the victim file's internal structure, it will also infect files that are structurally EXEs, but which have been renamed COMs. Such files are damaged by the infection, and they cannot be executed normally afterwards. When the virus is searching for a victim file to infect, it makes the following checks on the likely candidates:

o The file may not be already infected. The virus marks infected files by placing the characters `JSB' at the beginning of the file (at offset 3 from the file's beginning).
o The file must be larger than 15 bytes.
o The file must be smaller than 64513 bytes - the virus checks this in order to keep the size of infected files smaller than the upper size limit of COM files, which is 64 KB.

When a suitable victim file turns up, the virus infects it by changing the file's first 16 bytes and appending the actual virus code. The infection will spread further the next time the program is executed. Since the virus does not stay resident in memory, it will only spread when infected files are executed. Infected files can be transferred from one computer to another via any channel that allows the exchange of executable programs. Such channels include floppy disks, networks and modem connections. The J.S. Bach virus can also infect files that have been protected with the DOS Hidden or Read-Only attributes. The virus does not update the date or time stamps of the files. The virus contains the text `J.S. Bach by TXQ', but does not display it. When the virus is executed, it checks the current date. If the year is 1993, and the day is above the 20th of any month, the virus activates. If the year is not 1993 - the situation applying currently and in the future - the virus activates on all days of the year. When the virus activates, it installs a tiny routine to be resident in memory. This routine will then assume control over all disk activities. The disk-controlling routine is installed in low DOS memory, and it overwrites a part of the interrupt vector table. Since the routine does not consume any DOS memory, it cannot be seen with the usual memory mapping utilities. The BIOS disk interrupt INT 13h will be redirected to this routine. Every time INT 13h is called, the virus will increment a counter. One of every 200 disk access requests is redirected to the first physical drive (typically floppy drive A:) instead of the original disk. This causes floppy drive A: to spin occasionally when the virus is active. The damage caused by this routine cannot be easily estimated. A likely result is that a large amount of data on the hard disk gets corrupted. The corruption starts when, for example, a program or DOS itself tries to read the allocation or directory information, and the virus redirects the read request to the floppy drive instead of the hard disk. Later on, information that is based on this wrong data is written to the hard disk, causing random corruption. This kind of damage is quite fatal, since one cannot determine which data is correct and which has been corrupted. If the virus manages to stay unnoticed for long enough, backups will also be corrupted. Although the structure of the virus is simple, the routines incorporated in it are quite destructive.
The virus itself can be easily found and removed. F-PROT Professional 2.11 detects and disinfects the JSB virus.

News In Short
More Windows-viruses: Cyber Riot
Cyber Riot is the first truly advanced Windows virus. Until now, Windows viruses have been cumbersome, slow to spread, and technically quite rudimentary. Cyber Riot, however, is a real threat in the Windows environment. What makes the new virus so remarkable is that it is able to use the Windows dynamic-linking structure and pass control smoothly to the programs it has infected when its own execution has run through. Previous Windows viruses have been unable to do this. Cyber Riot also stays resident in the background while Windows is active. Cyber Riot spreads through Windows applications. When an infected application is run, the virus strives to strike at the Windows kernel file. Once the kernel file is infected, the virus starts together with Windows and infects every Windows application that is run on the computer. The virus activates on certain dates, displaying message boxes. After the user clicks OK to remove the box, the virus overwrites a part of the hard disk. Cyber Riot infects only Windows applications and the Windows kernel file. The virus is unable to spread under DOS. However, since many people use only Windows on their computers, this handicap does not necessarily slow the virus's spread to any great degree.

The First OS/2 Virus
For a long time, people have been wondering when the first OS/2 virus will appear. Experts and laymen alike have speculated about its potential for destruction. Well, now it has finally happened. The first OS/2 virus has been found. However, the virus was neither discovered in the wild, nor does it live up to its fierce, if premature, reputation. The virus's source code was published in the latest issue of 40Hex, the electronic magazine distributed by the virus group Phalcon/Skism. The virus is a simple EXE file infector. It only infects files in its current directory. The virus can cross directory boundaries only if an infected program is executed from some other directory. It does not remain resident in memory. Despite its shortcomings, the virus is a pioneer. It is completely functional under OS/2, and able to handle the HPFS (High Performance File System). Even if this specimen does not seem very threatening, that is no reason to let your guard down; other, more dangerous viruses will surely follow it.

Immortal Riot: Yet Another Virus Gang
Swedish soil seems to provide fertile ground for raising virus groups. We remember Beta Boys, Demoralized Youth and the Funky Pack of Cyber Punks. Now a new group, Immortal Riot, has entered the scene. As of latest knowledge, Immortal Riot consists of four members, all of whom have some experience in writing viruses. Thus far, the group has published and distributed about thirty viruses. Most of these viruses are new variants of existing strains. The viruses the group has made or modified are not examples of technical brilliance. The opposite, in fact. Some of them crash the computer or do something else that clearly manifests their presence even to the uninitiated. Others are just plain crude. The group publishes its own electronic magazine, the Insane Riot, which contains articles by the group members themselves and their associates, source codes of viruses, and various back-patting and back-stabbing directed at other members of the virus community.

Phalcon/Skism Infiltrates Internet
Phalcon/Skism is acting up again. The international virus group has opened its own area in the Internet's discussion forum, IRC. IRC is a real-time system where participants see the comments and arguments written by other chatters instantaneously, regardless of the talkers' physical location in the world. Anybody can open up a new discussion area in IRC. The areas are temporary and will stay open as long as they have users. It is also possible to create "robots" which keep areas open indefinitely. Phalcon/Skism has installed such a robot in its own, virus-oriented discussion area. The group's robot is also able to send files to whoever requests them. The new area is both a distribution site and a discussion forum. Since it is public, anyone can join a discussion about the latest virus-writing techniques or just pick up some viruses. By all accounts, traffic in the area seems lively. The site is used for distributing viruses, viral source codes and the 40Hex magazine. The magazine is Phalcon/Skism's own publication, containing tips about virus writing, the source codes of viruses and articles by distinguished virus writers. 40Hex has been discussed at length in previous Update Bulletins. Since Phalcon/Skism changes the domain its robot comes from every now and then, it has proven difficult to put a stop to the activity. Site administrators have been informed of the matter, but so far the group has been allowed to continue its activities.

The Form Virus and Other Boot Sector Viruses
Form was first discovered in Zürich, Switzerland, in February 1990. The virus remained rare for quite a long time, but in 1992 the incidents involving Form began to increase rapidly, and at the moment Form is by far the most common virus in most parts of the world. In Great Britain, for example, one out of three virus incidents involves Form. To spread so quickly, the virus has probably been carried on some original diskettes. It is likely that some preformatted diskettes have also spread the infection somewhere along the line. Two versions of the virus, Form.A and Form.B, have been known for some time. These two are not functionally different from each other. They were recently joined by a new variant, named Form II, which was discovered in a university in Britain. Since Form is a boot sector virus, capable of contaminating a computer only if it is booted from an infected diskette, it cannot spread over a network or a modem connection. When a computer is turned on, it first tries to execute a program from the boot sector of the diskette in drive A. If the drive is empty, the computer boots from the hard disk. By using Setup, most current computers can be set to boot directly from the hard disk. This practice is highly recommendable. However, while the direct hard disk boot makes a computer practically invulnerable to boot sector viruses, it does nothing to protect it against viruses of other kinds.

Boot sector viruses and different operating systems
Since the startup process of PC computers is handled by their own internal BIOS, it is independent of the operating system. This makes it possible for boot sector viruses to infect computers that do not use DOS at all. Most of them do so indiscriminately, with no regard to the computer's operating system. If the operating system is not DOS, though, the viruses are usually unable to function normally. When viruses infect a hard disk that does not contain DOS at all, they find themselves suddenly in the middle of an unfamiliar environment. The consequences depend on the virus in question: the virus may just get stuck in the boot sector and be unable to spread further, it may render the hard disk inaccessible, or it may crash the computer during the next startup. Operating systems such as OS/2, Windows NT or the various versions of Unix do not offer the interrupt services the viruses need in order to spread themselves. However, this does not prevent the virus code from being executed every time the computer is started. For example, the fact that the Michelangelo virus is unable to spread itself further in an unfamiliar system does not prevent it from overwriting the hard disk every sixth of March.

Non-System Disk
All formatted diskettes have a short program in their boot sectors. The boot sector program contains information about the diskette's type. When a computer is booted from a diskette, this program attempts to execute the DOS system files at the beginning of the diskette. If it does not find the files, it displays the following message:

    Non-System disk or disk error
    Replace and strike any key when ready

The wording of the message varies between different DOS versions. If the diskette has been contaminated by a boot sector virus, the virus has already infected the hard disk by this time. Since all diskettes contain the boot sector program, empty ones may carry an infection as well as system diskettes. A common way for the infection to spread is that a user forgets a contaminated diskette in drive A when he turns the computer off. If the diskette is still in the drive when the computer is turned back on, the virus infects the hard disk.

The Functioning of the Form Virus
When a computer is booted from an infected diskette, the viral code in the diskette's boot sector is executed. The virus first allocates two kilobytes of memory in the upper part of RAM for itself and loads the last two kilobytes of its code from the diskette. Having done so, it infects the hard disk's boot sector. On the diskette, the second part of the viral code is stored in what is supposed to be a bad sector area. When the virus infects a diskette, it creates such an area for the express purpose of hiding its code. If Form encounters an error while reading the second part of its code, it usually jams the computer. Such errors may result if, for example, the virus does not wait long enough for the diskette drive's motor to start. When Form infects a hard disk, it reads the partition table and boot record and checks whether it has already infected that particular hard disk. If the hard disk is uninfected and its sector size is the normal 512 bytes, the virus stores the second part of its code and the original boot record at the end of the physical hard disk, usually on the last two sectors. Having done that, Form writes the first part of its code on the hard disk's boot sector. Once the hard disk has been infected, the virus activates every time the computer is booted. Form checks the boot sector offsets 136-137 to ascertain the purity of diskettes and hard disks. If it encounters the hexadecimal numbers FE and 01, it concludes that the diskette or hard disk is already contaminated and does not re-infect it. Otherwise the virus copies its code to the boot sector. While in memory, Form monitors read operations to diskettes in drives A and B. When track zero is read, the virus checks whether the diskette has already been infected. If the diskette is clean, Form tries to infect it, but allows the reading of an already contaminated one to proceed normally.
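As an added illustration of the two infection markers this bulletin describes (Form's FE 01 bytes at boot sector offsets 136-137 above, and the `JSB' characters at offset 3 from the JSB story earlier), here is a small Python indicator check that also flags an EXE header hiding under a COM name, which both JSB and VCL.Olympic would corrupt. It is not F-PROT code; the sample sectors and files are constructed, and the offsets are assumed to be decimal byte offsets.

```python
"""Indicator checks for two 1994-era infection markers (added example, not F-PROT code).

A marker hit is a reason to scan from a clean boot with a real scanner, not
proof of infection on its own.
"""
from typing import List

SECTOR_SIZE = 512
FORM_MARKER_OFFSET = 136            # bulletin: "offsets 136-137", assumed decimal
FORM_MARKER = bytes([0xFE, 0x01])   # value Form tests before deciding not to re-infect
JSB_MARKER_OFFSET = 3               # bulletin: `JSB' placed at offset 3 of the file
JSB_MARKER = b"JSB"
EXE_MAGICS = (b"MZ", b"ZM")         # EXE headers that neither virus checks for


def form_marker_present(sector: bytes) -> bool:
    """Return True if a 512-byte boot sector image carries Form's FE 01 marker.

    A clean boot record normally holds code or parameter data at that offset,
    so the exact pair FE 01 there is a cheap first-pass indicator.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector image" % SECTOR_SIZE)
    end = FORM_MARKER_OFFSET + len(FORM_MARKER)
    return sector[FORM_MARKER_OFFSET:end] == FORM_MARKER


def inspect_com_file(data: bytes) -> List[str]:
    """Return findings for a file that carries a .COM extension.

    Two checks taken from the bulletin: the `JSB' marker written at offset 3,
    and an EXE header under a COM name, which JSB and VCL.Olympic would corrupt
    because they never look for `MZ'/`ZM'.
    """
    findings: List[str] = []
    end = JSB_MARKER_OFFSET + len(JSB_MARKER)
    if len(data) >= end and data[JSB_MARKER_OFFSET:end] == JSB_MARKER:
        findings.append("JSB infection marker at offset 3")
    if data[:2] in EXE_MAGICS:
        findings.append("EXE header under a COM name (would be corrupted, not infected)")
    return findings


def _boot_sector(marker: bytes = b"") -> bytes:
    """Constructed sample: zero-filled sector with the 55 AA boot signature and
    an optional value written at the Form marker offset."""
    sector = bytearray(SECTOR_SIZE)
    sector[FORM_MARKER_OFFSET:FORM_MARKER_OFFSET + len(marker)] = marker
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples, not images of real disks or files.
CLEAN_SECTOR = _boot_sector()
FORM_LIKE_SECTOR = _boot_sector(FORM_MARKER)
CLEAN_COM = b"\xB4\x09\xCD\x21\xC3"                # tiny COM: mov ah,9 / int 21h / ret
JSB_LIKE_COM = b"\xE9\x00\x00JSB" + b"\x90" * 10    # jmp, then `JSB' at offset 3
RENAMED_EXE = b"MZ" + b"\x00" * 30                  # EXE header saved under a .COM name


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("form-like", FORM_LIKE_SECTOR)):
        print("%s sector: Form marker present = %s" % (name, form_marker_present(sector)))
    for name, blob in (("clean", CLEAN_COM), ("jsb-like", JSB_LIKE_COM), ("renamed exe", RENAMED_EXE)):
        print("%s COM: %s" % (name, inspect_com_file(blob) or ["no findings"]))
```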
Form infects diskettes having the sector size of 512 bytes - that is to say, all standard diskettes. In some cases Form fails to infect a diskette properly, and this may cause problems when the virus is being removed. When the virus infects a diskette, it first marks two sectors as bad and then copies the original boot record and the second part of its code to this area. After this, Form writes the first part of its code on the diskette's boot sector and allows the diskette read to proceed normally. The virus has been named after the following message, found inside the viral code on the bad sector area: "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! F...ings go to Corinne." Although Form is in no way extraordinary or unusual, it is still one of the most common viruses.

Activation
After the virus has loaded itself into memory, it checks the date in the computer's clock. On the 18th day of any month, the virus may cause the computer to beep whenever a key is pressed. Some sources claim that Form causes the beeping on the 24th, but this is due to a misunderstanding that has its roots in the difference between the hexadecimal and decimal numbering systems (18h = 24d). The DOS KEYB keyboard driver prevents Form from beeping, because it uses the same interrupt as the virus, interrupt 9h, and crowds it out. So in most systems the virus goes completely unnoticed, because there is no visible or audible activation routine.

Disinfection
F-PROT can reliably disinfect the virus. If the virus has been unable to infect a diskette properly, however, it cannot be removed by any anti-virus program, since the original boot sector it destroyed no longer exists anywhere. The boot record can be restored by using DOS's SYS command, which creates a new boot record on diskettes and hard disks. If the command is used with DOS versions older than 5.0, it also copies the operating system onto the diskette, so the diskette must have enough free space to contain the hidden system files. An alternative way to restore the boot record is to use some utility program which overwrites the contents of the boot sector with a generic boot record substitute - the program FIXBOOT, supplied with F-PROT Professional, is able to do this. If a large number of diskettes have been contaminated, the easiest way to disinfect them is to copy the files elsewhere by using the commands COPY or XCOPY and format the diskettes. If the operating system in use is DOS 5.0 or 6.0, the parameter /U must be given to the FORMAT command, because otherwise the viral code may be restored if the UNFORMAT command is used. The DISKCOPY command cannot be used to copy the files on the infected diskettes elsewhere, for it copies everything on a diskette, including the virus. The disinfection operation starts by booting the computer from a clean diskette, because the computer's memory must be clean before the virus can be removed. Form reinfects disks immediately after they have been cleaned if it is allowed to remain in memory. When Form and other boot sector viruses are being removed, special attention must be paid to the cleaning of diskettes. Since boot sector viruses usually infect all diskettes that are not write-protected, they can contaminate a great number of diskettes in a short time. Consequently, a computer runs a risk of being infected every time somebody forgets to remove such a diskette from its drive.
All diskettes used in a contaminated computer must be checked for viruses in order to prevent the virus from reinfecting the system. In order to avoid new infections, the memory-resident part of F-PROT, VIRSTOP, should be used at all times with the /BOOT parameter on. Whenever diskettes are used in the computer while this parameter is on, VIRSTOP checks them for boot sector viruses and gives a warning if it finds any. Companies might find it worthwhile to use a solution called the PC Health Station, in which one or more computers are set aside to check for viruses. If all diskettes coming from outside the company are checked in a Health Station, viruses will find it hard to infect the organization's systems.

Common Questions and Answers
If you have questions about data security or anti-virus issues, please contact your local F-PROT distributor. You can also contact Data Fellows Ltd. directly at the number 358-0-692 3622. Written questions can be mailed to: F-Secure Ltd, F-PROT Support, Wavulinintie 10, 00210 HELSINKI, Finland. If you prefer e-mail, the Internet address is F-PROT@DF.elma.fi, and the X.400 address is S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.

Why can't I scan diskettes in drive A if I have executed F-PROT from a diskette in the same drive?

The program's virus search string database and language files are too large to be loaded into memory, because we want to keep F-PROT's memory requirements to a minimum. Since F-PROT needs these files during scanning, it must have continuous access to the disk where they are stored. The recommended course of action is to execute F-PROT from the diskette, ensure that the computer's hard disk is clean, and then install F-PROT on the hard disk. If you do not have the inclination or the disk space to do that, you can bypass the memory limitation by creating a virtual RAM disk and installing the program on it.

I use a keyboard driver to provide national characters for my special keyboard. However, when this utility, KEYB102.COM, is loaded, VIRSTOP's /WARM function does not work at all.

If VIRSTOP is started with the /WARM parameter, it monitors the keyboard to see whether the keys Ctrl-Alt-Del are pressed. When that happens, it checks the diskette in drive A. Some keyboard drivers reserve the keyboard interrupt entirely for themselves: when they are loaded into memory, they push out all other programs using the interrupt. KEYB102 is one of those. The functioning of some programs, like VIRSTOP or SMARTDRV, becomes impaired if the driver is loaded into memory after them. The KEYB.COM driver provided with MS-DOS does not cause this problem. The problem can be solved by changing the order in which the programs are loaded into memory: if you load KEYB102 first, it cannot prevent the other programs from using the keyboard interrupt.

How can I create a clean boot diskette?

Check your computer with F-PROT before you do anything else. That way you can be more certain that the boot diskette really is clean. You can create a basic DOS boot diskette by formatting a diskette with the command FORMAT /S. The /S parameter causes the operating system to copy the system files to the diskette. However, that is not always enough. If you use drivers that have to be loaded into memory before the computer can be used normally (SCSI hard disk drivers, national keyboard drivers, network drivers, disk compression drivers and what have you), the commands that load the drivers must be added to the boot diskette's CONFIG.SYS and AUTOEXEC.BAT files. Consult the manuals of the corresponding applications to find out the needed drivers and commands. The driver programs themselves must also be copied to the boot diskette, and all references to them in the CONFIG.SYS and AUTOEXEC.BAT files must point to the copies stored on the diskette; otherwise you might be executing infected files from the hard disk during the boot. An additional note: due to a bug in DOS, whatever file the COMSPEC environment variable points to is copied to the diskette and renamed COMMAND.COM when the FORMAT /S command is used. This causes problems only if you are using a third-party command interpreter instead of the usual COMMAND.COM.

When I was installing DOS 6.2 on my computer, I received the warning "Boot sector write, possible virus. Continue Y/N?". What caused the warning? Is my computer infected?

All the newer AMI BIOSes give this warning when something tries to make changes to the hard disk's boot sector. The warning is justified, too, since it is able to prevent boot sector viruses from infecting the computer. However, the DOS 6.2 installation program must make some legitimate changes in the boot sector. You can either ignore the warning while you are installing the program, or turn it off for the duration. The warning can be switched off in the computer's Setup. Remember to turn it back on when you have completed the installation.

Changes in F-PROT 2.11
A CMOS check has been added to F-PROT: if the SETUP information claims that the computer does not have a drive A, F-PROT aborts its execution and requests further instructions. This is done to defeat the trick used by viruses like ExeBug, which prevent the machine from being booted from a clean diskette by modifying the SETUP information. If the computer really does not have a drive A, F-PROT can be started with the /NOFLOPPY parameter.

F-PROT's virus naming system now adheres to CARO's naming standards. For example, where F-PROT used to report an infection caused by the Sunday.A variant of the Jerusalem virus as Jerusalem (Sunday.A), it now reports it as Jerusalem.Sunday.A. Blanks in virus names have been replaced with underscores.

If F-PROT is started from a diskette, it prevents other diskettes from being scanned in the same drive. The program needs continuous access to the diskette it was started from, because it requires its database during scanning.

The maximum number of user-defined search strings has been raised to 20.

VIRSTOP now checks the boot sectors of floppy disks by default. In earlier versions, this option had to be turned on separately. You can toggle this check with the /BOOT and /NOBOOT parameters.

A new file, VIRLIST.LIS, has been added to the MATERIAL directory on the update diskette. This file contains the names of all the viruses detected by F-PROT, including viruses that are not yet described in the program's virus help section.

A generic boot sector disinfector, FIXBOOT, has been added to the update diskette's MATERIAL directory. This program overwrites the contents of boot sectors with a generic boot record substitute. FIXBOOT can be used for repairing boot records damaged by boot sector viruses, even when F-PROT refuses to disinfect the diskette, which happens if the original boot sector cannot be found.
If earlier versions of F-PROT were started with the /HARD parameter, they could not recognize all partitions of the hard disk if the computer was using a Seagate disk manager or a similar product from OnTrack. The problem has now been corrected, although it was mainly caused by disk managers that were more or less incompatible with DOS.

When a self-modifying program called ALREADY.COM was scanned with Heuristic Analysis, F-PROT used to report it as infected by an unknown virus. This was a false alarm, and it has now been corrected.

If F-PROT finds a file which seems to have been destroyed by the Vienna.Reboot virus (this virus inserts a reset jump at the beginning of some programs), it will not report anything if the file is named REBOOT.COM or RESET.COM, since in these files the reset command is legitimate.

New viruses detected by F-PROT 2.11
The following 43 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..." Adams.Wednesday HLLO.3008 Milan.WWT.125.C Burger.512 HLLO.3521 Rythem.808.A Burger.560.M HLLO.3800 Rythem.808.B Burger.560.X HLLO.4096 Rythem.814 Burger.560.Y HLLO.4340 Rythem.907 Burger.560.AG HLLO.4372 Rythem.1992 Burger.560.AI HLLO.4778 Tack.460 Burger.560.AJ HLLO.Harakiri.B Trivial.29.B Burma.442.B Leprosy.570 Trivial.30.G Burma.563 Leprosy.664.A Trivial.33 Deicide.665 Leprosy.664.B Trivial.39.B Grog.512 Leprosy.AoD.I Trivial.45.E Grog.1146 Leprosy.5370.A VCL.347 Grog.1207 Leprosy.5370.B VCL.409 VCL.Mindless F-PROT can detect and remove the following 385 new viruses. Earlier versions of the program could detect many of these viruses. Now they are also identified accurately. _229 Murphy.Swami.D _343 Murphy.Tormentor.E _377 NGV.1680.A _397 NGV.Cousin _495 NGV.Gomes _512 NGV.Lurch _977 NGV.Morticia _948 NGV.Pugsley _1099 NGV.Thing _1364 NGV.Uncle _1588 Nice.A _2000 Nice.B Agena Nina.D Akuku.889.C Noon Beep.1666 Arriba.B November 17th.706 Ash.441 Npox.963.B Ash.451 Npox.1708 Ash.737 Nympho.845 Ash.1604 Old Yankee.Enigma.B AT.140.B Old Yankee.Enigma.C Australian Parasite.338 Omud Australian Parasite.369 Paola.538 Australian Parasite.377 Paola.1110 BA Paturuzu Baobab.2304 PeaceMan Barrotes.1310.B Phalcon.894 Barrotes.1310.C Phalcon.Maria K Barrotes.1310.D Phoenix.800.C Barrotes.1310.E Phx.823 Better World.B Piaf Better World.C Piter.B Bloody Warrior Piter.C Breaking Pixel.251 Bupt.1220.B Pixel.AVV Capicua Poor Man Carioca.B Protect.1323 Cascade.1699 Prudents.B Cascade.1701.I Prudents.C Cascade.1701.Jojo.F PS-MPC.G2.341 Cascade.1701.M PS-MPC.344 Cascade.1702 PS-MPC.346 Cascade.1704.Q PS-MPC.348 Cascade.1704.R PS-MPC.352 Casino.B PS-MPC.361 Casino.C PS-MPC.G2.425 Chaos.G PS-MPC.G2.429 Chaos Year.1837 PS-MPC.432 Chrome PS-MPC.565 Clonewar.228 
PS-MPC.569 Clonewar.246 PS-MPC.572 Clonewar.261 PS-MPC.573.A Commando.421 PS-MPC.573.B Commando.498 PS-MPC.574.B Crew.2480.C PS-MPC.577.A Crew.2480.E PS-MPC.577.B Crew.2480.F PS-MPC.578.B Cybercide.1307 PS-MPC.578.C Danish Tiny.308 PS-MPC.589 Danish Tiny.311 PS-MPC.G2.598 Danish Tiny.476 PS-MPC.600 Dark Avenger.1800.J PS-MPC.603 Dark Avenger.1800.K PS-MPC.605 Dark Avenger.1800.Singapore PS-MPC.606 DataCrime II.1514.D PS-MPC.607 Dead.1362 PS-MPC.611.A Deicide II.595 PS-MPC.611.B Deicide II.2404 PS-MPC.927 Deicide II.2569 PS-MPC.AntiPrint Demented PS-MPC.Deranged.490 Democracy PS-MPC.Generix Diamond.485 PS-MPC.Seven Percent Skeleton.626 Diamond.568 PS-MPC.Swansong.1521 Diamond.584 PS-MPC.Viraxe Diamond.609 PS-MPC.Z10.763 Diamond.614 Quadratic.981 Diamond.978 Quadratic.1285 Dlsu Quit-1992.B Dnr.331 Rage.486 Dur.397 Red Diavolyata.830.D Egg.833 Riihi Egg.1000 Satyricon.348 Eight Tunes.B Sentinel.4636 Espacio Seventh Son.426 Exunt Seventh Son.428 F-You.417.B Seventh Son.473 F-soft Shark.1027 Faerie.349 Shark.1283 Family Skew.458 Feelbad Slash Fifo Spring.640 Finnish Sprayer Stardot.682 Fission Stardot.979 Flash.688.C Stoned.Standard.Collor Flip.2153.E Storm.1217 Flip.2365 Suriv 1.April 1st.D Freew.718.B Suriv 2.C Friday the 13th.417 Suriv 2.D Frodo.4096.I Suriv 2.E Gergana.182.B Suriv 2.F Gippo.Earthquake Suriv 2.G Golgi.385 Suriv 2.H Green Caterpillar.1575.F Svc.1689.D Green Caterpillar.1989 Svc.1689.E Grog.495 Swedish Boys.Headache.441 Grog.547 Syslock.Syslock.E Grog.765 Tajfun Grog.903 Taurus Grog.1013 Tenbytes.1451.B Gusano Tenbytes.1451.C Happy New Year.1560 Tenbytes.1554.B Happy New Year.1600.B Tenbytes.1554.C) Happy New Year.1600.C Thirteen Minutes.B Happy New Year.1614 Tic.93.B Helloween.1684 Tolbuhin.626 Hey You.B Tolbuhin.992.B HLL.3678 Tolbuhin.1004.B HLL.5602.A Traveler Jack.980.B HLL.5602.B Trickster HLL.5938 Troi.B HLLC.Christmas Trojector.1561 HLLC.Globe.7705 Turn.557 Holiday Twister.451 Hymn.Hymb.B Twister.863 Hymn.Hymb.C Twister.1015 I-Revenge 
Twister.1767 Icelandic.642.B USSR-707.C Icelandic.642.C Vacsina.TP-25.B Icelandic.656.B Variable Worm.B Icelandic.848.B Vbasic.F Icelandic.1618.D VCL.380 Icelandic.1618.E VCL.433 Infector.608 VCL.445 Infector.676 VCL.573 Infector.692 VCL.610 Infector.695 VCL.Azrl549 Infector.752 VCL.Azrl606 Infector.962 VCL.Annoyer Internal.1459 VCL.Dragon Ionkin.218 VCL.Divide.554 Ionkin.300 VCL.Eddie IVP.Angry Samoans VCL.Elena IVP.Ozzy VCL.GGATTN IVP.Panic VCL.Olympic IVP.Tim VCL.Mexican Japanese Christmas.600.F VCL.Red Team Jerusalem.1808.suMsdos.AK VCL.Succubus Jerusalem.1808.suMsdos.AL VCL.Teknitov Jerusalem.1808.suMsdos.AM Vcomm.633 Jerusalem.2132 VCS.Sleeper Jerusalem.AntiCad.3012.E VCS.Standard.Dr-No Jerusalem.GP1.1533 VCS.Standard.Parity Jerusalem.Mummy.2.1.B VCS.Standard.Vdv Jerusalem.1808.Sk9 VE Jerusalem.Suriv 3.B Victor.B JSB Vienna.353.B Junior.224 Vienna.435.B Just Vienna.539 Justice Vienna.573 Kbflag Vienna.582.B Keeper.Acid Vienna.583.C Keeper.Enemy Vienna.637.C Keypress.1232.J Vienna.637.D Kode 4.282 Vienna.645.C Kode 4.287) Vienna.645.D Krusha Vienna.648 * 10 Leapfrog.B Vienna.662 Liberty.2857.E Vienna.670 Liberty.2857.F Vienna.833 Little Girl.949 Vienna.GhostBalls.C Lokinator Vienna.Gipsy Lyceum.958 Vienna.It.457 Lyceum.1086 Vienna.NTKC.B Magnitogorsk.2560.D Vienna.W-13.534.K Marzia.B Virdem.1336.German.B Marzia.C VS Massacre Warzaw MG.5.B Wordswap.1085.B Mgtu.273.D Wvar Mich Yankee Doodle.TP.44.D Michelangelo.F YB.466 Ming.491 YB.647 Ming.1017 YB.2277 Mithrandir.450 Youth.580 Mithrandir.694 Zamoy MMIR.Extasy Zero Bug.B MMIR.Ravage Zherkov.1023.B Murphy.Amilia.B Zombie Murphy.Swami.B Zulu Murphy.Swami.C ZX-X The following 27 new viruses can now be detected but not yet removed. 
_1491 Grog.1372 Pojer.1941 _1784 Grog.2075 Pojer.1949 _1987 HLL.3677 PS-MPC.783 _2403 Ignorant PS-MPC.1706 AtomAnt Jerusalem.986 Sentinel.5115 Beer.2984 Julia.1000 Tamanna Beer.3399 LZR Velvet.1400 Commonwealth Monika Creator Pcbb.1800.A Dual GTM Pcbb.1800.B

F-PROT's earlier versions could detect the following viruses. Now they can also be removed.

Arusiek PS-MPC.ARCV.6 PS-MPC.Page.696 Little Red PS-MPC.ARCV.7 PS-MPC.Schrunch Marzia.A PS-MPC.Eclypse PS-MPC.Walkabout PS-MPC.ARCV.3.A PS-MPC.Kersplat PS-MPC.Z10.70 PS-MPC.ARCV.5 PS-MPC.Mimic Sentinel.5402
This material can be freely quoted, if the source is given as: Source: F-PROT version bulletin 2.11. Copyright (c) 1994 F-Secure Ltd.
This file may not be made available for download on a system which allows users to access live computer viruses, virus source code, or instructions for generating new viruses. Thank you.

F-PROT Professional Support <f-prot@datafellows.fi>
