F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Contact Us

F-PROT Professional Update Bulletins

F-PROT Professional 2.12 Update Bulletin
 CONTENTS BRIEFLY 

--- CONTENTS 2/94 --- New ideas in the field of anti-virus utilities --- New viruses in the wild --- Danish_Tiny.476 --- Dinamo --- Finnish Sprayer --- News In Short --- Two new Macintosh viruses discovered --- Virus Bulletin 1994 conference is coming --- Malware floating in BBSs --- Common Question and Answers --- Polymorphic Generators --- Polymorphic viruses --- Polymorphic generators --- Operating Principles --- Limitations --- Detection --- Algorithmic methods --- Checksumming --- Decryption-based detection --- What is the best solution? --- Thus far found... --- MtE (Mutation Engine) --- TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine) --- NED (NuKE Encryption Device) --- DAME (Dark Angel's Multiple Encryptor) --- DSME (Dark Slayer Mutation Engine) --- MutaGen --- GPE (Guns'n'Roses Polymorphic Engine) --- DSCE (Dark Slayer Confusion Engine) --- Ethics in Anti-Virus Toolkit Marketing --- A sad episode --- An efficient press campaign --- Changes in F-PROT Professional 2.12 --- Changes in F-PROT's DOS version --- Changes in F-PROT's Windows version --- Changes in both DOS and Windows version --- New viruses detected by F-PROT 2.12


F-Secure Ltd, Wavulinintie 10, 00210 Helsinki, Finland Tel. +358-0-692 3622, Fax +358-0-670 156, E-mail: f-prot@datafellows.fi This text may be freely used as long as the source is mentioned. F-PROT Professional 2.12 Update Bulletin; Copyright (c) 1994 F-Secure Ltd.
CONTENTS 2/94
New ideas in the field of anti-virus utilities New viruses in the wild - Quox - Danish_Tiny.476 - Misis - Dinamo - Finnish_Sprayer Two new Macintosh viruses discovered Virus Bulletin 1994 Conference is coming Malware floating in BBSs Common Questions and answers Feature: Polymorphic Generators Ethics in Anti-Virus Toolkit marketing Changes in F-PROT's DOS version Changes in F-PROT's Windows version Changes in both DOS and Windows versions New viruses detected by F-PROT Professional 2.12 New ideas in the field of anti-virus utilities
Any modern software application should adapt to different kinds of end users. The more widely an application is used within an organisation the more adaptable it should be. An anti-virus utility should be installed in all personal computers. It should thus adapt to all kinds of users. We have aimed at developing a product family which combines the best possible scanner technology with a user interface that serves all kinds of users. With this accompanying release of F-PROT for Windows we have added some interesting features for the sophisticated end user. It is now possible to start a scan by double-clicking a task file in the Program Manager or in the File Manager. F-PROT will be launched and the specified task executed. This means that icons called Scan A:, Scan B: and Scan Hard Disk can be brought to the desktop. When a scan is needed, just double-click one of them and the corresponding task will be carried out. We have also implemented something else that is, as far as we know, a first of its kind in the world. You can now drag and drop a bunch of files or folders from the File Manager on top of the F-PROT icon or window and they will be scanned with the settings given to the default task. These features are not absolutely essential in an antivirus toolkit. However, as F-PROT serves a wide variety of users, we think it is important to keep abreast with modern user interface innovations. F-PROT Professional for OS/2's 16-bit version is now ready and shipping. The 32-bit OS/2 version has just entered beta-test phase. Contact your local F-PROT Professional distributor for more information about our OS/2 virus protection solutions. New viruses in the wild
The last few months have brought little variety to the global virus situation; most of the infections reported have been caused by old, well known viruses. However, a couple of viruses have recently been able to spread to several locations - and most of these have been boot sector viruses. Quox ---- The Quox virus has been reported in the wild in several locations in Europe, Asia and USA during the last year. Quox is a relatively simple diskette and Master Boot Record infector. Quox is only able to infect a hard disk when a computer is booted from an infected diskette in drive A:. At this time, Quox infects the Main Boot Record. During later boot-ups from the hard disk, Quox will go resident in high DOS memory. Once Quox is resident in memory, it will infect practically all non- write protected diskettes used in the machine. Quox is also a stealth virus - if you try to examine an infected boot record while the virus is resident in memory, you will be shown the original, clean one instead. Quox contains no activation routines or text strings. However, it will corrupt some diskettes seriously. Due to the virus's stealth capability, the damage may not be visible as long as the virus is resident in memory. When infected diskettes are used in certain clean machines, they will prove to be unreadable and, due to a bug in DOS, may even crash the computer. The virus was found in Thailand, in July 1992. It was named "Quox" at the IBM High Integrity Labs, because, to quote David Chess of IBM, "there was no obvious good name, and we didn't have very many viruses starting with `Q'". F-PROT Professional detects the Quox virus. Danish_Tiny.476
This virus is also known as Black Wind. It was originally found in Estonia in the beginning of 1994. Afterwards, this virus has been reported to be in the wild in several Northern European countries. Like the original Danish_Tiny, this new variant is a direct action infector that targets COM files. The virus is encrypted with a variable key. Danish_Tiny.476 increases the size of infected programs by 476 bytes. It activates on the 6th day of any month, at which time it formats the hard disk's first track, overwriting the MBR code and the partition information. This makes the hard disk effectively inaccessible. After this, the virus displays the following text and hangs the computer: BLACK WIND VIRUS... Copyright (C) 1992, Destructive Technologies, Unlimited. F-PROT Professional detects the Danish_Tiny.476 virus. Misis ----- Misis is a very small boot sector virus from Russia. It is known to be in the wild in the west also - confirmed reports have been received from UK and Norway. The virus uses stealth routines, so the infected boot sectors will seem to be clean if they are inspected while the virus is resident in memory. Practically all boot sector viruses decrease the amount of available DOS memory from 640 KB and use this 'memory-hole' to store their code in. They cannot go resident by using the usual DOS calls, because they activate before DOS is even loaded. This makes most boot sector viruses easy to spot, since the user can check the amount of total DOS memory with the MEM or CHKDSK commands. Misis uses an unusual way to circumvent this symptom: it stores its code in low system memory, overwriting part of the interrupt vector table. This makes the system potentially unstable, because any program that changes the higher interrupt vectors (from 94h to FFh) will overwrite part of the resident virus code, probably causing the system to crash. One side-effect of this virus is that infected diskettes will work normally in an infected machine, but will cause read errors if accessed in a clean computer. This happens because the virus overwrites the disk parameter block which, on diskettes, is stored in the beginning of the boot sector. On infected machines this has no effect, because the virus stealths the changes it has made. Misis contains several phrases of Russian text. These are not comprehensible on machines without a Russian screen driver. Translated to English, the texts read approximately as: Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov Soft 236-25-35. "Zharinov" come!.. Database NIKA! Go away from computer! Work for programmers! Fame to Lozinsky! Were you warned by the Surgeon General?! Pray all... Lozinsky is a well-known Russian antivirus expert. The virus contains an activation routine, which causes some of the above-mentioned texts to be displayed in the upper left corner of the screen. On western machines, these messages show up as garbage. The texts are displayed in yellow blinking colour on brown background. The virus triggers every 16th time the boot sector is accessed. <MISIS.GIF> The Misis virus displays Russian comments in the upper-left corner of the screen The Misis virus was originally known as Zharinov. The name was changed when it was found out that Zharinov is the name of a professor at the MISiS, and that the virus was most likely written by one of his students. Mr. Zharinov himself obviously has nothing to do with this virus. F-PROT Professional detects the Misis virus. Dinamo
Dinamo is another Russian boot sector virus. It has been found in the wild in Europe and Asia. Reports of Dinamo have been received from Hong Kong, China and Denmark. The virus infects MBRs and diskette boot records in the same manner as the Quox and Misis viruses. Unlike them, however, Dinamo is not a stealth virus. The virus gives the only visible sign of its presence if it encounters an error while reading the boot sector. Then it will display the following text and beep the speaker three times: Dinamo(Kiev)-champion !!! This text is encrypted with a XOR BDh operation, but the virus is not otherwise encrypted. F-PROT Professional detects the Dinamo virus. Finnish Sprayer
Finnish Sprayer was first found in Finland in December 1993. Thereafter, it quickly became very widespread, emerging all over Finland. Later on, this virus has also been found in Sweden, Russia and Estonia. Finnish Sprayer operates as a normal boot sector virus, infecting floppy boot sectors and hard disk MBRs. It contains the following unencrypted text: Tks to B.B, Z-VirX ..... [Aija] Finnish Sprayer is two sectors long. It stores the original boot sector and its own code on the last sectors of the active partition. The virus will not infect a hard disk if the active partition's file system is not DOS. This means that PCs running, for example, OS/2, Novell DOS with HD password protection, Windows NT or some UNIX variant will not be infected. Finnish Sprayer uses stealth techniques, which means that it cannot be found from the MBRs of hard disks while it is active in memory. The virus activates on the 25th of March, which, in Finland, is the name day of Aija. Aija, which is a girl's name, is referenced twice in the virus code. When the virus activates, it overwrites random sectors of the active partition, changes the screen background to grey, and displays the following text: FINNISH_SPRAYER.1. Send your painting +358-0-4322019 (FAX), [Aija] This text is not visible inside the virus code, for it is encrypted with a XOR 50h operation. The phone number belongs to the Finnish House of Parliament - which received tens of faxes during this year's activation day. In Finland alone, the virus is reported to have activated on approximately two hundred PCs - and the total number of infected machines rises to several hundreds. These numbers are quite amazing, because the virus was first found only couple of months ago. The Finnish anti-virus organisations have followed the Finnish Sprayer incident very closely, and this has made it possible to compile remarkably accurate statistics of the incident. We have attached one of these statistics here: a map of Finland with markers showing the locations where this virus was found. F-PROT Professional detects the Finnish Sprayer virus. News In Short
Two new Macintosh viruses discovered
During the last months, there have been two new Macintosh virus sightings. The new viruses are INIT9403 and INIT-29-B. INIT9403 has a destructive activation mechanism: after infecting a certain number of files, it erases the disks connected to the system and attempts to destroy disk information on all connected hard drives. For finishing touches, it attempts to completely erase the boot volume. All major Macintosh antivirus products have been upgraded to handle these viruses. Contact your local F-PROT Professional support for a free copy of the Disinfectant 3.4.1 antivirus software to protect your Macintoshes. Virus Bulletin 1994 conference is coming
Virus Bulletin, an UK-based publication focusing on computer virus prevention, recognition and removal, is gearing up for its annual VB Conference. This year's conference will be held on the 8th and 9th of September in Jersey, UK. For the first time, this year's conference will feature an exhibition of anti-virus products. And as usual, a large number of experts will present their papers on current topics in antivirus field. This years speakers include: o Vesselin Bontchev (University of Hamburg, Germany) o Steve White (IBM, USA) o Jeremy Gumbley (F-PROT Support of Symbolic, Italy) o Alan Solomon (S&S International, UK) o Joe Wells (Symantec, USA) o Mikko Hypponen (F-PROT Support of F-Secure, Finland) o Jan Hruska (Sophos, UK) o Sara Gordon (Indiana University, USA) For more information, contact Virus Bulletin at +44 235 531889, e- mail: virusbtn@vax.oxford.ac.uk. Malware floating in BBSs
As usual, the BBS scene has been plagued by the occasional trojan horse or two. At least two widespread cases have occurred during the last few months. In the beginning of March, a file called NOVADEMO.ZIP was uploaded to several European BBSs. The file was described to contain "a new amazing demonstration". Amazing it was indeed. The unsuspecting users found out that, instead of showing graphical patterns, the program copied its own code over all other executable files it could find. The program was classified as an overwriting virus, and F-PROT Professional now recognizes it as HLLO.Novademo. The program also contained the following text: "This is Dangerous Messanger, and here is my message to the world". Another version of this piece of malware seems to be floating around in a file called !BBS_AD.ZIP. In the start of April 1994, another harmful program was spread via BBSs. This time an existing application, the Galaxy Music Player, was trojanized. The trojanized program claimed to be the version 2.06 of Galaxy Music Player, but it proved to be a simple trojan horse, which attempted to overwrite part of the hard disk when run. In order to gain enough time to do as complete a destruction as possible, the trojan started by displaying an initialization message. This trojan contained several texts like "Hello F...ing Rasist !!! Try your harddrive now." and "HD-VIPER BY PHROPHET PHARAKHAN OF C.O.N.E '94". The author of this trojan also showed a twisted sense of humour: a questions-and-answers text file included in the archive had been modified to contain one additional question: Q: Why i got message 'INVALID MEDIA TYPE' after running GLX ? A: Because this is fake production to nail same lamers. Coded by Phrophet Pharakhan of C.O.N.E.H '94. Common Question and Answers
If you have questions about data security or antivirus issues, please contact your local F-PROT distributor. You can also contact Data Fellows Ltd. directly, in the number 358-0-692 3622. Written questions can be mailed to: F-Secure Ltd, F-PROT Support, Wavulinintie 10, 00210 HELSINKI, Finland. If you prefer e-mail, the address in Internet is: F-PROT@DF.elma.fi, and in X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi. After installing F-PROT Professional and executing VIRSTOP.EXE, I received the message "VIRSTOP.EXE has been modified - reboot from a clean disk!" What has happened? For some reason, VIRSTOP did not pass its self-check. There are two probable causes: 1) Either your diskette or diskette drive is faulty, and this has caused the VIRSTOP.EXE file to be corrupted during the copying process. Try to install the program on another computer. If that doesn't help, ask for a new floppy from your local F-PROT Professional support. Try to execute F-PROT.EXE, which is also self-checking. 2) Your computer's memory contains a virus, which has infected the VIRSTOP.EXE file either when it was copied or when it was executed. Again, see what happens if you execute F-PROT.EXE. You may also want to compare the contents and the file size of the VIRSTOP.EXE file to the same file on the write-protected distribution diskette. Boot the machine from a clean DOS diskette and execute F-PROT from the installation diskette to check your hard drive. I have a HP48 pocket computer, and I have heard that there are viruses which are able to infect them. Is this true? Yes it is. It sounds unbelievable that these little computers which look like pocket calculators could actually have a virus problem, but there are currently several different viruses which infect HP48 series. One of the HP48 viruses that has been found in the wild is called Michigan. It is probably written in USA. The original version of this virus only displayed error messages like "Defective ROM", but later variants have destructive routines added to them. There are also several different HP48 viruses which originate in France. Contact your local HP48 user group for antivirus tips and utilities. Our users like the way F-PROT Professional for Windows adds new quick- access icons to Program Manager for scanning floppies. However, on slower machines the memory test takes longer than the actual floppy scan. Is it really necessary to scan the memory every time a quick- access icon is clicked? If your users are already running scheduled checks on their local drives, it is not necessary to perform the memory check before every scan. There are two ways to by-pass the check. Your users can start the actual F-PROT for Windows application and keep it minimized. When they want to check a floppy, they can enlarge the application and click the appropriate toolbar button. F-PROT for Windows will only check the memory when the first scan is made. Another way is to directly modify the properties of the quick-access icons. Select an icon, and open its Properties dialog by choosing the command File/Properties in Program Manager. In the dialog, add the switch /NOMEM to the end of the command line. After this, the memory check is automatically by-passed when the icon is clicked. It is not recommended to disable the memory check for the Check hard drive icon, though. <Properties.GIF> Properties-dialog of a F-PROT for Windows task file Polymorphic Generators
Polymorphic viruses
The rise of polymorphic viruses can be seen as virus writers' response to the increasing expertise of virus scanners. Since properly built scanners can recognise viruses by their characteristic code, the obvious way to try to beat scanners was to design viruses that change their code, thus rendering recognition with search strings impossible. Polymorphic viruses employ code alteration and encryption to hide themselves from scanners. Their usual tactic is to encrypt the main part of their code with a variable key and leave only the decryption executor unencrypted. The decryption code is altered during every infection to prevent detection with a search string. However, it takes considerable skill to design a polymorphic virus. This kept the number of true polymorphic viruses quite small for a relatively long time. Of course, this couldn't last forever: At some stage, the heavyweights of the virus trade took notice and came to rescue their less skilled brethren by writing and distributing polymorphic generators. Polymorphic generators
Polymorphic generators are routines which can be linked to existing viruses. The generators are not viruses per se; their purpose is to hide actual viruses under the cloak of polymorphism. The first all-purpose polymorphic generator was the Mutation Engine, or MtE. Published in 1991, capable of billions of different permutations, linkable to any virus, it heralded the age of instant polymorphism. Today, there are 33 different viruses which are known to use the MtE. Other polymorphic generators followed in MtE's wake. The next two appeared late in the year 1992. They were the TridenT Polymorphic Engine (TPE) and NuKE Encryption Device (NED). TPE was written in the Netherlands. In principle it is capable of producing smaller number of different permutations than the MtE. However, it created detection problems for antivirus products because the decryptors it creates are more generic than those produced by MtE. NuKE's generator wasn't quite as advanced, but unlike most other polymorphic generators, it was distributed as readable source code instead of an object module. Other known polymorphic generators are Dark Angel's Multiple Encryptor (DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark Slayer Confusion Engine (DSCE). These generators are typically distributed via underground networks, virus exchange BBSs and private areas in the internet. Operating Principles
Polymorphic generators are code modules which a programmer can incorporate into a program. After this, the program can use the functions the code module contains. This process is called linking. Once a generator is linked to a virus, it becomes an intrinsic part of the said virus. The virus will thereafter carry the engine along while spreading itself. It should be noted that the generator itself does not care in which kind of a program it is linked to. The known polymorphic generators are clearly written to be linked to viruses, but in principle they could be used in other kinds of programs as well. When a virus that employs a polymorphic generator is infecting a program file (or some other object), it requests the generator to create an encrypted copy of the virus code and the generator itself. Besides performing the encryption, the generators also create a decryptor - a routine which is able to undo the encryption applied to the actual virus code. The generators often use relatively simple encryption techniques. However, they do change the encryption key during every execution. This alone makes the detection of such a virus difficult, but encrypted viruses retain one Achilles heel: the decryption routine, which must remain unencrypted if it is to be executable. Thus, the true effectiveness of a polymorphic generator is measured by its ability to mutate the decryption routine. All polymorphic generators need some kind of a randomisation routine in order to create different algorithms each time. Some of the generators allow the virus programmer to substitute his own randomisation routines instead of the original one. Polymorphic generators are able to create completely different encryption methods and a wide variety of different decryption routines for them. They modify their decryption routines by such means as shifting the commands inside the routine around, adding ineffectual commands in random places and using different processor registers and opcodes. The basic idea is to make the binary image of the decryption routine totally different between different infections. All this makes it impossible to search for the decryption routine with fixed search strings - there is no search string that could always be found in infections made by a polymorphic virus. <Polymorphic-infection.GIF> How does a virus using a polymorphic generator infect a file? 1. A clean file before the infection. We'll call this the victim file. 2. The virus starts the infection process by modifying the victim file's first commands. It replaces them with a command to jump to the end of the file. The original first bytes of the file are stored in the virus's body. 3. Next, the virus calls the polymorphic generator to create an encrypted copy of the virus code and the generator itself. The generator also creates a decryption routine, which is added to the end of the victim file. 4. The encrypted code is added to the end of the victim file. This encrypted section contains three parts: a copy of the actual virus code, the original first bytes of the victim file, and the code of the polymorphic generator. Limitations
When the first polymorphic generators were found, it was feared that there would be a huge rise in the number of polymorphic viruses. However, these generators have not proved as popular as was originally thought - only about one hundred viruses are known to use a generator. One of the reasons for this is that a generator must be linked to the program to be encrypted, and since the operation requires changes to the program itself, some programming experience is necessary. This alone places the generators out of the reach of the run-of-the-mill virus enthusiasts. Unfortunately, the generators usually come with detailed instructions on their use, so that virus aficionados with even limited experience of assembly programming can easily use them. Another limitation is the generators' size. Although the generators are quite small in themselves, they do increase the size of viruses by some amount. This makes it difficult to link them to boot sector viruses, which have limited code space. No generator-masked boot sector viruses have been found. With the exception of V-Sign (a mildly polymorphic boot sector virus), polymorphic capabilities seem to be the privilege of file viruses. Of course, the advantage that viruses get from polymorphic generators is somewhat questionable. If an anti-virus program is able to recognise the presence of a particular generator, it is usually able to detect all viruses masked by it. Detection
Despite the cunning nature of polymorphic generators, viruses masked by them can be detected by using proper tools. Antivirus programs often employ algorithmic means to recognise files infected by polymorphically hidden viruses. Another way to find such viruses is to use checksumming. It is also possible to try to solve the encryption and search for the virus underneath the encryption layer. Algorithmic methods
Algorithmic methods are based on the fact that however much a generator mutates the decryption routine, it must still contain certain programming structures which make the decryption possible. If a program file contains such structures, the antivirus program can say with sufficient certainty that the file is infected by a polymorphically cloaked virus. As polymorphic generators vary a lot, a different algorithm is needed for each generator - and in order to build such algorithm, the generator will have to be studied closely. However, the algorithmic methods have a certain weakness: they are prone to false positives. The program structures employed by polymorphic generators can be very random. This means that similar structures sometimes occur inside legitimate program code. False alarms may crop up especially if data files are also included in the search, because they typically contain data similar to the random 'garbage-code' which the generators produce. It is relatively easy to create an algorithm that will find all infections created with a polymorphic engine, but if the algorithm would also flag a large amount of clean programs as infected, it is useless. Checksumming
Checksums are comparison values calculated from the executables in a system. These values are stored in a database. When a checksum search is made, the checksums are re-calculated and compared with the original values in the database. Since this method detects all changes to a system, the mutability of polymorphically hidden viruses does them no good; a change is a change, and thus detectable. Checksumming has its drawbacks, too: checksummers suspect all changes that happen inside a system, and occasionally give warnings of ordinary programs which alter their own code. Nowadays, checksummers are usually equipped with an exclude-list and a heuristic faculty to prevent this from happening. Although theoretically able to detect all changes to a system, checksummers are vulnerable to stealth viruses. If such a virus is active in a computer's memory, it is able to hide all the changes it has made. When stealth viruses are involved, checksummers base their calculations on false data, and will consequently find everything to be in order. It should be noted that polymorphic viruses which also stealth their presence are very rare, simply because they are technically difficult to create. Decryption-based detection
The decryption-based detection of polymorphic viruses work by first reasoning whether the examined object is encrypted. If the object seems to warrant suspicion, generic decryption methods are applied to it, and a string-based search is done to the code found underneath the encryption. This method works against some polymorphic generators with great success, but is difficult to implement for others. What is the best solution?
Checksumming is the strongest method against polymorphic viruses - as long as the machine is clean when the checksummer is installed, and the virus is not falsifying the information received by the checksummer. Checksummers will also detect those polymorphic (and normal) viruses that have not yet been analysed. The algorithm-based detection mechanisms against polymorphic viruses tend to have problems with false alarms, but these can be overcome by designing the detection engine carefully. One advantage of algorithm- based detection is that, once a detection engine is able to detect a certain polymorphic generator, it will probably detect all viruses utilising it. A decryption-based detection mechanism can only detect those polymorphic viruses that have been analysed by the creator of the antivirus product, but it is very unlikely to produce false alarms. Furthermore, such a mechanism is also able to detect the exact variant of the virus in question - this is something that most algorithm-based detection methods are unable to do. Thus far found...
In the following are brief descriptions of the polymorphic generators that have been found to this date. The generators usually come with introductory notes which explain their use, and in which the authors seek to justify themselves, for example by prohibiting the use of their products in viruses, by trying to explain why polymorphic generators are beneficial, necessary and generally morally uplifting, or by giving the by now well-established lecture about free speech and freedom of expression. Since many of the generators' authors are members of well-known virus groups, these disclaimers can be seen as simple hypocrisy. MtE (Mutation Engine)
Mutation Engine was the first polymorphic generator, written by the Dark Avenger. MtE was put into circulation in 1991. It is the most widespread polymorphic generator, and has been incorporated to 33 different viruses. Though revolutionary in its time, Mutation Engine is currently somewhat outdated. Practically all anti-virus products can detect MtE-hidden viruses. Nevertheless, MtE continues to be a source of inspiration for people aspiring to write polymorphic generators - for example, almost all generators written after MtE mimic the documentation provided with MtE. MtE v0.91's size is 2048 bytes. TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine)
TPE was written in 1992 by Masud Khafir, a Dutch member of the TridenT virus group. Before and after TPE, Masud Khafir has created several advanced viruses. Among them are the first Windows virus, Win_Vir, the Cruncher virus series, and one of the most widespread viruses using MtE, the MtE.Pogue virus. TPE itself is based on the encryption routine of Masud Kafir's Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A. To date, four versions of TPE have come out. The author has implied that he considers the product finished, and will not write further versions. The later versions of TPE are highly complex, making it one the most advanced polymorphic generators in the world. TPE version 1.1 was technically advanced, but it contained bugs which made it incompatible with some processor types. Versions 1.2 and 1.3 corrected this problem. The last version, 1.4, introduced an improved, highly complex encryption method, which makes TPE-hidden viruses difficult to identify by using decryption-based detection methods. A separate, modified version of TPE has also appeared. It is known as the Darwinian Genetic Mutation Engine (DGME). DGME was published in Mark Ludwig's latest disputed book 'Computer Viruses, Artificial Life and Evolution'. TPE takes up about 1.6 KB. Presently, it is known to be linked to 10 different viruses. NED (NuKE Encryption Device)
NED, the first polymorphic generator from USA, appeared at approximately the same time as TPE. According to the generator's documentation, it was released in October, 1992. Nowhere Man is credited as being the author of this generator, but there have been suspicions that it is actually written by some other programmer. Nowhere Man is the author of NuKE's Virus Creation Laboratory, the VCL. Unlike most other polymorphic generators, NED was distributed as source code. This, of course, makes it easier for other virus creators to modify the generator, but so far only a single version of NED has been found. The generator's documentation expressly forbids its distribution outside NuKE itself, but it has obviously been in wide distribution. NED version 0.90B takes up 1355 bytes. It is known to have been linked to two different viruses. DAME (Dark Angel's Multiple Encryptor)
Naturally enough, Phalcon/SKISM didn't want to be upstaged by NuKE. In 1993, this virus group, which originates from Canada, joined the fray with Dark Angel's Multiple Encryptor, DAME. The new generator's name may have been meant as a dig at some members of the anti-virus community, who had been using the name DAME for Dark Avenger's Mutation Engine, MtE. Dark Angel published his generator during the summer of 1993 in issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has also written the two virus creation toolkits published by Phalcon/SKISM, the PS-MPC and G2. Like NED, DAME was distributed as commented source code. Along with the generator, Dark Angel published an article which dealt with polymorphism and the writing of polymorphic generators in general. Dark Angel was apparently not completely satisfied with his initial product, because he introduced an improved version of DAME in the next issue of 40Hex. The first version of DAME, 0.90, took up 1574 bytes. The improved 0.91 version had grown to 1960 bytes. Dame is known to have been linked to two different viruses. DSME (Dark Slayer Mutation Engine)
DSME was the first polymorphic generator from Taiwan. It was written by a person calling himself Dark Slayer. DSME was published in the end of 1993. Interestingly, DSME contains documentation both in English and Chinese. The author sends greetings to Dark Avenger and Nowhere Man and thanks for the inspiration he received from earlier polymorphic generators. DSME is not as advanced as the generators produced before it. Dark Slayer admits this in his notes. The actual size of the generator is little over 2 kilobytes. At the moment, only one virus is known to use the DSME. MutaGen
In the beginning of 1994, a new author entered the stage. Calling himself MnemoniX, this American virus writer proudly presented a new generator called MutaGen. At the moment, there are four different versions of MutaGen in distribution. Each successive version is more complex than the previous ones. Their sizes range from 1032 bytes to 1385 bytes. In MutaGen's documentation, MnemoniX criticizes the other polymorphic generators for being too unreliable and easy to detect. MnemoniX himself has published two different viruses which utilise the MutaGen generator, but otherwise the response of the virus underground to this new generator is unknown. GPE (Guns'n'Roses Polymorphic Engine)
The Guns'n'Roses Polymorphic Engine is a newcomer, written by a person calling himself Slash Wu. Like the Dark Slayer Mutation Engine, this generator originates from Taiwan - and it only comes with Chinese documentation. In the generator's documentation, the author prohibits the use of the generator in viruses and other malicious software. He claims to have developed GPE solely for the purpose of protecting data and programs from unauthorised use. These claims are lent some credence by the fact that the author has included his apparently real name and phone number in the introductory notes. Version 1.00 of the Guns'n'Roses Polymorphic Engine was released in March 1994. So far, the generator is not known to have been linked to any virus. It's size is about two kilobytes. DSCE (Dark Slayer Confusion Engine)
There is at least one polymorphic generator which has so far eluded the antivirus researchers. The one that we know of is called DSCE, and it is written by the same author as DSME. A file that demonstrated DSCE's abilities was sent to F-PROT Professional Support during April 1994. Deductions based on this demo indicate that DSCE is a rewritten version of DSME, and capable of creating far more complicated samples. Ethics in Anti-Virus Toolkit Marketing
Anti-virus applications belong to a very special group of programs. When buying an anti-virus toolkit you might suffer a considerable loss if you purchase a second-class product. If you compare this to purchasing a word processor or a disk compression utility, the loss that results from getting a 3% smaller compression ratio or missing out on some special indexing options for long text documents is almost non-existent. This means that you need to buy one of the best anti-virus utilities. How do you choose from the multitude of available tools? There are well over one hundred different anti-virus products in the market. Even if you represent an extremely large company, you can not test the software yourself since you do not have an extensive and up-to-date virus database. Performance tests done against a large and well maintained collection of viruses give you a good idea of which toolkits are better than others. Imagine yourself distributing an inferior anti-virus application. The position is not enjoyable. You have to convince the customers to buy your products, knowing all the while that there are much better products available. Furthermore, you know that if the customer purchases your product, it is possible that he will suffer a major loss because of the choice. This has led some companies to shift from promoting their own product to badmouthing a competing product. One thing continuously claimed of F-PROT by one competitor is that the winning test results are due to a hidden test mode in F-PROT. According to them F-PROT would not find viruses as well when used normally. This is, of course, technically absurd and simply false. There are other possible tactics as well. If you already have a customer and you do not want him to swap products, you can always threaten him with legal action. According to several customers of a certain anti-virus utility, an agent for the product has threatened them with legal action if a single copy of the licensed anti-virus programs is found on their computers after their license has expired. The threat was used when the customers announced their intention to change to another product. If you have thousands of computers you have no way of guaranteeing that you can remove all copies of the software before the specified date, a fact which the agent naturally realized. As an F-PROT customer you naturally retain license rights to the last update that you have received even if the update service expires. A sad episode
We believe the extremely competitive market situation sheds some light on a recent course of events in Finland. An ex-employee of a local representative of a leading anti-virus utility was accused of hacking into the agent's BBS. Let us call the ex-employee John. According to John the charges were brought after an unresolved dispute about unpaid holiday compensations. John claims that he was told about a possible bug in the agent's BBS setup by an important customer. The customer contacted John because the BBS informed every caller that John was still responsible for technical support for the BBS. The system was originally built by John, and he decided to check whether a bug existed. He accessed the BBS using a password belonging to the managing director of the agent. As the BBS only contained files related to the anti-virus utility and even the mail feature was disabled the managing director felt safe using a password composed of three similar letters (like "XXX"). This was well known by the employees of the company. We hope that he has already changed his password. Even though John should never have used anyone else's user id, he did not stop to think about this. After all, he knew that there was nothing confidential in the system. If John has reported the chain of events fully, it makes one wonder why criminal charges were brought against him. An answer may be found in the fact that John was employed by us at the time of the alleged hacking. When we heard about the charges being brought against John and after talking with the managing director of the agent, we decided to fire John. We decided to do this even though we believed and still believe his story, because in our line of business we have to be completely secure. We also informed the agent that we had fired John. An efficient press campaign
After a few days the truth began to come out. A well orchestrated press campaign was launched and a couple of articles were printed. In these articles the managing director of the agent was quoted as saying something like: "It will be very difficult to determine the extent to which John's current employer is involved in this theft of information." These articles were also faithfully translated and sent to members of the international press to get more publicity to the suspicions. No one thought of asking the police whether they had suspicions against F-Secure. The superintendent in charge of the investigation would have been happy to reply that at no time during the investigation had F-Secure been even suspected. After all this, we saw no choice but to sue the agent for orchestrating false rumours about our involvement. At this stage it seems that, if John's story is true, the agent is happily sacrificing an innocent person's career just to get a couple of short lived punches in at us. All of this would be even more depressing if the agent were found to have actually falsified evidence to support claims about data theft. This is one of the problems in data crimes. The owner of the information still has the information after it has been stolen. This makes it difficult to prove that information has been stolen but it makes it even more difficult to prove that nothing has been stolen. If the information system has a log, it will only show that a legitimate user has visited the system (in this case the managing director has visited the BBS). It is practically impossible to specify which login is done by an impostor and which is legal if the owner of the system does not want this to be found out. Changes in F-PROT Professional 2.12
Changes in F-PROT's DOS version
VIRSTOP's behaviour has changed: it will now beep whenever it finds a virus. It will not display a separate alarm screen under Windows, but instead sound an alarm and display the alert text as in DOS. When the /ANALYSE option is used, F-PROT will no longer report 'Invalid entry point' if a file has some other extension than COM or EXE - OVL, for example. This reduces the amount of non-important messages during Heuristic Analysis. Also the operation of VIRSTOP's /DISK-parameter has been changed. When this parameter is used, two temporary, hidden files are created: _VIRSTOP.TMP and _VIRSTOP.SWP. By default, these files are stored in the root directory of drive C:. Files can be located to another disk by issuing a drive letter after the /DISK command. For example, /DISK:E stores the temprorary files to drive E: Temporary drive should be as fast as possible because it affects the speed of VIRSTOP - a RAM-drive is a good choice. Due this change, the VIRSTOP.EXE file can now be updated or deleted while VIRSTOP is resident with the /DISK- parameter. VIRSTOP 2.12 allocates 3.7KB of memory with the /DISK parameter. Changes in F-PROT's Windows version
An Update option has been added to the SETUP program. Memory check now allows multitasking at the same time. A progress bar has been added to the dialog. F-PROT could not scan all network or local drives if VIRSTOP was resident in memory. Instead, it only scanned the first available drive. This has now been corrected. The 'Stack overflow' message appeared if very deep directory structures were scanned. The problem has now been fixed. If a task with an impossible drive specification was sent over the network, F-PROT entered a loop state. Now tasks which specify invalid drives are deleted and a message about this is sent to the administrator. In some cases VIRSTOP would interfere if a diskette infected with a boot sector virus was scanned. This has been corrected. If F-PROT is started with a Taskfile's pathname as the first command line parameter, the task is automatically executed. Previously, the administrator could not delete protected tasks if they were sent from another workstation. Administrator is now able to delete all tasks. A user-defined message used to be covered by the scanning indicator dialog, so the message wasn't visible until the scanning dialog was closed. The matter has been taken care of. F-PROT can now be launched from F-Agent's system menu. F-Agent's polling interval can now be adjusted from F-PROT's Preferences. F-PROT can now install icons directly in Program Manager: Scan A:, Scan B: and Scan Hard Disk. These icons can be used to execute predefined tasks. The scanning dialog now displays some informational messages during scanning, and a summary after the scan is finished. Even when a task was distributed with the 'Prevent aborting scan' option, an end user was able to abort the scan. No more. Disinfection capabilities have been added to F-PROT for Windows. Nevertheless, we still recommend booting from a clean diskette and using F-PROT for DOS to clean infections on the local hard drive. Occasional sharing violation errors on the network drive have been eliminated. F-PROT now supports the dragging and dropping of files and directories on top of the F-PROT or F-Agent icon. The dropped objects will be scanned automatically. F-PROT now supports multitasking during the initial memory test. Changes in both DOS and Windows version
The identification of boot sector viruses has been improved significantly. F-PROT performs an exact identification of most boot sector viruses it detects. Previously, it would refuse to remove variants that differed by as little as one bit from the original virus, while other programs which did not do as good an identification would happily remove the virus. F-PROT now attempts to determine whether a new boot sector virus is sufficiently similar to a known variant for disinfection to be carried out. If a virus is damaged when the file it infects has, for one reason or other, been shortened by a few bytes, F-PROT will now report '- truncated (xxx bytes missing)', instead of reporting just 'New or modified variant of ...'. This situation is very rare under normal circumstances. However, the function may interest researchers who have corrupted samples in their collections. Previously, F-PROT would not detect all Cysta.8045-infected .SYS files. This has now been fixed. The Stoned.Angelina virus could not be identified properly on 3.5" diskettes. The problem is now corrected. Voronezh.1600-infected files were not always disinfected correctly. They are now. The following false positives do not occur any more. The 'Tamanna' false positive appeared in 2.11. The others were present in older versions of F-PROT as well, but had not been reported to us before. 'Possibly a new variant of Tamanna' in PWLICLMT.EXE (part of a beta release of DEC Pathworks). 'Possibly a new variant of Cysta' in KBDF.COM (Turkish keyboard driver). 'Possibly a new variant of SillyOR' in a program named TRAPKEY.EXE. 'Leprosy' in a program named OPENPORT.COM. This false alarm occurred only with VIRSTOP and Quick Scan. New viruses detected by F-PROT 2.12
The following 57 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..." AB Abraxas.1214 Abraxas.1304 Abraxas.1508 Burger.405.D Burger.405.E Burger.405.F Burger.441 Burger.505.G Burger.505.H Burger.505.I Burger.505.J Burger.560.AK Burger.560.AL Burger.560.AM Burger.560.AN Como.1786 Doubleheart.452.B Genvir.1376 Grog.Enmity Grog.Sempre Grog.Trumpery HBT HLLO.4505 HLLO.5760 HLLO.Mission HLLO.Novademo Hot Milan.AntiNazi Milan.Naziskin.270 Milan.Naziskin.903 Milan.Sabrina Milan.Verbatim Silly_Willy-trojan Slugger Trivial.23 Trivial.24 Trivial.25.B Trivial.25.C Trivial.27.D Trivial.31.C Trivial.36.A Trivial.36.B Trivial.36.C Trivial.37 Trivial.38 Trivial.39 Trivial.42.F Trivial.42.G Trivial.42.H Trivial.43.B Trivial.43.C Trivial.59 Trivial.66 Trivial.89 Trivial.342 Trivial.Ansibomb Trivial.Vootie.B VCL.526 VCL.Mindless.423 VCL.Muu ZigZag.232 F-PROT can detect and remove the following 443 new viruses. Earlier versions of F-PROT could detect many of these viruses. Now they are also identified accurately. _241 _451 _494 _635 _638 _779 _804 _1987 _2717 Accept.3619 Accept.3773 Aiw Alexander.1843 Alexander.2104 AntiMIT.764 Arcv.Jo.912 Arcv.Ice-9.642 Armageddon.1079.E Ash 712 1586 Australian_Parasite.152 Australian_Parasite.153 Australian_Parasite.155 Australian_Parasite.187 Australian_Parasite.215 Australian_Parasite.306 Australian_Parasite.635 Australian_Parasite.AMSV Australian_Parasite.Feeble Australian_Parasite.Vga_Demo Australian_Parasite.Comic Australian_Parasite.Lipo Australian_Parasite.Gotter Baba Badsectors.3422 Baron Behaviour.Herb Berlusconi Betaboys.615 Big_Bang Billy Black_Jec.230 Black_Jec.246 Black_Jec.Sad.300 Blood_Sugar BUPT.1261 Butterfly.FJM Cascade.1699.B Cascade.1701.Jojo.G Cascade.1701.M Cascade.1701.N Cascade.1701.O Cascade.1701.P Cascade.1704.S Changsha Civil_War.281 Civil.IV Civil.568 Civil.586 Cybercide.1321 Cybercide.2256 Danish_Tiny.NC.284 Danish_Tiny.NC.286 Danish_Tiny.Wild_Thing.287 Dark_Avenger.1797 Dark_Avenger.1799 Dark_Avenger.1800.Eugen Dark_Avenger.1800.L Dark_Avenger.1800.Platina Dark_Avenger.1813 Major Datalock.828.B Datalock.828.C Deicide_II.622 Dementia Dutch_Tiny.111 Ear Job Homecoming Fax_Free.608.A Fax_Free.608.B Fax_Free.622 Fax_Free.623 Fax_Free.1024.C Fax_Free.1024.D Fax_Free.1024.E Fax_Free.1536.Lamer Fax_Free.1536.Pinniz.A Fax_Free.1536.Pinniz.B Fax_Free.1536.Pinniz.C Fax_Free.1536.Pinniz.D Fax_Free.1536.Pisello2 Flip.2153.G Flip.2153.H Friday_the_13th.416.C Friday_the_13th.416.D Frodo.Fish_6.D Ginger Gippo.JumpingJack Gotcha.605 Green_Caterpillar.1575.G Grog.1089 Grog.Gonfie Grog.IlCuoce Grog.Noncemale Grog.Ovile Grunt.529 Hates.212 Helloween.1228 Helloween.1401 Helloween.1430 HH&H.4087 Hiperion.249 HLLC.Sauna Hungarian.1409 Hungarian.Kiss.1006 Hungarian_Andromeda.1024 Hungarian_Andromeda.1536.B Icelandic.656.C Ienez Industrial Intruder.1555 Ionkin.195 IVP.351 IVP.644 IVP.Crystal IVP.Stress IVP.Taselhoff IVP.Wild_Thing.555 IVP.Wild_Thing.557 Japanese_Christmas.722 Jerusalem.2389 Jerusalem.1808.CT.SubZero.B Jerusalem.1808.SuMsDos.AN Jerusalem.Sunday.K Jerusalem.Tarapa Jerusalem.Zerotime.Australian.C Keypress.1232.L Keypress.1600 KMIT Kolumna Kommuna Kuang Lyceum.1901 March_25th.B March_25th.C Marzia.D Marzia.E Marzia.F Marzia.G Marzia.H Marzia.I Marzia.J Marzia.K Metallica.2620 Michelangelo.C Michelangelo.G Michelangelo.J Mirage MMIR.278 Murphy.1477 Murphy.1521.B Murphy.1650 Murphy.1659 Murphy.1752 Murphy.Delyrium.1788 Napalm Nipple NoFrills.840 November_17th.900.B November_17th.900.C November_17th.998 Npox.1015 PCBB.1845 Phantasm PHX.1360 Ping-Pong.Standard.G Ping-Pong.Standard.H Ping-Pong.Standard.I Pirate Pixel.761 Prague.604 Prague.Pizza Praying 579 587 Predator.1063 Proto-T.Ritzen Proto-T.Ritzen.1087 Proto-T.1050 PS-MPC.150.A PS-MPC.150.B PS-MPC.338.A PS-MPC.338.B PS-MPC.338.C PS-MPC.339.A PS-MPC.339.B PS-MPC.339.C PS-MPC.339.D PS-MPC.339E PS-MPC.343.A PS-MPC.343.B PS-MPC.343.C PS-MPC.344.B PS-MPC.344.C PS-MPC.344.D PS-MPC.344.E PS-MPC.344.F PS-MPC.346.B PS-MPC.347.A PS-MPC.347.B PS-MPC.347.C PS-MPC.347.D PS-MPC.347.E PS-MPC.347.F PS-MPC.347.G PS-MPC.347.H PS-MPC.347.I PS-MPC.347.J PS-MPC.348.B PS-MPC.348.C PS-MPC.351.A PS-MPC.351.B PS-MPC.352.B PS-MPC.352.C PS-MPC.352.D PS-MPC.352.E PS-MPC.352.F PS-MPC.352.G PS-MPC.352.H PS-MPC.352.I PS-MPC.352.J PS-MPC.352.K PS-MPC.352.L PS-MPC.353.A PS-MPC.353.B PS-MPC.357 PS-MPC.425 PS-MPC.565.B PS-MPC.565.C PS-MPC.565.D PS-MPC.569.A PS-MPC.569.B PS-MPC.569.C PS-MPC.570.B PS-MPC.570.C PS-MPC.570.D PS-MPC.572.B PS-MPC.573.C PS-MPC.573.D PS-MPC.573.E PS-MPC.573.F PS-MPC.573.G PS-MPC.573.H PS-MPC.573.I PS-MPC.574.C PS-MPC.574.D PS-MPC.577.C PS-MPC.578.D PS-MPC.578.E PS-MPC.578.F PS-MPC.578.G PS-MPC.579.A PS-MPC.579.B PS-MPC.579.C PS-MPC.594 PS-MPC.597.B PS-MPC.597.C PS-MPC.597.D PS-MPC.598.B PS-MPC.598.C PS-MPC.602.A PS-MPC.602.B PS-MPC.602.C PS-MPC.602.D PS-MPC.603.A PS-MPC.603.B PS-MPC.603.C PS-MPC.605.B PS-MPC.606.B PS-MPC.606.C PS-MPC.607.B PS-MPC.607.C PS-MPC.610.A PS-MPC.610.B PS-MPC.610.C PS-MPC.611.C PS-MPC.611.D PS-MPC.611.E PS-MPC.611.F PS-MPC.611.G PS-MPC.611.H PS-MPC.611.I PS-MPC.611.J PS-MPC.611.K PS-MPC.612.A PS-MPC.612.B PS-MPC.612.C PS-MPC.612.D PS-MPC.612.E PS-MPC.615 PS-MPC.639 PS-MPC.691 PS-MPC.739 PS-MPC.749 PS-MPC.2668 PS-MPC.Abominog PS-MPC.Actifed PS-MPC.Alchemy PS-MPC.Argent PS-MPC.Blender PS-MPC.Birthday PS-MPC.Doggy PS-MPC.Fred PS-MPC.G2.572 PS-MPC.G2.573.A PS-MPC.G2.573.B PS-MPC.G2.574 PS-MPC.G2.575.A PS-MPC.G2.575.B PS-MPC.G2.576 PS-MPC.G2.578 PS-MPC.G2.582 PS-MPC.G2.584.A PS-MPC.G2.584.B PS-MPC.G2.584.C PS-MPC.G2.585.A PS-MPC.G2.585.B PS-MPC.G2.588 PS-MPC.G2.Mudshark PS-MPC.Greetings PS-MPC.Joana.942 PS-MPC.Justice PS-MPC.Love PS-MPC.McWhale.1023 PS-MPC.McWhale.1124 PS-MPC.Mojave PS-MPC.Projekt.897 PS-MPC.Projekt.918 PS-MPC.Quest PS-MPC.Ranger PS-MPC.School PS-MPC.Schrunch.442 PS-MPC.Seven_Percent.918 PS-MPC.Shock PS-MPC.Silent PS-MPC.Skeleton.542 PS-MPC.Skeleton.550 PS-MPC.Skeleton.570 PS-MPC.Skeleton.616 PS-MPC.Skeleton.617 PS-MPC.Sorlec.597 PS-MPC.Sorlec.639 PS-MPC.Steeve.672 PS-MPC.Steeve.686 PS-MPC.SwanSong.1714 PS-MPC.SwanSong.1772 PS-MPC.Swansong.1773 PS-MPC.SwanSong.2062 PS-MPC.Walt.311 PS-MPC.Walt.355 PS-MPC.Warez.1805 PS-MPC.Weakley PS-MPC.Z10.683 PS-MPC.Z10.687 PSV.B Pysk Raptor Russian_Tiny.127 Sandy Satan.602 Shake.C Sidewinder SillyC.92 SillyC.100 SillyC.158 SillyC.207 Sparkle Steryd Stoned.Standard.F Stoned.Standard.I Stoned.Standard.J Stoned.Standard.L Stoned.Standard.M Stoned.Standard.O Stoned.Standard.P Stoned.Standard.Q Stoned.Standard.R Stoned.Standard.S Stoned.Standard.Good Stoned.Standard.Pervert Stoned.Standard.Space.B Stoned.Standard.Udos Sybille.1200 Sze.314 Taiwan.677 Taiwan.743.C Timid.298 Timid.299 Timid.301 Timid.303 Tiny_GM Tiny_family.Fred Trakia Trident.444 Trident.Nolimit2 Troi.C Troi.D Unhandled VCL.379 VCL.Angel.436 VCL.Angel.1681 VCL.Assassin VCL.Dial VCL.Julian VCL.Olympic.B VCL.Sorlec VCL.Suck VCS.Standard.Darkside VCS.Standard.Test Vienna.533 Vienna.608 Vienna.610 Vienna.660 Vienna.680 Vienna.700.A Vienna.700.C Vienna.709 Vienna.814 Vienna.Choinka.C Vienna.Feliz Vienna.Parasite.861 Vienna.Violator.716.B Vienna.Violator.716.C Vienna.Violator.803 Vienna.Violator.821 Vienna.Violator.843.B Vienna.Violator.843.C Vienna.Violator.909 Vienna.Violator.957 Vienna.Violator.5286 Vienna.W-13.318 Vienna.W-13.507.E Virdem.1336.Locked.B Wrzod Yam.3596 Yankee_Doodle.Login.3045.C YB.426 Yesterday The following 58 new viruses can now be detected but not yet removed. _592 Antitrace Appelscha Arcv.Anna.745 Austr_Term Backform Carpe_Diem Code_Zero.735 Czech_Happy Daemaen Dark_Avenger.2829 Dillinger DIR-II.M DIR-II.O DIR-II.Q DIR-II.S DIR-II.T DIR-II.W Doomsday.715 Doubleheart.649 Gippo.Blow Glith Grog.Dream Grog.Inc Grog.NTA Grog.Outwit-C Grog.Outwit-E Grog.Public Grog.Razor Grog.Wildcard Hallow Jerusalem.Vtech Konkoor LM M5-VP2 Mystic.379 PCBB.833 PCBB.1680 PCBB.1683 PHB.B Pit Predator.1154 Proto-T.694 Raubkopie.1888.B Sayha Screaming_Fist.839 Screaming_Fist.846 Screaming_Fist.855 Screaming_Fist.862 Sluknov Split_Second.1135 Split_Second.1149 SVC.3122 Sze.351 Topa V2221 Veronika Wally X-1.571 X-3A Yog F-PROT's earlier versions could detect the following viruses. Now they can also be removed. CIS Ein_Volk Jerusalem.986 PS-MPC.ARCV.2.692 PS-MPC.ARCV.2.693 PS-MPC.ARCV.8 Satanbug VCL.Chuang VCL.Diarrhea.933 VCL.Diarrhea.1222 VCL.Diogenes VCL.Mimic Warrior Weak Yeke.1076 Yeke.1204 The following viruses have been renamed in order to make F-PROT follow the CARO naming standard as closely as possible. Also, the _758 and Gemand viruses have been moved into the Hungarian_Andromeda virus family. _1068 -> Spinner _1417 -> Spanish_Fool _1441 -> Sum _1588 -> Distrust _1784 -> Three_Tunes _2000 -> Alphastrike Anticlr -> Anti-Clerical Commonwealth -> CIS Dos1 -> Dos_1 Error_412 -> Runtime Groz -> Grozny Inoc -> Inoculation Krusha -> Khrusha Micro-128 -> Micro NGV -> Genvir QMU.1513 -> QMU Quit-1992 -> Quit Satwar -> Satanic_Warrior Simple -> Simple_Minded Talking_Heads -> No_Party Tula.419 -> Tula V-1920 -> Dostepu
This text may be freely used as long as the source is mentioned F-PROT Professional 2.12 Update Bulletin - Copyright (c) 1994 F-Secure Ltd
This file may not be placed to be available for download in a system which allows users to access live computer viruses, source codes for viruses, or instructions for generating a new virus. Also, the guys in 'Immortal Riot' virus group are specifically *not* granted a right to publish any parts of this document in their own, virus-related publications. Thank you.

F-PROT Professional Support < f-prot@datafellows.fi >

. .