F-PROT Professional 2.13 Update Bulletin
CONTENTS 3/94

- Microsoft chooses F-PROT Professional
- News in Short
  - Electronic Support Services
  - A Virus Instruction Guide Published in France
  - Onwards the Evolution
- New Viruses In the Wild
  - Jumper
  - Junkie
  - SMEG
  - J&M
- A Closer Look at the Global Virus Situation
  - Virus Situation in South Africa
  - Virus situation in Japan
- Creating a Virus Prevention Strategy with F-PROT Professional
  - Scheduled F-PROT Scans In Workstations
  - Utilizing the Network
  - Alternative 1
  - Alternative 2
  - Alternative 3
  - Alternative 4
  - Automatic updating of F-PROT via a network
  - Scanning File Servers
  - Additional notes
- Feature: False Alarms
  - Polymorphic Viruses and False Alarms
  - Boot Sector Viruses
  - Heuristics
  - Integrity Checkers
  - How to Recognize a False Alarm
  - Future
- Dark Side of the Moon: What Motivates Virus Writers
  - In the Interests of Research
  - Limited Forums
  - Army of Darkness
  - Legalize Pot!
  - Get the Lamers!
  - Off the Beaten Path
  - Romancing the Code
  - ...Just Add Some Water...
  - Stamp Collectors
  - Benefits of Virus Writing
- F-PROT Support informs: Common Questions and Answers
- Changes in F-PROT Professional 2.13
  - Heuristic Analysis
  - Automatic Update
  - Other Changes
- New Viruses Detected by F-PROT 2.13


F-Secure Ltd, Wavulinintie 10, 00210 Helsinki, Finland
Tel. +358-0-692 3622, Fax +358-0-670 156, E-mail: f-prot@datafellows.fi
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.13 Update Bulletin; Copyright (c) 1994 F-Secure Ltd.
Microsoft chooses F-PROT Professional
F-PROT Professional's fast progress continues on all fronts. New technical features are continuously being added to the product family, the program keeps proving its mettle by winning tests all over the world, and our clientele has been joined by such interesting companies as, for example, Microsoft Corporation.

In keeping with our traditions, the current version of F-PROT Professional can find several hundred more viruses than the previous full update, which was distributed to all our customers two months ago. The Heuristic Analysis has been redesigned as well. It can now find new, previously unknown viruses even better than before. A detection mechanism for the new, highly advanced polymorphic generator, SMEG, has also been added to F-PROT.

F-PROT has again won several tests. Let us take two examples. In a test arranged by the Swedish Windows World magazine, F-PROT was the only product to be "Recommended by the Editorial Staff". Software Digest in the USA named F-PROT's NLM version the Editor's Choice.

Many well-known international companies have switched to F-PROT Professional products. The most famous of these is probably Microsoft Corporation, which has acquired a world-wide internal license for F-PROT Professional and F-PROT NLM products. Other new F-PROT users include such distinguished companies and organizations as Goodyear and Hong Kong University of Technology.

News in Short
Electronic Support Services
F-Secure Ltd's Internet domain name has been changed to datafellows.fi. Our support service can now be contacted at the address f-prot@datafellows.fi. Our X.400 address remains the same, namely X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.

A Virus Instruction Guide Published in France
A French version of Mark Ludwig's notorious virus instruction book, "The Little Black Book of Computer Viruses", has been published after a trial. The book's publisher, Addison & Wesley France, was sued at the end of last year to prevent the book from reaching print. The court, however, judged the book to be suitable for publication. The court ordered the claimant to pay Addison & Wesley 20.000 francs for damages to reputation caused by the trial.

Some time ago, Mark Ludwig published a sequel to his Little Black Book, called "Computer Viruses, Artificial Life and Evolution". The book contains examples of virus code and four functional viruses. The book's viruses could also be ordered on diskette for an additional payment.

Ludwig's latest questionable stunt has been the publication of a CD-ROM virus disk. Ludwig's own publishing company, American Eagle, published a CD-ROM disk which contained a great number of different viruses, virus creation programs and other malicious software. The disk's price was one hundred dollars.

Onwards the Evolution
A new virus, known as Evolution 2001, is on the move in Eastern Europe. The virus was spread through BBSs in the files BREAKARJ.ZIP and ZIPCRACK.ZIP. Evolution 2001 has many exceptional characteristics: it uses 386 instructions, loads itself into upper memory and employs polymorphic encryption. In fact, Evolution 2001 bears a strong resemblance to the Tremor virus, which is still quite common in Germany.

New Viruses In the Wild
Jumper
The Jumper virus is known by many different names: its aliases include French Boot, Sillybob, Neuville, Touche, EE and _2kb. The variety of names is caused by the fact that, despite being widely spread, the virus is quite new. It was given a different name in each location where it was found, and no common name has yet established itself. The official CARO name, however, is Jumper. Jumper was first found in France at the end of 1993, and it was spotted in Denmark in the beginning of 1994.

Functionally, Jumper is not especially noteworthy. Being a boot sector virus, it spreads only on infected diskettes. It infects diskette boot sectors and hard disk MBRs. The virus infects computers only when somebody tries to boot them from infected diskettes. Jumper can infect the hard disk even if the boot attempt is unsuccessful. Once the virus has infected the hard disk, it spreads to virtually all diskettes used in the computer.

Junkie
The Junkie virus was circulated through European BBSs at the end of May. It travelled in a file called HV-PSPTC.ZIP. According to its description, the file was supposed to contain a program which would make it possible to install illegal copies of the game Pacific Strike directly from the hard disk instead of from diskettes. The archive's only content, PSPATCH.COM, contained nothing but the Junkie virus, however.

Junkie is a Swedish multipartite virus. It infects hard disk MBRs and COM files. When an infected file is executed in a computer for the first time, the virus overwrites the hard disk's MBR with its own code but does nothing else. During its next execution, the virus goes resident in memory and infects all executed COM files. Infected COM files grow by approximately 1035 bytes. Since the virus infects all executed COM files, it corrupts files which are structurally EXEs but happen to have the extension COM.

The virus code is doubly encrypted. The following message is hidden under the second encryption layer:

    Dr White - Sweden 1994 Junkie Virus - Written in Malmo...M01D

The Junkie virus can be noticed by the decrease of available memory in the system. Some programs also display the message "Program too big to fit in memory" when they are executed. F-PROT is able to detect and disinfect the Junkie virus in both files and boot sectors.

SMEG

Two new viruses, Pathogen and Queeg, have been found in England. They have been produced with a utility which their author, who is known as The Black Baron, calls Simulated Metamorphic Encryption Generator (SMEG). The viruses are highly polymorphic, which means that every new infection looks completely different from previous ones. Pathogen and Queeg are memory-resident file viruses. They infect COM and EXE files. Pathogen activates on Mondays between 5 and 6 p.m. It overwrites part of the hard disk and displays the message shown below.

During May, the SMEG viruses gained a lot of publicity in England. In practice, however, they have not been able to spread very far. F-PROT finds all known viruses using the SMEG encryption utility. F-PROT performs an accurate identification, reports the exact variant in question, and is also able to remove SMEG viruses reliably.

J&M

A new boot sector virus called J&M has been reported to be in the wild in the Czech Republic, Hungary and Poland. This virus infects diskette boot sectors and hard disk MBRs in the usual manner. J&M is a destructive virus, activating on the 15th of November. Upon activation, it enters an infinite loop and formats the first tracks of the first hard drive.

There has also been a large-scale outbreak of J&M in Iceland. This is quite remarkable in itself, since before this incident no new viruses had been detected in Iceland for over two years. The virus was probably brought into Iceland in a portable PC which had been infected while its owner was traveling in Eastern Europe. F-PROT is able to detect and disinfect the J&M virus.

A Closer Look at the Global Virus Situation
Virus Situation in South Africa
The latest overseas virus to show up in South Africa is Azusa. Azusa, which was probably written in Hong Kong, made its arrival in March. Azusa is a memory-resident boot sector virus. It infects diskette boot sectors and hard disk MBRs. After 32 boots, the virus activates and disables the system's COM1 and LPT1 ports. F-PROT is able to detect and disinfect the Azusa virus.

A couple of South African "natives", namely the original Bunny virus and three of its variants, have also been doing their rounds. These viruses are memory-resident boot sector infectors. They infect diskette boot sectors and hard disk MBRs. Bunny and its variants employ advanced stealth techniques and may damage the data on the hard disk to some degree. F-PROT is able to detect and disinfect the Bunny virus and its variants.

Virus situation in Japan
There are three groups of anti-virus products in Japan:

- Software supposedly used as stand-alone products
- Software supposedly used on networks
- Hardware products

Among these, stand-alone software is the most widely used. This is clear from the recovery measures section of the IPA Virus Incidents Report. This section mentions discovery and repair methods and the time taken; only 10% of the whole section deals with means other than vaccines (anti-virus software). The IPA virus figures in Japan are: 1991 - 57 cases, 1992 - 253 cases, 1993 - 897 cases, 1994 - 527 cases so far.

Creating a Virus Prevention Strategy with F-PROT Professional
Installing virus protection software in a corporate environment needs to be planned. A functional virus protection must cover all workstations and networks. Different kinds of workstations require different prevention policies, though.

Workstations and VIRSTOP

All workstations should be protected with the memory-resident virus prevention program, VIRSTOP. VIRSTOP checks all programs before they are executed, and automatically scans the boot sectors of diskettes that are used in the computer. If VIRSTOP finds a virus, it prevents the infected file or diskette from being used, and informs the user about the infection.

VIRSTOP can be loaded from either CONFIG.SYS or AUTOEXEC.BAT. This can be done with the simple command:

    C:\F-PROT\VIRSTOP.EXE /DISK

If VIRSTOP is started with the DISK parameter, its memory requirements decrease significantly. The program also recognizes other command line parameters. If you cannot prevent diskette boots directly in the BIOS Setup, use the parameter WARM. As a consequence, VIRSTOP will scan the boot sector of the diskette in drive A: every time Ctrl-Alt-Del is pressed. The COPY parameter provides some extra security. It instructs VIRSTOP to scan every program file as it is copied. The use of this parameter slows the computer down slightly. The command VIRSTOP /? gives you a list of all available command line parameters.

If VIRSTOP is loaded into the computer's memory before the workstation is logged into the network, and you want to protect the network from being infected from unprotected workstations, you can add a command suitable for the purpose to the batch or script file which is used for logging into the network. The file IS_VS.BAT on the F-PROT distribution diskette provides an example of such a command. If a user removes the VIRSTOP command, he or she is prevented from logging into the network. Another option is to load VIRSTOP during login. Normal users should not be allowed to modify the login batch or script.
Scheduled F-PROT Scans In Workstations
VIRSTOP is a good tool for preventing all typical infections, but you won't get perfect protection by using it alone. VIRSTOP scans only programs and diskettes that are actually used. If a virus is hiding in a file that is seldom or never used, the user won't know it. VIRSTOP doesn't detect as many viruses as F-PROT's Secure Scan does, either: TSR programs must sacrifice some abilities in order to keep memory requirements down and execution speed up.

The workstations' hard disks should therefore be periodically scanned with F-PROT itself. The scans should happen automatically so that users do not need to worry about them. The scans are easy to schedule with F-PROT Professional for Windows. The program contains a special option, "Schedule", which is designed for just this purpose. F-PROT for DOS can be scheduled to perform scans by using F-AUTO. A line which runs F-AUTO should be added to AUTOEXEC.BAT or to the login batch. As for the scan interval, seven days is usually sufficient if VIRSTOP is in use. If machines are not running VIRSTOP for some reason, set the scan interval to 0, which means that machines are scanned once a day. The F-PROT distribution diskette contains examples of using F-AUTO and FP.BAT.

Utilizing the Network
You can update and maintain F-PROT centrally if you have a functional network. F-PROT can also be updated on every workstation separately, but it is far easier to build an automatic installation and updating system by using shared disks. Instead of scanning servers with F-PROT Professional for DOS or F-PROT Professional for Windows, you can use the program's OS/2 or Novell Netware version to do that. You can use the F-CHECK integrity checker to attain further protection. To automate scanning or integrity checking, use F-AUTO. Some alternatives are listed below.

Alternative 1
Install F-PROT Professional for DOS on the file server's shared disk. The workstations can access the program through the network. The administrator can use the same program to scan the server's files. The program should be located in a read-only directory. Install VIRSTOP on every workstation and construct an automatic updating system. VIRSTOP will protect the workstations even if the network is down for some reason. When a user logs into the file server, he or she can run F-PROT itself. After the initial installation, the administrator needs only to update the copy on the server. You can automate scanning with F-AUTO.

Alternative 2
This solution is otherwise similar to the one described above, but the automatic updating system is configured to install and update the whole F-PROT Professional for DOS onto the individual workstations. Use F-CHECK if you think extra protection is in order. Once the system is installed, only the copy on the server needs to be updated manually. After that, F-PROT is automatically updated on the individual workstations. You can automate scans and checks with F-AUTO. Look for examples of how to do this on the F-PROT distribution diskette.

Alternative 3
Install F-PROT for Windows on all workstations. Also install VIRSTOP on the workstations. The Windows version includes an automatic updating system and a scheduler. With F-PROT for Windows, it is also possible to send scanning tasks and reports over the network. If you want extra protection, use the F-CHECK integrity checker.

Alternative 4
Construct the system according to one of the above-mentioned alternatives. To protect the servers, use F-PROT Professional for OS/2 on Lan Manager servers, and F-PROT Professional for Novell Netware on Novell Netware servers. These programs include tools for automating scanning tasks.

Automatic updating of F-PROT via a network
F-PROT, F-CHECK and VIRSTOP are compatible with practically all LANs. F-PROT can be used with a network in two different ways:

- Use the programs from a shared disk.
- Use the programs from a local disk.

If you choose to use only shared disks, users must log into the network regularly. VIRSTOP can usually be loaded only after the shared disks are available. Check VIRSTOP's functionality by executing the command F-TEST. If the network connection disturbs VIRSTOP's link to DOS, F-TEST will report it. If this is the case, you must either load VIRSTOP after the network drivers, or run VIRSTOP a second time with the parameter REHOOK after the network connection has been established. The REHOOK parameter does not change VIRSTOP's memory requirements.

If you choose to use local disks, users can run F-PROT even if the network is down. Automatic updating to workstations can be handled in two ways:

- Use the REPLACE command under DOS. This causes F-PROT to be copied to the workstations every time the users log into the network. If the workstations connect to the network during every boot-up, add the necessary commands to the login batch or to AUTOEXEC.BAT.
- Use the FPUPDATE.BAT batch file. It uses a special version file to check whether a new version of the program has been put on the server. Updating occurs every time the server version has been updated and the user logs into the network. Call FPUPDATE from the login batch or script or from AUTOEXEC.BAT.

In both cases, the new F-PROT version can be used immediately after logging into the network. VIRSTOP can be used after the next boot-up. For more information on how to construct an automatic updating system, read the files NETWORK.TXT and FPUPDATE.BAT on the F-PROT update diskette. Both files can be found in the MATERIAL subdirectory.

Scanning File Servers
There are several ways to scan file servers:

- The administrator scans the file server while logged in with a special user name. This name should have read rights to the whole server, but no write rights at all. The user rights attributes should be chosen very carefully. Although it is possible to choose a combination of attributes that makes it impossible for viruses to spread, it is very difficult to do (especially when operating with a Novell network). Scanning should be scheduled to happen at night, when the network load is lightest. Such scheduling is easiest to do with F-PROT's Windows or OS/2 versions.
- The administrator scans the file server by using a batch file located on a special, bootable diskette. This batch file should contain all the commands needed for logging into the network and for scanning the file server. The report can be directed to a file. A special diskette is needed because the administrator may need to log in with a high access level to be able to scan all disks. The diskette must include all the programs needed for booting and for establishing the network connection. For safety reasons, the scanning should be performed after a clean boot. If the computer that is used for scanning harbors an active stealth virus using fast infection techniques, the virus may manage to infect every file on the file server during the virus scan. This risk can be avoided by booting from a clean diskette.
- The server can be scanned directly by using either F-PROT Professional for OS/2 or F-PROT Professional for Novell Netware, depending on which network operating system is used.

Updating workstations without a network

On workstations that are not connected to a network, F-PROT can be updated by using a specially prepared boot diskette. Commands for scanning the hard disk and for copying the new version of F-PROT to the hard disk can be added to the diskette's AUTOEXEC.BAT. Distribute such diskettes to the users. All they need to do is boot their workstations from the diskette.

Additional notes
Certain programs grab DOS interrupts for themselves, ousting other TSRs that are using them. This means that VIRSTOP will either have to be loaded after these programs or rehooked afterwards with the command VIRSTOP /REHOOK. Some of these situations are listed below:

- NETX (Novell)
- Stacker 4
- DOS window under DESQview
- logging in to a TOP-VIEW network
- IBM AS/400 PC Support

Since the AS/400 device drivers modify the data areas of other TSR programs, the loading order of the TSRs must be changed. Load VIRSTOP from CONFIG.SYS with a DEVICE or DEVICEHIGH command, and change the loading order. The correct loading order of the drivers is:

1. DEVICE=DXMA0MOD.SYS, DXME0MOD.SYS, DXMT0MOD.SYS and other DXMA drivers (which are generally needed for e-mail purposes)
2. DEVICE=VIRSTOP
3. DEVICE=EIMPCS.SYS and also ECYDDX.SYS, if it is needed

Remember to test the functionality of VIRSTOP by running F-TEST. More information on using F-PROT in a network environment can be had from your local F-PROT distributor, or from F-Secure Ltd's F-PROT Support.

Feature: False Alarms
Every now and then, anti-virus programs produce false alarms. False alarms are virus alerts given of clean files. In fact, any situation in which a user suspects a clean computer to be infected can be construed as a false alarm, even if the alarm is not given by some anti-virus program.

Polymorphic Viruses and False Alarms
In many cases, a false alarm occurs when an anti-virus program thinks it has found a polymorphic virus. Data files are often the source of such alarms. Anti-virus programs tend to give false alarms of polymorphic viruses because they have to search for such viruses by using various algorithms. Every now and then, these algorithms produce false alarms, because a data file containing random data may sometimes look very similar to a file infected by a polymorphic virus.

Conventional viruses which do not modify themselves can be detected by using one or more search strings. These strings are code strips taken from the viruses themselves. A string's purpose is to accurately identify the virus it is taken from, which is why each string must be carefully selected from the viral code.

Boot Sector Viruses
False boot sector virus alarms are rare. Since there is only a limited number of legitimate boot sectors, it is simple enough to test an anti-virus program with all of them and so make sure that no false alarms are possible. A boot sector is 512 bytes long. It is well within the capabilities of anti-virus programs to analyze such a small amount of code in its entirety. This also reduces the probability of false alarms.

Heuristics
The number of false alarms may increase if files are scanned with heuristics. When heuristic analysis is used, anti-virus programs check the code inside files for suspicious routines which can often be found in viruses. If heuristics report a possible virus infection, it is not a case of a "normal" false alarm. The flagged file may be clean, but it contains code typical of viruses. Since heuristic analysis has been developed for the express purpose of detecting this kind of code, such alarms cannot be considered false in the way erroneous alarms given by a normal scan are. If heuristic analysis reports that a formatting program contains code which performs direct disk writes, it is by no means a mistake; on the contrary, the anti-virus program has obviously reached the correct conclusion.

Heuristics is, therefore, a tool which cannot be recommended for end users. The analysis of heuristic reports often requires some sort of expertise. When wielded by an expert, heuristic methods provide additional security against viruses. However, a user who is not acquainted with such matters may only be needlessly alarmed by the warnings given by heuristics.

Integrity Checkers
False alarms are quite common when integrity checkers, a.k.a. checksummers, are used. Integrity checkers usually give warnings of all changes that have happened to files. Since integrity checkers do not search for viruses per se, they do not give alarms which announce clean files to have been infected by viruses, either. An integrity checker only reports the changes it has detected in the contents of a file or a boot sector. Files may change for other reasons than virus infections, however. This happens when a program is updated, for instance. Some programs also alter their own code; the most famous example is MS-DOS's SETVER.EXE. In such cases the user must be able to distinguish false alarms from real ones.

An integrity checker's tendency to give false alarms can be limited by adding a heuristic faculty to the program. The checker itself can then make a rudimentary distinction between legitimate and virus-induced changes, and give a report of its observations. The user can then make a final judgment of the results.
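The following is an added example of the kind of integrity checker with a "heuristic faculty" described above; it is illustration code written for this bulletin, not F-CHECK or any other F-PROT component. It keeps a little more than a checksum in its baseline so that it can tell the change pattern of an appending file infector (the file grows, the entry bytes are rewritten, the rest stays in place, as described for Junkie earlier in this bulletin) apart from an ordinary program update or a known self-modifying program such as SETVER.EXE. The file names, contents, and the 16-byte "entry region" are assumptions made for the example.

```python
"""Integrity checker with a rudimentary heuristic faculty (added example, not F-PROT code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum

HEAD = 16  # assumed size of the entry-point region kept in the clear in the baseline


class Verdict(Enum):
    UNCHANGED = "unchanged"
    APPENDED_CODE = "grew, original body intact, entry bytes patched: appending-infector pattern"
    EXPECTED_SELF_MODIFY = "changed, but listed as self-modifying: expected, not an alarm"
    APPENDED_DATA = "grew, original body and entry intact: appended data, review manually"
    REPLACED = "contents rewritten: probably an update, confirm where it came from"


@dataclass(frozen=True)
class Baseline:
    size: int
    digest: str       # SHA-256 of the whole file
    head: bytes       # first HEAD bytes, kept verbatim
    body_digest: str  # SHA-256 of everything after the head


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(data: bytes) -> Baseline:
    """Record what a later check needs in order to classify a change, not just notice it."""
    return Baseline(len(data), _sha256(data), data[:HEAD], _sha256(data[HEAD:]))


def classify(old: Baseline, data: bytes, self_modifying: bool = False) -> Verdict:
    """Compare a file against its baseline and name the kind of change seen.

    self_modifying marks programs the administrator knows rewrite themselves
    (the bulletin's SETVER.EXE example). Their in-place changes are reported as
    expected, but the appending-infector pattern is never masked by that flag.
    """
    if _sha256(data) == old.digest:
        return Verdict.UNCHANGED
    grew = len(data) > old.size
    # "Body intact": the bytes that followed the original head are still at the
    # same offsets. An appending infector leaves them alone and patches the head
    # so that execution starts in the code it tacked onto the end of the file.
    body_intact = len(data) >= old.size and _sha256(data[HEAD:old.size]) == old.body_digest
    if grew and body_intact and data[:HEAD] != old.head:
        return Verdict.APPENDED_CODE
    if self_modifying:
        return Verdict.EXPECTED_SELF_MODIFY
    if grew and body_intact:
        return Verdict.APPENDED_DATA
    return Verdict.REPLACED


def check(baselines: dict[str, Baseline], files: dict[str, bytes],
          self_modifying: frozenset[str] = frozenset()) -> dict[str, str]:
    """Run classify() over a directory listing; new and missing files are reported too."""
    report: dict[str, str] = {}
    for name in sorted(set(baselines) | set(files)):
        if name not in files:
            report[name] = "missing since baseline"
        elif name not in baselines:
            report[name] = "new file, no baseline"
        else:
            report[name] = classify(baselines[name], files[name], name in self_modifying).value
    return report


def demo() -> dict[str, Verdict]:
    """Constructed sample files (not real programs) covering each verdict."""
    # A tiny COM-style stub: its first bytes are the entry point.
    hello = bytes([0xB4, 0x09, 0xBA, 0x10, 0x01, 0xCD, 0x21, 0xC3]) + b"Hello$" + b"\x00" * 200
    setver = b"MZ" + b"\x00" * 500   # stand-in for a self-modifying program
    tool = b"MZ" + b"\x01" * 300     # program that will receive a normal update
    edit = b"MZ" + b"\x03" * 100     # program that will get a configuration overlay appended
    base = {n: baseline(d) for n, d in
            {"HELLO.COM": hello, "SETVER.EXE": setver, "TOOL.EXE": tool, "EDIT.EXE": edit}.items()}
    later = {
        # Appending-infector pattern: entry replaced by a 3-byte jump, 1035 bytes of
        # filler (the growth the bulletin quotes for Junkie) added at the end, body untouched.
        "HELLO.COM": b"\xE9\x00\x00" + hello[3:] + b"\x90" * 1035,
        "SETVER.EXE": b"MZ" + b"\x00" * 100 + b"\x07" * 400,  # in-place change, same size
        "TOOL.EXE": b"MZ" + b"\x02" * 450,                   # different size and contents
        "EDIT.EXE": edit + b"CFG" * 10,                       # data appended, entry unchanged
    }
    return {n: classify(base[n], later[n], self_modifying=(n == "SETVER.EXE")) for n in later}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11} {verdict.value}")
```

The verdicts are a starting point for the user's own judgment, as the text says: APPENDED_CODE deserves a scan with a clean boot, while REPLACED should be checked against a known update.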
How to Recognize a False Alarm

False alarms can usually be spotted fairly easily. Some advice on how to recognize a false alarm can be found below.

False alarms occur most often in situations where a virus's code is read into the computer's memory, but the virus is not executed. This kind of situation occurs when, for example, the contents of a diskette infected by a boot sector virus are listed with the DIR command. DOS reads the boot record into memory, but does not execute it. As a consequence, the computer's memory will contain an image of the boot sector virus. This image will be detected by anti-virus programs during a memory scan. A similar situation may occur when infected files are copied. These alerts, caused by virus images, are known as ghost alarms. In other words, if an anti-virus program finds a virus in the computer's memory, but the virus cannot be found on the hard disk after a clean diskette boot, it is probable that an infected diskette has recently been used in the computer. Check all diskettes to find the culprit.

Some skepticism is in order if an anti-virus program reports only one, regularly used program to be infected. It may be a false alarm; otherwise many other files would also be infected. This kind of false alarm usually occurs immediately after anti-virus programs have been updated.

Alarms given of pure data files are almost always false ones. Since viruses cannot spread from data files, they avoid infecting them. An alarm given of a data file usually specifies some polymorphic virus. Normally, only executable program files should be checked for viruses; even though there are some viruses which infect data files, they infect normal program files also. There's no reason to check all files unless an infection is actually found. Besides, a scan goes much faster if you check only executable files.

If an old version of some anti-virus program finds a virus which newer versions of the same program do not seem to be able to detect, the alarm is probably due to a bug which has been noticed and corrected in the new versions. Since the makers of anti-virus programs usually correct the false alarms given by their products as soon as they are noticed, it pays to use the latest versions of such programs.

If you use two different anti-virus programs, they may cause false alarms in each other. Since some anti-virus programs keep their search strings unencrypted in memory or in a file, other such programs may mistake these strings for real viruses. This kind of false alarm is quite usual. The problem can be avoided by removing the program using unencrypted strings.

Future
The continuing increase in the number of viruses will be reflected in the number of false alarms. Polymorphic viruses in particular will cause problems. Many anti-virus programs strive to detect new, unknown versions of known viruses. In such cases, it is practically impossible to totally prevent false alarms.

False negatives, on the other hand, are much more dangerous than false alarms. A false negative means a situation where a virus goes unnoticed. Traditional anti-virus programs based only on search strings are virtually useless against completely new viruses, but programs incorporating integrity checking and heuristics can detect them with great accuracy. Self-modifying viruses pose a special problem to anti-virus programs. If such a virus cannot be recognized in all its different forms, a supposedly disinfected computer may retain unnoticed copies of the virus in some of its files. The remaining viruses will continue to spread further.

False alarms should always be reported to the representatives or makers of anti-virus products so that the bugs causing them can be fixed. It is also a good way to make sure that the alarm in question is really a false one.

Dark Side of the Moon: What Motivates Virus Writers
by Markus Salo, freelance writer

The views expressed in this story may not necessarily reflect the views of F-Secure Ltd.

Many of us may have wondered what motivates some people to create viruses. At first glance, the act seems completely irrational: there is no money to be gained, and virus writers run the risk of being held liable for the destruction caused by their pets. Virus writers have their reasons, of course. Few people do anything without a good reason, even less so these sometimes highly intelligent programmers. A good reason need not be a rational one, however. It need not even be conscious. We all do some things just because - let's face it - we feel like it. Revenge and misanthropy aside, why do some of us feel like churning out malicious programs?

In the Interests of Research
Some people, particularly the top-class virus writers, maintain that their interest in viruses is purely scientific. They wish to find out everything there is to know about viruses and their uses. Well and good. The question is, why have they picked viruses as the search subject?

Limited Forums
For somebody interested in programming per se, but without a formal degree and/or inclination to direct his or her talents into some specific field, the world offers lean pickings. Software companies are relatively insular organizations which have trade secrets to protect. Theoretical research into computing usually requires a university degree and a post in some research team. What's left?

Virus groups are virtually the only organized programming forums open to anybody interested. They offer support, programming tips, camaraderie and few limitations. Group members can count on advice from other members, and they are free to pursue any subject that catches their fancy. Since the groups are more or less hobby organizations, members need not fear that somebody will cut off their funding or publishing avenues.

Army of Darkness
Why must such groups be especially virus groups? We haven't seen much in the way of games, utility programs or word processor groups. Even if such groups have been formed, they haven't survived, whereas virus groups have. Virus groups have drive.

Virus writing is in itself a powerful cohesive force. It places the programmer outside conventional rules of acceptable behavior. In return for relinquishing a place in ordered society, a virus writer gains the membership of a shadow society, a virus group. That the transition is largely imaginary is not important. It's the image that counts.

The image must, of course, be upheld. Look at all the paraphernalia associated with virus groups and writers. Handles with Dark this and Dark that. Fire and brimstone. Heavy metal citations. Weird bits. The more sophisticated virus writers will no doubt argue that such things are pure self-irony. After all, no one could take such adolescent foolishness seriously. Indeed? The one thing that tends to characterize virus publications is a dreadful lack of humor. Most of these guys are dead set on their chosen roles. Got you, lamer! Ha-ha. It must be noted, though, that most secretive societies display similar characteristics. The idea of freemasonry does not strike me as particularly mature, either.

Legalize Pot!
Somewhat out of keeping with their secret-society image, virus groups are trying to gain legitimacy for their activities. This can be partly seen as a response to toughening legislation. These groups definitely do not want to be shut down by governmental agencies. Official harassment might scare away prospective members, too. The groups have been cleaning up their act by limiting public access to the viruses, polymorphic generators etc. they create. Moreover, many group members almost routinely equip their creations with notes which forbid them to be used for destructive purposes. This, they feel, gives them moral superiority. Legislative anti-virus measures must be seen as censorship. Freedom of expression must be protected at any cost. These claims may well have a certain validity. However, as long as the groups keep turning out software which is either potentially or actually harmful, such arguments are either outright hypocritical or at least morally one-sided. More interesting, though, is what legitimacy would mean to the groups themselves. Virus groups exist to create and distribute viruses and other malicious software. If they stop doing that, or are brought under official control, they lose their reason for existence. A legitimate, official virus group would have very little cohesive force. Who would wish to join? Do these guys know what they are doing to themselves?

Get the Lamers!
There are some talented virus writers outside the established virus groups. It is often among them that the most widely spread and destructive viruses originate. These people are not in viruses for anything like research. They are out to catch lamers. In this context, a lamer is anybody who hasn't protected his or her system well enough. And why should lamers be caught? Well...why rip wings off a fly...stomp faggots...climb a mountain (because it's there, and you can).

Off the Beaten Path
These people seem to want two things: thrills and reputation. They are not necessarily nerds, as has often been conjectured, but they are obviously not satisfied with their occupation and/or social life. Most of them also seem to be adolescent and male. It is from this group that terrorists most often recruit, also. Make no mistake: virus writers of this kind can often be very intelligent. They do not create destructive viruses because they lack appreciation of the consequences, but to satisfy emotional needs. The viruses themselves do not really matter. They are just a vehicle for negative self-expression. A means to establish a place in the world. Something to brag about (or something to drop hints of: F-Secure has received letters in which virus writers deliberately gave clues about their identity). Fortunately, few of these virus writers persist long in the adolescent stage. Usually they either get seriously interested in viruses and join an established virus group, or find something more profitable to occupy their time.

Romancing the Code
Finally, there are people who do not necessarily know the first thing about assembly language or virus programming. They are into viruses because it's cool. Viruses, polymorphic generators and trojan horses have a certain somber lustre about them. Who knows, maybe some of it will rub off if one hangs around them long enough.

...Just Add Some Water...
This is the target group for virus creation kits, polymorphic generators, documented source code and other goodies that virus groups keep churning out. It does not take very much programming experience to operate a menu-based virus generator, for example. Virus writers of this kind tend to be more interested in claiming the title than in actually writing viruses. However, after practicing long enough some of them do graduate into more rarefied spheres. For writers of this kind, the most fundamental reasons for creating viruses may be the sense of belonging, and of accomplishment. Viruses also have an attractive, outlaw air about them. So does scrawling tags on buildings, for that matter. However, the additional sense of intellectual accomplishment may well give viruses an edge over graffiti.

Stamp Collectors
Some people collect viruses like others do stamps or coins. They are not usually particularly interested in using these viruses for anything. They do not necessarily even understand how their collection items work. Well, how many collectors do? But hey, it's great to have a big collection!

Benefits of Virus Writing
Virus writers often rationalize their work. Some arguments claim that certain viruses can be beneficial, some defend the freedom of expression, still others emphasize new programming techniques to be learned...what nonsense. Viruses, be they of the computer persuasion or otherwise, are basically parasites. About the only thing to be learned from them is how to make better parasites. Useless creatures, really, unless you are working for the military...which is a thing that should not be forgotten, either. However, computer viruses have had one beneficial side effect: they have made people more security conscious. Viruses are a highly visible threat, but by no means the only one. If the virus threat persuades users and administrators to improve the security of their systems, there may be some justification for the existence of viruses after all. Sort of.

F-PROT Support informs: Common Questions and Answers
If you have questions about data security or antivirus issues, please contact your local F-PROT distributor. You can also contact Data Fellows Ltd. directly at the number 358-0-692 3622. Written questions can be mailed to: F-Secure Ltd, F-PROT Support, Wavulinintie 10, 00210 HELSINKI, Finland. If you prefer e-mail, the address on the Internet is f-prot@datafellows.fi, and in X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.

Our company has some old PCs which can only read 5.25" 360 kB diskettes. I would like to scan these computers after a clean diskette boot, but the F-PROT files do not fit onto one diskette.

F-PROT for DOS does fit onto a 360 kB diskette in stripped form, that is, with only the absolutely necessary files. Copy the files F-PROT.EXE, SIGN.DEF and ENGLISH.TX0 onto a diskette. Boot the computer from a clean DOS diskette, insert the F-PROT diskette and run the scan.

I use PC-Tools for Windows 2.0. When I try to run scans by dragging folders from PC-Tools's File Manager and dropping them on top of F-Agent's icon, I receive an error message.

PC-Tools's File Manager is not wholly compatible with the Windows File Manager. It is possible to drag files from PC-Tools's File Manager, but only from the right-hand window. Do so.

MS-DOS 6 multiconfig commands and VIRSTOP.

With MS-DOS 6, it is possible to use several different configuration files. This is done with the commands menuitem and goto %config%. If the multiconfig option is used, VIRSTOP's loading command must be added either to each subsection separately, or to the common section. This way, VIRSTOP is loaded regardless of the configuration option.

Changes in F-PROT Professional 2.13
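A worked MS-DOS 6 multiconfig layout illustrating the common-section placement from the answer above. This is an added example, not text from the bulletin or from the F-PROT documentation; the install path C:\F-PROT, the menu names and the other driver lines are assumed, and VIRSTOP is assumed to be loaded from CONFIG.SYS as a device driver.

```batch
REM ---- CONFIG.SYS ---- (constructed example for MS-DOS 6 multiconfig)
[menu]
menuitem=NORMAL, Normal workstation setup
menuitem=NONET,  Stand-alone setup (no network drivers)
menudefault=NORMAL, 10

[common]
REM Lines in [common] are processed for every menu choice, so the
REM resident scanner is loaded no matter which option the user picks.
REM C:\F-PROT is an assumed install path.
DEVICE=C:\DOS\HIMEM.SYS
DEVICE=C:\F-PROT\VIRSTOP.EXE
FILES=40

[NORMAL]
REM Network driver DEVICE= lines for the networked configuration go here.

[NONET]
REM Nothing VIRSTOP-related is needed here: it was already loaded by [common].
REM Had the VIRSTOP line been placed only under [NORMAL], choosing NONET
REM would boot the workstation with no resident scanner at all.

REM ---- AUTOEXEC.BAT ----
@ECHO OFF
REM Everything before the GOTO runs for every configuration. If VIRSTOP is
REM loaded from AUTOEXEC.BAT instead of CONFIG.SYS, its command belongs
REM here, ahead of the GOTO, rather than under one of the labels below.
PATH C:\DOS;C:\F-PROT
goto %config%

:NORMAL
REM Network login commands for the networked configuration go here.
goto END

:NONET
goto END

:END
```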
Heuristic Analysis
F-PROT's Heuristic Analysis has changed significantly. To sum it up:
- The detection of new viruses has been greatly improved.
- Known false alarms have been eliminated.
- When the /GURU option is used, the report is significantly more comprehensive than before.
In version 2.13, the heuristics alarm threshold has been lowered considerably. This means that F-PROT will detect a greater portion of new viruses than before. However, it also means that the heuristics will every now and then give warnings of files which are not infected. F-PROT 2.13 heuristics may give warnings of files which, though clean, contain nonstandard or suspicious routines. Don't be unduly alarmed if you receive warnings of files which previous F-PROT versions did not consider suspicious. If you want a comprehensive report about what has caused an alarm, use the command F-PROT C:\DIR /ANALYZE /GURU. You can also send the file to us for closer analysis. The changes in heuristics do not affect Secure Scan.

Automatic Update
Two new files, NETWORK.TXT and FPUPDATE.BAT, have been added to the F-PROT update diskette's MATERIAL directory. NETWORK.TXT gives detailed instructions on the network usage of F-PROT for DOS. FPUPDATE.BAT is one example of a batch file which automatically updates new versions of the program to workstations connected to a network.

Other Changes
Boot sector virus disinfection has been improved. Viruses that do not preserve the original boot record can now be removed by overwriting the boot sector with a generic boot record substitute. The same method can also be used to remove boot sector viruses for which virus-specific disinfection has not been implemented yet. The French Boot virus has been renamed Jumper. F-PROT can now also remove the LZR virus. Many viruses created with the VCL code generator have been renamed. The following false alarms have been eliminated:
- "Possibly a new variant of Civil_Defense" given for the file CSP.SYS, which was included on Sound Blaster AWE32 driver diskettes
- "Possibly a new variant of AntiCMOS" given for hard disks which were partitioned using MITAC's utility program published in 1987
- A Jerusalem warning given for the file WIN31.EXE, which is part of the MS-Chicago beta version (only when scanned with Quick Scan or VIRSTOP)
- "Possibly a new variant of Wisconsin" given for the file SURPRISE.COM
- "Possibly a new variant of Pit" given for the file BLOCKCUR.COM
- "Possibly a new variant of Civil_Defense" given for the file PALETTE.COM
The Cossiga virus has been renamed Grazie in order to make F-PROT follow the CARO naming standard as closely as possible.

New Viruses Detected by F-PROT 2.13
The following 44 viruses are now identified, but cannot be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of...":

Bad_Brains.554.A HLLO.3816 Bad_Brains.554.B HLLO.Gov Bad_Brains.570 HLLO.Orion Budo.B HLLO.Shadowgard Burger.505.K Jasmine Burger.505.L Leprosy.Sandra Burger.505.M Leprosy.Seneca.381 Burger.505.N Leprosy.Seneca.483 Burger.512.B Lockjaw.Flagyll.316 Burger.560.AO Lockjaw.Flagyll.369 Burger.560.AP Mayhem Burger.560.AQ Morrison Burger.560.AR Orchid.120 Burger.560.AS Taiwan.752.C Fasolo.176 Trivial.Infernal Faulkner VCL.356 Grog.Aver_Torto VCL.418 Grog.Bruchetto VCL.509 Grog.Delirious VCL.541 Grog.Hop VCL.Cockroach Grog.Il_Mostro VCL.Jam Vienna.526 Vienna.561.B

F-PROT can detect and remove the following 225 new viruses. Earlier versions of F-PROT could detect many of these viruses. Now they are also identified accurately:

AntiCMOS.B Mayberry.402 Arale Mayberry.409 Ash.449 Mayberry.475 Australian_Parasite.1024 Mayberry.496 Australian_Parasite.1050 Mayberry.502 Australian_Parasite.1179 Mayberry.609 Australian_Parasite.118.A Mayberry.687 Australian_Parasite.118.B Mayberry.732 Australian_Parasite.122.A Mayberry.747 Australian_Parasite.122.B Mayberry.758 Australian_Parasite.213 Mayberry.799 Australian_Parasite.217 Mayberry.828 Australian_Parasite.221 Morrison Australian_Parasite.229 MP1024 Australian_Parasite.440 No_of_the_Beast.BG Australian_Parasite.482 Nympho.230 Australian_Parasite.588 Old_Yankee.1961.A Australian_Parasite.591 Old_Yankee.1961.B Australian_Parasite.726 Old_Yankee.1961.C Australian_Parasite.784 Phalcon.Cloud.1110 Australian_Parasite.784 Phalcon.Cloud.1117 Australian_Parasite.AMSV PHB.4461 Australian_Parasite.Gotter Phunnie Australian_Parasite.Lipo Pixel.1268 Better_World.E Pixel.739 Budo.B Pixel.846.B Burger.505.K Pixel.851 Burger.505.L Polifemo Burger.505.M PS-MPC.G2.573.C Burger.505.N PS-MPC.Page.780 Burger.512.B PS-MPC.Pikninny Burger.560.AO PS-MPC.Powermen Burger.560.AP PS-MPC.Small_ARCV.B Burger.560.AQ PS-MPV.212 Burger.560.AR PS-MPV.606.D Cascade.1701.Q PS-MPV.Arcv-1.731 Cascade.1701.R PS-MPV.G2.573.C Cascade.1704.T PS-MPV.Pikninny Cascade.1704.U PS-MPV.Powermen.717 Chaos.H PS-MPV.Powermen.718 Chaos_Year.2005 PS-MPV.Small_ARCV.B Creeper.472 PS-MPV.Tim.405 Curse_IV PS-MPV.Tim.500 Dark_Avenger.1800.Satan Quadratic.986 Diamond.1050 Rape.1882 Doom_II.1249 Rape.2887 Ear.Ear.B RedStar Ear.Ear.C Screaminf_Fist.927 Espacio.8444 Screen+1.1624 Espacio.8458 Screen+1.919 Espacio.8486 SillyCR.397 Espacio.8491 Skater.1021 Espacio.8498 Skater.699 Fasolo.176 Skater.977 Faulkner SMEG.Pathogen Fax_Free.1024.Abstract SMEG.Queeg Fax_Free.1024.F Stoned.Standard.Null.C Fax_Free.1024.G Storm.1219 Fax_Free.1024.H Storyteller Fax_Free.1536.Darkover.A Suriv_2.I Fax_Free.1536.Darkover.B SVC.3241 Fax_Free.1536.Darkover.C SysLock.Syslock.G Fax_Free.1536.Mecojoni.A Taiwan.752.C Fax_Free.1536.Mecojoni.B Taiwan_Over.2770 Fax_Free.1536.Mecojoni.C Tankard.542 Fax_Free.1536.Pinniz.E The MzBoot family Fax_Free.2766 The _484 family Fax_Free.Mecojoni Totoro.B Freddy_Soft Totoro.C Frodo.Fish_6.E Traveling_Jack.1008 Fumble.867.F Trident.914 Genesis Tuawan_Over.2944 Genvir.1440 VCL.2750 Grog.Danzerino VCL.3243 Grog.Enmity_2_0 VCL.514 Grog.Enmity_2_1 VCL.534 Grog.Joemetafora VCL.604 Grog.Joe_Anthro VCL.660 HLL.7940 VCL.Dial.671 HLLO.3816 VCL.Diarrhea.1221 IMI.A VCL.Heevahava.516 IMI.B VCL.Mimic.4863 IMI.C VCL.Pro-Choice IMI.D VCL.Reptoid IMI.E VCS.Standard.Bad_Poem IMI.F VCS.Standard.Bad_Poem Infector.847.A Vic.399 Infector.847.B Vienna.526 Ionkin.212 Vienna.561.A Ionkin.2372 Vienna.561.B Jerusalem.1506 Vienna.608.B Jerusalem.1808.Execute Vienna.Violator.707 Jerusalem.1808.Frere.I Vienna.Violator.779 Jerusalem.1808.Standard.AO Virdem.1336.Killer.C Jerusalem.AntiCad.2454 VS.2790 Jerusalem.AntiCad.26256 Wave.454 Jerusalem.AntiCad.2646 Wildfire Jerusalem.Pipi.1536 Xak Jerusalem.Pipi.1552 _339 Jerusalem.PSQR.Satan _641 Jerusalem.Smile Jerusalem.Solano.Dyslexia.Satan Jerusalem.Sunday.Nai-Tai Jerusalem.Sunday.Satan Jerusalem.Sunday_II.B Jerusalem.Tarapa.B Jihuu.686 Julia.1027 Junkie Keeper.Lemming Leprosy.Sandra Leprosy.Seneca.381 Leprosy.Seneca.483 Lesson_I.306 Lockjaw.894 Lockjaw.Flagyll.316 Lockjaw.Flagyll.369 Lyceum.1950 Maaike.164 Maaike.250 Maaike.757 Marked-X Marzia.L Marzia.M Max

The following 24 new viruses can now be detected but not yet removed:

_484 Alien ARCV.255 Australian_Parasite.440 Mike Moonlite MzBoot Number_of_the_Beast.BG PS-MPC.Page.780 Rape.1182 Rape.2887 Rubbit.681 Rubbit.1018 Rubbit.2060.A Rubbit.2060.B Rubbit.3811 Rubbit.3839.A Rubbit.3839.B Screen+1.919 Screen+1.1624 Skater.664 Skynet Svc.3241 Variable_Worm.C

F-PROT's earlier versions could detect the following 7 viruses. Now they can also be removed:

Bravo Gippo.Bumpy Gippo.Epidemic Gippo.Stunning LZR Reverse A Reverse B
This file may not be placed to be available for download in a system which allows users to access live computer viruses, source codes for viruses, or instructions for generating a new virus. Thank you.

F-PROT Professional Support < f-prot@datafellows.fi >
