F-PROT Professional 2.16 Update Bulletin
CONTENTS BRIEFLY

Contents 1/95
- F-PROT Gatekeeper Closes the Gaps in Virus Protection
- F-Secure Acquires the Status of a Microsoft Solution Provider
- The Global Virus Situation
- Mange-Tout.1099 on New Diskettes
- HDKiller in Spain
- Neuroquila in Germany
- The Good Times Incident in Internet
- News in Short
- RETROVIRUSES - How Viruses Fight Back, part 2
- F-PROT Support Informs: Common Questions and Answers
- Changes in Version 2.16
- Changes in F-PROT for Windows
- Changes in F-PROT for DOS
- Changes Common to F-PROT for DOS, Windows and OS/2
- The following false alarms have been fixed:
- New Viruses Detected by F-PROT 2.16


F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.16 Update Bulletin; Copyright (c) 1995 F-Secure Ltd.
F-PROT Gatekeeper Closes the Gaps in Virus Protection
F-Secure has published a new kind of anti-virus program. F-PROT Gatekeeper is the first active anti-virus program which is also capable of detecting polymorphic and self-encrypting viruses. F-PROT Gatekeeper functions in the background in the Windows environment, and it finds viruses in all copied or executed programs, both in Windows and in DOS boxes run under Windows.

Before the end of January, we will publish a free, time-limited pre-release version of F-PROT Gatekeeper. This pre-release version will be distributed via the Internet among other distribution channels. The purpose of the free distribution is to persuade as many people as possible to try out the new technology we have developed. The program is time-limited, however, and updates will not be available.

After the pre-release phase, F-PROT Gatekeeper will become a part of the F-PROT Professional for Windows package. The product will be distributed to our customers as a part of the program update.

Why Gatekeeper?

What are the makings of a good virus protection? The following things can be found at the top of our customers' wish list: secure, does not interfere with work, does not require anti-virus expertise from the end user, easy to install and maintain.

It is easy to understand the requirement for automation and transparency for the end user. For the end user and the organization, it is not profitable to spend good work time on anti-virus operations. If all end users have to learn the use of an anti-virus program, the collective work effort diverted from more profitable uses becomes significant. A good anti-virus system should require the end user's active participation only when a virus is actually found.

The security requirement is divided into two parts. To begin with, an anti-virus program should be able to find a sufficient number of viruses, with emphasis on the viruses that are actually circulating in the wild. Secondly, the efficiency of an anti-virus program is enhanced if the protection works actively. Active virus protection means a program which checks all opened programs and stops them from being executed or copied if it finds a virus. Active virus protection is usually provided by a DOS TSR program.

The final wish concerned the ease of installation and maintenance. F-PROT Gatekeeper can be installed centrally on all the workstations in a network. The program can likewise be updated from a single workstation. To facilitate the administrator's work, F-PROT Gatekeeper can be configured to automatically send the administrator a message when it finds a virus on one of the network's workstations. The administrator will always have access to an up-to-date log of all the virus incidents detected in the network.

DOS TSR Programs Cannot Detect All Viruses

The most important reason behind the development of F-PROT Gatekeeper is the difficulty of maintaining the detection capability of TSR-type anti-virus programs. These difficulties are mainly caused by memory requirements. Current anti-virus TSRs cannot find polymorphic viruses. It was the increase in polymorphic viruses which two years ago persuaded us to stop licensing VIRSTOP (the TSR component of F-PROT) separately. The increasing number of polymorphic viruses continues to undermine the security of TSR-type protection. This risk can be decreased by checking hard disks at regular intervals with scheduled virus checks, executed by the separately run component of the anti-virus software. For example, viruses such as Tremor, the various Mutation Engine viruses and SMEG escape the notice of even the best anti-virus TSRs. This makes F-PROT Gatekeeper the first active anti-virus program capable of detecting practically all viruses.

F-Secure Acquires the Status of a Microsoft Solution Provider
F-Secure Ltd. and Microsoft Ltd. have signed the Solution Provider agreement.

The Global Virus Situation
Mange-Tout.1099 on New Diskettes
F-Secure Ltd. has received several reports of infected preformatted diskettes in the Nordic countries. Since the beginning of this year, several vendors have been found to have sold preformatted 3.5" diskettes which contained a file called DE.EXE. Since DE.EXE is actually a simple German diskette formatting program, the file's presence on the diskettes is apparently due to a human error at the diskette factory. Unfortunately, on some of the diskettes this program has been infected by a virus called Mange-Tout.1099.

We have seen preformatted diskettes infected with boot sector viruses in the past, but the fact that Mange-Tout.1099 is a file virus makes the matter more serious; users seldom boot their computers from empty diskettes, but they may well find a file on a supposedly empty diskette intriguing, and run it just to find out what it does.

The Mange-Tout virus was first found in Hong Kong in spring 1994. Soon after that, the virus was also discovered in China. The first European incident took place in August 1994, when a couple of VGA driver diskettes infected by Mange-Tout were discovered in Norway. The diskettes had been imported to Norway from Hong Kong, and the virus is believed to have spread elsewhere in Europe at the same time as well.

Mange-Tout keeps itself encrypted all the time, even when it is resident in memory. When the virus is started, it decrypts itself by calling a complexly protected decryption routine. While in memory, Mange-Tout calls this routine when certain interrupt calls take place. The virus also contains traps for debuggers, and this makes it quite difficult to examine.

When Mange-Tout is resident in memory, it hijacks the interrupts 08h, 09h and 21h (clock, keyboard and DOS). It infects COM and EXE files, which grow by 1099 bytes. The virus activates when a computer's keyboard has been left untouched for one hour. It tries to erase the computer's CMOS memory and main boot record, but fails more often than not and only manages to crash the computer.

The words Mange and Tout are French; the virus's name can be roughly translated as 'omnivorous'. A 1091-byte-long variant of Mange-Tout is also known to exist. F-PROT can detect and remove the Mange-Tout virus.

Sampo

The Sampo virus, also known as '69', seems to come originally from the Philippines. This boot sector virus was discovered in England and Norway in November 1994. After that, it has been reported in Hong Kong, Singapore, Australia, Finland and Belgium.

Sampo can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Main Boot Record. The virus goes resident in memory the next time the computer is booted from the hard disk. Once in memory, Sampo infects all non-write-protected diskettes used in the computer.

Sampo takes hold of the interrupts 08h, 09h and 13h (clock, keyboard and disk operations). It uses a complex activation mechanism, which is based on the date, time and the keys pressed. When the virus activates, it displays a blue box in the screen's upper corner. In the box, Sampo prints in cyan the following text:

S A M P O
"Project X"
Copyright (c)1991 by the SAMPO X-Team
All rights reserved
University Of The East Manila

Sampo also has one peculiarity: it carries the old Kampana virus with it, and sometimes spreads Kampana's code instead of its own. F-PROT can detect and remove both the Sampo and Kampana viruses.

HDKiller in Spain
HDKiller is a relatively simple virus which infects diskette boot sectors and hard disk MBRs. The virus was discovered in Spain in November 1994. HDKiller, which is also known as Coruña, spreads itself like any other boot sector virus. If a computer is booted from an infected diskette, the virus redirects the boot to the hard disk and the 'Non-system disk' error message is not shown. This makes the virus harder to spot than usual.

When a computer is booted from a diskette infected by the HDKiller virus, the virus reserves one kilobyte of memory for itself. However, when the computer is next booted from the infected hard disk, the amount of available memory stays normal. This is due to a programming error in the virus's code; the virus loads itself to the top of conventional memory, but does not mark this memory area as reserved. As a consequence, other programs may try to write to the same area. If this happens, the computer crashes immediately. Therefore, an HDKiller infection makes a computer very unstable.

HDKiller is a destructive virus. When it infects a hard disk, it stores the current date inside its own code. During subsequent boots, it compares the infection date to the system's date and activates after a month has passed. If, for example, the infection has occurred on the 15th of January, the virus activates on the 14th of any month. When the virus activates, it overwrites some of the data on the hard disk. HDKiller contains the following unencrypted text:

HDKiller By Rasek. 0UT Meilan!

HDKiller does not store the original boot sector when it infects a disk. Instead, the functionality of a diskette boot sector and a hard disk MBR has been incorporated into the virus's code. In spite of this, the HDKiller virus can be removed by overwriting its code, because it does not move or encrypt the partition table. F-PROT can detect and remove the HDKiller virus.

Neuroquila in Germany
This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot. On diskettes, the virus formats an additional track on which it stores its code.

Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code into the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs.

Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.

Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives about its 32-bit disk operation mode, a stumbling block for many other boot sector viruses.

After Neuroquila has resided in a computer for some months, it displays the message:

AVOC by Neurobasher'93/Germany
-GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-

Neuroquila resembles the Tremor virus in many ways, and it has apparently been written by the same author. F-PROT can detect and remove the Neuroquila virus.

The Good Times Incident in Internet
A rare 'worm', known as Good Times, slithered its way through Internet newsgroups and various e-mail systems during December 1994. Good Times was not a virus as the word is commonly understood; more accurately, it was an efficient chain letter. Instead of spreading from one computer to another by itself, Good Times relied on people to pass it along.

The idea behind Good Times works somewhat like this: the originator puts into circulation an e-mail message which has the text 'Good Times' as its subject. The message itself contains a warning of a dangerous virus called Good Times which spreads itself through e-mail systems and activates when the message in which it hides is read. The message goes on to explain that such a dangerous message can be recognized by its subject, which is, of course, 'Good Times'. According to the warning, a 'Good Times' message must never be read, but destroyed on the spot instead.

Many users don't realize that this warning is a hoax - no public e-mail system supports the execution of programs while the accompanying message is read. However, since the message is written in a very sincere tone, people copy it and send it along to their friends; in fact, the warning explicitly encourages them to do so. Sooner or later, what goes around comes around, and a user who has sent the message along receives it as a warning from a friend's friend or more distant relation. The first thing the user sees is that he or she has received a message which has 'Good Times' as its subject. Believing himself under attack by the terrible virus, the user destroys the message without reading it. The message, of course, contains only the original warning. After this near escape, the user probably sends out still more 'Good Times' warnings.

The Good Times warning spread like wildfire for several weeks, until messages concerning the virus's nonexistence finally took hold. The Good Times warning-virus came in several different versions, one of which is shown below:

  Subject: Good Times
  Date: 12/2/94 11:59 AM

  Thought you might like to know...

  Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.

  What makes this virus so terrifying is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail systems of the InterNet.

  Luckily, there is one sure means of detecting what is now known as the "Good Times" virus. It always travels to new computers the same way - in a text e-mail message with the subject line reading simply "Good Times". Avoiding infection is easy once the file has been received - not reading it. The act of loading the file into the mail server's ASCII buffer causes the "Good Times" mainline program to initialize and execute.

  The program is highly intelligent - it will send copies of itself to everyone whose e-mail address is contained in a received-mail file or a sent-mail file, if it can find one. It will then proceed to trash the computer it is running on.

  The bottom line here is - if you receive a file with the subject line "Good TImes", delete it immediately! Do not read it! Rest assured that whoever's name was on the "From:" line was surely struck by the virus. Warn your friends and local system users of this newest threat to the InterNet! It could save them a lot of time and money.

News in Short
Due to a mistake, we gave erroneous contact information for the Virus Bulletin magazine in our previous Update Bulletin. The magazine's correct telephone number is +44 1235 555139, fax +44 1235 531889.

F-PROT has again proved itself in international tests. In December, F-PROT was proclaimed the winner of a large anti-virus product review published by the PC Professional magazine in Denmark and PC Week in Norway, and in January, the British magazine SECURE Computing awarded F-PROT the title 'Recommended'.

RETROVIRUSES - How Viruses Fight Back, part 2
Mikko Hypponen, who works in F-Secure Ltd's F-PROT support, presented the following paper at the Virus Bulletin '94 conference. The paper is published in two parts. The first part was published in the F-PROT 2.15 Update Bulletin.

6. Attacks against disinfectors

A retrovirus can attack programs that try to disinfect boot sectors and files. The purpose of such an attack might be to cause the disinfector to damage the host files while disinfecting. If a disinfection program does not do an exact identification of a virus before disinfecting it, any virus that contains a known search string for another virus can cause such damage during the disinfection process.

6.1 Cleaning the clean

There even exists a virus called Mirror, which is the exact opposite of a stealth virus: when Mirror is resident in memory, it makes all programs look like they have been infected by it. This can be potentially dangerous when disinfection is attempted, but the technique poses no danger if the disinfection is done in the proper way, i.e. after a clean boot.

6.2 Complicating the recovery

The recovery process of an infected machine can be severely complicated if the virus denies access to the hard drive. Several MBR viruses (for example, members of the Monkey family) do this by modifying the partition data in such a way that no logical DOS drives can be found when the machine is booted from a clean floppy. A recovery attempt done by overwriting the MBR code with FDISK /MBR or a similar command will not return access to the hard drive.

The ExeBug virus family uses another way to make it difficult to boot an infected machine from a clean diskette. The virus modifies the BIOS Setup information to indicate that the machine does not have an A: drive at all. Such a machine will always boot from the hard drive. Once the boot has started and the virus code is executed, the virus checks whether there is a diskette in drive A:. If so, it continues the boot from there.
In most cases the user is unable to notice this, and thinks that the machine has been booted clean when the virus is already resident.

Yet another way to complicate the recovery process is to set the BIOS boot-up password with a random password during an activation routine. The method of doing this is documented for most new BIOS brands.

Some integrity checkers are capable of performing a generic disinfection. This means that they try to restore the original file according to the information the checker has previously saved (typically length, checksum, first and last bytes). Such generic routines won't work if a virus makes extensive changes to the program files, for example by encrypting the host file during infection.

6.3 Attacking heuristic cleaners

Viruses use a different kind of attack against heuristic disinfection programs. A heuristic cleaner works by loading the infected file into memory and emulating the program code. It uses a combination of disassembly, emulation and sometimes execution to trace the flow of the virus and to emulate what the virus normally does. When the virus restores the original first instructions of the host file and jumps back to the original entry point, the cleaner stops the emulation. The repaired start of the program is copied back to the program file on disk, and the part of the program that was 'executed' is removed. [Veldman]

The inherent risk of heuristic cleaning is that if the cleaner tries to emulate everything, the virus may assume control inside the emulated environment and finally escape from it - after which it can propagate further or trigger a destructive retaliation routine. There are documented cases of at least one virus doing this; see below.

7. Attacks against integrity checkers

The operation of integrity checking programs varies between vendors, but they almost always rely upon some form of database which contains details of the objects (typically files and boot sectors) to be checked.
7.1 Deleting the database

Several viruses have attacked integrity checkers by locating the integrity database and deleting it. In some cases, the result of deleting the database files is that the integrity checker blindly assumes that the original checksums have not been calculated yet, and proceeds to initialise the database without informing the user that something might be amiss.

This was exactly the case with the Peach virus. Peach attacked an integrity checker which worked by creating a checksum file containing checksums of all executable programs. Peach attacked by deleting this file. After the database was deleted and the checker was executed again, it recreated the file, calculating new checksums from the infected files and failing to report any changes in the system [VB1]. It should be noted that the Peach virus will not be successful against newer versions of this integrity checker, as the name of the checksum file has been changed in newer versions of the product. Similar types of attack still seem to be possible, though.

Even if a checksumming package did report to the user that the database had been deleted without approval, it would be difficult to find the affected files if no recent backup of the database exists.

7.2 Making checked unchecked

A similar attack also works against programs that do not store the integrity data in a separate database, but add it to the end of the executable files themselves. Since there is no information about which files have been checksummed, a virus can just remove the validation data without any side effects - and the checker will not complain that the file has changed.

Several generic attack methods against integrity checkers are discussed at length in [Bontchev].
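The two attacks above (7.1, a deleted checksum database that the checker silently rebuilds, and 7.2, validation data stripped from the end of a file) come down to one design flaw: the checker cannot tell "never checked" from "evidence removed". The following Python is an added illustration, not F-PROT code and not code from the paper. It models the file system as a dict of file name to bytes, simulates infection with a constructed appended marker, and assumes that the administrator key protecting the database seal and the list of stamped file names are kept somewhere the virus cannot write to, for instance on the clean boot diskette the paper recommends.

```python
"""Integrity-checker failure modes from sections 7.1 and 7.2, beside hardened variants.

Constructed example: the 'file system' is a dict of name -> bytes and the
infection is simulated by appending a marker. This is not F-PROT code.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

TRAILER_MAGIC = b"VALD"                  # constructed marker for an appended validation record
TRAILER_LEN = len(TRAILER_MAGIC) + 32    # magic + SHA-256 digest


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 7.1: checksums kept in a separate database ---------------------------

def naive_check(files: Dict[str, bytes],
                db: Optional[Dict[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Peach scenario: a missing database is taken as a first run and silently
    rebuilt from whatever is on disk, infected files included."""
    if db is None:
        return {name: digest(data) for name, data in files.items()}, []
    alerts = [name for name, data in files.items() if db.get(name) != digest(data)]
    return db, alerts


def seal(db: Dict[str, str], key: bytes) -> str:
    """Keyed digest over the database, to be stored apart from it. Assumption:
    the key stays with the administrator (e.g. on the clean boot diskette)."""
    canonical = "\n".join(f"{n}:{h}" for n, h in sorted(db.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def hardened_check(files: Dict[str, bytes], db: Optional[Dict[str, str]],
                   seal_value: Optional[str], key: bytes
                   ) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Once a seal exists, a missing or altered database is an alert, never a
    silent re-initialisation."""
    if db is None and seal_value is not None:
        return None, ["integrity database missing: refusing to rebuild silently"]
    if db is None:                      # genuine first run: no seal yet
        return {name: digest(data) for name, data in files.items()}, []
    if seal_value is None or not hmac.compare_digest(seal(db, key), seal_value):
        return db, ["integrity database altered or seal missing"]
    alerts = [name for name, data in files.items() if db.get(name) != digest(data)]
    return db, alerts


# --- 7.2: validation data appended to the executable itself ---------------

def stamp(data: bytes) -> bytes:
    """Append a validation record to the file (the design attacked in 7.2)."""
    return data + TRAILER_MAGIC + hashlib.sha256(data).digest()


def naive_trailer_check(data: bytes) -> str:
    """'ok', 'modified', or 'unchecked' when no trailer is found: a stripped
    trailer looks exactly like a file that was never stamped."""
    if len(data) < TRAILER_LEN or data[-TRAILER_LEN:-32] != TRAILER_MAGIC:
        return "unchecked"
    body, stored = data[:-TRAILER_LEN], data[-32:]
    return "ok" if hashlib.sha256(body).digest() == stored else "modified"


def hardened_trailer_check(name: str, data: bytes, stamped: Set[str]) -> str:
    """Same check, plus a separately stored list of stamped names, so that a
    file that should carry a trailer but does not becomes an alert."""
    status = naive_trailer_check(data)
    if status == "unchecked" and name in stamped:
        return "validation data stripped"
    return status


def demo() -> Dict[str, object]:
    key = b"constructed-admin-key"
    clean = {"SCAN.EXE": b"scanner code", "EDIT.COM": b"editor code"}
    db, _ = naive_check(clean, None)     # baseline taken on a clean system
    seal_value = seal(db, key)

    # Simulated infection: EDIT.COM grows, then the virus deletes the database.
    infected = dict(clean)
    infected["EDIT.COM"] = clean["EDIT.COM"] + b"+VIRUS"
    _, naive_alerts = naive_check(infected, None)
    _, hardened_alerts = hardened_check(infected, None, seal_value, key)

    # Appended-trailer design: the virus strips the trailer before infecting.
    stamped = stamp(clean["EDIT.COM"])
    stripped_and_infected = stamped[:-TRAILER_LEN] + b"+VIRUS"
    return {
        "naive_alerts": naive_alerts,
        "hardened_alerts": hardened_alerts,
        "db_intact_alerts": hardened_check(infected, db, seal_value, key)[1],
        "naive_trailer": naive_trailer_check(stripped_and_infected),
        "hardened_trailer": hardened_trailer_check("EDIT.COM", stripped_and_infected, {"EDIT.COM"}),
        "intact_trailer": naive_trailer_check(stamped),
    }


if __name__ == "__main__":
    for item, result in demo().items():
        print(f"{item}: {result}")
```

Running the block prints the naive and hardened results side by side. The hardened checker's only extra state is the seal and the list of stamped names; both have to live where the virus has no write access, which is exactly what the clean-diskette recipe in section 10.1 provides, and a sealed database that is missing is reported instead of being rebuilt from possibly infected files.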
8. Real world retroviruses

When we look at viruses that attack specific anti-virus products directly, we notice that they mostly seem to target McAfee Associates' ViruScan (SCAN.EXE), Microsoft Anti-virus from MS-DOS 6 (MSAV.EXE), Central Point Antivirus (CPAV.EXE) and the resident parts of these applications (VSHIELD and VSAFE). This is not surprising, as these are some of the most popular anti-virus products, and thus good targets for retroviruses. Here are some examples of known viruses that incorporate retro-routines:

CPW virus family:
- tries to delete programs called TOOLKIT, GUARD, CHKVIRUS, SCAN, CLEAN, CPAV and VSAFE
- deletes CHKLIST.CPS files created by CPAV

Cybertech:
- deletes CHKLIST.CPS files
- removes the validation information added by SCAN and CPAV

Firefly:
- uninstalls VSAFE from CPAV or MSAV
- contains a segment of nested loops to confuse F-PROT's heuristic scanning
- deletes files called IM, VIRX, PCRX, VIRSTOP, MSAV, NAV, SCAN, CLEAN, TBAV, TBCSCAN, TBCLEAN, TBCHECK, TBMEM, TBSCANX, TBFILE, VC, and VCHECK

GoldBug:
- by-passes VSAFE.COM and DISKMON.EXE
- deletes or stops the execution of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV - and deletes the contents of CMOS memory at the same time
- specifically by-passes the TBAV boot-sector check
- deletes CHKLIST.* files, by-passing CPAV and MSAV

Lemming:
- disables TBDriver from TBAV by patching it in memory
- when TBScan is executed, adds the command-line parameter 'co', which allows the stealth routines of the virus to operate
- patches text strings inside TBScan's code to make the operation of the program look like it has been started without the 'co' switch

Lockjaw virus family:
- deletes F-PROT, SCAN, IM, CPAV
- uninstalls VSAFE

MtE.Groove and MtE.Encroacher:
- tries to delete files belonging to the following products: Central Point Anti-Virus, Certus Novi, Fifth Generation Systems Untouchable, Norton Anti-Virus, Dr. Solomon's Antivirus Toolkit and VDS Virus Secure.
November_17th.890:
- overwrites the first 256 sectors of the first hard disk whenever SCAN is run

Peach:
- deletes CHKLIST.CPS files

Sandra:
- tries to delete files belonging to CPAV, NAV, Untouchable, Dr. Solomon's Antivirus Toolkit and Integrity Master
- will not infect if FluShot is installed

Satanbug:
- tries to remove the validation codes added by SCAN
- guards its own are-you-there interrupt call to make it difficult to detect the virus in memory with it [CM-Base]

Tequila:
- deletes files that have validation codes added by SCAN
- does not infect EXE files which have the letters SC or V in their names

Tremor:
- hooks INT 13h via a VSAFE back-door
- modifies its own memory allocation when F-PROT is executed [VB2]

Varicella:
- tries to escape and go resident during the cleaning process of TBClean

9. Is there a real problem with retroviruses?

Do retroviruses pose a realistic threat to current anti-virus products? The most popular anti-virus tool nowadays is a stand-alone scanner, which by itself is almost always helpless against any new virus. Are there any special risks in a virus that, in addition to being a new one, also specifically tries to by-pass a product?

9.1 Dangers of optimised virus analysis systems

If a retrovirus exploits a specific flaw or back door of a product, it cannot be considered a very special case, as the detection of a new virus usually requires an update to the product anyway. At the same time, it is possible to upgrade the product so that the attack method used by the virus can be circumvented or made obsolete. The main problem in this case is whether the anti-virus vendor notices what the virus is trying to do.

Today, when several new viruses are found every day, there is limited time in which to analyse any single virus. Virus analysis systems are automated as much as possible, and a virus typically only gets a cursory look - which is usually enough to add detection, identification and disinfection. Such analysis will not reveal any special features the virus may contain. This also explains why there are no anti-virus products which can provide detailed information about each and every virus.

If a retrovirus is run through a standard analysis system, and the product is tested by running it against a sample that is not resident in memory, the retro-features of the virus may not become known until they are observed directly in the real world - after which the virus will certainly get more attention, but this might already be a bit too late. The virus may also start its attack behaviour only after a certain latency time.

9.2 Opening the door to other viruses

It should also be noted that a virus which disables an anti-virus product in some way may also make the system vulnerable to other viruses, which the product might otherwise have handled fine. In many cases this is the only benefit a retrovirus gains from unloading a resident scanner. The scanner can't be unloaded before it is resident. If the virus is known to the scanning engine, a resident scanner will not let the virus run. If the virus is unknown to the scanner, it can operate even when the scanner is resident. The case is different with behaviour blockers, as they are not trying to find known viruses.

There is very little a product can do against an attack which consists of deleting or replacing the program file itself - if the virus gets control before the anti-virus program, the virus makes the rules.

10. How should an anti-virus product protect itself?

It is obvious that viruses can utilise a variety of tricks against anti-virus products. However, anti-virus programs can fight back just as efficiently.

10.1 Making the program difficult to locate

First of all, the anti-virus program itself should be renameable by the user. This alone would make it a lot harder for a virus to locate its enemy. Unfortunately, many anti-virus products refuse to run if they find that their program files have been renamed.
As the virus can try to locate the anti-virus program by its contents as well as by name, the structure or contents of the program file should change with each update. The best way to make sure that no retrovirus is playing its tricks is the old, well-known recipe: boot from a clean diskette and run a fresh copy of the anti-virus program from diskette.

10.2 Self-checks

Since many attack routines work by modifying an anti-virus program, it is imperative that all anti-virus programs make thorough checks on their own code. A cursory check against the modifications that would result from an infection is not enough: if the code is not protected internally against patching, the integrity of the whole program code should be checked during start-up.

It is not enough to ensure that the program code has not been changed. As demonstrated earlier in this paper, it is enough for a retrovirus to modify the texts or configuration info belonging to the application.

Even though the size of an anti-virus application probably changes during every update, a clever retrovirus can still locate the code it wants to patch by using a search string. This can be overcome by encrypting the application. The protection will be even better if the encryption method or key is changed with every update. Another, easier way to achieve the same result is to provide the executable in packed form, as the packing algorithm will invalidate search strings between different versions of the same program.

10.3 Resident security

Since it is often much easier to patch a program in memory than on disk, an anti-virus application should make checksum checks on its memory image to ensure that no unwanted changes have taken place. This is especially important with resident anti-virus utilities.

The communication channels to a resident part of an anti-virus program should be carefully thought out.
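As an added example of the self-checks recommended in 10.2 and 10.3 (not code from F-PROT or from the paper): a program image is modelled as named byte sections, a build-time manifest of per-section digests stands in for the checksums that would ship inside the packed executable, and the resident copy re-hashes its own memory image on demand. A code-only check passes when nothing but an option text has been patched, the kind of text patch section 8 lists for Lemming, while the full check over texts and configuration catches it. The names RELEASE_IMAGE, build_manifest, ResidentModule and patch_bytes are constructed for this example, and the manifest is assumed to be protected by the packing or encryption discussed in 10.2.

```python
"""Self-check of an anti-virus program's own image, as sections 10.2 and 10.3 recommend.

Constructed example: the 'program' is a set of named byte sections and the
resident copy is a bytearray that can be patched in memory. Not F-Secure code.
"""
import hashlib
from typing import Dict, List

# Constructed release image: code, the option/status texts, and configuration info.
RELEASE_IMAGE: Dict[str, bytes] = {
    "code": b"\x55\x8b\xec\x33\xc0\x5d\xc3",             # placeholder machine code bytes
    "strings": b"Scanning...\0Stealth check: ON\0co\0",  # texts a retrovirus might patch
    "config": b"resident=1;check_boot=1",                 # configuration block
}


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """Per-section digests computed at build time. Assumption: the manifest ships
    inside the packed or encrypted executable (10.2) and can therefore be trusted."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in image.items()}


def code_only_check(image: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """The cursory check the paper warns about: only the code section is verified."""
    if hashlib.sha256(image["code"]).hexdigest() != manifest["code"]:
        return ["code"]
    return []


def full_check(image: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Verify every section, texts and configuration included, and report
    sections that are missing or unexpected as well as modified ones."""
    modified = []
    for name in sorted(set(image) | set(manifest)):
        if name not in image or name not in manifest:
            modified.append(name)
        elif hashlib.sha256(image[name]).hexdigest() != manifest[name]:
            modified.append(name)
    return modified


class ResidentModule:
    """Resident copy that re-hashes its own memory image on demand (10.3).
    The reference digest is taken at load time, which assumes a clean load,
    e.g. after the clean-diskette boot recommended in 10.1."""

    def __init__(self, image: Dict[str, bytes]):
        self.memory = bytearray(b"".join(image[n] for n in sorted(image)))
        self.expected = hashlib.sha256(bytes(self.memory)).hexdigest()

    def memory_intact(self) -> bool:
        return hashlib.sha256(bytes(self.memory)).hexdigest() == self.expected


def patch_bytes(data: bytes, old: bytes, new: bytes) -> bytes:
    """Simulated in-place patch located by search string, as section 10.2 describes."""
    idx = data.find(old)
    if idx < 0 or len(new) != len(old):
        raise ValueError("search string not found or length mismatch")
    return data[:idx] + new + data[idx + len(old):]


def demo() -> Dict[str, object]:
    manifest = build_manifest(RELEASE_IMAGE)

    # On-disk text patch in the style section 8 lists for Lemming: code untouched.
    patched = dict(RELEASE_IMAGE)
    patched["strings"] = patch_bytes(patched["strings"], b"Stealth check: ON", b"Stealth check: --")

    # In-memory patch of the resident copy after it was loaded clean.
    resident = ResidentModule(RELEASE_IMAGE)
    before = resident.memory_intact()
    resident.memory[0] = 0x90            # constructed one-byte patch
    after = resident.memory_intact()

    return {
        "code_only": code_only_check(patched, manifest),
        "full": full_check(patched, manifest),
        "memory_before": before,
        "memory_after": after,
    }


if __name__ == "__main__":
    for item, result in demo().items():
        print(f"{item}: {result}")
```

The point of the split into sections is that the check covers everything a retrovirus can usefully patch, not just instructions; the same digest loop is what a resident module would run periodically over its own memory, with the expected value kept out of the patchable region, for instance in the packed file image rather than next to the code it protects.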
If the TSR needs to have an uninstallation routine, it should be implemented so that other programs find it difficult to request the uninstallation without the user noticing it.

10.4 Prohibiting disassembly

It can be expected that determined virus writers will try to disassemble anti-virus products in order to find out what makes them tick. Thus, some anti-debug and armouring code to protect the application might be a good idea - although nothing will stop a dedicated cracker. At least three different scanners are known to have been analysed by crackers, up to the point of extracting all the search strings of the program. Such an attack can be harmful in several ways: the virus writers get to see exactly what they have to change in a virus to make a new, undetectable variant, and well-chosen search strings are also closely guarded trade secrets.

Popular, easy-to-get programs are the most probable targets for attack routines. This makes commercial products theoretically safer than shareware or freeware products.

11. Conclusions

Retroviruses are nothing new - the first ones were found in the late 1980s. There are several attack methods that will certainly be used in future viruses - and some of these can be quite efficient. Therefore, extreme care should be taken by producers of anti-virus software to avoid the possible pitfalls. It's time to make sure your anti-virus product is not vulnerable to an attack it could avoid.

References

[CM-Base] Virus Test Center, University of Hamburg, CM-Base v3.0, March 1994, Satanbug entry by Padgett Peterson
[Veldman] Frans Veldman, Combating Viruses Heuristically, Proceedings, 3rd International Virus Bulletin Conference, September 1993, pp. 67-76
[Bontchev] Vesselin Bontchev, Possible Virus Attacks Against Integrity Programs And How To Prevent Them, Proceedings, 2nd International Virus Bulletin Conference, September 1992, pp. 131-141
[VB1] Virus Bulletin, Peach Virus Targets Central Point, Virus Bulletin May 1992, pp. 17-18
[VB2] Virus Bulletin, Tremor - A Shaky Start for DOS 6?, Virus Bulletin March 1993, pp. 10-11
[Fellows] F-Secure Ltd, F-PROT Professional User Guide rev 4.21
[Siilasmaa] Risto Siilasmaa, Building a Corporate Security Strategy - Coping With Computer Viruses, Proceedings, Cope'IT Conference 1993

F-PROT Support Informs: Common Questions and Answers
If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly at the number 358-0-478 444. Written questions can be mailed to: F-Secure Ltd., F-PROT Support, Paivantaite 8, FIN-02210 ESPOO, FINLAND. Questions can also be sent by electronic mail to: Internet: f-prot@datafellows.fi; X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

Can VIRSTOP be installed in such a way that it automatically scans diskettes which are inserted in the computer, before any read or write operations take place? I have seen such systems used in Macintosh computers.

No. PC computers do not have a mechanism which tells the operating system that a diskette has been inserted in the diskette drive. The only way to construct such a system would be by instructing VIRSTOP to keep the diskette drive's motor spinning constantly, and this would place an undue burden on the computer's hardware.

Although the diskettes used in a computer are not examined automatically when they are inserted in the diskette drive, this does not in itself cause a security risk as long as VIRSTOP is up and running. A diskette's boot sector is examined immediately when a disk operation is performed on the diskette, and the programs on a diskette are likewise examined automatically when they are used.

The Budo virus was found in our organization. Instead of disinfecting the virus, F-PROT simply destroyed the infected files. Why?

Some viruses irreparably damage the files they infect. In some cases, this is due to programming errors in the viruses' code, but certain viruses actually spread by overwriting the contents of their host files with their own code. In either case, F-PROT can only delete the infected files. When the virus has been removed from the system, the deleted programs should be either re-installed or restored from back-up copies.

If the F-CHECK integrity checker software has been installed in the computer, it may be able to restore partially damaged files. However, even F-CHECK is helpless in the face of more extensive damage. In such cases, it is best to restore the system from a back-up copy. F-PROT can disinfect about 80-90% of the viruses which can be disinfected at all.

Changes in Version 2.16
Changes in F-PROT for Windows
F-PROT for Windows and VIRSTOP sometimes conflicted when scanning infected boot sectors. This has been fixed.
A warning message about possible active users is displayed when an update to a new version is performed.
F-PROT for Windows is now also updated when a scheduled task is activated and a new version is available in the update directory.
F-PROT can now be maximized from an icon also while the memory scan is in progress.
One GPF problem (GPF in BC30RTL.DLL at 0001:4DAD) has been fixed. This error happened if Windows was unable to allocate any DOS memory at all.
The memory scan has been rewritten.
Old versions of F-PROT for Windows logged an error message when they encountered directories with hidden or read-only attributes.
This version of F-PROT for Windows has more descriptive messages for communication errors.
If a user attempts to close F-PROT without aborting a scan in progress, an error message is displayed.
If a virus is detected during the memory scan, its name is now shown in the warning message. The name used to be shown only in the title bar, where it was not obviously visible.

Changes in F-PROT for DOS
VIRSTOP 2.15 was found to be incompatible with a program called PC-CONFIG. This has been fixed.
VIRSTOP 2.15 flagged the boot sectors of diskettes protected with the RINGFENCE and DISKLOCK products as infected. This has been corrected.

Changes Common to F-PROT for DOS, Windows and OS/2
All COM files infected with the Jerusalem.Pipi.1536 and KMIT viruses were incorrectly reported as being first generation samples. These are compiled virus programs, not program files which have been contaminated through infection.
The Bengal virus was only found in COM files, not EXEs. This has been fixed.
F-PROT 2.15 missed a very small number of files infected by One_Half.3544 and Neuroquila. The program should now be able to detect all occurrences of these viruses.
The reporting of boot sector viruses has been changed slightly. F-PROT now reports " (?)" instead of " - unknown" when it detects a boot sector virus for which it has no identification information.

The following false alarms have been fixed:
The file NUAGE!.COM from the Assembly'94 demo collection was reported as "Possibly a new variant of Reklama".
VIRSTOP reported the file SPEED.COM as having been infected by the Phalcon virus.

New Viruses Detected by F-PROT 2.16
The following 10 viruses are now identified, but cannot be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of...".

Abraxas.1518
Burger.542
Burger.560.AV
Cavaco
Dev_X
Maaike.164.B
Milan.Demon.270
Leprosy.Skism.808.D
Leprosy.Skism.1992.C
VCL.423.Mindless.B

F-PROT can detect and remove the following 218 new viruses. Earlier versions of F-PROT could detect many of these viruses. Now they are also identified accurately.

_132.127
_307.329
_468
_500
_500_2
_656
_872
_1395
_1536.B
_2828
Acid.674
Arusiek.691
Arusiek.692
Australian_Parasite.Middle.491
Australian_Parasite.Middle.1041
Australian_Parasite.Middle.1169
Baba.356
Barrotes.1194
Beer.2473
Beer.2620
Beer.3307
BigX.610
Bobo.427
Bootexe.394
Bootexe.443
BW.525
BW.556
BW.756
Caca
Carzy.B
Cascade.1701.Y
Cascade.1701.Z
Cascade.1701.Yap.C
Cascade.1701.AA
Cascade.1701.AB
Cascade.1704.Z
Chaos.1181.J
Chaos.1181.K
CLME.1528
Clonewar.923.B
Clonewar.923.C
Clonewar.923.E
Clonewar.923.F
Clonewar.923.G
Clonewar.923.H
Collor
Danish_Tiny.163.C
Dark_Avenger.1800.M
Datalock.920.L
Denied.B
Enterprise
Error_Inc.260
Error_Inc.393
Fax_Free.1024.Mosquito.B
Fax_Free.1024.Mosquito.C
Fax_Free.1536.Topo.B
FFFF.432
FFFF.440
Fin
Flash.688.D
Freak.604
Galeo
GameF.1053
GameF.1065
Geliyor
Heja
HLL.Vova.8896
HLL.Vova.9904
HLLC.4768.A
HLLC.4867.B
HLLC.Captain
HLLC.W_A
HS.982
Hymn.Sverdlov.C
Ieronim.1020
Ieronim.1024
Ieronim.1082
IMI.2304
Infector.469
Infector.875
Int_FF
Intruder.1355
Ironfist
Istanbul.1312
Istambul.1349
IVP.Angry_Samoans.B
Jerusalem.1808.Dashes
Jerusalem.1808.Exciter.A
Jerusalem.1808.Exciter.B
Jerusalem.1808.Exciter.C
Jerusalem.1808.Exciter.D
Jerusalem.1808.Frere.J
Jerusalem.1808.sumsdos.AP
Jerusalem.1808.sumsdos.AQ
Jerusalem.1808.New
Jerusalem.Tarapa.D
Junkie.B
KA
Kela.2002
Kela.2010
Kela.2099
Keykap.923
Keykap.1074
Keykap.1077
Keypress
Killerwhale.750
Kiwi.1000.A
Kiwi.1000.B
Kiwi.1000.C
Kode4.281
Lemming.2144
Leningrad_II.1499
Leningrad_II.2000.B
Little_Red.B
Lockjaw.499
Loook
Lurid
Mag.239
Mag.254.A
Mag.254.B
Marzia.O
MMIR.411
MMIR.423
Mne.1173
Moonlite.366
Msu
November_17th.522
Nygus.278
Peasant
Phx.1289
Phx.1295
Pixel.124
Pixel.200
Pixel.852.B
Pixel.1577
Pixel.1686
Pose.1155
Pose.1164
PS-MPC.338.D
PS-MPC.520
PS-MPC.565.E
PS-MPC.565.F
PS-MPC.569.B
PS-MPC.565.G
PS-MPC.565.H
PS-MPC.569.E
PS-MPC.570.E
PS-MPC.570.F
PS-MPC.570.G
PS-MPC.573.J
PS-MPC.573.K
PS-MPC.578.I
PS-MPC.578.J
PS-MPC.578.K
PS-MPC.578.L
PS-MPC.578.M
PS-MPC.579.D
PS-MPC.Dangler
PS-MPC.Happy_Day
Sauron
Scity.678
Scity.713
Semtex.1000.D
SIC.325
SIC.456
SillyC.162
SillyC.163
SillyC.547
SillyC.657
Smegdemo
Star
Sterculius.440.B
Suriv_1.April_1st.F
Surprise.1282
SVC.1064.B
SVC.1064.C
Sveta
Sword.B
Tai_Pan.666
Teraz.4004
Timid.313
Traven
Troi.F
TU.2500
Unc.1039
Unc.1377
Unc.1410
Userlist.1178
Vacsina.Grog.1082
VCL.420
VCL.551
VCL.634
VCL.Anston
VCL.Rat
Vienna.435.C
Vienna.435.D
Vienna.435.E
Vienna.435.F
Vienna.435.G
Vienna.435.H
Vienna.435.I
Vienna.435.J
Vienna.435.K
Vienna.520
Vienna.565
Vienna.641
Vienna.680.B
Vienna.1006
Vienna.Violator.821.B
Vienna.Violator.821.C
Void.1886
Wildfire.2371
Wordswap.1503.B
WVP.352
Yankee_Doodle.2433
Yankee_Doodle.3561
Zol

The following 35 new viruses can now be detected but not yet removed.

_257.258
4On
Astra.927.B
Cantanto
Crepate.1944
Estonia
Eternity.565
Eternity.600
Grog.2825
Hello.547
Keykap.685
Moonlite.417
NED.Itshard
NED.Tester
Nigh
No_Smoking
NRLG.826
Nympho.666
Pollution.381
Pollution.378
Pollution.390
Pollution.565
Predator.1055
Problem.845
Radyum.509
Rider
SIC.651
SIC.736
SmartC
Talon.1894
Topa.2456
Twisted.292
Twisted.298
VCL.Renegade.5738
Xuxa

F-PROT's earlier versions could detect the following 13 viruses. Now they can also be removed.

Acvt
Beer.2794
Beer.2850
Beer.3164
Beer.3192
Beer.3490
Creator
June_12th
Screaming_Fist.II.652
Spinner
WXYC.A
WXYC.B

The following viruses have been renamed in order to make F-PROT follow the CARO naming standard as closely as possible.

JH ->> Error_vir
Rythem.* ->> Leprosy.Skism.*

F-PROT Professional Support < f-prot@datafellows.fi >
