
F-PROT Professional Update Bulletins
F-PROT Professional 2.16 Update Bulletin
CONTENTS BRIEFLY
--- Contents 1/95
--- F-PROT Gatekeeper Closes the Gaps in Virus Protection
--- F-Secure Acquires the Status of a Microsoft Solution Provider
--- The Global Virus Situation
--- Mange-Tout.1099 on New Diskettes
--- HDKiller in Spain
--- Neuroquila in Germany
--- The Good Times Incident in Internet
--- News in Short
--- RETROVIRUSES - How Viruses Fight Back, part 2
--- F-PROT Support Informs: Common Questions and Answers
--- Changes in Version 2.16
--- Changes in F-PROT for Windows
--- Changes in F-PROT for DOS
--- Changes Common to F-PROT for DOS, Windows and OS/2
--- The following false alarms have been fixed:
--- New Viruses Detected by F-PROT 2.16
F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.16 Update Bulletin; Copyright (c) 1995 F-Secure Ltd.
Contents 1/95
F-PROT Gatekeeper Closes the Gaps in Virus Protection
F-Secure Acquires the Status of a Microsoft Solution Provider
The Global Virus Situation
Mange-Tout.1099 on New Diskettes
Sampo
HDKiller in Spain
Neuroquila in Germany
The Good Times Incident in Internet
News in Short
RETROVIRUSES - How Viruses Fight Back, part 2
F-PROT Support Informs: Common Questions and Answers
Changes in Version 2.16
F-PROT Gatekeeper Closes the Gaps in Virus Protection
F-Secure has published a new kind of anti-virus program.
F-PROT Gatekeeper is the first active anti-virus program
that is also capable of detecting polymorphic and
self-encrypting viruses.
F-PROT Gatekeeper runs in the background in the Windows
environment and finds viruses in all programs that are
copied or executed, both in Windows and in DOS boxes run
under Windows.
Before the end of January, we will publish a free,
time-limited pre-release version of F-PROT Gatekeeper. This
pre-release version will be distributed via the Internet,
among other distribution channels.
The purpose of the free distribution is to persuade as many
people as possible to try out the new technology we have
developed. The program is time-limited, however, and updates
will not be available.
After the pre-release phase, F-PROT Gatekeeper will become a
part of the F-PROT Professional for Windows package. The
product will be distributed to our customers as a part of
the program update.
Why Gatekeeper?
What are the makings of good virus protection? The
following things can be found at the top of our customers'
wish list: secure, does not interfere with work, does not
require anti-virus expertise from the end user, easy to
install and maintain.
It is easy to understand the requirement for automation and
transparency for the end user. For the end user and the
organization, it is not profitable to spend good working
time on anti-virus operations. If all end users have to
learn the use of an anti-virus program, the collective work
effort diverted from more profitable uses becomes
significant.
A good anti-virus system should require the end user's
active participation only when a virus is actually found.
The security requirement is divided into two parts. To begin
with, an anti-virus program should be able to find a
sufficient number of viruses, with emphasis on the viruses
that are actually circulating in the wild. Secondly, the
efficiency of an anti-virus program is enhanced if the
protection works actively.
Active virus protection means a program which checks all
opened programs and stops them from being executed or copied
if it finds a virus. Active virus protection is usually
provided by a DOS TSR program.
The final wish concerned the ease of installation and
maintenance. F-PROT Gatekeeper can be installed centrally to
all the workstations in a network. The program can likewise
be updated from a single workstation.
To facilitate the administrator's work, F-PROT Gatekeeper
can be configured to automatically send the administrator a
message when it finds a virus in some of the network's
workstations. The administrator will always have access to
an up-to-date log of all the detected virus incidents in the
network.
DOS TSR Programs Cannot Detect All Viruses
The most important reason behind the development of F-PROT
Gatekeeper is the difficulty of maintaining the detection
capability of TSR-type anti-virus programs. This difficulty
is mainly caused by memory requirements.
Current anti-virus TSRs cannot find polymorphic viruses. It
was the increase in polymorphic viruses that two years ago
persuaded us to stop licensing VIRSTOP (the TSR component of
F-PROT) separately.
The increasing number of polymorphic viruses continues to
undermine the security of TSR-type protection. This risk can
be decreased by checking hard disks at regular intervals
with scheduled virus checks, executed by the separately run
component of the anti-virus software.
For example, such viruses as Tremor, different Mutation
Engine viruses and SMEG escape the notice of even the best
anti-virus TSRs. This makes F-PROT Gatekeeper the first
active anti-virus program capable of detecting practically
all viruses.
F-Secure Acquires the Status of a Microsoft Solution Provider
F-Secure Ltd. and Microsoft Ltd. have signed a Solution
Provider agreement.
The Global Virus Situation
Mange-Tout.1099 on New Diskettes
F-Secure Ltd. has received several reports of infected
preformatted diskettes in the Nordic countries. Since the
beginning of this year, several vendors have been found to
have sold preformatted 3.5" diskettes which contained a file
called DE.EXE. Since DE.EXE is actually a simple German
diskette formatting program, the file's existence on the
diskettes is apparently due to a human error at the diskette
factory. Unfortunately, on some of the diskettes this
program has been infected by a virus called Mange-Tout.1099.
We have seen preformatted diskettes infected with boot
sector viruses in the past, but the fact that
Mange-Tout.1099 is a file virus makes the matter more
serious; users seldom boot their computers from empty
diskettes, but they may well find a file on a supposedly
empty diskette intriguing, and run it just to find out what
it does.
The Mange-Tout virus was first found in Hong Kong in spring
1994. Soon after that, the virus was also discovered in
China. The first European incident took place in August
1994, when a couple of VGA driver diskettes infected by
Mange-Tout were discovered in Norway. The diskettes had been
imported to Norway from Hong Kong, and the virus is believed
to have spread elsewhere in Europe at the same time as well.
Mange-Tout keeps itself encrypted all the time, even when it
is resident in memory. When the virus is started, it
decrypts itself by calling an elaborately protected
decryption routine. While in memory, Mange-Tout calls this
routine when certain interrupt calls take place. The virus
also contains traps for debuggers, which makes it quite
difficult to examine.
When Mange-Tout is resident in memory, it hijacks the
interrupts 08h, 09h and 21h (clock, keyboard and DOS). It
infects COM and EXE files, which grow by 1099 bytes. The
virus activates when a computer's keyboard has been left
untouched for one hour. It tries to erase the computer's
CMOS memory and main boot record, but fails more often than
not and only manages to crash the computer.
The words Mange and Tout are French; the virus's name can
be roughly translated as 'omnivorous'. A 1091-byte-long
variant of Mange-Tout is also known to exist.
F-PROT can detect and remove the Mange-Tout virus.
Sampo
-----
The Sampo virus, also known as '69', seems to come originally
from the Philippines. This boot sector virus was discovered
in England and Norway in November 1994. Since then, it has
been reported in Hong Kong, Singapore, Australia, Finland
and Belgium.
Sampo can infect a computer's hard disk only if the computer
is booted from an infected diskette, in which case the virus
infects the hard disk's Main Boot Record. The virus goes
resident in memory the next time the computer is booted from
the hard disk. Once in memory, Sampo infects all
non-write-protected diskettes used in the computer.
Sampo hooks the interrupts 08h, 09h and 13h (clock,
keyboard and disk operations). It uses a complex activation
mechanism, which is based on the date, time and the keys
pressed. When the virus activates, it displays a blue box in
the upper corner of the screen. In the box, Sampo prints in
cyan the following text:
S A M P O, "Project X", Copyright (c)1991
by the SAMPO X-Team, All rights reserved,
University Of The East Manila
Sampo also has one peculiarity: it carries the old Kampana
virus with it, and sometimes spreads Kampana's code instead
of its own.
F-PROT can detect and remove both the Sampo and Kampana
viruses.
HDKiller in Spain
HDKiller is a relatively simple virus which infects diskette
boot sectors and hard disk MBRs. The virus was discovered in
Spain in November 1994.
HDKiller, which is also known as Coruña, spreads itself like
any other boot sector virus.
If a computer is booted from an infected diskette, the virus
redirects the boot to the hard disk and the 'Non-system
disk' error message is not shown. This makes the virus
harder to spot than usual.
When a computer is booted from a diskette infected by the
HDKiller virus, the virus reserves one kilobyte of memory
for itself. However, when the computer is next booted from
the infected hard disk, the amount of available memory stays
normal. This is due to a programming error in the virus's
code; the virus loads itself to the top of conventional
memory, but does not mark this memory area as reserved. As a
consequence, other programs may try to write to the same
area. If this happens, the computer crashes immediately.
Therefore, an HDKiller infection makes a computer very
unstable.
HDKiller is a destructive virus. When it infects a hard
disk, it stores the current date inside its own code. During
subsequent boots, it compares the infection date to the
system's date and activates after a month has passed. If,
for example, the infection has occurred on 15th of January,
the virus activates on the 14th of any month. When the virus
activates, it overwrites some of the data on the hard disk.
HDKiller contains the following unencrypted text:
HDKiller By Rasek.
0UT Meilan!
HDKiller does not store the original boot sector when it
infects a disk. Instead, the functionality of a diskette
boot sector and a hard disk MBR has been incorporated into
the virus's code. In spite of this, the HDKiller virus can
be removed by overwriting its code, because it does not move
or encrypt the partition table.
F-PROT can detect and remove the HDKiller virus.
Neuroquila in Germany
This complex virus infects EXE files, hard disk MBRs and
diskette boot sectors. On hard disks, the virus encrypts the
original MBR and moves it to a different part of the disk,
writing its own code in its place. Since the new MBR of an
infected hard disk does not contain partition data, the hard
disk cannot be seen after a clean diskette boot. On
diskettes, the virus formats an additional track on which
it stores its code.
Neuroquila, which is also known by the names Neuro.Havoc and
Wedding, tries to load its code into the upper memory area.
If there is no upper memory area available, the virus
enlarges the stack memory area (STACKS) and places its code
there. Neuroquila uses tunneling techniques to by-pass
anti-virus programs.
Neuroquila is a polymorphic virus. It contains a complex
polymorphic engine which is capable of creating several
different decryption modules. The variation of the
decryption routines is based on the system's clock. While in
memory, the virus employs versatile stealth virus techniques
to hide the changes it has made to the boot sectors and
files. When infected files are examined in a clean
environment, they can be seen to have grown by 4644-4675
bytes.
Neuroquila is also a retrovirus. It mounts attacks against
several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a
QEMM utility program) are loaded from CONFIG.SYS, the virus
prevents them from being started. Neuroquila tries to modify
the programs TBDRIVER, TBDISK, VSAFE and -D while they are
in memory, and alters the partition protection created by
the TBUTIL program. In addition to this, the virus is able
to by-pass the error message Windows gives about its 32-bit
disk operation mode, a stumbling block for many other boot
sector viruses.
After Neuroquila has resided in a computer for some months,
it displays the message:
AVOC by Neurobasher'93/Germany
-GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-
Neuroquila resembles the Tremor virus in many ways, and it
has apparently been written by the same author.
F-PROT can detect and remove the Neuroquila virus.
The Good Times Incident in Internet
A rare 'worm', known as Good Times, slithered its way
through Internet newsgroups and various e-mail systems
during December 1994. Good Times was not a virus as the word
is commonly understood; more accurately, it was an efficient
chain letter. Instead of spreading from one computer to
another by itself, Good Times relied on people to pass it
along.
The idea behind Good Times works somewhat like this: the
originator puts into circulation an e-mail message which has
the text 'Good Times' as its subject. The message itself
contains a warning of a dangerous virus called Good Times
which spreads itself through e-mail systems and activates
when the message in which it hides is read. The message goes
on to explain that such a dangerous message can be
recognized by its subject, which is, of course, 'Good
Times'. According to the warning, a 'Good Times' message
must never be read, but destroyed on the spot instead.
Many users don't realize that this warning is a hoax - no
public e-mail system supports the execution of programs
while the accompanying message is read. However, since the
message is written in a very sincere tone, people copy it
and send it along to their friends; in fact, the warning
explicitly encourages them to do so.
Sooner or later, what goes around comes around, and a user
who has sent the message along receives it as a warning from
a friend's friend or more distant relation. The first thing
the user sees is that he or she has received a message which
has 'Good Times' as its subject. Believing himself under
attack by the terrible virus, the user destroys the message
without reading it. The message, of course, contains only
the original warning. After this near escape, the user
probably sends out still more 'Good Times' warnings.
The Good Times warning spread like wildfire for several
weeks, until messages concerning the virus's nonexistence
finally took hold.
The Good Times warning-virus came in several different
versions, one of which is shown below:
Subject: Good Times
Date: 12/2/94 11:59 AM
Thought you might like to know...
Apparently, a new computer virus has been engineered by a
user of America Online that is unparalleled in its
destructive capability. Other, more well-known viruses such
as Stoned, Airwolf, and Michaelangelo pale in comparison to
the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying is the fact that no
program needs to be exchanged for a new computer to be
infected. It can be spread through the existing e-mail
systems of the InterNet.
Luckily, there is one sure means of detecting what is now
known as the "Good Times" virus. It always travels to new
computers the same way - in a text e-mail message with the
subject line reading simply "Good Times". Avoiding infection
is easy once the file has been received - not reading it.
The act of loading the file into the mail server's ASCII
buffer causes the "Good Times" mainline program to
initialize and execute.
The program is highly intelligent - it will send copies of
itself to everyone whose e-mail address is contained in a
received-mail file or a sent-mail file, if it can find one.
It will then proceed to trash the computer it is running on.
The bottom line here is - if you receive a file with the
subject line "Good TImes", delete it immediately! Do not
read it! Rest assured that whoever's name was on the
"From:" line was surely struck by the virus. Warn your
friends and local system users of this newest threat to the
InterNet! It could save them a lot of time and money.
News in Short
Due to a mistake, we gave erroneous contact information for
the Virus Bulletin magazine in our previous Update Bulletin.
The magazine's correct telephone number is +44 1235 555139,
fax +44 1235 531889.
F-PROT has again proved itself in international tests; in
December, F-PROT was proclaimed the winner of a large
anti-virus product review published by the PC Professional
magazine in Denmark and PC Week in Norway, and in January,
the British magazine SECURE Computing awarded F-PROT the
title 'Recommended'.
RETROVIRUSES - How Viruses Fight Back, part 2
Mikko Hypponen, who works in F-Secure Ltd's F-PROT support,
presented the following paper at the Virus Bulletin '94
conference. The paper is published in two parts. The first
part was published in the F-PROT 2.15 Update Bulletin.
6. Attacks against disinfectors
A retrovirus can attack programs that try to disinfect boot
sectors and files. The purpose of such an attack might be to
cause the disinfector to damage the host files while
disinfecting. If a disinfection program does not do an exact
identification on a virus before disinfecting it, any virus
that contains a known search string for another virus can
cause such damage during the disinfection process.
6.1 Cleaning the clean
There even exists a virus called Mirror, which is the exact
opposite of a stealth virus: when Mirror is resident in
memory, it makes all programs look like they have been
infected by it. This can be potentially dangerous when
disinfection is attempted, but the technique poses no
danger if the disinfection is done in the proper way, i.e.
after a clean boot.
6.2 Complicating the recovery
The recovery process of an infected machine can be severely
complicated if the virus denies access to the hard drive.
Several MBR-viruses (for example, members of the Monkey
family) do this by modifying the partition data in such a
way that no logical DOS drives can be found when the machine
is booted from a clean floppy. A recovery attempt done by
overwriting the MBR code with the FDISK /MBR or a similar
command will not return access to the hard drive.
The ExeBug virus family uses another way to make it
difficult to boot up an infected machine from a clean
diskette. The virus modifies the BIOS Setup information to
indicate that the machine does not have an A: drive at all.
Such a machine will always boot up from the hard drive. Once
the booting has started and the virus code is executed, the
virus checks whether there is a diskette in drive A:. If so,
it continues the booting from there. In most cases the
user is unable to notice this, and thinks that the machine
has been booted clean when the virus is already resident.
Yet another way to complicate the recovery process is to
turn the BIOS boot-up password on with a random password
during an activation routine. The method of doing this is
documented for most new BIOS brands.
Some integrity checkers are capable of performing a generic
disinfection. This means that they try to restore the
original file according to the information the checker has
previously saved (typically length, checksum, first and last
bytes). Such generic routines won't work if a virus makes
extensive changes to the program files, for example by
encrypting the host file during infection.
6.3 Attacking heuristic cleaners
Viruses use a different kind of attack against heuristic
disinfection programs. A heuristic cleaner works by loading
the infected file into memory and emulating the program code.
It uses a combination of disassembly, emulation and
sometimes execution to trace the flow of the virus and to
emulate what the virus is normally doing. When the virus
restores the original first instructions of the host file
and jumps back to the original entry point, the cleaner
stops the emulation. The repaired start of the program is
copied back to the program file on disk, and the part of the
program that was 'executed' will be removed. [Veldman]
The inherent risk of heuristic cleaning is that if the
cleaner tries to emulate everything, the virus may assume
control inside the emulated environment and finally escape
from it - after which it can propagate further or trigger a
destructive retaliation routine. There are documented cases
of at least one virus doing this, see below.
7. Attacks against integrity checkers
The operation of integrity checking programs varies between
vendors but they almost always rely upon some form of a
database which contains details of objects (typically files
and boot sectors) to be checked.
7.1 Deleting the database
Several viruses have attacked integrity checkers by locating
the integrity database and deleting it. In some cases, the
result of deleting the database files is that the integrity
checker will blindly assume that the original checksums have
not been calculated yet, and proceeds to initialise the
database without informing the user that something might be
amiss. This was exactly the case with the Peach virus.
Peach attacked an integrity checker which worked by creating
a checksum file, containing checksums of all executable
programs. Peach attacked by deleting this file. After the
database was deleted and the checker was executed again, it
recreated the file, calculating new checksums from the
infected files and failing to report any changes in the
system [VB1].
It should be noted that the Peach virus will not be
successful against newer versions of this integrity checker,
as the name of the checksum file has been changed in newer
versions of the product. Similar types of attack still seem
to be possible, though.
Even if a checksumming package did report to the user that
the database has been deleted without approval, it would be
difficult to find the affected files if no recent backup of
the database exists.
7.2 Making checked unchecked
A similar attack also works against programs that do not
store the integrity data in a separate database, but add it
to the end of the executable files themselves. Since there
is no information about which files have been checksummed, a
virus can just remove the validation data without any side
effects, and the checker will not complain that the file has
changed.
Several generic attack methods against integrity checkers
are discussed at length in [Bontchev].
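As an added illustration of the defences sections 7.1 and 7.2 call for (example code written for this bulletin, not F-PROT's own integrity checker): the checker keeps its file list in a keyed database plus a separate 'baseline taken' marker, so a database that disappears is reported rather than silently rebuilt, and there is no per-file validation trailer to strip. The key, file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo key. A real checker would derive it from a passphrase
# the user types at each run, so a virus cannot sign a database of its own.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample file set: name -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "COMMAND.COM": b"MZ\x90\x00constructed command interpreter",
    "EDIT.EXE": b"MZ\x90\x00constructed editor",
}


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_database(db: Dict[str, str]) -> str:
    """Keyed MAC over the whole sorted file list, so the list itself is
    protected: neither a forged database nor one with entries removed
    will verify."""
    body = "\n".join(f"{name}={d}" for name, d in sorted(db.items())).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class CheckerState:
    """database/signature stand for the checksum file a virus may delete.
    baseline_taken is a separate marker kept elsewhere (for instance in
    the program's own configuration); it is what lets the checker tell
    'database deleted' from 'database never created'."""
    database: Optional[Dict[str, str]] = None
    signature: Optional[str] = None
    baseline_taken: bool = False


def take_baseline(state: CheckerState, files: Dict[str, bytes]) -> None:
    """Run once, after a clean boot."""
    db = {name: file_digest(data) for name, data in files.items()}
    state.database = db
    state.signature = sign_database(db)
    state.baseline_taken = True


def run_check(state: CheckerState, files: Dict[str, bytes]) -> List[str]:
    if state.database is None:
        if state.baseline_taken:
            # Section 7.1: the database vanished after a baseline existed.
            # Do not rebuild it from files that may now be infected.
            return ["ALERT database missing after baseline; not re-initialising"]
        return ["INFO no baseline yet; take one after a clean boot"]
    if sign_database(state.database) != state.signature:
        return ["ALERT database signature mismatch"]
    findings: List[str] = []
    for name, expected in sorted(state.database.items()):
        if name not in files:
            findings.append(f"ALERT {name} missing")
        elif file_digest(files[name]) != expected:
            findings.append(f"ALERT {name} changed")
    # Section 7.2: which files are checked is recorded in the signed
    # database, not appended to each file, so there is no per-file
    # validation data a virus could strip to make a file 'unchecked'.
    for name in sorted(files):
        if name not in state.database:
            findings.append(f"WARN {name} not in baseline")
    return findings


def scenario_clean() -> List[str]:
    state = CheckerState()
    take_baseline(state, SAMPLE_FILES)
    return run_check(state, SAMPLE_FILES)


def scenario_database_deleted() -> List[str]:
    """Baseline taken, then the checksum file is gone and an executable
    has grown: the situation section 7.1 describes."""
    state = CheckerState()
    take_baseline(state, SAMPLE_FILES)
    state.database = None
    state.signature = None
    modified = dict(SAMPLE_FILES)
    modified["EDIT.EXE"] = SAMPLE_FILES["EDIT.EXE"] + b"\x00" * 16
    return run_check(state, modified)


def scenario_file_changed() -> List[str]:
    """Database intact, one file grown and one new executable present."""
    state = CheckerState()
    take_baseline(state, SAMPLE_FILES)
    modified = dict(SAMPLE_FILES)
    modified["EDIT.EXE"] = SAMPLE_FILES["EDIT.EXE"] + b"\x00" * 16
    modified["NEW.COM"] = b"constructed new program"
    return run_check(state, modified)


if __name__ == "__main__":
    for line in scenario_database_deleted() + scenario_file_changed():
        print(line)
```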
8. Real world retroviruses
When we look at viruses that attack specific anti-virus
products directly, we notice that they mostly seem to target
McAfee Associates' ViruScan (SCAN.EXE), Microsoft Anti-Virus
from MS-DOS 6 (MSAV.EXE), Central Point Anti-Virus (CPAV.EXE)
and the resident parts of these applications (VSHIELD and
VSAFE). This is not surprising, as these are some of the
most popular anti-virus products, and thus good targets for
retroviruses.
Here are some examples of known viruses that incorporate
retro-routines:
CPW virus family:
  - tries to delete programs called TOOLKIT, GUARD, CHKVIRUS,
    SCAN, CLEAN, CPAV and VSAFE
  - deletes CHKLIST.CPS files created by CPAV
Cybertech:
  - deletes CHKLIST.CPS files
  - removes the validation information added by SCAN and CPAV
Firefly:
  - uninstalls VSAFE from CPAV or MSAV
  - contains a segment of nested loops to confuse F-PROT's
    heuristic scanning
  - deletes files called IM, VIRX, PCRX, VIRSTOP, MSAV, NAV,
    SCAN, CLEAN, TBAV, TBCSCAN, TBCLEAN, TBCHECK, TBMEM,
    TBSCANX, TBFILE, VC, and VCHECK
GoldBug:
  - by-passes VSAFE.COM and DISKMON.EXE
  - deletes or stops the execution of programs called SCAN,
    CLEAN, NETSCAN, CPAV, MSAV, TNTAV - and deletes the
    contents of CMOS memory at the same time
  - specifically by-passes the TBAV boot-sector check
  - deletes CHKLIST.* files, by-passing CPAV and MSAV
Lemming:
  - disables TBDriver from TBAV by patching it in memory
  - when TBScan is executed, adds the command-line parameter
    'co', which allows the stealth routines of the virus to
    operate
  - patches text strings inside TBScan's code to make the
    program look as if it had been started without the 'co'
    switch
Lockjaw virus family:
  - deletes F-PROT, SCAN, IM, CPAV
  - uninstalls VSAFE
MtE.Groove and MtE.Encroacher:
  - try to delete files belonging to the following products:
    Central Point Anti-Virus, Certus Novi, Fifth Generation
    Systems Untouchable, Norton Anti-Virus, Dr. Solomon's
    Antivirus Toolkit and VDS Virus Secure
November_17th.890:
  - overwrites the first 256 sectors of the first hard disk
    whenever SCAN is run
Peach:
  - deletes CHKLIST.CPS files
Sandra:
  - tries to delete files belonging to CPAV, NAV, Untouchable,
    Dr. Solomon's Antivirus Toolkit and Integrity Master
  - will not infect if FluShot is installed
Satanbug:
  - tries to remove the validation codes added by SCAN
  - guards its own are-you-there interrupt call to make it
    difficult to detect the virus in memory with it [CM-Base]
Tequila:
  - deletes files that have validation codes added by SCAN
  - does not infect EXE files which have the letters SC or V
    in their names
Tremor:
  - hooks INT 13h via a VSAFE back-door
  - modifies its own memory allocation when F-PROT is executed
    [VB2]
Varicella:
  - tries to escape and go resident during the cleaning
    process of TBClean
9. Is there a real problem with retroviruses?
Do retroviruses pose a realistic threat to current
anti-virus products? The most popular anti-virus tool
nowadays is a stand-alone scanner, which by itself is almost
always helpless against any new virus. Are there any special
risks in a virus that, in addition to being a new one, also
specifically tries to by-pass a product?
9.1 Dangers of optimised virus analysis systems
If a retrovirus exploits a specific flaw or back door of a
product, it cannot be considered a very special case, as
the detection of a new virus usually requires an update to
the product anyway. At the same time, it is possible to
upgrade the product so that the attack method used by the
virus can be circumvented or made obsolete.
The main problem in this case is whether the anti-virus
vendor notices what the virus is trying to do. Today, when
several new viruses are found every day, there is a limited
time in which to analyse any single virus. Virus analysis
systems are automated as much as possible, and a virus
typically only gets a cursory look, which is usually enough
to add detection, identification and disinfection. Such
analysis will not reveal any special features the virus may
contain. This also explains why there are no anti-virus
products which can provide detailed information about each
and every virus.
If a retrovirus is run through a standard analysis system,
and the product is tested by running it against a sample
that is not resident in memory, the retro-features of a
virus may not become known until they are observed directly
in the real world - after which the virus will certainly get
more attention, but this might already be a bit too late.
The virus may also start its attack behaviours only after a
certain latency time.
9.2 Opening the door to other viruses
It should also be noted that a virus which disables an
anti-virus product in some way may also make the system
vulnerable to other viruses, which the product might
otherwise have handled fine.
In many cases this is the only benefit a retrovirus gains
from unloading a resident scanner. The scanner can't be
unloaded before it is resident. If the virus is known to the
scanning engine, a resident scanner will not let the virus
run. If the virus is unknown to the scanner, it can operate
even when the scanner is resident. The case is different
with behaviour blockers, as they are not trying to find
known viruses.
There is very little a product can do against an attack
which consists of deleting or replacing the program file
itself - if the virus gets control before the anti-virus,
the virus makes the rules.
10. How should an anti-virus product protect itself?
It is obvious that viruses can utilise a variety of tricks
against anti-virus products. However, anti-virus programs
can fight back just as efficiently.
10.1 Making the program difficult to locate
First of all, the anti-virus program itself should be
renameable by the user. This alone would make it a lot
harder for a virus to locate its enemy. Unfortunately, many
anti-virus products refuse to run if they find that their
program files have been renamed.
As the virus can try to locate the anti-virus program by its
contents as well as by name, the structure or contents of
the program file should change with each update.
The best way to make sure that no retrovirus is playing its
tricks is the old, well-known recipe: boot from a clean
diskette and run a fresh copy of the anti-virus program from
diskette.
10.2 Self-checks
Since many attack routines work by modifying an anti-virus
program, it is imperative that all anti-virus programs make
thorough checks on their own code. A cursory check against
modifications that would result from an infection is not
enough: if the code is not protected internally against
patching, the integrity of the whole program code should be
checked during start-up.
It is not enough to ensure that the program code has not
been changed. As demonstrated earlier in this paper, it is
enough for a retrovirus to modify the texts or configuration
info belonging to the application.
Even though the size of an anti-virus application probably
changes during every update, a clever retrovirus can still
locate the code it wants to patch by using a search string.
This can be overcome by encrypting the application. The
protection will be even better if the encryption method or
key is changed with every update. Another, easier way to
achieve the same result is to provide the executable in
packed form, as the packing algorithm will invalidate search
strings between different versions of the same program.
10.3 Resident security
Since it is often much easier to patch a program in memory
rather than on disk, an anti-virus application should make
checksum checks on its memory image to ensure that no
unwanted changes have taken place. This is especially
important with resident anti-virus utilities.
The communication channels to a resident part of an
anti-virus program should be carefully thought out. If the
TSR needs to have an uninstallation routine, it should be
implemented so that other programs will find it difficult to
request the uninstallation without the user noticing it.
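The self-check argued for in sections 10.2 and 10.3, as an added example that is not F-PROT's code: a thorough start-up check digests the code, the message strings and the configuration as separate components, and the scenario functions contrast it with the cursory length/first/last-bytes check on a length-preserving patch placed mid-code or in the string table. The program image, its component names and the patches are constructed for the demonstration; the same whole-image comparison applies to a resident part's memory image.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed program image. 'code' stands in for the executable code,
# 'strings' for the message table (the kind of text Lemming patches in
# TBScan) and 'config' for the configuration info of the application.
PROGRAM_IMAGE: Dict[str, bytes] = {
    "code": b"\x55\x8b\xec" + b"A" * 29 + b"scan engine body, constructed"
            + b"B" * 29 + b"\xc3",
    "strings": b"Virus found: %s\x00No viruses found\x00",
    "config": b"heuristics=on\x00report_to_admin=yes\x00",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """Build-time step, rerun for every update: a digest per component,
    plus the code length and first/last 16 bytes that an ordinary file
    infection would disturb (what a cursory check looks at)."""
    code = image["code"]
    manifest = {name: sha256(data) for name, data in image.items()}
    manifest["code.len"] = str(len(code))
    manifest["code.head"] = sha256(code[:16])
    manifest["code.tail"] = sha256(code[-16:])
    return manifest


def cursory_check(image: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """The check the paper calls insufficient: it only notices what an
    infection would change (code length and entry/exit bytes)."""
    code = image["code"]
    intact = (str(len(code)) == manifest["code.len"]
              and sha256(code[:16]) == manifest["code.head"]
              and sha256(code[-16:]) == manifest["code.tail"])
    return [] if intact else ["code"]


def thorough_check(image: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Whole-image check at start-up: every component must match its
    digest. Returns the names of the components that were modified."""
    return [name for name in ("code", "strings", "config")
            if sha256(image[name]) != manifest[name]]


def length_preserving_patch(data: bytes, old: bytes, new: bytes) -> bytes:
    """Simulates a patch located by search string: same length, so the
    file size does not change."""
    if len(old) != len(new) or old not in data:
        raise ValueError("patch must be the same length and present")
    return data.replace(old, new, 1)


def scenario_mid_code_patch() -> Tuple[List[str], List[str]]:
    """Patch in the middle of the code: the cursory check passes, the
    thorough check reports 'code'."""
    manifest = build_manifest(PROGRAM_IMAGE)
    patched = dict(PROGRAM_IMAGE)
    patched["code"] = length_preserving_patch(
        patched["code"], b"scan engine", b"skip engine")
    return cursory_check(patched, manifest), thorough_check(patched, manifest)


def scenario_strings_patch() -> Tuple[List[str], List[str]]:
    """Patch of a message string only, code untouched: the cursory check
    passes, the thorough check reports 'strings'."""
    manifest = build_manifest(PROGRAM_IMAGE)
    patched = dict(PROGRAM_IMAGE)
    patched["strings"] = length_preserving_patch(
        patched["strings"], b"Virus found: %s", b"No virus found ")
    return cursory_check(patched, manifest), thorough_check(patched, manifest)


if __name__ == "__main__":
    print("mid-code patch (cursory, thorough):", scenario_mid_code_patch())
    print("strings patch  (cursory, thorough):", scenario_strings_patch())
```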
10.4 Prohibiting disassembly
It can be expected that determined virus writers will try to
disassemble anti-virus products in order to find out what
makes them tick. Thus, some anti-debug and armouring code to
protect the application might be a good idea - although
nothing will stop a dedicated cracker.
At least three different scanners are known to have been
analysed by crackers, up to the point of extracting all the
search strings of the program. Such an attack can be harmful
in several ways: the virus writers get to see exactly what
they will have to change in a virus to make a new,
undetectable variant, and well-chosen search strings are
also closely guarded trade secrets.
Popular, easy-to-get programs are the most probable targets
for attack routines. This makes commercial products
theoretically safer than shareware or freeware products.
11. Conclusions
Retroviruses are nothing new; the first ones were found in
the late 1980s. There are several attack methods that will
certainly be used in future viruses, and some of these can
be quite efficient. Therefore, extreme care should be taken
by producers of anti-virus software to avoid the possible
pitfalls.
It's time to make sure your anti-virus product is not
vulnerable to an attack it could avoid.
F-PROT Support Informs: Common Questions and Answers
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact F-Secure directly at the number 358-0-478
444.
Written questions can be mailed to: F-Secure Ltd., F-PROT
Support, Paivantaite 8, FIN-02210 ESPOO, FINLAND.
Questions can also be sent by electronic mail to: Internet:
f-prot@datafellows.fi; X.400: S=F-PROT, OU1=DF, O=elma,
P=inet, A=mailnet C=fi
Can VIRSTOP be installed in such a way that it automatically
scans diskettes which are inserted in the computer, before
any read or write operations take place? I have seen such
systems used in Macintosh computers.
No. PC computers do not have a mechanism which tells the
operating system that a diskette has been inserted in the
diskette drive. The only way to construct such a system
would be by instructing VIRSTOP to keep the diskette
drive's motor spinning constantly, and this would place
an undue burden on the computer's hardware.
Although the diskettes used in a computer are not
examined automatically when they are inserted in the
diskette drive, this does not in itself cause a security
risk as long as VIRSTOP is up and running. A diskette's
boot sector is examined immediately when a disk operation
is performed on the diskette, and the programs on a
diskette are likewise examined automatically when they
are used.
The Budo virus was found in our organization. Instead of
disinfecting the virus, F-PROT simply destroyed the infected
files. Why?
Some viruses irreparably damage the files they infect. In
some cases this is due to programming errors in the
virus code, but certain viruses actually spread by
overwriting the contents of their host files with their
own code. In either case, F-PROT can only delete the
infected files. Once the virus has been removed from the
system, the deleted programs should be either
re-installed or restored from back-up copies.
If the F-CHECK integrity checker software has been
installed in the computer, it may be able to restore
partially damaged files. However, even F-CHECK is
helpless in the face of more extensive damage. In such
cases, it is best to restore the system from a back-up
copy.
F-PROT can disinfect about 80-90% of the viruses which
can be disinfected at all.
Changes in Version 2.16
Changes in F-PROT for Windows
F-PROT for Windows and VIRSTOP sometimes conflicted when
scanning infected boot sectors. This has been fixed.
A warning message about possibly active users is displayed
when a new version is installed as an update.
F-PROT for Windows is now also updated when a scheduled
task is activated and a new version is available in the
update directory.
F-PROT can now be maximized even while a memory scan is in
progress in the minimized (icon) state.
One GPF problem (GPF in BC30RTL.DLL at 0001:4DAD) has been
fixed. This error happened if Windows was unable to allocate
DOS memory at all.
The memory scan has been rewritten.
Old versions of F-PROT for Windows logged an error message
when they encountered directories with hidden or read-only
attributes.
This version of F-PROT for Windows has more descriptive
messages for communication errors.
If a user attempts to close F-PROT without aborting a scan
in progress, an error message is displayed.
If a virus is detected during the memory scan, its name is
now shown in the warning message. The name used to be shown
only in the title bar, a place where it wasn't obviously
visible.
Changes in F-PROT for DOS
VIRSTOP 2.15 was found to be incompatible with a program
called PC-CONFIG. This has been fixed.
VIRSTOP 2.15 flagged the boot sectors of diskettes protected
with the RINGFENCE and DISKLOCK products as infected. This
has been corrected.
Changes Common to F-PROT for DOS, Windows and OS/2
All COM files infected with the Jerusalem.Pipi.1536 and KMIT
viruses were incorrectly reported as being first generation
samples. These are compiled virus programs, not program
files which have been contaminated through infection.
The Bengal virus was only found in COM files, not EXEs. This
has been fixed.
F-PROT 2.15 missed a very small number of files infected by
One_Half.3544 and Neuroquila. The program should now be able
to detect all occurrences of these viruses.
The reporting of boot sector viruses has been changed
slightly. F-PROT now reports " (?)" instead of " - unknown"
when it detects a boot sector virus for which it has no
identification information.
The following false alarms have been fixed:
The file NUAGE!.COM from the Assembly'94 demo collection was
reported as "Possibly a new variant of Reklama".
VIRSTOP reported the file SPEED.COM as having been infected by
the Phalcon virus.
New Viruses Detected by F-PROT 2.16
The following 10 viruses are now identified, but cannot be
removed as they overwrite or destroy infected files. Some of
them were detected by earlier versions of F-PROT, but only
reported as "New or modified variant of...".
Abraxas.1518 Maaike.164.B
Burger.542 Milan.Demon.270
Burger.560.AV Leprosy.Skism.808.D
Cavaco Leprosy.Skism.1992.C
Dev_X VCL.423.Mindless.B
F-PROT can detect and remove the following 218 new viruses.
Earlier versions of F-PROT could detect many of these
viruses. Now they are also identified accurately.
_132.127 Kode4.281
_307.329 Lemming.2144
_468 Leningrad_II.1499
_500 Leningrad_II.2000.B
_500_2 Little_Red.B
_656 Lockjaw.499
_872 Loook
_1395 Lurid
_1536.B Mag.239
_2828 Mag.254.A
Acid.674 Mag.254.B
Arusiek.691 Marzia.O
Arusiek.692 MMIR.411
Australian_Parasite.Middle.491 MMIR.423
Australian_Parasite.Middle.1041 Mne.1173
Australian_Parasite.Middle.1169 Moonlite.366
Baba.356 Msu
Barrotes.1194 November_17th.522
Beer.2473 Nygus.278
Beer.2620 and Peasant
Beer.3307 Phx.1289
BigX.610 Phx.1295
Bobo.427 Pixel.124
Bootexe.394 Pixel.200
Bootexe.443 Pixel.852.B
BW.525 Pixel.1577
BW.556 Pixel.1686
BW.756 Pose.1155
Caca Pose.1164
Carzy.B PS-MPC.338.D
Cascade.1701.Y PS-MPC.520
Cascade.1701.Z PS-MPC.565.E
Cascade.1701.Yap.C PS-MPC.565.F
Cascade.1701.AA PS-MPC.569.B
Cascade.1701.AB PS-MPC.565.G
Cascade.1704.Z PS-MPC.565.H
Chaos.1181.J PS-MPC.569.E
Chaos.1181.K PS-MPC.570.E
CLME.1528 PS-MPC.570.F
Clonewar.923.B PS-MPC.570.G
Clonewar.923.C PS-MPC.573.J
Clonewar.923.E PS-MPC.573.K
Clonewar.923.F PS-MPC.578.I
Clonewar.923.G PS-MPC.578.J
Clonewar.923.H PS-MPC.578.K
Collor PS-MPC.578.L
Danish_Tiny.163.C PS-MPC.578.M
Dark_Avenger.1800.M PS-MPC.579.D
Datalock.920.L PS-MPC.Dangler
Denied.B PS-MPC.Happy_Day
Enterprise Sauron
Error_Inc.260 Scity.678
Error_Inc.393 Scity.713
Fax_Free.1024.Mosquito.B Semtex.1000.D
Fax_Free.1024.Mosquito.C SIC.325
Fax_Free.1536.Topo.B SIC.456
FFFF.432 SillyC.162
FFFF.440 SillyC.163
Fin SillyC.547
Flash.688.D SillyC.657
Freak.604 Smegdemo
Galeo Star
GameF.1053 Sterculius.440.B
GameF.1065 Suriv_1.April_1st.F
Geliyor Surprise.1282
Heja SVC.1064.B
HLL.Vova.8896 SVC.1064.C
HLL.Vova.9904 Sveta
HLLC.4768.A Sword.B
HLLC.4867.B Tai_Pan.666
HLLC.Captain Teraz.4004
HLLC.W_A Timid.313
HS.982 Traven
Hymn.Sverdlov.C Troi.F
Ieronim.1020 TU.2500
Ieronim.1024 Unc.1039
Ieronim.1082 Unc.1377
IMI.2304 Unc.1410
Infector.469 Userlist.1178
Infector.875 Vacsina.Grog.1082
Int_FF VCL.420
Intruder.1355 VCL.551
Ironfist VCL.634
Istanbul.1312 VCL.Anston
Istambul.1349 VCL.Rat
IVP.Angry_Samoans.B Vienna.435.C
Jerusalem.1808.Dashes Vienna.435.D
Jerusalem.1808.Exciter.A Vienna.435.E
Jerusalem.1808.Exciter.B Vienna.435.F
Jerusalem.1808.Exciter.C Vienna.435.G
Jerusalem.1808.Exciter.D Vienna.435.H
Jerusalem.1808.Frere.J Vienna.435.I
Jerusalem.1808.sumsdos.AP Vienna.435.J
Jerusalem.1808.sumsdos.AQ Vienna.435.K
Jerusalem.1808.New Vienna.520
Jerusalem.Tarapa.D Vienna.565
Junkie.B Vienna.641
KA Vienna.680.B
Kela.2002 Vienna.1006
Kela.2010 Vienna.Violator.821.B
Kela.2099 Vienna.Violator.821.C
Keykap.923 Void.1886
Keykap.1074 Wildfire.2371
Keykap.1077 Wordswap.1503.B
Keypress WVP.352
Killerwhale.750 Yankee_Doodle.2433
Kiwi.1000.A Yankee_Doodle.3561
Kiwi.1000.B Zol
Kiwi.1000.C
The following 35 new viruses can now be detected but not yet
removed.
_257.258 Pollution.381
4On Pollution.378
Astra.927.B Pollution.390
Cantanto Pollution.565
Crepate.1944 Predator.1055
Estonia Problem.845
Eternity.565 Radyum.509
Eternity.600 Rider
Grog.2825 SIC.651
Hello.547 SIC.736
Keykap.685 SmartC
Moonlite.417 Talon.1894
NED.Itshard Topa.2456
NED.Tester Twisted.292
Nigh Twisted.298
No_Smoking VCL.Renegade.5738
NRLG.826 Xuxa
Nympho.666
F-PROT's earlier versions could detect the following 13
viruses. Now they can also be removed.
Acvt Creator
Beer.2794 June_12th
Beer.2850 Screaming_Fist.II.652
Beer.3164 Spinner
Beer.3192 WXYC.A
Beer.3490 WXYC.B
The following viruses have been renamed in order to make F-
PROT follow the CARO naming standard as closely as possible.
JH ->> Error_vir
Rythem.* ->> Leprosy.Skism.*
F-PROT Professional Support < f-prot@datafellows.fi >