
F-PROT Professional 2.19 Update Bulletin



F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This material can be freely quoted in Europe, Africa and Asia when the source, F-PROT Professional Update Bulletin 2.19, is mentioned.

Copyright (c) 1995 F-Secure Ltd.



Contents 4/95


Is the Increase of Viruses Slowing Down?
Correction
Viruses and Windows NT
Viruses and Windows 95
The Global Virus Situation
  Buptboot
  Crazyboot
  Tai-Pan.438.B
  Vienna.Bua
  Zarm
  Byway
News in Short
  Michelangelo.A on Driver Diskettes
  PKZIP-Trojans on the Move
Common Questions and Answers
Changes in F-PROT Professional version 2.19

Is the Increase of Viruses Slowing Down?


For almost ten years, people have been predicting the imminent demise and disappearance of DOS. At the end of the eighties, OS/2 was supposed to replace DOS in two or three years, maximum. In the nineties, Windows inherited the DOS-killer mantle. Nowadays, the nomination has passed to Windows 95, Windows NT and OS/2 Warp.

When estimating the life-span of DOS, one must consider the existing computer equipment and new sales separately. In the new sales department, DOS will undoubtedly lose ground quite rapidly. However, when it comes to existing equipment, it is unlikely that DOS will go anywhere in the next 5-10 years. Consider, for instance, that many companies are still using equipment and software obtained during the first half of the eighties, over ten years ago. To balance that, there are, of course, fields of business - and whole countries, for that matter - where getting the latest hardware is all the rage.

The switch into new operating systems moves along many different channels. In Germany, OS/2 Warp has proved distinctly more popular than in the rest of Europe. In Japan, companies clearly favor Windows NT. At this point, it is hard to say anything about Windows 95 - Microsoft predicts that 20% of Windows users will switch to 95 during the first six months after the publication.

People who write viruses do it on quite ordinary microcomputers. They buy their computers from the same shops as those users who walk the straight and narrow, and design their viruses to function under the same operating systems they themselves use. It is, therefore, easy to predict a rapid increase of non-DOS viruses in the future. At the moment, there are only a handful of Windows and OS/2 viruses.

New operating systems make it possible to create viruses that function in completely novel ways. It is, therefore, fortunate that the new development environments and tools - not to mention the operating systems themselves - are so much more complex than their counterparts in DOS that the work of a virus writer becomes quite difficult. Because of this, it can be hoped that the increase in the number of new viruses will slow down as the new operating systems gradually take over the market.

F-PROT Professional will keep up with the new operating systems. The Windows 95, Windows NT and OS/2 Warp versions of F-PROT Professional are currently undergoing their last tests, and working fine. They will become globally available inside the next couple of weeks.

Correction


In the F-PROT 2.18 Update Bulletin, we mistakenly told you about an F-PROT review published by the Slovenian version of the international Monitor Magazine. To set matters straight, we wish to clarify that Monitor Magazine is independent, not part of any international magazine having the same name. Furthermore, Monitor has not published a comparative review of different anti-virus products - the review in the April issue discussed only F-PROT Gatekeeper.

Viruses and Windows NT


Most of the DOS file viruses are able to function quite normally under Windows NT as well. The viruses can load themselves into memory in DOS windows and infect the files the user has write rights to. The viruses cannot spread outside the DOS windows in which they have been started, so a user may have both clean and infected DOS windows open at the same time.

Windows NT supports a multitude of user levels and rights. These serve to curb the spreading of file viruses quite efficiently, but in a normal environment it is impossible to prevent it altogether - a user usually has write rights to his or her home directory and to some shared directories.

Windows NT prevents direct disk operations. This makes it impossible for multipartite viruses to infect hard disk boot sectors, and at the same time it prevents many multipartite viruses from operating at all.

Current file viruses can be disinfected in Windows NT by opening a DOS window and then removing them as in DOS.

If a computer is booted from a diskette infected by a boot sector virus, the virus usually manages to infect either the hard disk's Main Boot Record or the boot sector of a disk partition. Some viruses which check the hard disk type - among them the Finnish_Sprayer virus - won't infect an NT disk at all. Most viruses, however, do not check the disk type before infecting it. In such cases, the differences between DOS and Windows NT usually lead to Windows NT crashing when the computer is booted from the infected hard disk. If this happens, the computer should be booted from a clean DOS boot diskette and disinfected from DOS - it is a good idea to retain a clean DOS boot diskette even if the computer is mainly used with Windows NT.

After the computer has booted, infections in the Main Boot Record can be removed normally either with F-PROT for DOS or with the command FDISK /MBR (assuming that the virus has not altered the partition table in any way).

If the virus is of a type that infects the boot sectors of disk partitions - such as Form - the disinfection may prove difficult. If the hard disk contains a DOS partition and the virus has infected its boot sector, the disinfection can normally be executed with the DOS version of an anti-virus program. The DOS command SYS C: should not be used in disinfection - it creates a new boot sector and system files, but these are different from the ones used by Windows NT.

If the virus has infected the boot sector of a partition using the NTFS file system, it must be disinfected manually. A disk editor, such as Norton Disk Editor, may prove a valuable aid in the process. With such an editor, it is possible to write a clean boot sector over the infected one. The virus may have relocated the original, clean boot sector to some other part of the hard disk. Even if the virus has not bothered to store the original boot sector, a copy of it may be found in the middle of the NTFS partition; Windows NT makes such a copy when it formats the partition for its own use. However, this apparently does not hold true for all environments, so it is best to play it safe and copy the boot sector onto a diskette. The boot sector of an NTFS partition is located on the first sector of the first track - in the same place where DOS also stores its boot sector.

When the boot sector has been disinfected in one way or another, the computer can again be booted from the hard disk. NT should function normally, provided the virus has not damaged the files on the hard disk.

All in all, Windows NT provides relatively good protection against file viruses, as long as users are given write rights only to the files and directories where such rights can be considered necessary. When it comes to boot sector viruses, the situation is not so good. The disinfection of boot sector viruses can in some cases become quite complicated, and therefore it is a good idea to prevent diskette boots directly from the computers' BIOS, when and if that is possible.

Viruses and Windows 95


The soon-to-be-published Microsoft Windows 95 introduces new characteristics to the field of anti-virus activities. Although there have been rumors that the virus threat will be eliminated when Windows 95 comes along, these are, for the most part, insubstantial. In fact, almost all current viruses will be able to function with Windows 95.

Boot sector viruses will be able to infect both hard disk Main Boot Records and the boot sectors of disk partitions quite normally. However, the viruses will not be able to spread to diskettes normally after the initial infection. When Windows 95 is started, it usually loads a 32-bit disk access system. If, on the other hand, the computer has been infected by a boot sector virus, Windows 95 is shunted to using the 16-bit disk access system. In spite of this, some parts of the 32-bit access system are loaded, and this prevents boot sector viruses from spreading to diskettes. This does not mean that the viruses can be safely left on the disk, however, because they are still able to activate and cause damage. The infection should be removed when it is detected.

It should be noted that if the user has set the 16-bit disk access on from the Windows 95 Control Panel, the viruses will be able to spread to diskettes quite normally.

Boot sector viruses that use DOS interrupts to infect diskettes will not be able to function under Windows 95 - the operating system's kernel takes command over all DOS interrupts, thus preventing viruses from using them.

Although Microsoft's own anti-virus program will not be supplied with Windows 95, Windows 95 is capable of detecting a boot sector infection by itself. Check the lower half of the Performance page in Control Panel's System program - it may contain a warning about an MS-DOS-compatible disk access state and a possible virus infection. Since this warning is not repeated anywhere else, it is easy for a user to overlook.

File viruses, on the other hand, are able to function under Windows 95 almost as well as under DOS itself. The main difference is that the viruses are only able to spread themselves inside DOS windows opened from Windows 95. This holds true only for the present viruses, however - it is likely that we will soon see viruses written expressly for Windows 95, capable of exploiting its characteristics.

Since Windows 95 is technically quite different from earlier versions of Windows, only a few currently known Windows viruses will be able to function under it.

Disinfection of Viruses

During installation, Windows 95 asks whether the user wants to create a utility diskette from which the computer can be booted afterwards. It is advisable to take the program up on its offer, for without such a utility diskette it may prove difficult to disinfect certain boot sector viruses - especially if no anti-virus program is immediately available at the time.

Disinfection of Boot Sector Viruses

In principle, boot sector viruses are disinfected in Windows 95 in quite the same way as in DOS. First, the computer must be booted from a clean diskette - this can be done with either the Windows 95 utility diskette created during installation, or a normal DOS boot diskette. After this, the virus can be disinfected by using an anti-virus program.

If the computer is booted from the Windows 95 utility diskette, the disinfection procedure may in some cases be interrupted by a warning about direct disk access. This warning can usually be disabled by using Windows 95's own LOCK command, but it may sometimes prove necessary to boot the computer from a DOS boot diskette. After a DOS boot, the infection can be disinfected normally with F-PROT for DOS. As can be seen, it is worthwhile to hang onto an old DOS boot diskette even after switching to Windows 95.

If no anti-virus program is immediately available, it is possible to attempt disinfection by using the operating system's own functions. This can be done with the command FDISK /MBR, which can be used after both a DOS and a Windows 95 diskette boot. However, if the computer's hard disks cannot be accessed normally after a diskette boot, one should not attempt an FDISK /MBR disinfection. In such cases, the infecting virus has probably encrypted the hard disk's partition table - there are viruses that do this, among them the Stoned.Empire.Monkey viruses.

Viruses that have infected the boot sector of a disk partition can be removed manually by using the Windows 95 utility diskette. After the diskette boot, the infection can be removed by simply giving the SYS C: command - this will cause the boot sector and system files to be rewritten on the hard disk. If the computer has been booted from a DOS boot diskette, the SYS C: command should not be used, because it will create a boot sector different from the boot sectors used by Windows 95.

Disinfection of File Viruses

First, the computer should be booted from a clean diskette just to be on the safe side. Windows 95 utility diskettes and DOS boot diskettes are both suitable for booting. After that, the viruses are disinfected just like in DOS.

The Global Virus Situation


The following viruses have been reported to be widespread in different parts of the world:

Buptboot


Buptboot is a boot sector virus, functionally typical of its kind, which infects the Main Boot Records of hard disks and boot sectors of diskettes. The virus contains the text "Welcome to BUPT 9146,Beijing!", which is why it is also known as Welcomeb. The only peculiarity in this virus is that it does not store the contents of the original boot sector anywhere. F-PROT is able to detect and remove the Buptboot virus.

Crazyboot


Crazyboot is also a boot sector virus, probably of Russian origin. Because of programming errors, Crazyboot corrupts some of the diskettes it infects. Every now and then the virus displays the following message:

  Don't PLAY with the PC ! Otherwise you will get in `DEEP,DEEP' trouble !... Crazy Boot Ver. 1.0

When Crazyboot infects a hard disk, it removes the disk's partition information from its correct place in the Main Boot Record. Because of this, one should not attempt to remove a Crazyboot infection with the FDISK /MBR command.

F-PROT is able to detect the Crazyboot virus. Due to the above-mentioned relocation of partition information, special steps must be taken to remove the virus; in case of an infection, contact your local F-PROT distributor or F-PROT Support for further instructions.
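The FDISK /MBR warnings in the Windows NT and Windows 95 sections and in the Crazyboot entry all rest on one condition: the partition table must still be intact in the Main Boot Record. The following check of a saved MBR sector is an added example, not part of the original bulletin or of F-PROT. The function names, the three sample sectors and the XOR constant are constructed for illustration and do not reproduce any particular virus.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # 446 bytes of boot code precede the partition table
ENTRY_FORMAT = "<B3xB3xII"  # boot flag, (CHS start), type, (CHS end), LBA start, sector count
SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector):
    """Decode the four 16-byte partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "start": start, "sectors": count})
    return entries


def partition_table_problems(sector):
    """Return reasons the table cannot be trusted; an empty list means it looks intact."""
    entries = parse_partition_table(sector)
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55 AA signature")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(e["boot"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    for n, e in enumerate(entries):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {n}: invalid boot flag 0x{e['boot']:02x}")
        if e["type"] != 0 and (e["start"] == 0 or e["sectors"] == 0):
            problems.append(f"entry {n}: used entry has zero start or length")
    spans = sorted((e["start"], e["start"] + e["sectors"]) for e in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("partitions overlap")
    return problems


def boot_code_rewrite_is_safe(sector):
    """A plausible table is a necessary condition for FDISK /MBR, not proof of a clean disk."""
    return not partition_table_problems(sector)


# --- constructed sample sectors (boot code left empty on purpose) ---
def _entry(boot, ptype, start, sectors):
    return struct.pack(ENTRY_FORMAT, boot, ptype, start, sectors)


def _mbr(table):
    return bytes(TABLE_OFFSET) + table + SIGNATURE


# One active FAT16 partition starting at sector 63.
CLEAN_MBR = _mbr(_entry(0x80, 0x06, 63, 204800) + bytes(48))
# Table area blanked, as when the partition information has been moved elsewhere.
EMPTY_TABLE_MBR = _mbr(bytes(64))
# Table area unreadable; XOR with an arbitrary byte stands in for any encryption.
SCRAMBLED_MBR = _mbr(bytes(b ^ 0x5A for b in CLEAN_MBR[TABLE_OFFSET:510]))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR),
                         ("empty table", EMPTY_TABLE_MBR),
                         ("scrambled table", SCRAMBLED_MBR)):
        issues = partition_table_problems(image)
        print(f"{label}: {'table intact' if not issues else '; '.join(issues)}")
```

The sector should be read after a boot from a clean diskette, for the reason given in the Common Questions and Answers section: a virus that is resident in memory is still in control of the machine.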

Tai-Pan.438.B


Tai-Pan, originally a Swedish virus, has quickly managed to spread itself all over the world. It is now one of the most globally common file viruses. There are many different versions of Tai-Pan - two of these have been described in earlier update bulletins (issues 2.14 and 2.17).

The latest discovered variant of Tai-Pan does not differ much from the original Tai-Pan.438; the changes it contains have apparently been added only in order to bypass some anti-virus program. The new variant has been found at least in Sweden and Finland.

F-PROT is able to detect and remove the Tai-Pan.438.B virus.

Vienna.Bua


The Vienna.Bua virus is also known by various other names, such as Big Caibua, Bua, Butthead and Vienna.2279. During May 1995, this virus managed to spread through some BBS systems and ftp servers.

The virus activates on the 5th of May, at which time it displays a graphic phallus symbol on the screen. Later on, the virus tries to do damage by formatting the hard disk's zero track, removing the first file in a directory, creating subdirectories with obscene names etc.

Vienna.Bua contains the following text strings, hidden under a layer of encryption:

  RABID is Actually NAMBLA. Go figure High Evolutionary Sucks BIG CAIBUA! You bastardize code, I bastardize it again! F... You! Difference is you cocksucker, I can actually program in assembler. Read about it in VSUM! btw, Patty, Howabouts ya lick my BIG CAIBUA? Oh, And John, Just in case you think I forgot your sorry ass. The next one is for you!!! Muhahahahahahahahahaha!!!! O.J. IS GUILTY!! Tempest, Live for yourself. You do not know what love is yet. wait, it will come. No worries.

F-PROT is able to detect and remove the Vienna.Bua virus.

Zarm


Reported by Herve Carette, DataRescue sprl, Belgium

Zarm is a memory-resident self-encrypting COM and EXE infector. It was found in France during May 1995.

Zarm is a stealth virus that intercepts interrupt 21h's functions 11h, 12h, 31h, 3Dh, 4Eh, 4Fh, 4Ch, and 6Ch to mask its presence in an infected system. The virus hooks int 3 to its own decryption routine. This routine then decrypts a second decryptor on the stack. Once the virus has installed itself in memory, it also uses int 1Dh - normally a pointer to some video information - as a gateway for calling the original int 21h.

A new int 1Ch (timer) handler is installed. It plays with the display controller, effectively shaking the picture on a standard VGA display.

In addition to its other qualities, Zarm is also a retro-virus: it is able to deactivate VSAFE, VDEFEND and VWATCH.

The virus contains the following text:

  ZARMA-VIR by T. Power *** Claudia Schiffer Lives !!!..

Because of this text, Zarm is also known as T_Power.Zarma.

Byway


In the summer of 1995, a new virus using cluster techniques was found and named Byway. Its spreading methods are similar to those of the DIR-II virus family.

When the user executes an infected program on a clean machine, the virus creates a hidden file in the root directory of drive C. The file is 2048 bytes long and its name is CHKLISTx.MS. The "x" in the file name is ASCII character 255. Microsoft Anti-Virus uses almost the same name for its checksum file; apparently the virus author wanted to make the user believe that the new file belongs to MSAV.

Byway reserves 3216 bytes of memory for itself. When it infects a file, it changes the FAT to point to the virus's code instead of the beginning of the file. When the user runs an infected program, the virus executes its own file and only after that starts the program the user originally wanted to run.

F-PROT detects the Byway virus.
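The file described above differs from a genuine MSAV checksum file (CHKLIST.MS) only in an eighth name byte that looks like a blank in a directory listing, so the check has to be made on the raw directory bytes. The following is an added example, not part of the original bulletin or of F-PROT; the function names and both sample root directories are constructed, and the entry layout is the standard 32-byte FAT directory entry.

```python
import struct

ATTR_HIDDEN = 0x02
ATTR_VOLUME_LABEL = 0x08
DIRENT_FORMAT = "<8s3sB16xI"   # name, extension, attributes, (skipped fields), file size
DECOY_NAME = b"CHKLIST\xff"    # seven letters plus character 255, as described above
DECOY_EXT = b"MS "
DECOY_SIZE = 2048


def live_entries(root_dir):
    """Yield (name, ext, attr, size) for each in-use 32-byte FAT directory entry."""
    for offset in range(0, len(root_dir) - 31, 32):
        first = root_dir[offset]
        if first == 0x00:          # never-used entry marks the end of the directory
            break
        if first == 0xE5:          # deleted entry
            continue
        name, ext, attr, size = struct.unpack_from(DIRENT_FORMAT, root_dir, offset)
        if attr & ATTR_VOLUME_LABEL:
            continue
        yield name, ext, attr, size


def find_byway_decoy(root_dir):
    """Report entries named CHKLIST<255>.MS and whether they match the description."""
    findings = []
    for name, ext, attr, size in live_entries(root_dir):
        if name == DECOY_NAME and ext == DECOY_EXT:
            hidden = bool(attr & ATTR_HIDDEN)
            findings.append({
                "hidden": hidden,
                "size": size,
                "matches_description": hidden and size == DECOY_SIZE,
            })
    return findings


# --- constructed sample directories ---
def _dirent(name, ext, attr, size):
    # bytes.ljust pads with spaces, which is how FAT pads short names
    return struct.pack(DIRENT_FORMAT, name.ljust(8), ext.ljust(3), attr, size)


_COMMON = (
    _dirent(b"IO", b"SYS", 0x07, 40774)
    + _dirent(b"MSDOS", b"SYS", 0x07, 38138)
    + _dirent(b"COMMAND", b"COM", 0x20, 54645)
    + _dirent(b"CHKLIST", b"MS", 0x20, 135)      # genuine MSAV-style name, space padded
)
CLEAN_ROOT = _COMMON + bytes(32)
INFECTED_ROOT = _COMMON + _dirent(b"CHKLIST\xff", b"MS", ATTR_HIDDEN, 2048) + bytes(32)

if __name__ == "__main__":
    for label, image in (("clean root", CLEAN_ROOT), ("infected root", INFECTED_ROOT)):
        print(label, "->", find_byway_decoy(image) or "no decoy file")
```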

News in Short



Michelangelo.A on Driver Diskettes


The dangerous Michelangelo virus has been found on Emulex DCP-286 driver diskettes. These diskettes are in worldwide circulation. Luckily enough, the infected diskettes were all of the old 5.25" type - all 3.5" driver diskettes checked out clean. Emulex Inc has informed its distributors of the matter and will supply new diskettes on request.

PKZIP-Trojans on the Move


Not just one, but a couple of new Trojan Horses claiming to be the latest versions of the PKZIP program have been discovered recently. Actually, the latest version of PKZIP is still 2.04g.

Common Questions and Answers


If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly at the number 350-0-478 444.

Written questions can be mailed to:

  F-Secure Ltd
  F-PROT Support
  Päiväntaite 8
  FIN-02210 ESPOO
  FINLAND

Questions can also be sent by electronic mail to:

  Internet: F-PROT@F-Secure.com
  X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

After I installed the F-PROT Gatekeeper software, my computer took to crashing every time Windows is started. The crash takes place in the middle of Gatekeeper's memory check - nothing will happen after 62% of memory has been checked. My computer is an ordinary 486 microcomputer with an S3 display adapter. How can I fix this problem?

The problem is caused by the display adapter and its drivers. Certain display adapters and their drivers reserve a part of the computer's memory exclusively to themselves, preventing other programs from even reading the area. The consequence is that the computer will hang when the area is read; F-PROT for Windows will also hang during the memory check in a similar situation.

The problem can be solved by preventing Gatekeeper and F-PROT from checking the memory area in question. A way to do this has been described in chapter 2.2.6 of F-PROT Gatekeeper's manual. Another way is to use the following table:

  Segment  Percentage
  00        0%
  01        6%
  02       13%
  03       18%
  04       25%
  05       31%
  06       37%
  07       43%
  08       50%
  09       56%
  0a       62%
  0b       68%
  0c       75%
  0d       81%
  0e       87%
  0f       93%

F-PROT Gatekeeper, like F-PROT Professional for Windows, uses the F-PROTW.INI configuration file located in the computer's Windows directory. By adding the line AreaStatusMemorySegment=1 under the header [MemoryScan] in this file, both programs can be instructed to leave a certain memory segment unchecked.

In this case, the computer hangs when F-PROT Gatekeeper has checked 62% of memory. Therefore, the problem can be solved by adding the following lines to the F-PROTW.INI file:

  [MemoryScan]
  AreaStatus0a=1

F-PROTW.INI can hold multiple AreaStatus statements.

I noticed a virus infection in my hard disk's Main Boot Record, and disinfected it immediately by using F-PROT. However, when I restarted my computer, the infection appeared again. Why?

Apparently, you did not boot the computer from a clean diskette before attempting disinfection. A clean diskette boot is crucial when dealing with boot sector viruses, for, if the computer is booted from the infected hard disk, the virus manages to load itself into memory and may infect the Main Boot Record again straight after it has been disinfected. This is one of the reasons why a computer should always be booted from a clean diskette before any disinfection attempt.

When a boot diskette is created, it is important to make sure that the computer is, indeed, clear of viruses. If the computer happens to contain a virus, the diskette will very probably be infected immediately when it is inserted into the diskette drive - it will be worse than useless. Make sure that the computer is clean by checking the hard disk with F-PROT.

A boot diskette is created with the FORMAT /S command. The /S parameter instructs the Format program to copy the system files to the formatted diskette. After formatting, it is also necessary to copy all the needed drivers to the diskette - for instance, SCSI hard disk drivers, keyboard drivers, network drivers and drivers needed by possible disk compression programs. It is also worthwhile to equip the diskette with DOS's own Format, Fdisk and Sys programs.

After the necessary drivers have been copied, the start files AUTOEXEC.BAT and CONFIG.SYS should be created on the diskette. The easiest way to do that is to copy the start files from the hard disk and edit them to be suitable for a diskette boot - the statements in these files must point to the programs on the diskette, otherwise an infected program on the hard disk may be executed during the boot-up.

After the boot diskette has been created, it should always be kept write-protected, to ensure that viruses will not get the chance to infect it at any time.

Then, when and if a virus infection is detected in the computer, the computer must be booted from the clean boot diskette before any disinfection attempt. After the boot, F-PROT should also be executed from diskette - the disinfection can then be performed quite normally. The F-PROT diskette should be kept in the drive for as long as the disinfection takes. F-PROT may have to load virus search strings from the database on the diskette during the disinfection operation.

After the infection on the hard disk has been taken care of, all diskettes used in the computer should also be checked. If the computer has been infected with a boot sector virus, the infection has very probably spread to all non-write-protected diskettes used in the computer. The best way to take care of the checking operation is to copy F-PROT to the hard disk, execute it from there and use it to check the diskettes.

Changes in F-PROT Professional version 2.19



Changes in F-PROT for DOS



The following false alarms have been fixed:


  3FD.EXE        Possibly a new variant of Grog
  FLOS.EXE       Possibly a new variant of Trivial
  LOCKSYSS.COM   Possibly a new variant of AstraSYS
  OPENING.SYS    Possibly a new variant of Taz
  PENTEST.COM    Possibly a new variant of Quiet
  SWMP.EXE       Fish_6 (Virstop)
  TRAPBIG.COM    Possibly a new variant of Three_Tunes
  TRAPINT.COM    Possibly a new variant of Three_Tunes

Minor Improvements and Changes


Since the symbol "=" caused problems in BAT file arguments, we now allow the command line parameter /REPORT=filename to be written also in the form /REPORT:filename.

Changes in F-PROT for Windows


F-PROT Gatekeeper settings buttons in the Protection Preferences dialog were disabled if the "Show Virus Names" checkbox was left unchecked. This has been corrected.

When a boot sector disinfection attempt was made on a write-protected diskette, F-PROT for Windows added an error message to the report and the operation failed. Now it shows a message box with the text "Error: Write-protected diskette in drive A:", and gives the user the chance to remove the write protection and retry the operation. F-PROT for DOS works the same way.

In reports, longer virus descriptions used to be shown on single continuous lines where "|" symbols stood for supposed line separators. Now such descriptions are shown properly on multiple lines.

New Viruses Detected by F-PROT


The following 18 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but not identified accurately.

  Burger.398 Burma.756 Dual_GTM.1436 Dual_GTM.1446 Dual_GTM.1528 Dual_GTM.1643 HLLO.7227 HLLO.41714 Itti.162 Kode_4_over.131 Leprosy.loard Sandra.1356 Trivial.50.A Trivial.50.B Trivial.84 Trivial.100 Trivial.127 VCL.Mindless.423.H

The following 89 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately.

  _385 _419 _998 _3128 A-OD Ambulance.795 Anticad.2900.ABT.C AntiCMOS.C Apparition Avalanche.2818 Beda.883 Beda.1301 Cascade.1701.AJ Cyberloard Dark_Avenger.2000.Dieyoung.C Datafire Die.666 EAF.656 Equals.1448 Equus Father_Mac.269.B Future Gidra.505 Ginger.2351 Hafenstrasse.1640 HLL.4629 HLL.Mercury HLLC.8902 Holiday.3000 IMI.1536.G IQ Jerusalem.1808.EVg Jerusalem.Fu_Manchu.E Jerusalem.Pipi.1552.B Jolter Judge Khiznjak.306 Khiznjak.711 Kode_4.285 Larry.497 Lockjaw.518 Lokinator.971 Lost_Geek.734 MMIR.393 Marian.700 Mirage.1322 Mirea.737 Moonlight MZV Nchc Nightfall.4480 Nightfall.4518 Nightfall.4519 Npox.1487 Npox.1726 OOP Override.1280 Polifemo.736 PS-MPC.Skeleton.556 PS-MPC.Skeleton.590 Ranger Riot.Carpe_Diem.1354 Seagull Shirley.E SillyC.122 SillyC.190.B SillyC.281 SillyCR.403 SillyCR.710 Sol.545 Sol.557 Sofia_Term.1369 SVC.1689.G Svin Swas Tai-Pan.438.B Tabulero.B Tea That Trakia.1320 Vampiro.A Vampiro.B Vampiro.C Vienna.767 VLAD.653 VLAD.655 VLAD.2042 X-Fungus.1483

The following 31 new viruses are now detected and identified but can not yet be removed.

  Antigus Australian_Parasite.254 BW.708 Caustic Cowabunga Dementia Earle Father_Mac.306.B G_World Green Ha!.1224.B Hello.365 JVW.893 Mickie NRLG.713 NRLG.750 NRLG.752 NRLG.872 Radiation Ratboy.513 Ratboy.545 Ratboy.671 RTL Sign Slovakia_II Tiawan TT Uniq.308 Vice.1197 VLAD.696 Zarm

The following 2 new viruses are now detected, but not identified. F-PROT will just report the family name with a (?) or report the virus as a "New or modified variant", as it is not yet able to determine which variant it is dealing with. Disinfection of these viruses is not yet possible.

  Byway Manzon

The following 7 viruses which were identified by earlier versions can now be removed.

  5lo Die_Hard Dream Jerusalem.Zerotime.Australian.A Jerusalem.Zerotime.Australian.B Jerusalem.Zerotime.Australian.C Sayha

The following viruses have been renamed:

  _1376 -> Quicky
  Media -> Markt
  Stanco -> HLL.Stanco
  Voodoo -> HLL.Voodoo

