
F-PROT Professional Update Bulletins
F-PROT Professional 2.21 Update Bulletin
CONTENTS BRIEFLY
---- Contents 6/95
---- Change in climate
---- Virus Writer Sentenced to Prison in UK
---- The Global Virus Situation
---- Little_Red.B
---- Stoned.Angelina
---- WordMacro/Colors
---- News in Short
---- The Happy Birthday Hardware Trojan
---- Common Questions and Answers
---- Virus Activation Routines
---- Changes in F-PROT version 2.21
---- Changes in F-PROT for DOS
---- Changes in F-PROT for Windows
F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@F-Secure.com
This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.21 is mentioned. Copyright (c) 1995 F-Secure Ltd.
Change in climate
In recent times, attitudes towards viruses and virus
writers seem to have toughened worldwide.
People have apparently recognized viruses for what they are:
an information security threat, not just harmless pranks. We
here at F-Secure approve of this trend; it makes our job
that much easier.
The weather has indeed turned cloudy for virus writers and
virus groups. A short time ago, a virus writer in the UK
experienced the consequences of this shift.
Virus Writer Sentenced to Prison in UK
Christopher Pile, an unemployed 26-year-old from Efford,
Plymouth in the UK, gained notoriety under the pseudonym Black
Baron by creating the viruses Pathogen, Queeg and Smeg.
These viruses were available on computer bulletin boards and
systems connected to the Internet.
Unlike too many virus writers, Pile was caught. At his trial
on the 26th of May 1995, Pile pleaded guilty to eleven charges
arising from his creation and release of these viruses. Ten
counts related to instances where organizations had suffered
unauthorized modification of their computer data by one of
these viruses. The eleventh charge relates to inciting
others to create computer viruses and hence cause
unauthorized modifications. Although Pile's trial was in
May, the sentencing was delayed until November to allow both
defense and prosecution counsel to argue the seriousness of
these crimes.
Christopher Pile was sentenced to 18 months of imprisonment.
This makes him the first person in the United Kingdom to be
convicted of writing and distributing computer viruses, and
the first person in the world to be convicted of inciting
others to create computer viruses. Of course, precedents for
punishing virus writers exist in the UK; in October 1992,
three Cornell University students were each sentenced to
several hundred hours of community service for creating and
disseminating a computer virus.
Unauthorized modification of information in a computer
system is an offense under section 3 of the United Kingdom's
Computer Misuse Act 1990. The maximum punishment under this
section is five years imprisonment or an unlimited fine or
both.
The Global Virus Situation
Little_Red.B
The Little_Red.B virus infects COM and EXE files every time
they are opened or executed. The virus is also able to
infect programs in a directory when the DIR command is used
on the directory. Infected files grow by 1465 bytes.
Little_Red was quite a common virus in the USA during the
end of 1994. The virus activates on the 26th of December and
the 9th of September and plays one of two Chinese melodies.
The activation dates are the birth and death dates of Mao
Tse Tung, which is why the virus is also known as Mao.
The Little_Red virus is known to hide on some Proview
monitor utility diskettes (Power Management EPA Energy Star
& VESA DPMS Compliant Version 2.02).
F-PROT is able to detect and disinfect the Little_Red virus.
Stoned.Angelina
In November 1995, this Polish variant of the Stoned virus
was discovered on some brand-new, straight-out-of-the-factory
Seagate 5850 (850MB) IDE hard disks. Discoveries
were made in at least the Nordic countries.
The virus contains the text:
Greetings for ANGELINA !!!/by Garfield/Zielona Gora
Zielona Gora is a city in Poland.
Stoned.Angelina is a stealth virus. It is able to hide its
own code on the hard disk while it remains active in the
computer's memory.
WordMacro/Colors
One new Microsoft Word macro virus has appeared since the
discovery of the first three macro viruses (for more
information, see Update Bulletin 2.20). The new virus is
known as WordMacro/Colors. This macro virus was sent to a
Usenet newsgroup on the 14th of October, 1995. The virus is
also known by the name Rainbow.
WordMacro/Colors infects Word documents in a manner similar
to the previous Word macro viruses. However, the virus's
operation does not depend solely on the auto-execute macros.
Thus, the virus is able to execute even if automatic macros
are turned off. WordMacro/Colors contains the following
macros:
AutoClose
AutoExec
AutoOpen
FileExit
FileNew
FileSave
FileSaveAs
ToolsMacro
macros
All the viral macros are encrypted with the standard Word
execute-only feature.
Once an infected document has been opened, the virus will
execute when the user:
o Creates a new file
o Closes the infected file
o Saves the file (autosave does this automatically after the
infected document has been open for some time)
o Lists macros with the Tools/Macro command
You will naturally wish to verify that your computer has not
been infected by the WordMacro/Colors virus. However, do not
use the Tools/Macro command to do so - if the virus is
indeed present, you will only succeed in executing it.
Instead, use the File/Templates/Organizer/Macros command to
detect and delete the offending macros. Also keep in mind
that some future macro virus will probably subvert this
command as well.
The virus maintains a generation counter in WIN.INI: a
"countersu =" line in the [windows] section is incremented
during the execution of the viral macros. After every 300th
increment the virus will modify the system's color
settings; the colors of different Windows objects will be
changed to random colors after the next boot-up. This
activation routine does not work in Microsoft Word for
Macintosh.
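The WIN.INI counter described above gives a way to check a machine without opening Word at all. The following is an added example, not part of the original bulletin and not F-PROT code; it assumes the counter is stored as a decimal integer and that the color change fires at multiples of 300, and the sample WIN.INI contents are constructed.

```python
import re
import sys

TRIGGER_INTERVAL = 300  # per the bulletin: colors change after every 300th increment
_SECTION = re.compile(r"^\[([^\]]+)\]")

def find_colors_counter(win_ini_text):
    """Return the raw value of 'countersu' in [windows], or None if the key is absent."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        header = _SECTION.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Key and section names are compared case-insensitively.
        if sep and section == "windows" and key.strip().lower() == "countersu":
            return value.strip()
    return None

def assess_win_ini(win_ini_text):
    """Summarise the indicator: present or not, and how close the next activation is."""
    raw = find_colors_counter(win_ini_text)
    report = {"indicator": raw is not None, "count": None,
              "activations": None, "until_next": None}
    if raw is not None and raw.isdigit():         # assumption: decimal integer value
        count = int(raw)
        report["count"] = count
        report["activations"] = count // TRIGGER_INTERVAL
        report["until_next"] = TRIGGER_INTERVAL - count % TRIGGER_INTERVAL
    return report

# Constructed sample files (not taken from a real system).
INFECTED_SAMPLE = "[windows]\r\nload=\r\nrun=\r\nCounterSU = 299\r\n\r\n[Desktop]\r\nWallpaper=(None)\r\n"
CLEAN_SAMPLE = "[windows]\nload=\nrun=\n\n[colors]\ncountersu=5\n"  # key outside [windows]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as handle:
            print(assess_win_ini(handle.read()))
    else:
        print(assess_win_ini(INFECTED_SAMPLE))
        print(assess_win_ini(CLEAN_SAMPLE))
```

The presence of the key is the indicator; the counter value only shows how many times the viral macros have run on that machine.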
It is interesting to note that the virus's AutoExec macro
is empty. It has probably been included only in order to
overwrite an existing AutoExec macro - which might contain
some anti-virus routines. WordMacro/Colors also re-enables
the automatic execution of automacros if it has been
disabled, and turns off the `prompt to save changes to
NORMAL.DOT' feature; both measures have been used in
countering macro viruses.
WordMacro/Colors seems to be carefully written; it even has
a built-in debug mode. The virus has probably been written
in Portugal.
F-PROT Professional 2.21 detects the WordMacro/Colors virus.
News in Short
The Happy Birthday Hardware Trojan
November the 13th surprises have become something of a
tradition. This year, a large number of users encountered
one again.
There seems to be a large set of trojanized AMI BIOS chips
going around. These chips halt the machine during the boot-up
on the 13th of November, and play `Happy Birthday' from
the PC speaker until you press a key. Do note that this is
not a virus - the affliction will not spread anywhere from a
trojanized machine.
If you have this problem, contact your hardware vendor for a
BIOS replacement.
Common Questions and Answers
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact F-Secure directly at the number
358-0-478 444.
Written questions can be mailed to:
F-Secure Ltd
F-PROT Support
Päiväntaite 8
02210 ESPOO
FINLAND
Questions can also be sent by electronic mail to:
Internet:
F-PROT-support@F-Secure.com
or F-PROT-sales@F-Secure.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
I am interested in Internet and Web surfing. However, I am
afraid of catching a virus from the net. Do the viruses in
Internet pose a real danger?
There is a problem with viruses on the Internet.
However, at the moment other information security
problems present a much greater dilemma than
viruses.
On public, well-known ftp and www servers there are
virtually no viruses, since the files on them are
checked for infections before they are placed in
distribution. However, the Internet also contains plenty
of shady, obscure servers where one may find
anything at all. There is no shortage of servers
specializing in pure virus distribution, either.
Those who search for viruses will have no trouble
finding them.
There are also other ways to distribute viruses via
the Internet: files attached to e-mail, the chat
function IRC and its file-exchange features, the
different newsgroups. The greatest danger probably
lies in the alt.binaries newsgroups - they serve
as relay stations for all kinds of programs, most of
which are not checked for infections. To make
matters worse, many virus writers use these
newsgroups as a distribution route for their viruses
- they simply infect an innocuous-looking file
package with their latest invention and send it to a
newsgroup.
For instance, an incident of this kind took place on
24.07.1994, when a game called SEXXY was mailed to
the alt.binaries.pictures.erotica newsgroup. The
virus writer who sent the game had deliberately
infected it with the new Kaos4 virus. During the
next five days, reports of the virus arrived from
all over the world. There were also many who never
reported the virus - too embarrassed to admit that
they had caught the infection from a pornographic
newsgroup.
Netsurfers would be well advised to protect their
computers with the F-PROT Gatekeeper background
protection program, which automatically examines all
files that are transferred to the computer. That
way, one does not have to check the files for
viruses separately. Of course, common sense during
Internet adventures doesn't exactly hurt, either.
I installed Windows 95 on my computer. Soon after that, I
came to notice that Windows writes on my non-write-protected
diskettes even if I only browse the diskettes' directory
listings. Why is that? May it cause harm?
Windows 95 does indeed act in this peculiar manner.
The actual reason it does so is not known.
Microsoft's technical documentation states that, for
the purposes of detecting disk changes, Windows 95
writes on diskettes' boot sectors when the diskettes
are used, but in reality Windows 95 also writes on
the diskettes' root directories.
Windows 95 seems to make a note of all the EXE files
it has not previously seen. These notes are stored
in an unused area in directory information, and they
take up two bytes per. The bytes are apparently
time-stamped checksums of the file's directory
information.
If Win95 has previously encountered a similar EXE
file on the hard disk, on a diskette, or in the
network, it won't make a note of the file. Windows
does not examine the file's contents - instead, it
seems to maintain a database about EXE files'
directory information. Win95 does not make notes
about COM files, nor does it try to write on
write-protected diskettes. The writing in
directories seems most probably connected to Windows
95's icon cache function.
In any case, Windows 95 does write on
non-write-protected diskettes during normal read
procedures. This may hamper the functioning of
certain copy-protection programs and nonstandard
diskettes.
Virus Activation Routines
The following article on virus activation routines was
written by Mikko Hyppönen, F-Secure LTD's F-PROT
Technical Support Manager. We will publish the article in
two parts - the second will appear in the next Update
Bulletin. The text has previously been published for the
Eicar Conference `95, where Mr. Hyppönen presented it in its
entirety.
Introduction
The general public's idea of a computer virus is usually
something like "It's a program that destroys data". Strictly
speaking, this is not true, for a virus doesn't have to
destroy anything in order to be a virus. In fact, most of
the known viruses do not format hard drives or overwrite
files - or do anything at all besides spreading.
All anti-virus support persons know that a lot of the people
calling support ask "Your program said I have this virus.
What does it do?", and the typical answer is: "Nothing. It
just replicates".
People often find this surprising, because the destructive
or spectacular viruses - naturally - get more publicity than
the boring ones which have nothing special about them.
Still, roughly half of the known viruses have no activation
routines at all. Perhaps the authors of these viruses wanted
to make their viruses smaller by omitting such routines, or
perhaps they reasoned that any activation at all will just
result in the virus being discovered earlier. Or perhaps
they just didn't have the imagination to think up an
activation routine.
Common Viruses and Activation Routines
A quick look at the most common viruses worldwide reveals
that most of them have no visible activation features at
all:
o AntiCMOS.A - has an activation routine, which is never
executed
o AntiEXE - has an activation routine, which is practically
never executed
o DIR_II.A - no activation routine
o Form.A - has an activation routine, which is practically
never executed
o Tai-Pan.438 - no activation routine
o Junkie - no activation routine
o Stoned.Empire.Monkey.B - no activation routine
o Stoned.Standard.A - has an activation routine, which is
executed very seldom
o Stoned.No_INT.A - no activation routine
o Stealth_Boot.B - no activation routine
o WordMacro/Concept - no activation routine
These viruses alone are currently responsible for probably
two thirds of all the virus infections worldwide. However,
among the most common viruses there are also viruses with
activation features:
o Kampana.A - overwrites part of the hard drive after 400
boots
o Green_Caterpillar.1575 - draws a caterpillar on the screen
after 60 days
o Michelangelo - overwrites part of the hard drive on every
6th of March
o Cascade.1701.A - drops letters to the bottom of the screen
o V-Sign - draws a large V with ASCII graphics after every
64 boots
o Tequila - draws a fractal at random
Classification
There are no formal classification rules for the viruses'
different activation routines. However, we can divide the
routines of known viruses into the following groups:
o Data destruction
o Sounds, tunes, speech
o Animations
o Messages
o Interactive activations
o Fake hardware failures
o Practical jokes
o Denial of service
Data Destruction
Destructive activation routines can be further divided into
immediate and gradual.
Michelangelo, Kampana and Natas are examples of immediately
destructive viruses - they simply overwrite part of the hard
drive with a low-level BIOS function. Other viruses with
immediately destructive routines delete or overwrite files
instead of overwriting physical sectors.
Gradual destruction is done by viruses such as Ripper or
Nomenklatura, which slowly corrupt the data on the hard
drive. This is also known as data-diddling. Such corruption
is likely to go unnoticed until the corrupted data has been
backed up several times. This makes data recovery
considerably more difficult, and in most cases significant
amounts of data will be lost for good.
Thankfully, destructive activation routines quite often fail
to work due to programming errors. It seems that the virus
authors are reluctant to test these routines on their own
machines.
It is also worth noticing that there are very few
destructive viruses on the Macintosh side. This is possibly
a result of the different user cultures of PC and Mac users.
Sounds, tunes, speech
There are several viruses which play tunes through the PC
speaker upon activation. Probably the most common examples
are the different Yankee_Doodle variants which activate by
playing the Yankee Doodle tune at different times of day.
Other viruses just produce beeps and zaps occasionally.
There are also some viruses which try to speak - one example
is the Dreamer virus, which tries to say "Hitler!" through
the PC speaker. Finally, there are some viruses which try to
utilize a sound card if the infected PC contains one.
Animations
Viruses which activate with an animation can be further
divided into text-mode and graphical animation viruses.
Examples of text-mode animation viruses are the
Cascade.1701.A virus, which drops the characters on the
screen to the bottom of the screen, and the Walker virus,
which produces a walking man animation on the screen.
Another example is the Vienna.Bua AKA Big Caibua virus,
which attracted media attention with its activation routine:
it displayed a text-mode animation of an ejaculating penis
on the screen while deleting data on the hard drive.
Graphical activation routines are somewhat rarer. However,
they can be found in viruses like Den_Zuk, which displays a
logo on the screen, and the HH&H virus, which shows quite an
interesting 3D animation of a bouncing ball built out of
small dots.
Messages
Viruses which display messages on-screen include
Stoned.Standard.A, which occasionally displays "Your PC is
now Stoned!" if the machine is booted from a diskette.
Another common virus with a message to display is the
Parity_Boot.B virus, which activates by displaying "PARITY
CHECK".
A more interesting display is produced by the Rescue virus,
which shows a screen full of nonsense messages.
Interactive Activations
Some viruses stop the PC and demand that the user do
something. For example, the Joshi virus stops the machine on
January 5th and allows the computer to continue functioning
normally only after the user types "Happy Birthday Joshi".
The Casino virus forces the user to gamble in a Jackpot
game, the stakes being the contents of the hard drive.
Some viruses demand somewhat more effort from the user. The
YAM.Math virus will occasionally stop the machine when a
program is run, and display simple addition or subtraction
questions. Execution of the program is denied unless the
user gives the correct answer.
Another similar virus called Peter_II displays the following
message:
Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data
in Hardisk!!!
WAIT for 1 MINUTES,please...
After this, the virus encrypts the whole hard drive. Having
done that, it continues by displaying the following
questionnaire:
Ok.If you give the right answer to the following questions,I
will save your HD:
A. Who has sung the song called "I`ll be there" ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All
(1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all(1-4):
C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson 2.Phil Collins (featuring Genesis)
3.Madonna 4.Whitney Houston(1-4):
If the user gives correct answers to all questions, the
virus decrypts the hard disk and displays the following
message:
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
The user can then continue to use the computer normally.
However, if incorrect answers are given, the virus will not
decrypt the hard disk. Instead, it will just display the
following message:
Sorry!Go to Hell.Clousy man!
Correct answers to the questions are left as an exercise to
the reader.
Finally, some viruses invite the user to play a game on the
PC. An example of this is the Playgame virus, which displays
a simple race game.
Fake Hardware Failures
Some viruses try to simulate a hardware failure. For
example, the Azusa virus disables the serial and parallel
ports of the machine, and Parity_Boot makes it appear as if
the computer has faulty memory chips.
In the worst case, the user is fooled into replacing
components of his system before he realizes that there is
nothing physically wrong with the machine.
Practical Jokes
Several viruses play practical jokes on the user. The
Jerusalem.Fu_Manchu virus monitors what the user types, and
inserts comments when keywords such as `Thatcher', `Reagan'
or `Waldheim' are entered.
The Armagedon virus from Greece checks whether a modem is
connected to the machine, and tries to call out to the local
time service when the time is between 5am and 6am. The
Fone.688 tries to pull a similar prank but with one
difference - it calls to X-rated 1-900 phone services in the
USA.
The Haifa virus inserts two text lines in the middle of DOC
files when they are accessed:
OOPS! Hope I didn't ruin anything!!!
Well, nobody reads those stupied DOCS anyway!
Similarly, the WordMacro/Nuclear virus adds comments against
French nuclear testing in the Pacific to the end of documents
when they are printed or faxed from Microsoft Word.
Denial of Service
Some viruses just try to make the machine unusable. Viruses
which overwrite hard drives are somewhat obvious about it,
but good backups provide a fast way to recover from the
damage. On the other hand, there are also viruses like
Monica, which turns the BIOS boot-up password function on
(if the BIOS supports this), and sets the password to
`monica'. As there is no way for the user to guess the
password, the machine is rendered effectively unusable until
the CMOS battery is disconnected. In the future we will
probably see Flash BIOS-aware viruses, which will cause
even more difficult problems.
The remaining part of the article will be published in the
next Update Bulletin. It describes viral trigger mechanisms,
tells where to get information about viruses, and lays out
some future prospects.
Changes in F-PROT version 2.21
The Antibase virus was previously detected only in COM
files. Now it can also be detected in EXE files.
Although the Ginger.2774 virus could previously be detected
in boot sectors, the program could not identify it
accurately. This has been corrected.
Formerly, the PH33R virus could only be detected in DOS
programs. Now, it can also be detected in Windows programs.
Minor Improvements and Changes
Previously, if someone created a file containing a short
byte string which happened to be one of the search strings
used by F-PROT, the program reported that the file had been
infected by "a new or a modified variant". Nowadays, the
program checks whether the file is large enough to contain
the virus in the first place. If the file is too short,
F-PROT does not report anything.
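The length check described above can be shown with a toy search-string scanner. This is an added example, not F-PROT's own code: the signature names, byte strings and lengths are constructed, and the per-signature "virus_length" field is an assumption about how such a check could be stored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    search_string: bytes   # short byte string the scanner looks for
    virus_length: int      # size of the virus body; a smaller file cannot hold it

# Constructed entries: names, byte strings and lengths are invented for this example.
SIGNATURES = [
    Signature("Constructed_A.1465", bytes.fromhex("c0ffee0ddba11ad5"), 1465),
    Signature("Constructed_B.438", bytes.fromhex("0badcafe5ca1ab1e"), 438),
]

def naive_scan(data, signatures=SIGNATURES):
    """Earlier behaviour: every search-string hit is reported, whatever the file size."""
    return [s.name for s in signatures if s.search_string in data]

def size_gated_scan(data, signatures=SIGNATURES):
    """Later behaviour: a hit is reported only if the file could contain the virus.

    Returns (reported, suppressed) so the effect of the check is visible.
    """
    reported, suppressed = [], []
    for s in signatures:
        if s.search_string not in data:
            continue
        if len(data) < s.virus_length:
            suppressed.append(s.name)   # too short to hold the virus: report nothing
        else:
            reported.append(s.name)
    return reported, suppressed

# Constructed inputs: a 36-byte note that merely quotes a search string,
# and a 1608-byte buffer that is large enough to hold the virus.
SHORT_NOTE = b"search string under test: " + SIGNATURES[0].search_string + b"\r\n"
LARGE_FILE = b"\x00" * 1500 + SIGNATURES[0].search_string + b"\x00" * 100

if __name__ == "__main__":
    for label, blob in (("short note", SHORT_NOTE), ("large file", LARGE_FILE)):
        print(label, len(blob), naive_scan(blob), size_gated_scan(blob))
```

The short note is flagged by the naive scan but produces no report once the size gate is applied, while the large buffer is reported by both.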
F-PROT can now identify files destroyed by the Exebug virus.
The memory test has been changed to avoid problems with
buggy flat model display drivers.
The communications directory polling mechanism has been
changed to reduce sharing violations and other network
conflicts, especially in NT networks.
It is now possible to poll the network communication
directory at a different rate from polling the local
directory. F-Agent's polling interval specified in the
Network preferences now determines the polling rate for the
communications directory only. The default value is 90
minutes. The local tasks poll rate is hardcoded to 6
minutes.
An "Error -xxx loading scan_s.dll" message was occasionally
shown on startup for no real reason; this bug has been
fixed.
An environment variable name is now allowed in the user name
in workstation preferences: if you have a variable USER
holding the name of the user, you can enter #USER# in the
Workstation name field.
F-PROT Gatekeeper now scans for document macro viruses by
default; the feature can be disabled by a setting in
F-PROTW.INI.
Less conventional memory (below 1MB) will be reserved by
Gatekeeper when it is loaded.
It is now possible to configure the position of Gatekeeper's
memory scan progress bar by a setting in F-PROTW.INI in your
Windows directory, for example:
[MemoryScan]
StatusWindowPos=LowerRight
Choices are UpperLeft, UpperRight, LowerLeft and LowerRight.
The dialog "Distribute Installations by Autoinst" now has an
Options button, which brings out a dialog for setting some
basic options: whether to install FPW or Gatekeeper or both,
and whether there will be a local, remote, or standalone
installation. The AUTOINST.INI created will then contain
proper settings for the selected installation type.
Changes in the F-ARC Program
It is now possible to disable F-ARC's boot sector check.
This is done by adding the following lines to the file
F-ARC.INI:
[F-ARC]
bootscan=0
The following 29 viruses are now identified, but can not be
removed as they overwrite or corrupt infected files. Some
of them were detected by earlier versions of F-PROT, but not
identified accurately.
_548
Bane
Burgar.560.BB
Darth_Vader.411
Itti.99.C
Leprosy.534
Leprosy.666.R
Leprosy.792
Linda
MSK.272.B
MSK.272.C
MSK.284.B
Orce.67
Orce.71
Quasar.422
SillyOR.83
Springs
Terra
Trelew
Trivial.26.D
Trivial.29.F
Trivial.40.H
Trivial.42.I
VCL.341
VCL.355
VCL.407
VCL.427
VCL.645
VCL.Mindless.423.I
The following 183 new viruses can now be removed. Many of
them were detected by earlier versions, but are now
identified accurately.
_205
_351
_553
_612
_658
_724
_759
_1314
_1972
Ahav
Alex.818
Anthrax.B
Armagedon.1065
Armagedon.1066
Asahi.1045
Asahi.1061
Australian_Parasite.231
Australian_Parasite.279.B
Avalon
Badsectors.3627
Barrotes.1463
Beda.1530
Bengal.1170
Black_Jec.231.B
BootExe.453.A
BootExe.453.B
BootExe.453.C
Cascade.1701.AL
Cascade.1701.AM
Cascade.1701.AN
Cascade.1701.AO
Cascade.1701.AP
Catherine
CED
Chomik
Conjurer.181
Conjurer.265
Conjurer.270
Conjurer.277
Conjurer.353
Conjurer.550
Continua.B
Cor
Coyote
CPW.1457
Creeper.482
Dagger
Danish_Tiny.263.B
Danish_Tiny.312
Dark_Avenger.2000.GoGo
Dark_Revenge
Darth_Vader.344.E
Dex
Diablo
Diamond.1024.D
Drunk.527
EM
Fis
Flame.B
Ginger.2620
Gippo.Bumpy.B
Gynx
H8
Hates.190
Heja.511.B
Heja.511.C
Helloween.1376.B
Helloween.1376.C
Helloween.1376.D
Helloween.1376.E
Helloween.1376.F
Hellspawn.1075
HLL.10217
HLLC.12573
Ibqqz
IVP.652
Jerusalem.1024
Jerusalem.1234
Jerusalem.1624
Jerusalem.1747.B
Jerusalem.1808.Frere.K
Jerusalem.1808.sUMsDos.AS
Jerusalem.1808.sUMsDos.AT
Jerusalem.1808.sUMsDos.AU
Jerusalem.Sunday.P
Katvir
Keeling
Kode_4.399.B
Kode_4.412
Kolumna.1100
Leda
Leech.1008
Little_Brother.276
Malaise.D
Mario
MDS.331
Mephisto.510
Minnie
MR
Murphy.HIV.D
Murphy.HIV.E
Natas.4740
No_Frills.1358
NotStoned
November_17th.768.E
Ntmy
Opal
Open.1569
Open.1581
Overboot
Peligro.1208
PH33R
Phi
Pihenj
PS-MPC.306
PS-MPC.603.D
PS-MPC.Skeleton.598.G
Pure.439
Quell
Quick
Reverse.C
Riihi.258
Riot.Carpe_Diem.1305
Riot.Carpe_Diem.1415
RMC
Rocket
Rodolf.4096.B
Salamander
Scotch
Seventh_son.334
SillyC.101
SillyC.109
SillyC.162
SillyC.184
SillyC.254.A
SillyC.254.B
SillyCR.125.B
SillyCR.3152
SillyER.168
Stoned.Dinamo.B
Stoned.Dinamo.C
Suriv_1.941
Suriv_1.1000.B
Swiss_boot.B
Tai-Pan.438.C
Tankar.212
Teh
Tib
Timid.245
Timid.289
Timid.302.B
Titanium
Undershove
VCL.229
VCL.331
VCL.339
VCL.343.A
VCL.343.B
VCL.395
VCL.401
VCL.432
VCL.453
VCL.485
VCL.513
VCL.517
VCL.570
VCL.708
VCL.851.B
VCL.909
VCL.Spam
VCL.VCC.343
VCL.VCC.353
Vienna.648.AG
Vienna.648.AH
Vienna.Iraqui_Warrior.C
Vienna.W-13.600
Virdem.1336.German.C
Won't_Last
WSI
WZ.436.A
WZ.465.B
Xiv
YB.8588
The following 65 new viruses are now detected and identified
but can not yet be removed.
_732
_2158
Air_Raid.330
Annihilator.208
Annihilator.272.B
Annihilator.276
Annihilator.308
Annihilator.314
Annihilator.361
Annihilator.394
Annihilator.453
Annihilator.510
Annihilator.548
Attitude.823
Caos
Conjurer.300
Conjurer.312
Conjurer.377
Conjurer.408
Conjurer.433
Conjurer.506
Conjurer.510
Conjurer.586
Conjurer.886
Crazy_Frog
Dan.1092
Dan.1871
Digdeath.1062
Digdeath.1153
Explorer.3037
Grace
Int13.B
IVP.632
IVP.674
IVP.703
IVP.1017
IVP.Insomnio
Lost_Friend.881
Lost_Friend.882
Lucifer
Marbas.1303
M01
NRLG.575
NRLG.587
NRLG.624
NRLG.655
NRLG.727
NRLG.982
No_of_the_beast.AC
Psychosis.991
Qtiny.162
Quish
Red_Zar.461
Red_Zar.467
Rider.575
Riot.Carpe_Diem.1012
Spec
St_R
Thirty_First
Tigre.1800.B
Vampiro.1623
VCL.VCC.367
VCL.VCC.438
VCL.VCC.571
WordMacro/Colors
The following 5 new viruses are now detected, but not
identified. F-PROT will just report the family name with a
(?) or report the virus as "New or modified variant", as it
is not yet able to determine which variant it is dealing
with. Disinfection of these viruses is not yet possible.
Avispa.C
Avispa.D
Avispa.E
Avispa.F
FinnPoly
The following 2 viruses which were identified by earlier
versions can now be removed.
Boot-437
LV
The following viruses have been renamed:
Espejo -> Fifteen_Years
Vienna.IWG -> Vienna.Iraqui_Warrior.B
F-PROT Professional Support < f-prot@datafellows.fi >