
F-PROT Professional Update Bulletins

F-PROT Professional 2.22 Update Bulletin




F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@F-Secure.com

This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.22 is mentioned. Copyright (c) 1996 F-Secure Ltd.


F-PROT guards against viruses from Internet


F-PROT Gatekeeper 2.22 protects PCs against viruses from the Internet. When files are transferred via e-mail or from WWW pages, Gatekeeper's `Scan on Create' function searches them automatically for viruses when they arrive at the computer.

Gatekeeper has always provided excellent protection against viruses from the Internet. However, in the past it was possible for viruses to remain unnoticed until an attempt was made to run or copy an infected program. This kind of protection is fully adequate in keeping computers from being infected, but now Gatekeeper searches files for viruses at the time they are created. Thus, infected files are detected much sooner.

When a new feature of this kind is introduced, there is always a slight possibility that it may not be compatible with some of the less common hardware and software combinations. For this reason, the new `Scan on Create' feature is not switched on by default in this version of the program. If you wish to try out this new feature, you can switch it on by creating a file called F-PROTW.INI in your computer's Windows directory. Write the following two lines to the file:

    [Gatekeeper]
    ScanOnCreateRename=1

This setting takes effect after you have saved the file and restarted Windows.

We have also received requests to make Gatekeeper more visual, so that users could see Gatekeeper perform its checks. This is now possible; add the following line to the [Gatekeeper] section in F-PROTW.INI:

    ShowActivity=1

Peter Szor to join F-PROT Development team


F-Secure Ltd's antivirus development team acquired a valuable addition in the beginning of this year when the virus researcher Peter Szor joined it. Peter Szor is from Hungary, and he is known as the main developer of the PASTEUR antivirus program. He has now moved to Finland, and started working with the F-PROT Professional antivirus program in January 1996.

Peter Szor graduated from the University of Veszprem in 1991, majoring in Computer Programming. After that, he worked for two years at SG2-H Ltd, a French-Hungarian joint venture, creating financial computer software. Two years later he joined Mezobank and worked at the Bank's electronic data processing department.

Peter became interested in computer viruses in 1990. His University diploma work was the PASTEUR antivirus program. PASTEUR quickly became popular and received good reviews in magazines such as Chip and Computer Panorama. Encouraged by the success of PASTEUR, Peter developed the PASTEUR PLUS NLM version for Novell Netware. PASTEUR was always one of the fastest scanners in the market, being several times faster than most of its competitors.

PASTEUR and PASTEUR PLUS had over 9000 established clients. At the moment, PASTEUR is discontinued and the existing customers will get a replacement license of F-PROT Professional.

Mr. Szor is now the primary virus analyst at F-Secure Ltd. He spends his days analyzing new viruses and developing new features for the F-PROT Professional suite. Welcome aboard, Peter!

The Global Virus Situation


Burglar


This virus infects EXE programs when they are accessed or executed. In addition to this, Burglar searches for new victims and infects them when the `file attribute change' function (used by ATTRIB) and `get free disk space' function (used by DIR and many other commands) are called.

Burglar has stealth features: it hides the changes in the size of the infected files when viewed with the DIR command.

Every time the virus infects files, it checks the time. If the minute field is 14, the virus activates and writes a flashing message in the top left corner of the screen:

    Burglar/H

The virus also contains an unencrypted text which is never shown:

    AT THE GRAVE OF GRANDMA

Burglar has anti-heuristics mechanisms. Burglar checks for and does not infect Windows programs or programs which have the letters `V' or `S' in the file name (covering programs like VIRSTOP, SCAN, VSHIELD, MSAV, NAV, CPAV etc.).

Burglar was found in the wild internationally in January 1996. The virus has been spread in an infected version of a demo called `Dawn'.

F-PROT 2.22 is able to detect and disinfect the Burglar virus.

The First Windows 95 Virus Found


The first virus to spread only under the Microsoft Windows 95 operating system was found in January 1996. This virus is of Australian origin. It has not been reported in the wild anywhere in the world, and can not be seen as a serious threat to Windows 95 users.

This new virus has been named `Boza'. It infects only Windows Portable Executable EXE files - such files are used by Windows 95 and Windows NT. However, Boza does not infect machines running the Microsoft Windows NT operating system. So far, no viruses written specifically for Windows NT have been found.

Whenever an EXE file infected by Boza is run, the virus will infect programs in the current directory. With each execution, one to three EXE files will be infected. After this, Boza executes the code of the original infected file - otherwise the user would notice that something is wrong.

Boza does not stay active in memory after execution. For this reason it spreads from one program to another relatively slowly. The actual infection process is fast enough to go undetected in most machines.

Boza has no destructive routines but it contains a bug which will in some cases increase an infected EXE file's size by several megabytes. This can reduce free disk space rather quickly.

The virus also has an activation routine which displays texts like `The taste of fame just got tastier!' and `From the old school to the new'. This message is shown if the virus is run on the 31st of any month. Boza also contains internal texts like:

    Please note: the name of this virus is [Bizatch] written by Quantum / VLAD

These texts are never displayed. VLAD is a virus-writers' group originating from Australia.

Boza's spreading technique resembles some of the early DOS viruses. When the first DOS viruses were found in the 1980s, they were very simple compared to some of the currently known polymorphic multipartite fast infecting stealth viruses. It can be expected that a similar evolution will take place with Windows viruses.

Boza would be an otherwise totally unremarkable virus, but since it was the first virus which spreads only under Windows 95, it has received a lot of publicity. Boza is unlikely to become a real problem for Windows 95 users.

Two minor variants of Boza have also been found. These are named Boza.B and Boza.C. They seem to fix some bugs in the original Boza, although the C variant seems to just crash always. These variants have not been found in the wild, either.

F-PROT 2.22 is able to detect the Boza virus.

New Macro Viruses


Two new Microsoft Word macro viruses and the world's first Ami Pro macro virus have been discovered recently. Microsoft Word and Ami Pro are by no means the only programs to use a macro language. However, so far no viruses have been developed for such applications as Microsoft Access or Microsoft Excel.

New Word for Windows macro viruses have been found.


New Word macro viruses

Since the last program update, two new Microsoft Word macro viruses have been discovered.

WordMacro/Hot


WordMacro/Hot is the first Word macro virus written in Russia. It was found in the wild over there in January 1996.

Hot spreads in a similar manner as the -virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT file. After that, it will spread to other documents. Unlike the earlier Word macro viruses, Hot does not replicate when the File/Save As command is used - it infects documents only during the execution of the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.

Infected documents contain the following four macros, which are visible in the macro list:

    AutoOpen
    DrawBringInFrOut
    InsertPBreak
    ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros to:

    StartOfDoc
    AutoOpen
    InsertPageBreak
    FileSave

The macros have been saved with the `execute-only' feature, which means that a user can't view or edit them.

WordMacro/Hot contains a counter. It adds the following line to the WINWORD6.INI file:

    QLHot=35112

This number is based on the number of days that have passed since the beginning of this century. Hot adds 14 to this number and then waits until this latency time of 14 days has passed. Hot spreads normally during this time, but it will not activate.

After the 14 day pause, there is a 1 in 7 chance that a document will be erased when it is opened. The virus will delete all text and re-save the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the source code of the virus hints that this feature has been added so that the author of the virus and his friends can protect themselves from the activation damage. By default, there is no file by the name EGA5.CPI in MS-DOS distributions.

WordMacro/Hot was the first macro virus to use external functions. This system allows Word macros to call any standard Windows API call. The use of external functions is specific to Windows 3.1x, which means that WordMacro/Hot will be unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document will just produce an error message.

F-PROT Professional 2.21a is able to detect the WordMacro/Hot virus.

WordMacro/Atom


WordMacro/Atom was found in February 1996. Its operating mechanism is quite similar to WordMacro/Concept, with the following differences:

. All the macros in this virus are encrypted (Word's execute-only feature)
. In addition to file saving operations, the virus replicates during file openings as well
. The virus has two destructive payloads

The first activation happens when the date is December 13th. At this time, the virus will attempt to delete all the files in the current directory.

The second activation takes place when a File/Save As command is issued and the seconds of the clock are equal to 13. When these conditions are met, the virus will password-protect the document, making it inaccessible to the user in the future. The password is set to be ATOM#1.

It is not easy to give a search string for this virus: some of the replicants are usually in the files password-protected by the virus, and thus contain no constant user-definable search string.

Disabling automacros will make Atom unable to execute and spread. Turning on the Prompt to save NORMAL.DOT setting will make Atom unable to infect NORMAL.DOT, but it will still be able to infect documents that are opened or saved during the same Word session.

WordMacro/Atom is not known to be in the wild.

The First Ami Pro Macro Virus: AmiMacro/GreenStripe


In Microsoft Word, a document and all the macros related to it are stored in a single file. So files like DOCUMENT.DOC or DOCUMENT.DOT contain both the document contents and the macros. But in Lotus' Ami Pro, macros are stored in a separate file: if you have DOCUMENT.SAM, macros related to it are stored in DOCUMENT.SMM. This makes it somewhat more difficult for Ami Pro viruses to spread; when a user distributes a document, he is likely to leave the .SMM file behind, thus effectively disabling the virus.

The first Ami Pro macro virus was found in January 1996. The virus, which is called Green Stripe or AmiMacro/GreenStripe, works by creating a .SMM file for every .SAM file in Ami Pro's default DOCS directory (\amipro\docs), and modifying the existing .SAM files to use the new macros. The name of the virus comes from its main macro procedure, which is called Green_Stripe_virus.

Green Stripe propagates by intercepting Ami's File/Save and File/Save As commands. Using File/Save As and saving an infected document to a network drive or a floppy is the only likely way this virus can spread from one machine to another.

Green Stripe has an activation routine which triggers during saving: the virus searches through the document and replaces all occurrences of the word "its" with "it's". Such a change can easily go undetected by the user. However, it is unclear whether this routine works at all.

Green Stripe is rumored to have been originally published in a US virus-related magazine. It is unlikely to spread in the wild.

Detecting Green Stripe

Open the Tools/Macros/Edit menu and check whether the document has a .SMM macro file which is assigned to be executed on open. To disinfect an infected document, just delete the .SMM file, open the document in Ami and uncheck the above setting.

Also, the initial infection process takes a long time, and the user is likely to notice that something is going amiss, since all the documents in the default directory will quickly appear and disappear on the screen as the virus infects them.

News in Short


IBM Germany Shipped a Virus by Accident


IBM Germany distributed a number of infected original diskettes in January 1996. The program in question was called VoiceType Vokabular. It was shipped on permanently write-protected floppies, which were infected by a boot sector virus. Since the virus in question was pretty new, there is still some confusion about the name. F-PROT 2.21 and newer detect it as `Newboot_1', but the CARO name has been decided to be `Quandry'. Other names for this virus are Parity.Boot.Enc and IHC. The virus itself is a very simple, basic boot sector virus.

Microsoft Slovenia Shipped a Virus by Accident


In the beginning of February 1996, Microsoft Slovenia held a press conference where they presented the Slovenian version of Microsoft Office for Windows 95. All journalists received a floppy disk marked OBVESTILO ZA JAVNOST 30. 1. 1996 (in English, "Press Release 30. 1. 1996"). The floppy disk contained two files, NOVKONF1.DOC and NOVKONF1.TXT, and the NOVKONF1.DOC file was infected with the WordMacro/Concept virus. The next day, all journalists received a floppy from Microsoft Slovenia containing a disinfecting utility. For more information on the Concept virus, see our update bulletin 2.20.

Common Questions and Answers


If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly at the number 350-0-478 444.

Written questions can be mailed to:

    F-Secure Ltd
    F-PROT Support
    Päiväntaite 8
    02210 ESPOO
    FINLAND

Questions can also be sent by electronic mail to:

    Internet: F-PROT@F-Secure.com
    X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
    Elisa: Hyppönen Mikko

Microsoft Word 6 is extensively used in our company, and we're a bit scared of a macro virus infection. We send documents to our clients and partners every day, and we want to avoid the risk of spreading a macro virus completely. We're not only concerned about the known macro viruses, but also about completely new viruses and trojan horses. How can we exchange documents without a virus risk?

There is an easy solution: instead of sending the documents in Word's DOC-format, save the outgoing documents in Rich Text Format (RTF). RTF will retain the layout of your document, but macros are not transferred through it. As a bonus, your clients can open RTF files not only in Word, but also in almost any other word processor.
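A check that a sender or mail gateway could run on outgoing files, given here as an added example that is not part of the original bulletin: it classifies each file by its leading bytes rather than its extension, so a Word binary document that is merely named .rtf is still caught. The sample files are constructed, and holding back RTF that contains embedded object data (\objdata) is an extra precaution that goes beyond what the bulletin states.

```python
from dataclasses import dataclass

# Well-known file signatures.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file, the container of Word 6 DOC/DOT
RTF_MAGIC = b"{\\rtf"                            # an RTF file opens with this group


@dataclass
class Verdict:
    name: str
    kind: str      # "rtf", "ole2" or "other"
    allowed: bool
    reason: str


def sniff(data: bytes) -> str:
    """Classify a file by its first bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def check_outgoing(name: str, data: bytes) -> Verdict:
    """Allow only files whose content really is plain RTF."""
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "ole2":
        why = "Word binary format, can carry macros"
        if ext == "rtf":
            why += " (file is only named .rtf)"
        return Verdict(name, kind, False, why)
    if kind == "rtf":
        # Added precaution (not from the bulletin): embedded objects are
        # stored after the \objdata control word and need a manual look.
        if b"\\objdata" in data:
            return Verdict(name, kind, False, "RTF with embedded object data, review before sending")
        return Verdict(name, kind, True, "plain RTF")
    return Verdict(name, kind, False, "not RTF")


# Constructed sample files (name -> content), not taken from the bulletin.
SAMPLES = {
    "offer.rtf": b"{\\rtf1\\ansi{\\fonttbl{\\f0 Times New Roman;}}\\f0 Dear customer,\\par}",
    "report.doc": OLE2_MAGIC + b"\x00" * 504,
    "renamed.rtf": OLE2_MAGIC + b"\x00" * 504,
    "embedded.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "notes.txt": b"plain text",
}


def audit(files: dict) -> list:
    """Run the check over a mapping of file name to content."""
    return [check_outgoing(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for v in audit(SAMPLES):
        print(f"{v.name:14} {v.kind:6} {'SEND' if v.allowed else 'HOLD'}  {v.reason}")
```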

Virus Activation Routines, Part 2


The following article on virus activation routines was written by Mikko Hyppönen, F-Secure LTD's F-PROT Technical Support Manager. We publish the article in two parts - the first part appeared in the previous Update Bulletin. The text has previously been published for the Eicar Conference `95, where Mr. Hyppönen presented it in its entirety.

Triggers


There are several different trigger events, which viruses use to decide when to activate. These include:

. Date or time
. Generation counter of the virus
. Number of keypresses on the keyboard
. Amount of free space on the hard drive
. Amount of minutes the machine has been idle
. Name of an executed program

Basically, viruses can use any event in the PC as a trigger.

Why It Is Important to Know What a Virus Does


When you have a real infection on your hands, you probably want to know what the virus in question does. Actually, this information can be crucial, especially in the case of viruses which perform gradual corruption.

A virus like One_Half also demonstrates the importance of knowing what a virus does before starting to disinfect it: One_Half is a full stealth virus, which gradually encrypts the contents of the hard drive. The encryption key and counter are kept inside the virus body in the boot sector. If One_Half is removed by overwriting the virus code in the boot sector with a clean boot sector, the components required to decrypt the drive are lost, and the encryption will not be hidden anymore by the stealth routines of the virus. In effect, the data on the hard drive is lost due to the virus disinfection procedure.

Information sources


It would be great to have a single source of information which would describe every computer virus, complete with its propagation methods and activation routines. Unfortunately, no such reference exists, and will never exist. There are just too many viruses out there, and new ones are created too fast.

Today, several new viruses are found every day, and virus experts have limited time to spend analyzing any single virus. Virus analysis systems are automated as much as possible, and a virus typically will get only a cursory look - which is usually enough to add detection, identification and disinfection. Such analysis will not reveal any special features the virus may contain. For this reason, no anti-virus vendor can provide a complete reference guide for all viruses their product detects.

There are, however, some useful sources. These sources typically cover only the most common or otherwise special viruses, but this is usually enough. These sources include:

. The virus description database of the F-PROT Professional antivirus package. Do note that this is not the same as in the shareware version of F-PROT. The emphasis of the descriptions is on viruses which are known to be in the wild.

. Virus description service at F-Secure Ltd's Internet World-Wide Web server at http://www.F-Secure.com/. This database is based on the same information that is used by the F-PROT Professional antivirus program, but it is constantly updated. Its features include the ability to do free searches and browse through the latest updates. This is a free service, which currently serves several hundreds of description requests every day.

. AVP Virus Encyclopedia. This Russian freeware DOS hypertext program has probably the largest single set of descriptions; there are several thousand viruses described here. Some of the descriptions even include a demo of the actual activation routine. The only problem with AVPVE is that at times the language is a bit difficult to understand - English with a Russian accent.

. CAROBase is a joint effort of the Computer Antivirus Researcher's Organization to gather technical descriptions of viruses. It currently contains only about 120 descriptions, but the detail and accuracy of those are excellent.

. VTC Computer Virus Catalog is already getting outdated, but it still contains excellent descriptions of over 200 PC viruses, and also covers other platforms, such as Amiga, Atari and Unix.

There are other sources available as well. The popular VSUM Virus Summary can not be strongly recommended due to the several errors it contains, but it can be useful as a cross-reference tool when trying to locate a virus which is known by several alias names. Antivirus programs such as McAfee SCAN, Thunderbyte Antivirus or Dr. Solomon's Antivirus Toolkit do contain brief descriptions, but these are all based on a few basic attributes for each virus, so they don't have details on activation routines. S&S International has also published a book called Virus Encyclopaedia, which has more detailed information.

Future


The Worst Possible Activation Routine

What would be the worst possible activation routine that could exist in a virus? Obviously, it would not be a virus which just destroys data - incidents like that are relatively unimportant if good backup practices are followed, and gradually corrupting viruses can be found with good integrity checking. But how about a virus which would breach the security and privacy of your system?

The rising popularity of the Internet does indeed bring new risks. Considering the widespread use of the Internet and TCP/IP connections for normal PC workstations, and the amount of Winsock installations in use, several scary visions come to mind.

How about a virus which opens a NNTP connection from your machine and spams every newsgroup in the Usenet news hierarchy, masquerading as you? Or sends rude e-mail messages to all addresses found from your e-mail package's alias database. In some e-mail systems, a virus could even use the authentication features to positively identify the sender as you.

Even worse, how about a virus which waits until a machine with a Winsock connection has been idle for some hours, opens an ftp connection to some large public ftp server which has an open area for incoming files, and uploads all DOC, XLS and DBF files found in your hard drive - or your network? If the virus became widespread, Internet surfers would make interesting discoveries while going through the confidential files of hundreds or thousands of unsuspecting users.

It's difficult to think of a worse activation routine for a virus. Unfortunately, we will probably see something like this in the future.

Conclusions


There is a wide variety of activation routines found in the current viruses. After all, imagination is the only limit. There are some scary possibilities which future viruses will probably use in their activation routines to make the life of computer users miserable. It is still good to keep in mind that, although flashy viruses get all the media attention, most viruses do nothing but replicate.

Changes in F-PROT Professional version 2.22



Changes in F-PROT for DOS


When a diskette or hard disk was infected with multiple boot sector viruses, F-PROT used to refuse to remove the infections. It will now handle this situation properly.

We are continuing the massive virus renaming that was described in the previous update bulletin. Many older viruses have now been renamed to correspond with the new scheme, including the VCL, PS-MPC and IVP-generated viruses. Names like VCL.Genocide.839 have been changed to VCL.839.

The following problems were found and corrected:

. The Skid_Row viruses were not disinfected correctly in 2.21 and earlier versions, which occasionally resulted in the corruption of the host programs.

. The /BEEP switch did not produce a beep when F-PROT encountered overwriting viruses, boot sector image files, and some other types of unusual viral objects.

Changes in F-PROT for Windows


We have added an F-PROTW.INI setting which can be used to disable the dialog at F-PROT for Windows startup asking if expired tasks should be executed immediately. F-PROT will then reschedule those tasks automatically. To use this feature, add the following two lines to F-PROTW.INI in your computer's Windows directory:

    [FPWM]
    RescheduleAtStartup=1

F-PROT now shows an error message if a batch scan is started with a non-existent task.

If the password in FPWNET.CFG is missing/empty, F-PROT uses the password from F-PROTW.CFG and copies it to FPWNET.CFG. Then, if not empty, the program uses it and copies it to F-PROTW.CFG.

No more sharing violation error message boxes are shown while scanning files opened by Word 6.

A bug causing a General Protection Fault when scanning MIRROR.COM has been fixed.

A timestamp string is now put into the Gatekeeper message sent to the admin upon finding an infection; the drive letter of a boot infection is also mentioned.

Scan on create/rename has been implemented in Gatekeeper. The feature is disabled by default: use the F-PROTW.INI setting [Gatekeeper] ScanOnCreateRename=1 to enable it.

If an attempt to execute A-PROT.EXE was made when it was already running, an error message was shown. This behavior can now be overridden with the following F-PROTW.INI setting: [Gatekeeper] ErrorIfAlreadyLoaded=0. If the value is 0, no error message will be shown if an attempt is made to load A-PROT.EXE again.

In addition to AUTOINST.EXE, the distribute installations feature now also copies DFGROUP.EXE and AUTOW31.EXE to the destination directory.

When infected files are being sent to the administrator, viruses are encrypted before they are sent to the comm directory. Earlier versions used to copy the file to the comm directory and then encrypt it, which caused an unnecessary alarm by Net-Prot etc.

When F-PROTW.EXE (Launcher) is performing auto-updating, and Gatekeeper is changed in such a way that the newer version is incompatible with the VxD of the old version, the Launcher does not load the new Gatekeeper after updating (an attempt to load it would result in an error message and failure to load anyway). Instead, the Launcher will inform the user (in the file copy progress dialog) that Gatekeeper will be loaded at next Windows startup; the computer's work will not be interrupted and users will not be disturbed by the automatic update. The F-PROTW.INI setting [Launcher] AlwaysReloadGatekeeper=1 can be used to override this behavior.

Network polling frequency in administration mode has been raised to 10 minutes. The F-PROTW.INI AdminPollInterval= setting can be used to change the administration polling frequency.

The string "Boot infection: `virus_name' This virus does not preserve the original diskette boot sector, and is therefore disinfected by overwriting it with `generic' non-bootable code." was too long for 1 line. It has been split over multiple lines for use in reports.

The command "Load F-Agent at Windows startup" has been added to F-Agent's menu in standalone and administration modes. The command will add/remove F-Agent to/from the run= line of WIN.INI; the command is unaware of Windows' startup group.

Changes and fixes in AUTOINST


Text with spaces is now allowed in [TSRLoad] ... <substring> in AUTOINST.INI (until now Autoinst used only the first word of <substring>).

Multiple "UserNameFromIni=" and "WorkstationNameFromIni=" entries are now allowed in AUTOINST.INI: the first one pointing to an entry in an inifile will be used.

If the "f-protw.386=" setting is present with remote installations, AUTOINST copies f-protw.386 automatically to the designated place from the InstallRemote directory.

"UserNameFromRegistry=" and "WorkstationNameFromRegistry=" settings are now supported in AUTOINST.INI for AUTOW32.EXE. In addition to the "UserName=", "UserNameFromIni=", "WorkstationName=" and "WorkstationNameFromIni=" settings, the "UserNameFromRegistry=" and "WorkstationNameFromRegistry=" entries are supported. Multiple "UserNameFromRegistry=" and "WorkstationNameFromRegistry=" entries may be used: the first one that points to a value in the registry will take effect. The format for the values of both these entries (called "registry locators") is:

    MAINKEY [\ SUBKEY] \\ [VALUENAME]

where:

. MAINKEY : main key name, must be one of: "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS"
. SUBKEY : subkey name, may be missing
. VALUENAME : name of registry value, may be missing if the default value is to be used

For example, these are all valid locator specifiers:

    ; all items present:
    UserNameFromRegistry= HKEY_LOCAL_MACHINE\ Network\Logon\\username

    ; no subkey:
    UserNameFromRegistry= HKEY_LOCAL_MACHINE\\user-name

    ; no value name:
    UserNameFromRegistry= HKEY_LOCAL_MACHINE\ Network\Logon\\

    ; no subkey nor value name:
    UserNameFromRegistry= HKEY_LOCAL_MACHINE\\

AUTOW32.EXE now works from a directory which has spaces in its name (older versions didn't use the correct AUTOINST.INI because the command line was processed incorrectly).

A bug in AUTOINST which caused multiple spaces to be left on the run= line of WIN.INI if the previous run= line had trailing spaces has been fixed.

UNC pathnames are supported by Autoinst and FPW (as for the communication dir).
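A parser for the registry locator format described above, together with the "first entry that points to a value wins" rule, written as an added example in Python; it is not AUTOINST's own code. It assumes that entries are read regardless of INI section, that whitespace around components is ignored, and that malformed locators are skipped; the registry is a constructed in-memory table so the example runs offline.

```python
MAIN_KEYS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
             "HKEY_LOCAL_MACHINE", "HKEY_USERS")


class LocatorError(ValueError):
    """Raised when a string is not a valid registry locator."""


def parse_locator(text):
    """Split 'MAINKEY [\\ SUBKEY] \\\\ [VALUENAME]' into its three parts.

    Returns (mainkey, subkey, valuename); subkey and valuename are ''
    when missing ('' as value name means the key's default value).
    """
    # The double backslash separates the key path from the value name.
    keypath, sep, valuename = text.strip().partition("\\\\")
    if not sep:
        raise LocatorError("missing \\\\ separator before the value name")
    mainkey, _, subkey = keypath.partition("\\")
    mainkey = mainkey.strip().upper()
    if mainkey not in MAIN_KEYS:
        raise LocatorError(f"unknown main key {mainkey!r}")
    parts = [p.strip() for p in subkey.split("\\")] if subkey else []
    if any(not p for p in parts):
        raise LocatorError("empty subkey component")
    return mainkey, "\\".join(parts), valuename.strip()


def read_locators(ini_text, setting):
    """Collect every 'setting=' entry in file order.

    A hand-written scan is used because the same setting name may
    appear several times, which Python's configparser does not keep.
    """
    found = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment or section header
        name, eq, value = line.partition("=")
        if eq and name.strip().lower() == setting.lower():
            found.append(value.strip())
    return found


def resolve_first(locators, registry):
    """Return (parsed_locator, data) for the first locator that points to
    an existing value, or None. Registry names compare case-insensitively."""
    for loc in locators:
        try:
            mainkey, subkey, valuename = parse_locator(loc)
        except LocatorError:
            continue  # assumption: a malformed entry is skipped
        values = registry.get((mainkey, subkey.lower()))
        if values is not None and valuename.lower() in values:
            return (mainkey, subkey, valuename), values[valuename.lower()]
    return None


# Constructed registry contents: (main key, subkey) -> {value name: data}.
SAMPLE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", r"network\logon"): {"username": "jsmith"},
    ("HKEY_LOCAL_MACHINE", ""): {"": "WS-042"},
}

# Constructed AUTOINST.INI fragment; the third entry is spaced as in the bulletin.
SAMPLE_INI = r"""
; hypothetical entries for illustration
UserNameFromRegistry=HKEY_CURRENT_USER\Software\Example\\User
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon
UserNameFromRegistry= HKEY_LOCAL_MACHINE\ Network\Logon\\username
WorkstationNameFromRegistry=HKEY_LOCAL_MACHINE\\
; end of fragment
"""

if __name__ == "__main__":
    for setting in ("UserNameFromRegistry", "WorkstationNameFromRegistry"):
        print(setting, "->", resolve_first(read_locators(SAMPLE_INI, setting), SAMPLE_REGISTRY))
```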

New Viruses Detected by F-PROT


The following 35 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but not identified accurately.

_641 Burger.393 Exe2Win.113 Exe2Win.116 Exe2Win.132 Exe2Win.214 Exe2Win.710 HLLO.5520 HLLO.6561 HLLO.Honi.B Jerusalem.Nai-Tai.B Leprosy.554 Leprosy.1306.B SillyOR.177 Trivial.26.E Trivial.34.C Trivial.37.C Trivial.42.J Trivial.42.K Trivial.45.G Trivial.45.H Trivial.45.I Trivial.47 Trivial.50.C Trivial.52 Trivial.56 Trivial.66 Trivial.77 Trivial.78 Trivial.88 Trivial.137 Trivial.214 Trivial.241 Ymir.101 Ymir.144

The following 281 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately.

_406 _494 _585 _589 _789 _1000.A _1000.B _1024 A_Ant.564 Acdc.499 Alfons.1344 Arme.411 Ash.743.L Aspargus.768 Awaits.500 Baby.962 Bad_Com.600 Badless.494 BelinHQ.434 Bero.677 Brownie.688 Bunny.497 Canna.357 Carry.534 Chad.750 Chang.3584 Chapa.448 Chapa.450.C Chapa.566 Chapa.572 Chapa.586 Click.375 Clonewar.252 Clonewar.255 Clonewar.258 Clonewar.267 Creat.795 Crovir.625 Dagg.882 Danish_Tiny.333.C Dark_Avenger.1728 Dark_Avenger.1783 Dark_Avenger.1803.B Dark_Avenger.1805 Dark_Avenger.1808 Dark_Avenger.2000.K Dark_Avenger.2000.L Deathboy.655 Deino.1000 Destructor.2082 Doperland.490 DSTT.231 DSTT.242 DSTT.330 DSTT.347 DSTT.396 Eb.313 Eb.378 Eddie-2.657 Eleet.726 Escort.151 Fifo.333 Flip.2153.J Frodo.4096.L Fumble.866 Garfio.1000 Green_Caterpillar.1575.K Halka.704 Halt.A Heja.623.B Hellis.608 Helloween.1377 Hi.378 Hi.512 Hi.559 Hi.671 Hi.806 Hi.833 IMI.1536.H Immortal.2174 Immortal.2185 Inch.386 Insane.197 Int_AA Intruder.1312 Intruder.1319.C Ivir.221 Ivir.240 IVP.872 Jason.626 Jerusalem.1806.Frere.L Jerusalem.1808.Sumsdos.AV Jinx.846.B Jinx.846.C Jinx.854 JH_error.1215 Karnavali.1986 Kela.2122 Kela.2163 Keyb.996 Khiznjak.560 Khiznjak.735 Khiznjak.749.B Khiznjak.761 Khiznjak.766 Kobrin.489 Kobrin.491 Leech.1024.B Liberty.2857.I Locust.735 Louse.919 Lunch_Time.783 Maxi.1148 Mirage.1309 Movius.231 Morgul.400 Morgul.424 Murderer.3670 Murphy.1277.C Mururoa.2469 Myroom.891 Nado.841 Neumann.752 NLA.383 Obid.555 Oppressor.1071 Overdoze.563 Overdoze.568 Overdoze.569 Overdoze.572 Overdoze.573 Overdoze.578 Overdoze.580.A Overdoze.580.B Overdoze.580.C Overdoze.582 Overdoze.584 Overdoze.585 Overdoze.587 Overdoze.588 Overdoze.590 Overdoze.591 Overdoze.593 Overdoze.596 Overdoze.600.A Overdoze.600.B Overdoze.606 Paladine.1080 Pixel.847.K Pixel.3072 Pottery.316 Pressreset.607 PS-MPC.139 PS-MPC.227 PS-MPC.329 PS-MPC.333 PS-MPC.374 PS-MPC.384 PS-MPC.389 PS-MPC.391 PS-MPC.393.A PS-MPC.392.B PS-MPC.397.A PS-MPC.397.B PS-MPC.399 PS-MPC.404 PS-MPC.408 PS-MPC.412 PS-MPC.418 PS-MPC.424 PS-MPC.428.A PS-MPC.428.B PS-MPC.428.C PS-MPC.442 PS-MPC.443 PS-MPC.481 PS-MPC.482.A PS-MPC.482.B PS-MPC.509 PS-MPC.510.B PS-MPC.515 PS-MPC.520.B PS-MPC.520.C PS-MPC.520.D PS-MPC.526 PS-MPC.535 PS-MPC.575.C PS-MPC.576.B PS-MPC.579 PS-MPC.581 PS-MPC.583 PS-MPC.584 PS-MPC.585.D PS-MPC.589 PS-MPC.597 PS-MPC.600 PS-MPC.602 PS-MPC.605 PS-MPC.609 PS-MPC.611.L PS-MPC.620.B PS-MPC.629 PS-MPC.640 PS-MPC.646.B PS-MPC.719 PS-MPC.723 PS-MPC.728 PS-MPC.802 PS-MPC.848 PS-MPC.868 PS-MPC.910 PS-MPC.1233 Puppets.960 Qpis.2931 Quarrel.390 Quintessence.992 Radar.2155 Revenge.948.D Rihii.128 RP Scrappy.416 Scroll.600 Seventh_Son.440 SFT.777 SillyC.161 SillyCR.354 Siskin.311 Siskin.555 Slaughter.512 Sno.1015.A Sno.1015.B Spirit Starslost.596 Sterculius.456 Sterculius.458 Sterculius.474 Sza.1864 Triple5.556 Tanpro.525 Umbrella.3032 Uneven.738 Vang.483 VCC.450.A VCC.450.B VCC.565 VCC.585 VCC.592 VCC.625 VCC.667 VCC.735 VCC.753 VCC.793 VCC.813 VCC.857 VCC.867 VCC.917 VCC.1144 VCC.1198 VCC.1263 VCL.346 VCL.348 VCL.383 VCL.847 VCL.848 VFSI.427 Vienna.462 Vienna.480 Vienna.629 Vienna.660.B Werewolf.658 Werewolf.678 Werewolf.685 Werewolf.1152 WilliWonka.1088 Wolfman.2064.C Xram.1000 YB.325 Yesmile.4304 Yesmile.5504 Zapper.1121 Zimboot ZZZ.412

The following 43 new viruses are now detected and identified but can not yet be removed.

_2000 _3008 Australian_Parasite.972 Bin.466 Bowl.737 Boza.A Boza.B Cybertech.688 Danish_Tiny.390 DIR_II.AF DIR_II.AG ElFla.687 ElFla.1017 Enero.2690 Entity.1986 Fangs.658 Fangs.685 Gripped.685 Halka.720.B HeyHunter.1087 IVP.1103 Kalo.1464 Katya.732 Leech.1024.B Mosca.849 Nightbird.419 Noone.1237 NRLG.968 Ratboy.539 Silence.4096 Silence.5120 Struck.731 Tornado Trance.1688 VCC.436 VCC.437 VCC.440 VCC.44 VCC.449 VCC.451 VCC.459 VCC.461 Vigo.1000

The following 3 new viruses are now detected, but not identified. F-PROT will just report the family name with a (?) or report the virus as "New or modified variant", as it is not yet able to determine which variant it is dealing with. Disinfection of these viruses is not yet possible.

Positron Trance.1982 Trance.3336

The following 1 virus which was identified by earlier versions can now be removed.

Crazyboot
