
F-PROT Professional Update Bulletins
F-PROT Professional 2.22 Update Bulletin
CONTENTS BRIEFLY
F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@F-Secure.com
This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.22 is mentioned. Copyright (c) 1996 F-Secure Ltd.
F-PROT Gatekeeper 2.22 protects PCs against viruses from the
Internet. When files are transferred via e-mail or from WWW
pages, Gatekeeper's `Scan on Create' function searches them
automatically for viruses when they arrive at the computer.
Gatekeeper has always provided excellent protection against
viruses from the Internet. However, in the past it was possible for
the viruses to remain unnoticed until an attempt was made to run
or copy an infected program. This kind of protection is fully
adequate in keeping computers from being infected, but now
Gatekeeper searches files for viruses at the time they are
created. Thus, infected files are detected much sooner.
When this kind of a new feature is introduced, there is always a
slight possibility that it may not be compatible with some of
the less common hardware and software combinations. For this
reason, the new `Scan on Create' feature is not switched on by
default in this version of the program.
If you wish to try out this new feature, you can switch it on by
creating a file called F-PROTW.INI in your computer's Windows
directory. Write the following two lines to the file:
[Gatekeeper]
ScanOnCreateRename=1
This setting takes effect after you have saved the file and
restarted Windows. We have also received requests to make
Gatekeeper more visual, so that users could see Gatekeeper
perform its checks. This is now possible; add the following line
to the [Gatekeeper] section in F-PROTW.INI:
ShowActivity=1
F-Secure Ltd's antivirus development team acquired a
valuable addition in the beginning of this year when the virus
researcher Peter Szor joined it. Peter Szor is from Hungary, and
he is known as the main developer of the PASTEUR antivirus
program. He has now moved to Finland, and started working with
the F-PROT Professional antivirus program in January 1996.
Peter Szor graduated from the University of Veszprem in 1991,
majoring in Computer Programming. After that, he worked for two
years at SG2-H Ltd, a French-Hungarian joint venture, creating
financial computer software. Two years later he joined Mezobank
and worked at the Bank's electronic data processing department.
Peter became interested in computer viruses in 1990. His
University diploma work was the PASTEUR antivirus program.
PASTEUR quickly became popular and received good reviews in
magazines such as Chip and Computer Panorama.
Encouraged by the success of PASTEUR, Peter developed PASTEUR
PLUS NLM version for Novell Netware. PASTEUR was always one of
the fastest scanners in the market, being several times faster
than most of its competitors.
PASTEUR and PASTEUR PLUS had over 9000 established clients. At
the moment, PASTEUR is discontinued and the existing customers
will get a replacement license of F-PROT Professional.
Mr. Szor is now the primary virus analyst at F-Secure Ltd. He
spends his days analyzing new viruses and developing new
features for the F-PROT Professional suite.
Welcome aboard, Peter!
This virus infects EXE programs when they are accessed or
executed. In addition to this, Burglar searches for new victims
and infects them when the `file attribute change' function (used
by ATTRIB) and `get free disk space' function (used by DIR and
many other commands) are called.
Burglar has stealth features: it hides the changes in the size
of the infected files when viewed with the DIR command.
Every time the virus infects files, it checks the time. If the
minute field is 14, the virus activates and writes a flashing
message in the top left corner of the screen:
Burglar/H
The virus also contains an unencrypted text which is never
shown:
AT THE GRAVE OF GRANDMA
Burglar has anti-heuristics mechanisms. Burglar checks for and
does not infect Windows programs or programs which have the
letters `V' or `S' in the file name (covering programs like
VIRSTOP, SCAN, VSHIELD, MSAV, NAV, CPAV etc.).
Burglar was found in the wild internationally in January 1996.
The virus has been spread in an infected version of a demo
called `Dawn'.
F-PROT 2.22 is able to detect and disinfect the Burglar virus.
The first virus to spread only under the Microsoft Windows 95
operating system was found in January 1996. This virus is of
Australian origin. It has not been reported in the wild anywhere
in the world, and can not be seen as a serious threat to Windows
95 users.
This new virus has been named `Boza'. It infects only Windows
Portable Executable EXE files - such files are used by Windows
95 and Windows NT. However, Boza does not infect machines
running the Microsoft Windows NT operating system. So far, no
viruses written specifically for Windows NT have been found.
Whenever an EXE file infected by Boza is run, the virus will
infect programs in the current directory. With each execution,
one to three EXE files will be infected. After this, Boza
executes the code of the original infected file - otherwise the
user would notice that something is wrong. Boza does not stay
active in memory after execution. For this reason it spreads
from one program to another relatively slowly. The actual
infection process is fast enough to go undetected in most
machines.
Boza has no destructive routines but it contains a bug which
will in some cases increase an infected EXE file's size by
several megabytes. This can reduce free disk space rather
quickly. The virus also has an activation routine which displays
texts like `The taste of fame just got tastier!' and `From the
old school to the new'. This message is shown if the virus is
run on the 31st of any month. Boza also contains internal texts
like:
Please note: the name of this virus is [Bizatch]
written by Quantum / VLAD
These texts are never displayed. VLAD is a virus-writers' group
originating from Australia.
Boza's spreading technique resembles some of the early DOS
viruses. When the first DOS viruses were found in the 1980s, they
were very simple compared to some of the currently known
polymorphic multipartite fast infecting stealth viruses. It can
be expected that a similar evolution will take place with
Windows viruses.
Boza would be an otherwise totally unremarkable virus, but since
it was the first virus which spreads only under Windows 95, it
has received a lot of publicity. Boza is unlikely to become a
real problem for Windows 95 users.
Two minor variants of Boza have also been found. These are named
Boza.B and Boza.C. They seem to fix some bugs in original Boza,
although the C variant seems to just crash always. These
variants have not been found in the wild, either.
F-PROT 2.22 is able to detect the Boza virus.
Two new Microsoft Word macro viruses and the world's first Ami
Pro macro virus have been discovered recently.
Microsoft Word and Ami Pro are by no means the only programs to
use a macro language. However, so far no viruses have been
developed for such applications as Microsoft Access or Microsoft
Excel.
New Word macro viruses
Since the last program update, two new Microsoft Word macro
viruses have been discovered.
WordMacro/Hot is the first Word macro virus written in Russia.
It was found in the wild over there in January 1996.
Hot spreads in a similar manner as the -virus: when an infected
DOC is first opened, the virus modifies the NORMAL.DOT file.
After that, it will spread to other documents.
Unlike the earlier Word macro viruses, Hot does not replicate
when the File/Save As command is used - it infects documents
only during the execution of the basic File/Save command. This
means that Hot will infect only existing documents in the system
- not new ones.
Infected documents contain the following four macros, which are
visible in the macro list:
AutoOpen
DrawBringInFrOut
InsertPBreak
ToolsRepaginat
When Hot infects NORMAL.DOT, it renames these macros to:
StartOfDoc
AutoOpen
InsertPageBreak
FileSave
Macros have been saved with the `execute-only' feature, which
means that a user can't view or edit them.
WordMacro/Hot contains a counter. It adds the following line to
the WINWORD6.INI file:
QLHot=35112
This number is based on the number of days that have passed
since the beginning of this century. Hot adds 14 to this number
and then waits until this latency time of 14 days has passed.
Hot spreads normally during this time, but it will not activate.
After the 14 day pause, there is a 1 in 7 chance that a document
will be erased when it is opened. The virus will delete all text
and re-save the document. Hot does not do this, if it finds a
file called EGA5.CPI in the C:\DOS directory. A comment in the
source code of the virus hints that this feature has been added
so that the author of the virus and his friends can protect
themselves from the activation damage.
By default, there is no file by the name EGA5.CPI in MS-DOS
distributions.
WordMacro/Hot was the first macro virus to use external
functions. This system allows Word macros to call any standard
Windows API call. The use of external functions is specific to
Windows 3.1x, which means that WordMacro/Hot will be unable to
spread under Word for Macintosh or Word 7 for Windows 95:
opening an infected document will just produce an error message.
F-PROT Professional 2.21a is able to detect the WordMacro/Hot
virus.
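The indicators described above for WordMacro/Hot, collected into one triage helper. This is an added example, not code from F-Secure or from the bulletin. It assumes that day 0 of the QLHot counter is 1900-01-01 (the bulletin only says "days since the beginning of this century", so dates can be off by a day or two); the function names and the sample INI text are constructed for illustration.

```python
import re
from datetime import date, timedelta

# Macro names exactly as listed in the bulletin.
HOT_DOCUMENT_MACROS = {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"}
HOT_TEMPLATE_MACROS = {"StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"}
LATENCY_DAYS = 14  # the bulletin: Hot adds 14 to the day number before storing it

# ASSUMPTION: day 0 of the counter is 1900-01-01. The bulletin only says
# "days since the beginning of this century", so dates may be off by a day or two.
ASSUMED_DAY_ZERO = date(1900, 1, 1)

QLHOT_RE = re.compile(r"^\s*QLHot\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_qlhot(ini_text):
    """Return the stored QLHot counter from WINWORD6.INI text, or None."""
    match = QLHOT_RE.search(ini_text)
    return int(match.group(1)) if match else None


def hot_timeline(counter):
    """Convert the stored counter into infection and activation dates."""
    armed_on = ASSUMED_DAY_ZERO + timedelta(days=counter)
    return {"infected_on": armed_on - timedelta(days=LATENCY_DAYS),
            "payload_armed_on": armed_on}


def _has_all(expected, seen):
    # Compare macro names without regard to case.
    return {n.lower() for n in expected} <= {n.lower() for n in seen}


def triage_hot(macro_names, winword6_ini, today, ega5_cpi_present=False):
    """Collect the Hot indicators described in the bulletin for one machine.

    macro_names      : names read from Word's macro list (document or NORMAL.DOT)
    winword6_ini     : contents of WINWORD6.INI
    today            : date to evaluate the latency period against
    ega5_cpi_present : whether C:\\DOS\\EGA5.CPI exists (not part of MS-DOS)
    """
    counter = parse_qlhot(winword6_ini)
    report = {
        "document_macros": _has_all(HOT_DOCUMENT_MACROS, macro_names),
        "template_macros": _has_all(HOT_TEMPLATE_MACROS, macro_names),
        "qlhot_counter": counter,
        "ega5_cpi_present": ega5_cpi_present,
        "infected_on": None,
        "payload_armed_on": None,
        "payload_armed": False,
    }
    if counter is not None:
        report.update(hot_timeline(counter))
        report["payload_armed"] = today >= report["payload_armed_on"]
    report["suspicious"] = (report["document_macros"] or report["template_macros"]
                            or counter is not None)
    return report


# Constructed sample input (the QLHot value is the one quoted in the bulletin;
# the other INI lines are made up for the example).
SAMPLE_INI = "[Microsoft Word]\nUSER-DOT-PATH=C:\\WINWORD\\TEMPLATE\nQLHot=35112\n"
SAMPLE_NORMAL_DOT_MACROS = ["StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"]

if __name__ == "__main__":
    for key, value in triage_hot(SAMPLE_NORMAL_DOT_MACROS, SAMPLE_INI,
                                 today=date(1996, 2, 10)).items():
        print(f"{key}: {value}")
```

Under the stated day-zero assumption, the counter quoted in the bulletin corresponds to an infection on 5 February 1996 with the payload armed from 19 February 1996.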
WordMacro/Atom was found in February 1996. Its operating
mechanism is quite similar to WordMacro/Concept, with the following
differences:
. All the macros in this virus are encrypted (Word's
execute-only feature)
. In addition to file saving operations, the virus replicates
during file openings as well
. The virus has two destructive payloads
The first activation happens when the date is December 13th. At
this time, the virus will attempt to delete all the files in the
current directory.
The second activation takes place when a File/Save As command is
issued and the seconds of the clock are equal to 13. When these
conditions are met, the virus will password-protect the
document, making it inaccessible to the user in the future. The
password is set to be ATOM#1.
It is not easy to give a search string for this virus: some of
the replicants are usually in the files password-protected by
the virus, and thus contain no constant user-definable search
string.
Disabling automacros will make Atom unable to execute and
spread. Turning on the Prompt to save NORMAL.DOT setting will
make Atom unable to infect NORMAL.DOT, but it will still be able
to infect documents that are opened or saved during the same
Word session.
WordMacro/Atom is not known to be in the wild.
In Microsoft Word, a document and all the macros related to it
are stored in a single file. So files like DOCUMENT.DOC or
DOCUMENT.DOT contain both the document contents and the macros.
But in Lotus' Ami Pro, macros are stored in a separate file: if
you have DOCUMENT.SAM, macros related to it are stored in
DOCUMENT.SMM. This makes it somewhat more difficult for Ami Pro
viruses to spread; when a user distributes a document, he is
likely to leave the .SMM file behind, thus effectively disabling
the virus.
The first Ami Pro macro virus was found in January 1996. The
virus, which is called Green Stripe or AmiMacro/GreenStripe,
works by creating a .SMM file for every .SAM file in Ami Pro's
default DOCS directory (\amipro\docs), and modifying the
existing .SAM files to use the new macros. The name of the virus
comes from its main macro procedure, which is called
Green_Stripe_virus.
Green Stripe propagates by intercepting Ami's File/Save and
File/Save As commands. Using File/Save As and saving an infected
document to a network drive or a floppy is the only likely way
this virus can spread from one machine to another.
Green Stripe has an activation routine which triggers during
saving: the virus searches through the document and replaces all
occurrences of the word "its" with "it's". Such a change can
easily go undetected by the user. However, it is unclear whether
this routine works at all.
Green Stripe is rumored to have been originally published in a
US virus-related magazine. It is unlikely to spread in the wild.
Detecting Green Stripe
Open the Tools/Macros/Edit menu and check whether the document
has a .SMM macro file which is assigned to be executed on open.
To disinfect an infected document, just delete the .SMM file,
open the document in Ami and uncheck the above setting.
Also, the initial infection process takes a long time, and the
user is likely to notice that something is going amiss, since
all the documents in the default directory will quickly appear
and disappear on the screen as the virus infects them.
IBM Germany distributed a number of infected original diskettes
in January 1996. The program in question was called VoiceType
Vokabular. It was shipped on permanently write-protected
floppies, which were infected by a boot sector virus.
Since the virus in question was pretty new, there is still some
confusion about the name. F-PROT 2.21 and newer detect it as
`Newboot_1', but the CARO name has been decided to be `Quandry'.
Other names for this virus are Parity.Boot.Enc and IHC.
The virus itself is a very simple, basic boot sector virus.
In the beginning of February 1996, Microsoft Slovenia held a
press conference where they presented the Slovenian version of
Microsoft Office for Windows 95.
All journalists received a floppy disk marked OBVESTILO ZA
JAVNOST 30. 1. 1996 (in English, "Press Release 30. 1. 1996").
The floppy disk contained two files, NOVKONF1.DOC and
NOVKONF1.TXT, and the NOVKONF1.DOC file was infected with the
WordMacro/Concept virus.
Next day, all journalists received a floppy from Microsoft
Slovenia containing a disinfecting utility.
For more information on the Concept virus, see our update
bulletin 2.20.
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can also
contact F-Secure directly at the number 350-0-478 444.
Written questions can be mailed to:
F-Secure Ltd
F-PROT Support
Päiväntaite 8
02210 ESPOO
FINLAND
Questions can also be sent by electronic mail to:
Internet:F-PROT@F-Secure.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
Elisa: Hyppönen Mikko.
Microsoft Word 6 is extensively used in our company, and we're a
bit scared of a macro virus infection. We send documents to our
clients and partners every day, and we want to avoid the risk of
spreading a macro virus completely. We're not only concerned
about the known macro viruses, but also about completely new
viruses and trojan horses. How can we exchange documents without
a virus risk?
There is an easy solution: instead of sending the
documents in Word's DOC-format, save the outgoing
documents in Rich Text Format (RTF). RTF will retain
the layout of your document, but macros are not
transferred through it. As a bonus, your clients can
open RTF files not only in Word, but also in almost any
other word processor.
The following article on virus activation routines was written
by Mikko Hyppönen, F-Secure LTD's F-PROT Technical Support
Manager. We publish the article in two parts - the first part
appeared in the previous Update Bulletin. The text has
previously been published for the Eicar Conference `95, where
Mr. Hyppönen presented it in its entirety.
There are several different trigger events, which viruses use to
decide when to activate. These include:
Date or time
Generation counter of the virus
Number of keypresses on the keyboard
Amount of free space on the hard drive
Amount of minutes the machine has been idle
Name of an executed program
Basically, viruses can use any event in the PC as a trigger.
When you have a real infection in your hands, you probably want
to know what the virus in question does. Actually, this
information can be crucial, especially in the case of viruses
which perform gradual corruption.
A virus like One_Half also demonstrates the importance of
knowing what a virus does before starting to disinfect it:
One_Half is a full stealth virus, which gradually encrypts the
contents of the hard drive. The encryption key and counter are
kept inside the virus body in the boot sector. If One_Half is
removed by overwriting the virus code in the boot sector with a
clean boot sector, the components required to decrypt the
drive are lost, and the encryption will not be hidden anymore by
the stealth routines of the virus. In effect, the data on the
hard drive is lost due to the virus disinfection procedure.
It would be great to have a single source of information which
would describe every computer virus, complete with its
propagation methods and activation routines. Unfortunately, no
such reference exists, and will never exist. There are just too
many viruses out there, and new ones are created too fast.
Today, several new viruses are found every day, and virus
experts have limited time to spend analyzing any single
virus. Virus analysis systems are automated as much as possible,
and a virus typically will get only a cursory look - which is
usually enough to add detection, identification and
disinfection. Such analysis will not reveal any special features
the virus may contain. For this reason, no anti-virus vendor can
provide a complete reference guide for all viruses their product
detects.
There are, however, some useful sources. These sources typically
cover only the most common or otherwise special viruses, but
this is usually enough.
These sources include:
The virus description database of F-PROT Professional
antivirus package. Do note that this is not the same as in the
shareware version of F-PROT. The emphasis of the descriptions is
on viruses which are known to be in the wild.
Virus description service at F-Secure Ltd's Internet
World-Wide Web server at http://www.F-Secure.com/. This
database is based on the same information that is used by the
F-PROT Professional antivirus program, but it is constantly
updated. Its features include the ability to do free searches
and browse through the latest updates. This is a free service,
which currently serves several hundreds of description
requests every day.
AVP Virus Encyclopedia. This Russian freeware DOS hypertext
program has probably the largest single set of descriptions;
there are several thousand viruses described here. Some of the
descriptions even include a demo of the actual activation
routine. The only problem with AVPVE is that at times the
language is a bit difficult to understand - English with a
Russian accent.
CAROBase is a joint effort of the Computer Antivirus
Researcher's Organization to gather technical descriptions of
viruses. It currently contains only about 120 descriptions,
but the detail and accuracy of those are excellent.
VTC Computer Virus Catalog is already getting outdated, but it
still contains excellent descriptions of over 200 PC viruses,
and also covers other platforms, such as Amiga, Atari and
Unix.
There are other sources available as well. The popular VSUM
Virus Summary can not be strongly recommended due to the several
errors it contains, but it can be useful as a cross-reference
tool when trying to locate a virus which is known by several
alias names.
Antivirus programs such as McAfee SCAN, Thunderbyte Antivirus or
Dr. Solomon's Antivirus Toolkit do contain brief descriptions,
but these are all based on a few basic attributes for each
virus, so they don't have details on activation routines. S&S
International has also published a book called Virus
Encyclopaedia, which has more detailed information.
The Worst Possible Activation Routine
What would be the worst possible activation routine that could
exist in a virus? Obviously, it would not be a virus which just
destroys data - incidents like that are relatively unimportant
if good backup practices are followed, and gradually corrupting
viruses can be found with good integrity checking. But how about
a virus which would breach the security and privacy of your
system?
The rising popularity of the Internet does indeed bring new
risks. Considering the widespread use of the Internet and TCP/IP
connections for normal PC workstations, and the amount of
Winsock installations in use, several scary visions come to
mind. How about a virus which opens a NNTP connection from your
machine and spams every newsgroup in the Usenet news hierarchy,
masquerading as you? Or sends rude e-mail messages to all
addresses found from your e-mail package's alias database. In
some e-mail systems, a virus could even use the authentication
features to positively identify the sender as you.
Even worse, how about a virus which waits until a machine with a
Winsock connection has been idle for some hours, opens an ftp
connection to some large public ftp server which has an open
area for incoming files, and uploads all DOC, XLS and DBF files
found in your hard drive - or your network? If the virus became
widespread, Internet surfers would make interesting discoveries
while going through the confidential files of hundreds or
thousands of unsuspecting users.
It's difficult to think of a worse activation routine for a
virus. Unfortunately, we will probably see something like this
in the future.
There is a wide variety of activation routines found in the
current viruses. After all, imagination is the only limit. There
are some scary possibilities which future viruses will probably
use in their activation routines to make the life of computer
users miserable.
It is still good to keep in mind that, although flashy viruses
get all the media attention, most viruses do nothing but
replicate.
When a diskette or hard disk was infected with multiple boot
sector viruses, F-PROT used to refuse to remove the infections.
It will now handle this situation properly.
We are continuing the massive virus renaming that was described
in the previous update bulletin. Many older viruses have now
been renamed to correspond with the new scheme, including the
VCL, PS-MPC and IVP-generated viruses. Names like
VCL.Genocide.839 have been changed to VCL.839.
The following problems were found and corrected:
The Skid_Row viruses were not disinfected correctly in 2.21 and
earlier versions, which occasionally resulted in the corruption
of the host programs.
The /BEEP switch did not produce a beep when F-PROT encountered
overwriting viruses, boot sector image files, and some other
types of unusual viral objects.
We have added an F-PROTW.INI setting which can be used to
disable the dialog at F-PROT for Windows startup asking if
expired tasks should be executed immediately. F-PROT will then
reschedule those tasks automatically.
To use this feature, add the following two lines to F-PROTW.INI
in your computer's Windows directory:
[FPWM]
RescheduleAtStartup=1
F-PROT now shows an error message if a batch scan is started
with a non-existent task.
If the password in FPWNET.CFG is missing or empty, F-PROT uses the
password from F-PROTW.CFG and copies it to FPWNET.CFG. Then, if
not empty, the program uses it and copies it to F-PROTW.CFG.
No more sharing violation error message boxes are shown while
scanning files opened by Word 6.
A bug causing General Protection Fault when scanning MIRROR.COM
has been fixed.
Timestamp string is now put into the Gatekeeper message sent to
admin upon finding an infection; the drive letter of a boot
infection is also mentioned.
Scan on create/rename has been implemented in Gatekeeper. The
feature is disabled by default: use the F-PROTW.INI setting
[Gatekeeper] ScanOnCreateRename=1 to enable it.
If an attempt to execute A-PROT.EXE was made when it was already
running, an error message was shown. This behavior can now be
overridden with the following F-PROTW.INI setting: [Gatekeeper]
ErrorIfAlreadyLoaded=0. If the value is 0, no error message will
be shown if an attempt is made to load A-PROT.EXE again.
In addition to AUTOINST.EXE, the distribute installations
feature now also copies DFGROUP.EXE and AUTOW31.EXE to the
destination directory.
When infected files are being sent to the administrator, viruses
are encrypted before they are sent to the comm directory.
Earlier versions used to copy the file to the comm directory and then
encrypt it, which caused an unnecessary alarm by Net-Prot etc.
When F-PROTW.EXE (Launcher) is performing auto-updating, and
Gatekeeper is changed in such a way that the newer version is
incompatible with the VxD of the old version, the Launcher does
not load the new Gatekeeper after updating (an attempt to load it
would result in an error message and failure to load anyway).
Instead, the Launcher will inform the user (in the file copy
progress dialog) that Gatekeeper will be loaded at next Windows
startup; the computer's work will not be interrupted and users
will not be disturbed by the automatic update. The F-PROTW.INI
setting [Launcher] AlwaysReloadGatekeeper=1 can be used to
override this behavior.
Network polling frequency in administration mode has been raised
to 10 minutes. The F-PROTW.INI AdminPollInterval= setting can be
used to change the administration polling frequency.
The string "Boot infection: `virus_name' This virus does not
preserve the original diskette boot sector, and is therefore
disinfected by overwriting it with `generic' non-bootable code."
was too long for 1 line. It has been split over multiple lines
for use in reports.
Command "Load F-Agent at Windows startup" has been added to
F-Agent's menu in standalone and administration modes. The command
will add/remove F-Agent to/from the run= line of WIN.INI; the
command is unaware of Windows' startup group.
Text with spaces is now allowed in [TSRLoad] ... <substring> in
AUTOINST.INI (until now Autoinst used only the 1st word from
<substring>).
Multiple "UserNameFromIni=" and "WorkstationNameFromIni="
entries are now allowed in AUTOINST.INI: the first one pointing to an
entry in an inifile will be used.
If "f-protw.386=" setting is present with remote installations,
AUTOINST copies f-protw.386 automatically to the designated
place from InstallRemote directory.
"UserNameFromRegistry=" and "WorkstationNameFromRegistry="
settings are now supported in AUTOINST.INI for AUTOW32.EXE.
In addition to the "UserName=", "UserNameFromIni=",
"WorkstationName=" and "WorkstationNameFromIni=" settings, the
"UserNameFromRegistry=" and "WorkstationNameFromRegistry="
entries are supported. Multiple "UserNameFromRegistry=" and
"WorkstationNameFromRegistry=" entries may be used: the first
one that points to a value in the registry will take effect. The
format for the values of both these entries (called "registry
locators") is:
MAINKEY [\ SUBKEY] \\ [VALUENAME]
where:
. MAINKEY : main key name, must be one of:
"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
"HKEY_USERS"
. SUBKEY : subkey name, may be missing
. VALUENAME : name of registry value, may be missing if the
default value is to be used
For example, these are all valid locator specifiers:
. ; all items present:
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\username
. ; no subkey:
UserNameFromRegistry=HKEY_LOCAL_MACHINE\\user-name
. ; no value name:
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\
. ; no subkey nor value name:
UserNameFromRegistry=HKEY_LOCAL_MACHINE\\
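A parser for the registry locator syntax described above, together with the "first entry that points to a value wins" rule. This is an added example, not AUTOINST's own code. The function names, the sample INI lines, the ExampleApp key and the in-memory registry are constructed for illustration, and treating a malformed locator as an error (rather than skipping it) is an assumption.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# The four main keys the bulletin allows in a locator.
ALLOWED_MAIN_KEYS = {
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
    "HKEY_LOCAL_MACHINE", "HKEY_USERS",
}


class Locator(NamedTuple):
    main_key: str
    sub_key: Optional[str]      # None when the locator has no subkey
    value_name: Optional[str]   # None means "use the key's default value"


def parse_locator(text: str) -> Locator:
    """Parse MAINKEY [\\ SUBKEY] \\\\ [VALUENAME].

    The key path and the value name are separated by the FIRST double
    backslash; a key path cannot contain an empty component, so that
    position is unambiguous even if the value name contains backslashes.
    """
    text = text.strip()
    path, sep, value_name = text.partition("\\\\")
    if not sep:
        raise ValueError(f"locator has no double-backslash separator: {text!r}")
    main_key, _, sub_key = path.partition("\\")
    if main_key not in ALLOWED_MAIN_KEYS:
        raise ValueError(f"unknown main key: {main_key!r}")
    return Locator(main_key, sub_key or None, value_name or None)


def locators_from_ini(ini_text: str, entry: str) -> List[Locator]:
    """Collect every 'entry=' line in file order.

    The same key may legitimately appear several times, which a strict INI
    parser would reject, so the lines are read by hand.
    """
    found = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == entry.lower():
            found.append(parse_locator(value))
    return found


# Constructed stand-in for the registry: {(main_key, sub_key): {value_name: data}}.
# An empty sub_key means the main key itself; an empty value_name is the default value.
Registry = Dict[Tuple[str, str], Dict[str, str]]


def resolve_first(locators: List[Locator], registry: Registry) -> Optional[str]:
    """Return the data of the first locator that points to an existing value."""
    for loc in locators:
        values = registry.get((loc.main_key, loc.sub_key or ""), {})
        data = values.get(loc.value_name or "")
        if data is not None:
            return data
    return None


# Constructed sample, not a shipped AUTOINST.INI.
SAMPLE_INI = r"""
; first entry points at a key that does not exist on this machine
UserNameFromRegistry=HKEY_CURRENT_USER\Software\ExampleApp\\login
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\username
UserNameFromRegistry=HKEY_LOCAL_MACHINE\\
"""

SAMPLE_REGISTRY: Registry = {
    ("HKEY_LOCAL_MACHINE", r"Network\Logon"): {"username": "jsmith"},
    ("HKEY_LOCAL_MACHINE", ""): {"": "fallback"},
}

if __name__ == "__main__":
    entries = locators_from_ini(SAMPLE_INI, "UserNameFromRegistry")
    for loc in entries:
        print(loc)
    print("resolved user name:", resolve_first(entries, SAMPLE_REGISTRY))
```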
AUTOW32.EXE now works from a directory which has spaces in its
name (older versions didn't use the correct AUTOINST.INI because
the command line was processed incorrectly).
A bug in AUTOINST has been fixed which caused multiple spaces to
be left on the run= line of WIN.INI if the previous run= line had
trailing spaces.
UNC pathnames are supported by Autoinst and FPW (as for the
communication dir).
The following 35 viruses are now identified, but can not be
removed as they overwrite or corrupt infected files. Some of
them were detected by earlier versions of F-PROT, but not
identified accurately.
_641
Burger.393
Exe2Win.113
Exe2Win.116
Exe2Win.132
Exe2Win.214
Exe2Win.710
HLLO.5520
HLLO.6561
HLLO.Honi.B
Jerusalem.Nai-Tai.B
Leprosy.554
Leprosy.1306.B
SillyOR.177
Trivial.26.E
Trivial.34.C
Trivial.37.C
Trivial.42.J
Trivial.42.K
Trivial.45.G
Trivial.45.H
Trivial.45.I
Trivial.47
Trivial.50.C
Trivial.52
Trivial.56
Trivial.66
Trivial.77
Trivial.78
Trivial.88
Trivial.137
Trivial.214
Trivial.241
Ymir.101
Ymir.144
The following 281 new viruses can now be removed. Many of them
were detected by earlier versions, but are now identified
accurately.
_406
_494
_585
_589
_789
_1000.A
_1000.B
_1024
A_Ant.564
Acdc.499
Alfons.1344
Arme.411
Ash.743.L
Aspargus.768
Awaits.500
Baby.962
Bad_Com.600
Badless.494
BelinHQ.434
Bero.677
Brownie.688
Bunny.497
Canna.357
Carry.534
Chad.750
Chang.3584
Chapa.448
Chapa.450.C
Chapa.566
Chapa.572
Chapa.586
Click.375
Clonewar.252
Clonewar.255
Clonewar.258
Clonewar.267
Creat.795
Crovir.625
Dagg.882
Danish_Tiny.333.C
Dark_Avenger.1728
Dark_Avenger.1783
Dark_Avenger.1803.B
Dark_Avenger.1805
Dark_Avenger.1808
Dark_Avenger.2000.K
Dark_Avenger.2000.L
Deathboy.655
Deino.1000
Destructor.2082
Doperland.490
DSTT.231
DSTT.242
DSTT.330
DSTT.347
DSTT.396
Eb.313
Eb.378
Eddie-2.657
Eleet.726
Escort.151
Fifo.333
Flip.2153.J
Frodo.4096.L
Fumble.866
Garfio.1000
Green_Caterpillar.1575.K
Halka.704
Halt.A
Heja.623.B
Hellis.608
Helloween.1377
Hi.378
Hi.512
Hi.559
Hi.671
Hi.806
Hi.833
IMI.1536.H
Immortal.2174
Immortal.2185
Inch.386
Insane.197
Int_AA
Intruder.1312
Intruder.1319.C
Ivir.221
Ivir.240
IVP.872
Jason.626
Jerusalem.1806.Frere.L
Jerusalem.1808.Sumsdos.AV
Jinx.846.B
Jinx.846.C
Jinx.854
JH_error.1215
Karnavali.1986
Kela.2122
Kela.2163
Keyb.996
Khiznjak.560
Khiznjak.735
Khiznjak.749.B
Khiznjak.761
Khiznjak.766
Kobrin.489
Kobrin.491
Leech.1024.B
Liberty.2857.I
Locust.735
Louse.919
Lunch_Time.783
Maxi.1148
Mirage.1309
Movius.231
Morgul.400
Morgul.424
Murderer.3670
Murphy.1277.C
Mururoa.2469
Myroom.891
Nado.841
Neumann.752
NLA.383
Obid.555
Oppressor.1071
Overdoze.563
Overdoze.568
Overdoze.569
Overdoze.572
Overdoze.573
Overdoze.578
Overdoze.580.A
Overdoze.580.B
Overdoze.580.C
Overdoze.582
Overdoze.584
Overdoze.585
Overdoze.587
Overdoze.588
Overdoze.590
Overdoze.591
Overdoze.593
Overdoze.596
Overdoze.600.A
Overdoze.600.B
Overdoze.606
Paladine.1080
Pixel.847.K
Pixel.3072
Pottery.316
Pressreset.607
PS-MPC.139
PS-MPC.227
PS-MPC.329
PS-MPC.333
PS-MPC.374
PS-MPC.384
PS-MPC.389
PS-MPC.391
PS-MPC.393.A
PS-MPC.392.B
PS-MPC.397.A
PS-MPC.397.B
PS-MPC.399
PS-MPC.404
PS-MPC.408
PS-MPC.412
PS-MPC.418
PS-MPC.424
PS-MPC.428.A
PS-MPC.428.B
PS-MPC.428.C
PS-MPC.442
PS-MPC.443
PS-MPC.481
PS-MPC.482.A
PS-MPC.482.B
PS-MPC.509
PS-MPC.510.B
PS-MPC.515
PS-MPC.520.B
PS-MPC.520.C
PS-MPC.520.D
PS-MPC.526
PS-MPC.535
PS-MPC.575.C
PS-MPC.576.B
PS-MPC.579
PS-MPC.581
PS-MPC.583
PS-MPC.584
PS-MPC.585.D
PS-MPC.589
PS-MPC.597
PS-MPC.600
PS-MPC.602
PS-MPC.605
PS-MPC.609
PS-MPC.611.L
PS-MPC.620.B
PS-MPC.629
PS-MPC.640
PS-MPC.646.B
PS-MPC.719
PS-MPC.723
PS-MPC.728
PS-MPC.802
PS-MPC.848
PS-MPC.868
PS-MPC.910
PS-MPC.1233
Puppets.960
Qpis.2931
Quarrel.390
Quintessence.992
Radar.2155
Revenge.948.D
Rihii.128
RP
Scrappy.416
Scroll.600
Seventh_Son.440
SFT.777
SillyC.161
SillyCR.354
Siskin.311
Siskin.555
Slaughter.512
Sno.1015.A
Sno.1015.B
Spirit
Starslost.596
Sterculius.456
Sterculius.458
Sterculius.474
Sza.1864
Triple5.556
Tanpro.525
Umbrella.3032
Uneven.738
Vang.483
VCC.450.A
VCC.450.B
VCC.565
VCC.585
VCC.592
VCC.625
VCC.667
VCC.735
VCC.753
VCC.793
VCC.813
VCC.857
VCC.867
VCC.917
VCC.1144
VCC.1198
VCC.1263
VCL.346
VCL.348
VCL.383
VCL.847
VCL.848
VFSI.427
Vienna.462
Vienna.480
Vienna.629
Vienna.660.B
Werewolf.658
Werewolf.678
Werewolf.685
Werewolf.1152
WilliWonka.1088
Wolfman.2064.C
Xram.1000
YB.325
Yesmile.4304
Yesmile.5504
Zapper.1121
Zimboot
ZZZ.412
The following 43 new viruses are now detected and identified but
can not yet be removed.
_2000
_3008
Australian_Parasite.972
Bin.466
Bowl.737
Boza.A
Boza.B
Cybertech.688
Danish_Tiny.390
DIR_II.AF
DIR_II.AG
ElFla.687
ElFla.1017
Enero.2690
Entity.1986
Fangs.658
Fangs.685
Gripped.685
Halka.720.B
HeyHunter.1087
IVP.1103
Kalo.1464
Katya.732
Leech.1024.B
Mosca.849
Nightbird.419
Noone.1237
NRLG.968
Ratboy.539
Silence.4096
Silence.5120
Struck.731
Tornado
Trance.1688
VCC.436
VCC.437
VCC.440
VCC.44
VCC.449
VCC.451
VCC.459
VCC.461
Vigo.1000
The following 3 new viruses are now detected, but not
identified. F-PROT will just report the family name with a (?)
or report the virus as "New or modified variant", as it is not
yet able to determine which variant it is dealing with.
Disinfection of these viruses is not yet possible.
Positron
Trance.1982
Trance.3336
The following 1 virus which was identified by earlier versions
can now be removed.
Crazyboot