F-PROT Professional Update Bulletins


F-PROT Professional 2.24 Update Bulletin

CONTENTS BRIEFLY


Contents 3/96
A Public Secret
    What to do?
The Global Virus Situation
    Microsoft Excel Macro Viruses
    The Future
    What About DMV?
Hare
    Hare.7750
    Hare.7786
Tentacle
Tentacle_II
Buy-a-virus
Common Questions and Answers
Changes in F-PROT version 2.24
    Changes in F-PROT for DOS
    Changes in F-PROT for Windows
New Viruses Detected by F-PROT


F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-9-478 444, Fax +358-9-478 44 599
E-mail: F-PROT-Support@F-Secure.com, WWW: http://www.F-Secure.com/

This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.24, is mentioned. Copyright (c) 1996 F-Secure Ltd.


A Public Secret


Quite recently, we read in the newspapers how the CIA and the NSA (National Security Agency) managed to break into the EU Commission's systems and access confidential information about the GATT negotiations. The stolen information was then exploited in the negotiations. The EU Commission denies the allegation, but denial is common practice in matters involving information security breaches.

At the beginning of June, the news in Great Britain told the public about an incident where British and American banks had paid 400 million pounds in ransom to keep the criminals who had broken into their systems from publicizing the systems' weaknesses [London Times, 3.6.1996]. The sums involved are simply enormous, especially since all these millions of pounds bought nothing more than silence. According to the London Times, the banks' representatives said that the money had been paid because "publicity about such attacks could damage consumer confidence in the security of their systems".

Criminal hackers are probably encouraged by the fact that, in most cases, their victims are not at all eager to report the incidents to the police. And that is not all; assuming that the information reported by the London Times is correct, they may even get paid a "fee" for breaking in!

According to the Financial Times' estimate in April 1996, a computer on the Internet is broken into every 20 seconds. The paper continued: "There are also more than 20.000 aggressive, deliberately destructive hackers in the US...".

Whatever the truth about these incidents may be, the fact remains that current information systems are quite vulnerable to penetration from outside. As the Internet becomes more popular and spreads ever wider, criminals can break into an increasing number of systems easily and without a real risk of being caught.

What to do?


Computers and data communications connections cannot be protected against hackers with 100% certainty. In practice, there are always some security holes which a skillful burglar can exploit. Since it is virtually impossible to plug all the holes that a hacker can use, the best way to attain information security is to make sure that any stolen information is unusable to the thief. This can be achieved by using data encryption based on strong cryptography, especially in cases where information is transferred outside a local area network (LAN). If the LAN itself carries much secret or confidential communication, it is important to implement data encryption in the network's internal workings as well.

Even at their initial stages, F-Secure Ltd's F-Secure products meet many of these demands. It is the goal of our continuing product development to eventually address all such information security needs. The SSH client/server software can be used to protect data communications and remote connections between internal systems. With the VPN software, it is possible to construct automatically encrypting tunnels between two or more secure LANs. By using our program libraries, authentication and encryption can be implemented in a company's internal systems.

More information about the F-Secure products can be found on our WWW pages, at: www.datafellows.europe.com

The Global Virus Situation



Microsoft Excel Macro Viruses


A year after the first widespread Microsoft Word macro virus, the first real Microsoft Excel macro virus was found in July 1996. This macro virus was named ExcelMacro/Laroux. Laroux has not been reported widely, and it cannot be considered a real threat at the moment.

Once the Excel environment has been infected by this virus, the virus will always activate when Excel is loaded and infect all new Excel workbooks that are created, as well as old workbooks when they are accessed.

ExcelMacro/Laroux was written with Visual Basic for Applications (VBA). This is a macro language based on Microsoft's Visual Basic programming language. The virus is able to function with Excel 5.x and 7.x, in Windows 3.x, Windows 95 and Windows NT environments. ExcelMacro/Laroux also works with some localized versions of Excel, but not all (for example, it fails under the French version of Excel). The virus does not work with any version of Excel for Macintosh or Excel 3.x or 4.x for Windows.

ExcelMacro/Laroux consists of two macros, auto_open and check_files. The auto_open macro is executed whenever an infected workbook is opened, followed by the check_files macro, which checks Excel's startup path. If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux".

PERSONAL.XLS is the default filename for any macros recorded under Excel. Thus, you may have PERSONAL.XLS in your system even though your computer is not infected by this virus. The program's startup path is by default set as \MSOFFICE\EXCEL\XLSTART, but it can be changed by using Excel's Tools/Options/General/Alternate Startup File menu option.

If an infected workbook resides on a write-protected floppy, an error will occur when Excel tries to open it, and the virus will not be able to replicate.

ExcelMacro/Laroux is not intentionally destructive and contains no payload; it just replicates itself.

Laroux can also be detected manually from Excel itself. Select the menu command Tools/Macro in Excel. If you find the macros auto_open, check_files, PERSONAL.XLS!auto_open and PERSONAL.XLS!check_files (and possibly 'bookname'!auto_open and 'bookname'!check_files from any infected workbooks you may have open at the time), it is likely that your program is infected. You can verify the matter by selecting the Window/Unhide menu command and unhiding the Personal file. This should make the Personal sheet visible, with the text "laroux" in the sheet tab.

To disinfect ExcelMacro/Laroux, delete these macros and exit Excel, saving all changes. Now Excel itself is clean. Next, open all infected workbooks one by one, keeping the left shift key pressed down while opening them (according to the Excel documentation, this bypasses automacros, but unfortunately the function doesn't always seem to work). After opening an infected workbook, select the Tools/Macro command, delete the virus macros and save the file.

We're trying to evaluate how widely ExcelMacro/Laroux has spread. If you find that your computer is infected with this virus, please contact us.
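The manual check and clean-up order described above can be expressed as a small triage routine. This Python sketch is an added example, not part of the bulletin or of F-PROT: it takes macro names as they appear in the Tools/Macro list, groups them by workbook, and returns the order in which to clean them. The sample list, the workbook names in it and all function names are constructed for illustration.

```python
# Added example: triage of a Tools/Macro name list for ExcelMacro/Laroux.
LAROUX_MACROS = {"auto_open", "check_files"}   # macro pair named in the bulletin
GLOBAL_BOOK = "PERSONAL.XLS"                   # workbook Laroux creates in XLSTART
ACTIVE = "(active workbook)"                   # label for unqualified macro names

LIKELY = "likely Laroux: both virus macros present"
PARTIAL = "partial match: inspect manually"
CLEAN = "no Laroux macros"


def split_entry(entry):
    """Split "book!macro" or "'book name'!macro" into (book, macro)."""
    entry = entry.strip()
    if "!" in entry:
        book, macro = entry.rsplit("!", 1)
        book = book.strip("'")
    else:
        book, macro = ACTIVE, entry            # no prefix: macro of the open book
    return book, macro.strip().lower()         # macro names are case-insensitive


def triage(entries):
    """Return {workbook: verdict} for a list of macro names."""
    books = {}
    for entry in entries:
        if entry.strip():
            book, macro = split_entry(entry)
            books.setdefault(book, set()).add(macro)
    verdicts = {}
    for book, macros in books.items():
        hits = macros & LAROUX_MACROS
        if hits == LAROUX_MACROS:
            verdicts[book] = LIKELY
        elif hits:
            # auto_open alone is a normal Excel feature, so do not condemn it.
            verdicts[book] = PARTIAL
        else:
            # PERSONAL.XLS holding only recorded macros lands here.
            verdicts[book] = CLEAN
    return verdicts


def cleanup_order(verdicts):
    """Flagged workbooks, PERSONAL.XLS first, as the bulletin's procedure does."""
    flagged = [b for b, v in verdicts.items() if v == LIKELY]
    return sorted(flagged, key=lambda b: (b.upper() != GLOBAL_BOOK, b.upper()))


# Constructed sample of what the macro list might contain.
SAMPLE_MACRO_LIST = [
    "auto_open",
    "check_files",
    "PERSONAL.XLS!auto_open",
    "PERSONAL.XLS!check_files",
    "'BUDGET 96.XLS'!auto_open",
    "'BUDGET 96.XLS'!check_files",
    "REPORT.XLS!auto_open",
    "REPORT.XLS!FormatTotals",
]

if __name__ == "__main__":
    result = triage(SAMPLE_MACRO_LIST)
    for book in result:
        print(f"{book:20} {result[book]}")
    print("clean in this order:", cleanup_order(result))
```

A "likely" verdict should still be confirmed by unhiding the Personal file and looking for the "laroux" sheet tab, as described above.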

The Future


In general, Microsoft Excel has an even more powerful set of commands and system hooks than Microsoft Word does. This means that Excel viruses have more ways to propagate than Word viruses (or Ami Pro viruses, for that matter). However, Excel is not as widely used as Word.

What About DMV?


A person called Joe McNamara wrote a Word macro virus called WordMacro/DMV to study the behavior of macro viruses in the fall of 1994 - at the same time, he published a detailed study about macro viruses. McNamara also published a skeleton for a virus which was designed to infect Microsoft Excel spreadsheet files. However, this file was not functional, and could not spread itself. So, in its current state, it cannot really be called a virus.

It would be possible to develop a working virus from the DMV Excel sample, but we have not seen one yet. This makes ExcelMacro/Laroux the first working Excel virus that has come to our attention.

Although it can be argued that spreading information as Mr. McNamara has done will educate the public, we can also expect to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques used in it. We are opposed to such behavior.

See also information on Word macro viruses and Ami Pro macro viruses (for instance, F-PROT Update Bulletins 2.20, 2.21, 2.22 and 2.23).

Hare


Hare is a resident stealth multipartite virus of Slovenian origin. The virus was first found in the wild in the USA in May 1996. It was apparently distributed over the Internet, for infections were soon after found in Canada, UK, Switzerland, Russia...in general, everywhere. Hare uses antiheuristic and antiemulation tricks, and encrypts itself with a slow polymorphic encryption layer.

Hare infects COM and EXE files, the MBRs of hard drives and diskette boot sectors. Infected files and boot sectors are encrypted with a slowly changing polymorphic encryption layer. The virus marks infected files by setting the seconds field of the time stamp to 34. Hare will not infect files starting with 'TB' or 'F-', or files which have the letter 'V' in their name - the virus apparently tries to avoid infecting anti-virus programs which have a self-check routine.

When an infected file is run, the virus first infects the MBR of the hard drive. After this, it stays resident in memory and is able to infect files (but not boot sectors). While infecting the MBR, Hare attempts to bypass BIOS boot sector virus protection systems. When the machine is rebooted, the virus installs itself into memory from the MBR and starts to infect diskette boot sectors during diskette access, as well as COM and EXE files.

While resident, the virus occupies over 9kB of memory. Infected files grow around 7-8kB in size, depending on the polymorphic decryptor. The polymorphic decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts - the purpose is to confuse the heuristics and emulation techniques of anti-virus programs. Polymorphic encryption changes slowly; the virus tries to make it difficult to create a large sample set with variable decryptors.

Hare attempts to hide its presence in the system, but it sometimes reports the infected files to be a little bigger or smaller than they originally were.

Hare is Windows 95-aware: it deletes the Windows 95 diskette driver file to make itself capable of spreading to diskettes used from Windows 95. After disinfecting Hare, you will need to reinstall the \WIN95\SYSTEM\IOSUBSYS\HSFLOP.PDR file from backups.

Hare activates when the computer is booted on the 22nd of August and 22nd of September. At this time, it displays the text:

"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

After this, the virus attempts to overwrite the hard drive and the A: and B: drives. This results in a 'Non-system disk' error, but the virus stays resident in memory even after the destruction is done - in other words, it can still replicate if a non-write-protected boot diskette is inserted to start up the machine.
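The time-stamp marker described above can serve as a quick triage cue on a directory read after a clean boot. This Python sketch is an added example, not F-PROT code: it decodes raw FAT directory entries, flags COM and EXE files whose time stamp carries 34 seconds, and separates out names the bulletin says Hare refuses to infect. The directory contents, file names and function names are constructed for illustration.

```python
# Added example: look for Hare's 34-second marker in raw FAT directory entries.
import struct

# 8.3 directory entry: name, ext, attr, 10 reserved bytes,
# time word, date word, start cluster, file size (32 bytes).
DIRENT = struct.Struct("<8s3sB10sHHHI")
HARE_SECONDS = 34                  # marker value given in the bulletin
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10

NO_MARKER = "no marker"
SKIPPED = "marker, but name is one Hare avoids"
MARKED = "marker present: scan this file"


def dos_seconds(time_word):
    """Seconds of a packed DOS time; bits 0-4 store seconds / 2."""
    return (time_word & 0x1F) * 2


def hare_skips(base_name):
    """Names the bulletin says Hare will not infect."""
    return base_name.startswith(("TB", "F-")) or "V" in base_name


def scan_directory(raw):
    """Return [(filename, verdict)] for the COM/EXE entries in a directory."""
    findings = []
    for off in range(0, len(raw) - DIRENT.size + 1, DIRENT.size):
        name, ext, attr, _res, time_w, _d, _c, _sz = DIRENT.unpack_from(raw, off)
        if name[0] == 0x00:        # first never-used slot ends the directory
            break
        # Skip deleted entries, volume labels (and long-name slots, which
        # also carry the volume bit) and subdirectories.
        if name[0] == 0xE5 or attr & (ATTR_VOLUME | ATTR_DIR):
            continue
        base = name.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        if suffix not in ("COM", "EXE"):
            continue
        if dos_seconds(time_w) != HARE_SECONDS:
            verdict = NO_MARKER
        elif hare_skips(base):
            verdict = SKIPPED
        else:
            # Clean files can carry 34 seconds by chance: a cue, not proof.
            verdict = MARKED
        findings.append((f"{base}.{suffix}", verdict))
    return findings


def make_entry(name, ext, hour, minute, second, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    time_w = (hour << 11) | (minute << 5) | (second // 2)
    date_w = ((1996 - 1980) << 9) | (6 << 5) | 26
    return DIRENT.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, b"\0" * 10, time_w, date_w, 2, 20000)


# Constructed sample directory, not data from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 12, 0, 0),
    make_entry("EDIT", "COM", 9, 15, 34),
    make_entry("F-PROT", "EXE", 10, 30, 34),
    make_entry("README", "TXT", 8, 0, 34),
    b"\xe5" + make_entry("OLDGAME", "EXE", 1, 2, 34)[1:],   # deleted entry
    make_entry("DOS", "", 0, 0, 34, attr=ATTR_DIR),
    b"\0" * 32,                                             # end of directory
    make_entry("GHOST", "EXE", 3, 4, 34),                   # past the end
])

if __name__ == "__main__":
    for filename, verdict in scan_directory(SAMPLE_DIR):
        print(f"{filename:14} {verdict}")
```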

Hare.7750


This is a newer variant in which some of the original virus's bugs have been corrected. The text message in the virus has been changed to:

"HDEuthanasia-v2" by Demon Emperor: Hare, Krsna, hare, hare...

Otherwise, the virus is similar to the original variant. The Hare.7750 variant was spread in faked posts in Usenet news on 26th of June, 1996. Among the infected files were:

vpro46c.exe in alt.cracks
agent99e.exe in alt.cracks
red_4.exe in alt.sex
pkzip300.exe in alt.comp.shareware

Hare.7786


The text message in this variant has been changed to:

"HDEuthanasia-v3" by Demon Emperor: Hare, Krsna, hare, hare...

The Hare.7786 variant was spread in faked posts in Usenet news on 29th of June, 1996. Among the infected files were:

agent99e.exe in alt.crackers
lviewc.exe in alt.crackers

Tentacle


This Windows virus was found in the wild in France and the UK in March 1996. The virus was distributed in a file called dogzcode.zip via the alt.cracks Usenet newsgroup. Tentacle infects Windows 3.1x EXE files in the current and Windows directories. It does not stay resident in memory. Occasionally, Tentacle will replace the icon of an infected EXE file with its own icon. This new icon contains a picture of a tentacle and the text 'Tentacle'. Tentacle also sometimes corrupts EXE files while infecting them. Such programs do not work after the infection.

Tentacle_II


Tentacle_II is actually not very closely related to the original Tentacle virus, but it has been written by the same author. The virus was found in the wild in June 1996 in USA, UK, Australia, Norway and New Zealand. Tentacle_II is also known as Shell.

A known infection happened on the 3rd of August, 1996, when an infected screen saver called PCTRSHOW.ZIP was posted to the following newsgroups:

alt.sex.pictures
alt.binaries.pictures.erotica
alt.binaries.pictures.erotica.blondes
alt.binaries.pictures.erotica.breasts
alt.binaries.pictures.erotica.cheerleaders
alt.binaries.pictures.erotica.female
alt.binaries.pictures.erotica.lesbians
alt.binaries.pictures.erotica.oral
alt.binaries.pictures.erotica.orientals
alt.binaries.pictures.erotica.redheads
alt.binaries.pictures.erotica.teen
alt.binaries.pictures.erotica.teen.female
alt.binaries.pictures.erotica.voyeurism
alt.binaries.pictures.erotica.young
alt.binaries.pictures.groupsex
alt.binaries.pictures.erotica.latina
alt.binaries.pictures.celebrities
alt.binaries.pictures.girls

Do note that there are also clean copies of PCTRSHOW in circulation.

The virus infects only Windows 3.x executables (NE). It manages the infection without changing the executable entry point. When executed, Tentacle_II searches the directory tree for suitable files to infect. EXE and SCR (screen saver) files can get infected. The virus may also infect 32-bit Windows 95 and Windows NT executables, but it is unable to spread further from such files. Tentacle_II does not stay resident in memory.

The Tentacle_II virus activates by dropping a GIF file, which contains a picture of a tentacle and the text: "I'm the Tentacle Virus!"

Buy-a-virus


There certainly are enough entrepreneurs on the Internet. One web site, operating from the USA, is selling personalized viruses to anybody. For the price of 10$, you can choose the name and the functionality of the virus. These viruses seem to be based on VCL, so they are automatically detected by F-PROT.

Common Questions and Answers


If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly at the number 358-9-478 444. Written questions can be mailed to:

F-Secure Ltd
F-PROT Support
Päiväntaite 8
02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

Internet: F-PROT@F-Secure.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
Elisa: Hyppönen Mikko

I run my computer with Windows 95. One day, my CD-ROM suddenly stopped responding, and now I can't access it under 95 at all. If I boot to DOS, CD-ROM works fine. Could this be caused by a virus?

Yes. This effect is typical of boot sector viruses under Windows 95. The virus installs a new handler for the hard disk interrupt INT 13h, and this prevents Windows 95's 32-bit disk access drivers from loading. As a result, the normal CD-ROM access won't work. Check your machine for boot sector viruses.

I suspect a virus infection in my computer, and want to boot from a clean system diskette to make sure no viruses remain resident while I scan my hard disk. My computer is rather old, and I use Disk Manager from OnTrack to access its 1GB IDE disk. Disk Manager is installed in the hard disk's MBR, and when I boot the machine, it prompts me to press space to boot from a diskette. If I do this, am I actually booting clean?

No, you're not booting clean. If the hard disk is infected by a boot sector virus which infects MBRs, the virus will already be resident at this stage. To really boot clean under Disk Manager, you will have to boot directly from a diskette - which means you won't see the 'Press Space' prompt at all. After a direct diskette boot, you won't be able to access the files on your hard disk, but F-PROT will still be able to scan and disinfect the MBR. After you've done this, you can safely reboot using Disk Manager's diskette boot function and check the rest of the hard disk. You will have to do this also if you're using Micro House EZ-Drive.

I have noticed that Word document files that have been infected by macro viruses cannot be saved with Word to alternative directories. I suppose this is a side effect caused by the virus. I disinfected a set of documents with F-PROT, and I noticed that most of the documents could be saved normally after this, but not all. How come?

You are right, it is caused by a side effect. Infected DOC files are always templates in structure, regardless of the file extension (the normal extension for templates is DOT). Only templates can contain macros. A side effect of this is that infected files can usually be saved by Word only as templates and only to the default template directory.

When disinfecting infected files, F-PROT will normally change the file back to a normal document. However, some files have originally been templates, so F-PROT tries to determine this and preserve them as templates after disinfection. If the file contains extra macros after disinfection, it has probably been a template in the first place and will not be changed to a document by F-PROT. The same will happen if:

- The document contains user-defined menus or toolbars
- The filename extension of the file was DOT
- The filename of the file was NORMAL

Changes in F-PROT version 2.24



Changes in F-PROT for DOS


The following problems were found and corrected:

The disinfection of the Quandary virus from the hard disk didn't work - F-PROT was complaining that the original MBR could not be found. Fixed.

The following false alarms were fixed:

RD16.COM : Possibly a new variant of Chips

Changes in F-PROT for Windows


FPW/Win31: Closing of the task settings dialog is not allowed if both "Look for viruses/trojans" and "Look for doc macro viruses" check boxes are unchecked.

FPW: Added an option for the main program to F-PROTW.INI: [FPWM] RemoveInvalidTasks=1; if zero, tasks with invalid targets are not deleted upon F-PROT startup. This option is useful because it makes it possible to stop F-PROT from deleting, e.g., tasks for scanning network drives when Windows is booted without network and the drives are not available. It is possible that we will make this a default behavior in the future.

FPW/Win31/Win95/WinNT: Release month and year have been removed from F-PROT's splash screen.

F-PROT Gatekeeper

GK/Win31: When finding a boot sector virus, Gatekeeper would continue scanning the diskette boot sector until the diskette was removed from the system. After each scan, Gatekeeper would send a message about the infection to the administrator, and would write an entry into the log. This has been corrected: now only one message is sent for a single infection.

GK/Win31/Win95: Gatekeeper now uses the on-demand scanner's executable extensions list for determining which files to scan, instead of the previously used hardcoded list. Note that the Windows 3.1x Gatekeeper will continue to search for document macro viruses from files with extensions starting with "DO" only. This is because document files have to be opened with a different method in Windows 3.1 Gatekeeper.

FPW/GK/Win95: When scanning a diskette with a boot sector virus with Gatekeeper enabled, Gatekeeper used to notify about the boot sector virus as well. This has been corrected.

GK/Win95: Added the LoadDelay= feature in F-PROTW.INI [Gatekeeper], for Windows 95 Gatekeeper, as it is in Windows 3.1x Gatekeeper. The default delay value is 3 seconds in order to avoid some obscure file access conflicts at Windows startup.

GK/Win95: Windows 95 Gatekeeper now uses the 10-point "System" font in the virus notification dialog if Japanese language is used. This was needed because with the previously used font, the Japanese characters were not displayed correctly.

Scanning engine

Scan: Files which cannot be disinfected of macro viruses are now renamed. Earlier versions used to report about deleting such files (no deletion took place actually).

Scan: Corrected a bug which caused the Windows versions of F-PROT to miss some viruses which the DOS version would find, e.g. Rex.1637 from COM files.

Scan/Win31/Win95/WinNT: The macro scan engine has been updated to perform a more exact identification of the viruses, and to remove only the viral macros upon disinfection.

Scan/Win31/Win95/WinNT: The counter of disinfected document files was not updated. This has been corrected.

Autoinstaller

AI: It is now possible to set user and workstation names for non-administration-enabled installations as well. This has been done mainly because Gatekeeper will ask for user/workstation names if they are missing even in single user mode.

AI/Win32: After installing the Windows 95 Gatekeeper with Autoinst, Gatekeeper was unable to load right after the installation. This happened because Gatekeeper needs a certain registry setting to find some of its components; Autoinst would write the entry into the registry, but because of Windows 95's caching mechanism, the registry would be physically updated a few seconds later, meaning that Gatekeeper would not find this entry when being activated by Autoinst. The problem has been fixed by forcing Windows to write the registry changes to disk immediately after writing the entry there.

AI/Win32; F-Agent/Win95: Enabling Gatekeeper from F-Agent now makes sure that the known VxDs entry is present in the registry. Earlier versions required the Windows 95 Gatekeeper to be installed with either the Setup program, or with Autow32. This meant that users could not enable Gatekeeper even if the files had been installed by the automatic update via the communication directory.

New Viruses Detected by F-PROT


The following 28 viruses are now identified, but cannot be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but not identified accurately.

_180 Bugsb.282 Cascade.1701.AX Danish_Tiny.282 Measles.212 Nuts.360 Syskill.290 Trivial.29.G Trivial.31.E Trivial.32.D Trivial.32.E Trivial.32.F Trivial.32.G Trivial.34.D Trivial.35.B Trivial.35.C Trivial.36.E Trivial.37.D Trivial.37.E Trivial.37.F Trivial.38.C Trivial.44.F Trivial.44.G Trivial.60 Trivial.78.B Trivial.320 Vorbis.155 Vorbis.166

The following 336 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately.

_366 _497 _514 _600 _699 _768 _948 _1097 _1259 _1522 _2124 Aaa.807 Adi_Pop.470 Adi_Pop.485 Alho.676 AntiCad.3000 AntiCad.3012.G AOS.813 AOS.823 AOS.831 AOS.839 AOS.845 AOS.855 Arcv.746 Babyly.674 BadSize.369 Beer.3225 Beer.3434 Beer.3441 Beer.3522 Beer.3612 Beer.3774 Best_Wishes.981 Bishkek.319 Blazer.1000 Bootexe.451.B BR.1180 BW.304 BW.309 BW.323 BW.382 BW.384 BW.395 BW.399 BW.400 BW.402 BW.405.A BW.405.B BW.412 BW.414 BW.488 BW.493 BW.550 BW.551 BW.552 BW.558 BW.559 BW.562 BW.567.A BW.567.B BW.572 BW.573 BW.575 BW.577.A BW.577.B BW.577.C BW.579 BW.649 Bytewarr.1155 Caco.3310 Cascade.1701.AT Cascade.1701.AV Cascade.1701.AW Cascade.1701.AY Checkbox.936 Civil_IV.533 Civil_IV.837 Claire.821 Cliff.1313 CMOS_Death Cmosmess.3622 Cmosmess.3710 Croatia_II.560 Cuareim.800 Currar.1171 Dark_Avenger.1800.AD Dayton.792 Dear.524 Delta.1163 Diamond.1096 Diw.386 Diw.389 Diw.393 Diw.428 Diw.480 Diw.488 Diw.512 Diw.555 Diw.565 Diw.597 Diw.600 Dolong.1380 Drepo.2461 Dutch_tiny.98 DVA.437 DVA.443 DVA.445 DVA.490 DVA.640 DVA.749 DVA.753 Eastern_Digital.1700 Epsilon.513 Epsilon.1498 Equals.2221 Fax_Free.1024.Pisello.C Gerli.593 Ginger.2848 Glupak.847.C Gotcha.613 Gotcha.623 Hare.7610 Hare.7750 Hare.7786 Hera.1208 HLLP.5062 HLLP.5176 HLLP.6917 IBVV.742 Icelandic.642.D Icelandic.642.E Icelandic.1618.G Indonesia.2456 Insert.260 Intruder.459 Intruder.879 Intruder.956 Intruder.1347 Intruder.2028 IR&MJ IVP.335 IVP.336 IVP.475 IVP.495.B IVP.648 IVP.674.B Jerusalem.1349 Jerusalem.1808.Null.C Jerusalem.1808.Sumsdos.AW Jerusalem.2012 Jorgito.730 Jovial.503 June_24.570 Keeper.776 Khiznjak.507 Kobrin.492 Leech.1024.C Leech.D Leo Little.159 Little.268 LIttle_Boy.944 Lovebuzz.591 Lupus.866 Macav.1000 Mango.470 Marcia.4651 Markt.1548 Matador.832 Mathiew.2667 Mathiew.3044 Michael.1458 Mirea.703 Mrei.313 Natas.4826 Natas.4926 Nazgul.209 Necropolis.1963.E Nightking.1568 Oktubre.1784 Oolong.1380 Ornate Parity_Boot.C Parity_Boot.D Peligro.1206 Pepper.528 Power_Off.798 Probe.2140 Proto-T.690 PS-MPC.356.B PS-MPC.431 PS-MPC.432.B PS-MPC.433.A PS-MPC.433.B PS-MPC.440 PS-MPC.444.C PS-MPC.446.C PS-MPC.446.D PS-MPC.446.E PS-MPC.447 PS-MPC.448.A PS-MPC.448.B PS-MPC.466 PS-MPC.475.D PS-MPC.490.B PS-MPC.509.B PS-MPC.512 PS-MPC.513.C PS-MPC.513.D PS-MPC.513.E PS-MPC.518 PS-MPC.520.E PS-MPC.522.B PS-MPC.526.C PS-MPC.534.B PS-MPC.536.B PS-MPC.539 PS-MPC.580 PS-MPC.591.E PS-MPC.591.F PS-MPC.592.R PS-MPC.592.S PS-MPC.592.T PS-MPC.592.U PS-MPC.592.V PS-MPC.592.W PS-MPC.592.X PS-MPC.592.Y PS-MPC.592.Z PS-MPC.592.AA PS-MPC.592.AB PS-MPC.592.AC PS-MPC.592.AD PS-MPC.592.AE PS-MPC.592.AF PS-MPC.593.H PS-MPC.593.I PS-MPC.593.J PS-MPC.593.K PS-MPC.596.E PS-MPC.596.F PS-MPC.597.W PS-MPC.597.X PS-MPC.597.Y PS-MPC.597.Z PS-MPC.597.AA PS-MPC.597.AB PS-MPC.597.AC PS-MPC.597.AD PS-MPC.597.AE PS-MPC.597.AF PS-MPC.598.P PS-MPC.598.Q PS-MPC.598.R PS-MPC.598.S PS-MPC.600.C PS-MPC.601.B PS-MPC.611.U PS-MPC.618 PS-MPC.641.B PS-MPC.653 Rabbit.B Retaliator.1529 Riot.1409 Riot.1435 Romania.856 Rose Salieri.1745 Salman.2000 Sentinel.4638 Sepultura SillyC.90 SillyC.115 SillyC.147 SillyC.155.B SillyC.165 SillyC.187 SillyC.191 SillyC.200 SillyC.202 SillyC.212 SillyC.213 SillyC.215.C SillyC.224 SillyC.226.B SillyC.228 SillyC.335 SillyComp.219 SillyCR.59 Sineda.1208 Skater.819 Stdemo.803 Suriv_1.897.I Suriv_1.897.J Suriv_1.942 Timish.2132 Topper.1024.B Tsc.714 Tucuman.828 Tula.1540 Tula_II.1656 Ufro Umbrella.3173 Vacsina.1212.B VCC.269.B VCC.313.A VCC.313.B VCC.313.C VCC.313.D VCC.350.A VCC.350.B VCC.350.C VCC.350.D VCC.350.E VCC.350.F VCC.350.G VCC.350.H VCC.389 VCC.392 VCL.523 VCL.596 VCL.758 Viaggio.1051 Vienna.481 Vienna.502 Vienna.636 Vienna.637.B Vienna.639 Vienna.1278 Vota.591 Voyage.1134 WereWolf_III.1168 Xuxa.1984 Yankee_Doodle.1672 Yosha.975 Zarina.590 Zibbert.1268

The following 71 new viruses are now detected and identified but cannot yet be removed.

_699 _1587 _1730 AOS.794 AOS.802 AOS.812 AOS.820 AOS.826 AOS.832 AOS.844 AOS.851 AOS.860 Bladder.1015 BW.548 BW.630 BW.634 BW.637 BW.640 BW.641 BW.642 BW.648.A BW.648.B BW.649.B DBCE.3403 Doubleheart.645 Edwin Enjoy.1667 Father_Mac.784 Father_Mac.794 Father_Mac.833 Father_Mac.1437 Father_Mac.1446 Father_Mac.1495 Father_Mac.1508 Father_Mac.1531 Father_Mac.1534 Father_Mac.1579 Father_Mac.1622 Gosha.1831 Httm.580 INT_12 IVP.667 IVP.683.B IVP.814 Kvapavka.879 Lyubasha.381 Majkl.1432 Majkl.1503 Mathiew.2667 Mathiew.3044 Moonlite.343 Ninja.1195 Number_of_the_Beast.512.AD Ornate Prdevil.716 Ratboy.463 Seat.2419 Shff.4509 Skvernuk.599 Small_comp.100.C Topper.1024 Ufo.1468 VCC.424 Veronika.1549.B Voyager.508 Walhala.1283 Wildy.399 Wildy.402 Wildy.421 Xute.1182 Zub.792

The following 1 new virus is now detected, but not identified. F-PROT will just report the family name with a (?) or report the virus as "New or modified variant", as it is not yet able to determine which variant it is dealing with. Disinfection of this virus is not yet possible.

Tentacle_II

The following 9 viruses which were identified by earlier versions can now be removed.

Caco.2965 Dementia.4207 Legozz.1000 Pojer.1919 Pojer.1935 Pojer.1941 Pojer.1949 Werewolf.1500.A Werewolf.1500.B

The following viruses have been renamed.

_1315 -> Zibbert.1315
_2965 -> Caco.2965
