



F-PROT Professional 2.25 Update Bulletin

CONTENTS BRIEFLY

Contents 4/96

- The F-Secure Encryption Software Family Wins the First Prize in European Union's Information Technology Competition
- F-Secure Was Selected 'Product of the Year' by the Biggest Scandinavian IT Magazine
- 200 Word Macro Viruses
- The Global Virus Situation
  - WordMacro/Wazzu Running Free
  - The Microsoft Factor
  - WordMacro/Bandung
  - WordMacro/NPad
  - Price
  - Alfons
  - MultiAni
  - HLLC.Plane
- Hoax alert
- Common Questions and Answers
- GENERIC DISINFECTION (Peter Szor)
- Changes in F-PROT Professional Version 2.25
  - Changes in F-PROT for DOS
  - Changes in F-PROT for Windows
- New Viruses Detected by F-PROT


F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-9-478 444, Fax +358-9-478 44 599
E-mail: F-PROT-Support@F-Secure.com, WWW: http://www.F-Secure.com/

This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.25, is mentioned. Copyright (c) 1996 F-Secure Ltd.




The F-Secure Encryption Software Family Wins the First Prize in European Union's Information Technology Competition


Never before in its history had F-Secure gained such international recognition as it did in November, when the Chairman of the Commission Jacques Santer handed the first prize of the European Union's Information Technology Competition ITEA to the representative of Data Fellows. The ITEA competition is a continent-wide information technology competition. This year, 253 products from 25 European countries were submitted to the competition. 25 companies were selected for the finals, among them such enterprises as Nokia, IBM, Hewlett-Packard and Siemens-Nixdorf. F-Secure took part in the competition with its new encryption products.

At the moment, there is a great need for encryption and strong user authentication in global networks. Electronic business, Intranet systems and public official services on the WWW cannot become more common unless good implementations based on strong cryptography are brought to the market. It is estimated that, by 1997, there will be 75 million users connected to the Internet. More than 50 million of these users will be newcomers, having joined the Internet during 1996. According to estimates made by different consulting companies, the number of Internet users will double during 1997, reaching 150 million. Furthermore, a recent study by the Yankee Group shows that business-to-business Internet commerce will surge to $134 billion by 2000.

The major obstacle to the realisation of these projections is the lack of data security on the Internet. As trade barriers vanish, security becomes vital world-wide, especially in electronic commerce and on Intranets. Firewalls are not able to secure transactions made over publicly accessible networks such as the Internet.

Initially, there will be five different F-Secure products. F-Secure SSH is client-server software which makes it possible to create strongly authenticated and encrypted terminal connections from Unix, Windows, OS/2 and Macintosh computers to Unix servers. F-Secure SSH can also be used to create secure X11 connections and to tunnel freely selected TCP/IP protocols between computers. For example, the software can be used to encrypt an ODBC connection between an Excel spreadsheet and an Oracle database.

F-Secure VPN is an encrypting router which makes it possible to construct Virtual Private Networks over untrusted public networks. The product can be used to connect a company's LANs located in different offices to each other with encrypted and authenticated tunnels. In such a solution, all network packets transferred between offices will be automatically encrypted, regardless of which applications and protocols are used.

F-Secure Commerce is used for securing HTTP connections, i.e. the connections between a WWW server and client software. With F-Secure Commerce, it is easy to construct secure public services, such as banking, insurance and official services. By using the product's Intranet version, it is possible to create secure Intranet systems such as management information systems.

By using F-Secure Desktop, a PC user can easily and effortlessly encrypt files on the computer's hard disk. The Desktop software is ideal for laptop users, for it ensures that the information on the hard disk remains secure even if the computer is stolen or lost.

F-Secure Was Selected 'Product of the Year' by the Biggest Scandinavian IT Magazine


The biggest Scandinavian IT magazine, MikroPC, selected F-Secure as the 'Software Product of the Year'. MikroPC selects four 'Products of the Year' annually: two PC hardware products, one networking product, and one PC software product. A jury of the most respected Scandinavian PC professionals selects the winners among all the new products of the global industry. So the jury considered F-Secure to be more important than, for instance, Microsoft Office 97 or Windows CE. More information about the F-Secure products can be found on our WWW server, or by contacting our local distributor. Trial versions of our F-Secure SSH and Desktop programs can also be freely downloaded from our WWW server.

200 Word Macro Viruses


The number of known Microsoft Word macro viruses has risen quickly. The first Word macro virus was found in August 1995. By the end of 1995, we were aware of only five Word macro viruses. During the summer of 1996, new macro viruses started to appear rapidly. By the time this bulletin was published, three new macro viruses were being found every day globally, and the total number of Word macro viruses was approaching 200. It should be noted that a large percentage of known macro viruses are actually the result of random corruption: Word quite often corrupts a part of the macro area of a document, and the result can be a still functional variant of the virus that infected the document.
[Figure: Number of Word macro viruses is growing quickly]
The first common macro virus, WordMacro/Concept, was only able to replicate under English versions of Word. For many, this created the misconception that all macro viruses will fail to operate under localised versions of Word. Unfortunately, this is not true. In fact, about half of the currently known Word macro viruses operate under any language version of Word. In addition to that, there are dozens of macro viruses that operate only under some particular non-English version of Word. For example, here is a chart of macro viruses that require a specific language version of Word in order to replicate:

    Language    Number of viruses
    Dutch        1
    French       1
    Italian      2
    Chinese     15
    German      17

Actually, most of the Chinese macro viruses have been written in Taiwan. It is quite surprising that no macro viruses specific to, for example, Spanish or Swedish versions of Word have been found. This doesn't necessarily mean that no macro viruses have been written in these countries, as such macro viruses could have been written to work in any language version of Word.

The Global Virus Situation



WordMacro/Wazzu Running Free


Microsoft has accidentally spread the WordMacro/Wazzu virus several times during the last weeks. WordMacro/Wazzu is a macro virus which spreads when infected files are exchanged between computers. When such a document is opened in Word 6 or 7, the virus executes and infects Word's global template (NORMAL.DOT). After this, the virus spreads to other documents that are opened or created. Wazzu consists of a single AutoOpen macro; this makes it language independent, i.e. this macro virus is able to infect localised versions of Word as well as the English version. Unlike most other macro viruses, Wazzu has really been seen in the wild, and it is considered common nowadays. Wazzu is a harmful macro virus: it modifies the contents of the documents it infects, moving words around and occasionally inserting the text 'wazzu ' at a random location in the document. The word 'Wazzu' is reported to be a nickname for Washington State University. F-PROT detects and disinfects the WordMacro/Wazzu virus.

The Microsoft Factor


The September edition of the Microsoft SPCD (Solution Provider CD) had a single Word document infected with WordMacro/Wazzu.A. This CD was distributed internationally to Microsoft partners. The infected file on this CD is \sia\mktools\case\ed3905a.doc. Microsoft distributed Wazzu.A also during the Swiss ORBIT conference on another CD called Letz Fetz on the Netz, in a document called hotl95d.doc. An infected document was available for download on Microsoft's WWW site in the http://www.microsoft.com/switzerland/ hierarchy for several days, possibly weeks. This file has now been cleaned.

WordMacro/Bandung


Bandung is a Word macro virus that has become common recently. WordMacro/Bandung consists of six macros: AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro and ToolsCustomize. The virus is language dependent, i.e. it is able to spread only under the English version of Microsoft Word. The macros are not encrypted, but they can NOT be viewed from the Tools/Macro menu, since the virus replaces that menu command with its own macro. After the 19th of every month, when the time is after 10:00, the virus activates. At this time, it displays a dialog which says:

    Reading menu...Please wait !

After this, the virus deletes most of the files on drive C: and creates a file called C:\PESAN.TXT. The file contains the following text:

    Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang berhasil menemukan cara menangkal virus ini, saya akan memberi listing virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat ! Bandung, Tueday, 26 November 1996, Jam: 11:24.

The text is in Indonesian; in English it reads roughly: 'You seem to be out of luck: all files on this machine, except those in the WINDOWS and WINWORD directories, are gone. Don't be surprised, this was not your doing but the result of my work... Whoever manages to find a way to counter this virus, I will give you the listing of this virus!!! And of course I will keep coming back here to greet you with my newest viruses... congratulations! Bandung, Tuesday, 26 November 1996, Time: 11:24.'

The virus also has a routine which replaces all 'a' letters in the current document with the string '#@'. In addition to being in the wild in Asia, Bandung was also found in Norway in November 1996.

WordMacro/NPad


WordMacro/NPad consists of a single AutoOpen macro; this makes it language independent, i.e. this macro virus is able to infect localised versions of Word as well as the English version. The AutoOpen macro is encrypted and cannot be viewed from the Tools/Macro menu. NPad has apparently been written in Indonesia: it contains the texts:

    D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia
    Macro MsWord virus, multiplatform, multi versi

NPad adds an entry to WIN.INI (or the Registry) under Windows and uses it as a generation counter. When the virus has replicated 23 times, it scrolls the above 'D0EUNPAD94' text on Word's status bar and resets the counter to zero. WordMacro/NPad was reported to be in the wild in Europe during late 1996. NPad and Bandung may have been written by the same author.

Price


The Price virus, also known as 'Fischer Price 96', was spread in a file called ftplist.zip on the Internet during the fall of 1996. When an infected program is run, the virus infects one COM program in the current directory and stays resident in memory. Every now and then it puts the text 'Fischer Price 96' into the keyboard buffer. Otherwise the virus only replicates. There is no way to disinfect this virus: infected files have to be replaced with clean copies.

Alfons


Alfons is a 1344-byte destructive virus which was reported to be heavily in the wild in Israel early in 1996. It was also found in the wild in Finland in December 1996. The virus activates on random dates. When this happens, it displays the following text and overwrites drive C:

    Alfons ! Synchronizing drive C: (Do not interrupt this operation !): 100% Done.

A later, 1536-byte variant is also known. Alfons is also known by the names Alfo and Iuta99.

MultiAni


This Romanian boot virus was found in the wild in Italy, Romania, the Czech Republic and Finland in December 1996. The virus does not infect the MBR areas of hard disks; instead, it infects the DOS boot sectors. MultiAni can spread only on diskettes. The only way to get an infection from an infected diskette is to attempt to boot from it. After this, all diskettes used in the infected machine will get the infection. The virus replaces the DOS boot sector with a new copy which is almost identical to a clean boot sector; only a few bytes differ. The rest of the virus is stored later on the first track (on hard disks) or in the root directory area (on diskettes). MultiAni activates randomly in December. When it activates, it enters a perpetual loop where it displays this text over and over again:

    La multi ani ! La multi ani ! La multi ani !

'La multi ani' is Romanian and means 'Happy birthday' (literally 'many years'). The virus contains no directly destructive code.

HLLC.Plane


This companion virus is written in Turbo Pascal and is 8304 bytes in size. When an infected file is executed, the virus locates random EXE files and copies itself into the same directory with them, under the same name but with a COM extension. Later on, these copies get executed when users run the programs without specifying the extension, because DOS looks for a .COM file before an .EXE file of the same name. The companion files created by the virus are always 8304 bytes in size, and they are visible in directory listings normally. This virus does not stay resident in memory. HLLC.Plane activates at random. When it activates, it shows a character-based animation of a red plane flying past the screen and dropping a parachute in the middle of the screen. HLLC.Plane was reported to be in the wild in Northern Europe in December 1996.



Hoax alert


There have been a lot of widespread virus hoaxes and false alerts lately. The Good Times hoax, warning about a non-existent e-mail virus, has been going around for two years already. Several similar hoaxes have followed, including Irina, Penpal Greetings, PKZIP300 and Deeyenda Maddick. Here's an example of an authentic Deeyenda Maddick hoax warning, as passed on via e-mail on the Internet:


  ******** VIRUS ALERT ******

  VERY IMPORTANT INFORMATION: PLEASE READ !

  There is a computer virus that is being sent across the Internet. If you
  receive an email message with the subject line "Deeyenda", DO NOT read the
  message, DELETE it immediately. Please read the messages below. Some
  miscreant is sending email under the title "Deeyenda" nationwide, if you
  get anything like this DON'T DOWNLOAD THE FILE! It has a virus that
  rewrites your hard drive, obliterating anything on it. Please be careful
  and forward this mail to anyone you care about.

  FCC WARNING !!!!! ----- DEEYENDA PLAGUES INTERNET ----

  The internet community has again been plagued by another computer virus.
  This message is being spread throughout the internet, including USENET
  posting, EMAIL, and other interent activities.. The reason for all the
  attention is because of the nature of this virus and the potential security
  risks it makes. Instead of a destructive trojan virus (most viruses!), this
  virus, referred to as Deeyenda Maddick, performs a comprehensive search on
  your computer, looking for valuable information, such as email and login
  passwords, credit cards, personal info, etc. The Deeyenda virus also has
  the capability to stay memory resident while running a host of applications
  and operation systems, such as Windows 3.11 and Windows 95.

  What this means to internet users is that when a login and PASSWORD are
  sent to the server, this virus can COPY this information and SEND IT OUT TO
  AN UNKNOWN ADDRESS (varies).

  The reason for this warning is because the Deeyenda virus is virtually
  undetectable. Once attacked, your computer will be unsecure. Although it
  can attack any O/S, this virus is most likely to attack those users viewing
  Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet Explorer 3.0+
  which are running on Windows 95) . Researchers at Princeton University have
  found this virus on a number of World Wide Web pages and fear its spread.

  Please pass this on, for we must alert the general public at the security
  risks.

The only way to fight these hoaxes is to pass the word on them and to try to stop other users from sending them further. However, as we can see from the Good Times hoax, this can be very difficult.

Another recent hoax was a warning about a virus on the Microsoft home page. This nasty hoax was distributed on several mailing lists and in Usenet news, and the message was falsely attributed to a member of the F-PROT Professional Support team.

This false warning urged people to stay off Microsoft's home page and to avoid using Microsoft Internet Explorer, because the 'Microsoft home page is possibly infected by a virus'. This was nonsense.

In addition to the traditional e-mail chain letter hoaxes, several innocent programs have received lots of publicity lately as they have been accused of being trojans or viruses.

The first example of these programs was GHOST.EXE. This is a Windows demonstration program which displays a graveyard and a set of ghosts in a window. On Friday the 13th, the window title changes to 'Happy Friday the 13th!' and the ghosts start flying around the Windows desktop. This program was analysed and found harmless.


[Figure: GHOST.EXE false alarm]

SHEEP.EXE is a program which creates a cute animation of a little sheep which wanders around the screen, eats, sleeps, jumps etc. There were several widespread warnings that this program was a trojan or a virus, but after SHEEP.EXE and SCMPOO16.EXE samples were analysed, the program was found innocent. However, during the analysis the original Japanese author of this program was contacted, and it turned out that SHEEP.EXE is a commercial program and should not be passed on between users.


[Figure: SHEEP.EXE or SCMPOO16.EXE false alarm]

EYES.EXE or WINEYES.EXE caused alarms similar to GHOST and SHEEP: it's a simple demo program which has created a lot of warnings. This program was analysed and found harmless.


[Figure: EYES.EXE false alarm]

Naturally, whenever any program is declared clean, there's a risk that somebody will take the file and infect it, since people will now trust it. To reduce this risk, you can verify the files against the 32-bit CRCs of the confirmed clean versions (as displayed by PKUNZIP):


Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
------  ------   ----- -----   ----    ----   -------- ----  ----
317792  DeflatN 117014  64%  09-12-96  08:25  683ae9da --w-  SHEEP.EXE
317088  DeflatN 116749  64%  03-12-96  22:17  3662678a --w-  SCMPOO16.EXE
 28096  DeflatN  14145  50%  30-10-96  13:20  5dce8738 --w-  GHOST.EXE
 28064  DeflatN  14142  50%  13-11-96  13:45  a6839c30 --w-  GHOST2.EXE
 28065  DeflatX  14121  50%  11-22-96  12:11  f47d5cbd --w-  GHOST3.EXE
 54048  DeflatX   9157  84%  11-15-96  14:42  ba2cda0b --w-  EYES.EXE
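Checking a file against the PKUNZIP listing above, as an added example that is not part of the original bulletin. The manifest values are copied from the listing; the file contents used in the demonstration are constructed stand-ins, since the real files are not on this page. zlib's crc32 uses the same polynomial, initial value and final XOR as PKZIP, so its values are directly comparable with the listing. The second half shows the caveat a practitioner would want: CRC-32 is a linear checksum, not a cryptographic hash, so anyone who can rewrite four bytes the program never executes (here, simply the last four bytes) can make a modified file match both the length and the CRC. A listing meant to prove a file clean should carry a cryptographic hash such as SHA-256 as well.

```python
import hashlib
import zlib

# Length and CRC-32 of the confirmed clean files, copied from the PKUNZIP
# listing above: name -> (length in bytes, CRC-32).
CLEAN_MANIFEST = {
    "SHEEP.EXE":    (317792, 0x683AE9DA),
    "SCMPOO16.EXE": (317088, 0x3662678A),
    "GHOST.EXE":    (28096,  0x5DCE8738),
    "GHOST2.EXE":   (28064,  0xA6839C30),
    "GHOST3.EXE":   (28065,  0xF47D5CBD),
    "EYES.EXE":     (54048,  0xBA2CDA0B),
}


def pkzip_crc32(data: bytes) -> int:
    """CRC-32 as printed by PKUNZIP (reflected 0xEDB88320, init and final XOR
    0xFFFFFFFF); zlib implements exactly this variant."""
    return zlib.crc32(data) & 0xFFFFFFFF


def matches_manifest(name: str, data: bytes, manifest=CLEAN_MANIFEST) -> bool:
    """The check the bulletin proposes: length and CRC-32 must both match."""
    length, crc = manifest[name]
    return len(data) == length and pkzip_crc32(data) == crc


# --- Why length + CRC-32 is not tamper-proof ---------------------------------
# The CRC is linear over GF(2), so four freely chosen bytes anywhere in the
# file are enough to force any CRC value. This is the standard table walk.

_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# Each table entry has a unique top byte, so the top byte identifies the index.
_INDEX_BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(_TABLE)}


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that pkzip_crc32(data + suffix) == target."""
    # Walk the CRC register backwards from the wanted final state. At each of
    # the four steps only the table index matters, and it is revealed by the
    # top byte of the register at that point.
    state = target ^ 0xFFFFFFFF
    indexes = [0, 0, 0, 0]
    for i in (3, 2, 1, 0):
        indexes[i] = _INDEX_BY_TOP_BYTE[state >> 24]
        state = ((state ^ _TABLE[indexes[i]]) << 8) & 0xFFFFFFFF
    # Now run forwards from the real register value after `data` and choose
    # the byte that produces the required table index at each step.
    reg = zlib.crc32(data) ^ 0xFFFFFFFF
    out = bytearray()
    for idx in indexes:
        out.append((reg ^ idx) & 0xFF)
        reg = _TABLE[idx] ^ (reg >> 8)
    return bytes(out)


def forge_same_length(data: bytes, target: int) -> bytes:
    """Overwrite the last 4 bytes so that length and CRC-32 both match `target`
    (a real attacker would pick four bytes the program never uses)."""
    return data[:-4] + crc32_suffix(data[:-4], target)


def sha256_hex(data: bytes) -> str:
    """What a manifest should carry instead of, or beside, the CRC-32."""
    return hashlib.sha256(data).hexdigest()
```

Run matches_manifest on the downloaded file to reproduce the bulletin's check; then note that forge_same_length turns any altered copy back into one that passes it, while sha256_hex still tells the two apart.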




Common Questions and Answers

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly by telephone at +358-0-478 444. Written questions can be mailed to:

F-Secure Ltd
F-PROT Support
Päiväntaite 8
FIN-02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

 Internet: F-PROT@F-Secure.com
 X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet, C=fi
 Elisa: Hyppönen Mikko



F-PROT found a virus in the file SUHDLOG.DAT. No other infections were detected. What is going on here? I'm running Windows 95 on my computer.

        At the time Windows 95 was installed, your computer was infected by a boot sector virus. During the installation, Windows 95 replaced the infected boot sector with a clean one, and thus removed the infection at the same time. However, during a Windows 95 installation, the previous boot sector is stored in the file SUHDLOG.DAT.

        This file is harmless in itself, but if Windows 95 is uninstalled by using the UNINSTALL function, the previous boot sector will be restored - along with the virus. Therefore, the infected SUHDLOG.DAT should be deleted from the hard disk.

For some reason, my hard disk has been named 'Ap'. It seems that I cannot change the name. I'm running Windows 95.

        Windows 95 supports long file names, but at the same time it is compatible with older versions of DOS. This has been accomplished by storing the long names in additional directory entries that carry the volume label attribute. Normally, a disk holds only one such entry, the one that holds the disk's name.

        The additional entries cause no inconvenience, unless the disk had not been given a name before the installation of Windows 95. In such cases, an older DOS tool that looks for the first entry with the volume label attribute picks up a long name entry instead and shows its first bytes as the label, so the disk appears to be named 'Ap' or 'Af' or something of the kind. This is annoying but hardly dangerous.

I heard about 'The Year 2000 virus'. What is it? Does F-PROT protect me from it?

        No, F-PROT does not protect you from it.

        There is no virus of this name. The media sometimes talks about the 'Year 2000 virus' when referring to the problems computers will encounter when the two last digits of the current year change to 00 on the 1st of January, 2000.

        For example, many programs calculate the age of a person by subtracting the two-digit birth year from the two-digit current year (for instance, 97-65 = 32, so the person is 32 years old). Such a calculation on January 1st, 2000 would give the answer that the person in our example is -65 years old.

        More information about these problems is available on the web at http://www.year2000.com/






GENERIC DISINFECTION


This paper was presented by Peter Szor at the International Virus Bulletin '96 conference. Peter works as a senior virus analyst at F-Secure Ltd.

1 INTRODUCTION

Traditionally, anti-virus scanners have only been able to disinfect viruses that have been analysed beforehand by product developers. Around 10,000 viruses have been found during the past 10 years. So far, producers of anti-virus products have been pretty much able to keep up with the new viruses, adding detection and disinfection routines for most new viruses. We can expect this situation to change in the future: when there are, say, 50,000 viruses, no vendor will be able to analyse every single virus separately. As the number of viruses keeps on growing, more and more viruses are only detected, as the developers do not consider every virus to be important enough to add specific disinfection routines for it. Unfortunately, some users will eventually get infected by such a virus.

It is possible (but more difficult) to disinfect unknown viruses. There are several approaches to this problem: one known method is to trace the execution of a possibly infected program until the virus has restored the host to its original state. This method works, but cannot be considered truly reliable. An alternative is to emulate the program and collect information on its execution, using this information together with generic rules to do rule-based disinfection. Although this is difficult to implement, it produces surprisingly good results.

How many viruses can be removed this way? Testing a generic disinfector is a very difficult task. Testing how many particular viruses it can handle does not make sense, because it is a generic anti-virus product. It is more important to test how many different types of viruses we can handle by using these kinds of methods. However, a figure of 60% is quite possible. Most anti-virus programs do not even come close to this percentage (for example, my old program, called Pasteur).
2 HOW A VIRUS INFECTS A PROGRAM

Before we can talk about generic disinfection, we should understand how a virus infects a program. In most cases, a virus adds itself to the end of a file. If this is the case, the virus modifies the beginning of the program to transfer control to itself. Unless the virus is very primitive, it saves the beginning of the file within the virus code, because it will be necessary to execute the victim file correctly after infection. This technique is called the `appending' method.

    CODE CODE CODE CODE CODE CODE CODE CODE CODE
    CODE CODE CODE CODE CODE CODE CODE CODE CODE
    CODE CODE CODE CODE CODE CODE CODE CODE CODE
    a. Victim program

    J ODE CODE CODE CODE CODE CODE CODE CODE CODE       C
    M ODE CODE CODE CODE CODE CODE CODE CODE CODE VIRUS C
    P ODE CODE CODE CODE CODE CODE CODE CODE CODE       C
    b. Infected program

Every virus adds new functionality to the victim. The infected victim will execute the virus code, which will infect other files or system areas or go resident in memory. After this, the virus code repairs the beginning of the victim in memory and starts it. This sounds very simple, and it is, at least from the point of view of the virus: it modifies a few bytes in the victim file and saves a piece of the file's original code into the virus body (in this example: `CCC').

When we started to analyse viruses, there were no problems with conventional disinfection. We had enough time to analyse them, because there were only a few viruses. We could spend weeks with every new sample until we had all the information necessary to clean them successfully. Basically, the cleaning process is as easy as the infection. All we need to know is:

- how to find the virus (in most cases, with a search string selected from the virus)
- where the original beginning of the victim file (`CCC') can be found in the virus body
- the size of the virus in bytes.
If we have all this information, we can remove the virus easily: `Let's read the original beginning from the virus code and put it back in its original place, then truncate the file at its original end, calculating where this is from the virus size'. That's it!

This method might have been interesting in the case of the first ten viruses, but everybody who has spent years with viruses hates it: it is just too tedious. So, we developed `goat' systems to make virus samples automatically. These systems save time. We can calculate the place of the original bytes in the virus body by comparing many infected samples to non-infected ones, using a special utility. This system works as long as the virus is not encrypted, self-mutating, or polymorphic. Of course, it must not have an anti-goat mechanism or a new infection technique which our disinfector does not know how to handle. If one of these problems occurs, we will have to analyse the virus manually. If we are lucky, that is enough. If not, we will have to change our anti-virus strategy by adding new functions to it, or by modifying already existing ones. This can take a lot of time, and is therefore not efficient enough.

3 GENERIC DECRYPTORS

Most of the better anti-virus products have a generic decryptor to combat polymorphic viruses, so it appears we can solve the biggest problem that way. We can decrypt the virus so we can use the old search-string technique once again: this is great. Basically, the generic decryptor method is a part of the generic disinfection technique. There are two different generic decryptor methods: single-stepping (by using Int 01h, Int 03h) and emulating. Unfortunately, each has both advantages and disadvantages.

3.1 SINGLE-STEPPING METHOD

Single-stepping is based on the Int 01h function. It is generated automatically by the processor at the end of each machine instruction if the trap flag (TF) in FLAGS is set. This is what makes the T command of DEBUG work for single-stepping.
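The conventional cleaning recipe and the goat-sample analysis of section 2 above, as an added example that is not part of Peter Szor's paper. The "virus" is a constructed model of a primitive appending COM infector: it plants a 3-byte JMP at the entry point (the J M P in figure b) and keeps the three original bytes (the C C C) at a fixed offset inside a dummy body. SIGNATURE, SAVED_OFFSET, VIRUS_LEN and the goat files are all hypothetical. locate_saved_header derives two of the three facts the paper lists (where the original beginning is kept, and the virus size) by comparing clean and infected goat files, and refuses when the samples disagree, which is what happens with an encrypted or polymorphic virus.

```python
import struct

# Constructed model of a primitive appending COM infector. Nothing here is
# real virus code: the body is a dummy buffer carrying only a search string
# and the saved host bytes.
HEADER_LEN = 3                    # the JMP planted at the entry point is 3 bytes
SIGNATURE = b"\xB4\x4C\xCD\x21"   # hypothetical search string (MOV AH,4C / INT 21)
SAVED_OFFSET = 6                  # hypothetical: where the body keeps the 3 original bytes
VIRUS_LEN = 64                    # hypothetical body length


def model_infect(host: bytes) -> bytes:
    """Append the dummy body and patch the entry point with a JMP to it."""
    body = bytearray(VIRUS_LEN)
    body[0:len(SIGNATURE)] = SIGNATURE
    body[SAVED_OFFSET:SAVED_OFFSET + HEADER_LEN] = host[:HEADER_LEN]
    # JMP rel16 is relative to the instruction after the jump, so the distance
    # to the body (which starts at len(host)) is len(host) - 3.
    jmp = b"\xE9" + struct.pack("<H", (len(host) - HEADER_LEN) & 0xFFFF)
    return jmp + host[HEADER_LEN:] + bytes(body)


def locate_saved_header(pairs):
    """Goat analysis: from (clean, infected) pairs of one virus, derive the virus
    size and the single body offset that always holds the original header.
    Works only for a plain, unencrypted appender; anything else is refused."""
    virus_len = None
    candidates = None
    for clean, infected in pairs:
        size = len(infected) - len(clean)
        if size <= 0 or infected[HEADER_LEN:len(clean)] != clean[HEADER_LEN:]:
            raise ValueError("sample is not a plain appending infection")
        if virus_len is None:
            virus_len = size
        elif size != virus_len:
            raise ValueError("virus size varies between samples: analyse manually")
        body = infected[len(clean):]
        header = clean[:HEADER_LEN]
        hits = {i for i in range(virus_len - HEADER_LEN + 1)
                if body[i:i + HEADER_LEN] == header}
        # only an offset that matches in every sample can be the saved header
        candidates = hits if candidates is None else candidates & hits
    if not candidates or len(candidates) != 1:
        raise ValueError("no unique offset for the saved header: analyse manually")
    return candidates.pop(), virus_len


def disinfect(infected: bytes, saved_offset: int, virus_len: int) -> bytes:
    """Conventional cleaning with the three facts the paper lists: find the virus
    by its search string, copy the saved header back, truncate at the original end."""
    if len(infected) <= virus_len:
        raise ValueError("file is shorter than the virus: not infected")
    original_len = len(infected) - virus_len
    body = infected[original_len:]
    if SIGNATURE not in body:
        raise ValueError("search string not found: not this virus")
    header = body[saved_offset:saved_offset + HEADER_LEN]
    return header + infected[HEADER_LEN:original_len]


# Constructed goat files: tiny COM-like programs with distinct first bytes.
GOATS = [
    b"\xB8\x00\x4C\x90\x90\x90\xCD\x21",          # MOV AX,4C00 / NOPs / INT 21
    b"\xEB\x05\x90\x90\x90\x90\x90\xC3" * 2,      # JMP short / NOPs / RET
    b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" * 3,      # MOV AH,09 / MOV DX / INT 21 / RET
]


def demo() -> bool:
    """Infect the goats, derive the cleaning parameters, restore every host."""
    pairs = [(g, model_infect(g)) for g in GOATS]
    saved_offset, virus_len = locate_saved_header(pairs)
    return all(disinfect(inf, saved_offset, virus_len) == g for g, inf in pairs)
```

Because the body is the same in every sample except for the saved header, the intersection of candidate offsets collapses to one value; a virus that encrypts its body or moves the saved bytes around defeats this and, as the paper says, has to be analysed by hand.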
If we are using the single-stepping method, we do not need to develop a processor emulator. We need not care which kind of operating system must be emulated, because we can use the current one by calling the harmless interrupts directly from the system. But the main question is: which interrupt is harmless? We should also know which code is not dangerous. What can we do if the virus is using anti-debugging techniques and we start to execute it in a controlled way? What can we do if the virus uses an instruction which is simply buggy on the current processor? For example: the Finnpoly virus pushes its decryptor to the stack and starts to execute it by a CALL SP instruction. This instruction works on every Intel processor except the 386DX and 386SX, where the CALL goes to offset FFFF instead of the current value of the SP register. So if we start to trace the virus by using Int 01h on a 386 system, the virus will crash, together with the analyser. Yes, a virus like this cannot infect our environment, because it will not work on it. But what happens if we are scanning files on the network in a case like this? And finally, what happens if the `controlled' environment is buggy? In this case, the virus writer has a chance to write a virus which can escape from the analyser; and that is where we should stop for a second. We should not execute the virus in a controlled way, because we cannot be 100% sure that the virus cannot escape from the analyser.

3.2 EMULATING METHOD

Implementing a real processor emulator requires much more work than using the single-stepping method. The first question is: which processor should be emulated? If we think about it, the answer is very easy: most good anti-virus packages will still work on an XT. Why? Because most viruses do not use instructions from processors other than the 8086, which means that if we are developing only 286 (or higher) products we cannot find viruses on an XT.
I am sure most of the developers have not seen an XT machine in the last five years, but many people still use them: that is why we cannot change our system fast enough. Unfortunately, some viruses need a 286 or a 386 to work. If a virus uses 386 code, it cannot spread on an XT or on a 286. The 286 is still a very common platform, especially in east-European countries. Thus, to summarise, we should develop an emulator which can emulate 8086, 286, and 386 code. This should be sufficient for a long time.

Most anti-debugging tricks are based on prefetch queue tricks, or on the use of Int 01h and Int 03h. If we have an intelligent emulator, then we do not have a big problem with such anti-debugging techniques. We can avoid or emulate them. However, there are other problems involved with emulating. Basically, the biggest question is: where should we stop in the emulating process? At first glance, it does not seem too difficult. The answer is: we should stop when we have decrypted the virus. Unfortunately, this process is quite difficult. Every encrypted or polymorphic virus has a different decryptor size, which means we need to emulate different numbers of instructions. One virus might need 1000 instructions to be emulated and decrypted, while another may need a few million. Virus writers understood this, so they started to use tricks against generic decryptors and heuristic analysers. One `dirty trick' is the use of loops before the real decryptor comes:

    1112 MOV  CX,FFFF
    1115 LOOP 1115

Let's say the analyser starts to emulate the first 2000 instructions. If it finds some suspicious code, then it can emulate more. If the analyser cannot recognise a loop, however, then it cannot find the virus, because it will stop before the loop has finished and the real virus code has started. Fortunately, good emulators can handle this situation easily. There are other anti-emulating tricks which we must also be able to handle.
Every emulator stops when it recognises that the program returns to DOS. In the following examples, we can see that virus writers have started to use this behaviour in their tricks:

CMOSDEAD.3622 virus

    011A 8DBC2B01   LEA DI,[SI+012B]
    011E B80812     MOV AX,1208     ; DECREMENT SYSTEM FILE TABLE
    0121 CD2F       INT 2F          ; REFERENCE COUNT, but DI points to 12B
    0123 051901     ADD AX,0119
    0126 8BD0       MOV DX,AX
    0128 B9B30D     MOV CX,0DB3
    012B B44C       MOV AH,4C
    012D CD21       INT 21

Int 2Fh/AX=1208 is a DOS 3+ internal function. It decrements one byte where ES:DI points. If the emulator does not emulate this interrupt, then it will stop at 012D, because it thinks the program returns to DOS. Here, DI points to 012B, which means that this interrupt decrements the byte at 012B from B4h to B3h. So the MOV AH,4C instruction at 012B changes to MOV BL,4C (which happens to be the `Are you there' call of this virus).

Letter_H.665 virus

    05E3 B80035     MOV AX,3500
    05E6 CD21       INT 21
    05E8 8D941502   LEA DX,[SI+0215]
    05EC B80025     MOV AX,2500
    05EF CD21       INT 21
    05F1 40         INC AX
    05F2 B80000     MOV AX,0000
    05F5 F7F0       DIV AX
    05F7 B8014C     MOV AX,4C01
    05FA CD21       INT 21

Interrupt 0h (internal hardware) is automatically called after DIV or IDIV operations that result in an error or overflow. Normally it is set by DOS to display an error message and abort the current program. This virus hooks Int 00h before it deliberately performs a division by zero at 05F5h, which means it can start the full infection process from Int 00h.

There are many other problems with the emulating method, but it is a much safer technique than single-stepping. Unfortunately, emulation is slow: users will not be pleased if they have to wait for any length of time. It does not help to say `our product is based on emulation, please wait a few hours', because the users will choose other, faster anti-virus packages.
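To make the two tricks above concrete (the empty LOOP before the decryptor and the Int 2Fh/AX=1208 self-modification of CMOSDEAD), here is a small 8086-subset emulator added to this bulletin as an illustration; it is not AHD's code nor part of any F-Secure product. The samples are hand-assembled byte strings constructed for the test (the CMOSDEAD fragment is placed at the addresses of the listing, followed by a marker MOV BX,1234 and a real DOS exit), only the opcodes those samples use are implemented, and the Letter_H Int 00h hook is not modelled.

```python
class Stop(Exception):          # raised when the emulator decides `execution' is over
    pass

class MiniEmu:
    """8086-subset emulator: only the opcodes the samples below use."""
    R16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

    def __init__(self, code, fold_loops=True, model_int2f=True):
        self.mem = bytearray(0x10000)                 # one flat 64K segment
        self.mem[0x100:0x100 + len(code)] = code      # a COM image loads at CS:0100
        self.end = 0x100 + len(code)
        self.r = dict.fromkeys(self.R16, 0)
        self.ip = 0x100
        self.fold_loops = fold_loops                  # recognise empty delay loops
        self.model_int2f = model_int2f                # emulate Int 2Fh/AX=1208 side effect
        self.count = 0                                # instructions emulated so far

    def get8(self, n):                                # n: AL CL DL BL AH CH DH BH
        v = self.r[self.R16[n & 3]]
        return (v >> 8) & 0xFF if n & 4 else v & 0xFF

    def set8(self, n, val):
        name = self.R16[n & 3]
        v = self.r[name]
        self.r[name] = (v & 0x00FF) | (val << 8) if n & 4 else (v & 0xFF00) | val

    def fetch(self, size=1):
        v = int.from_bytes(self.mem[self.ip:self.ip + size], "little")
        self.ip += size
        return v

    def interrupt(self, n):
        if n == 0x21 and self.get8(4) == 0x4C:        # DOS terminate: program is done
            raise Stop("dos_exit")
        if n == 0x2F and self.r["AX"] == 0x1208 and self.model_int2f:
            di = self.r["DI"]                         # DOS 3+ internal: decrement the
            self.mem[di] = (self.mem[di] - 1) & 0xFF  # byte at ES:DI (ES == CS in a COM)
        # every other interrupt is treated as a harmless no-op

    def step(self):
        if not 0x100 <= self.ip < self.end:
            raise Stop("left_code")
        start = self.ip
        op = self.fetch()
        if op == 0x90:                                # NOP
            pass
        elif 0xB0 <= op <= 0xB7:                      # MOV r8, imm8
            self.set8(op - 0xB0, self.fetch())
        elif 0xB8 <= op <= 0xBF:                      # MOV r16, imm16
            self.r[self.R16[op - 0xB8]] = self.fetch(2)
        elif op == 0x05:                              # ADD AX, imm16
            self.r["AX"] = (self.r["AX"] + self.fetch(2)) & 0xFFFF
        elif op == 0x8B:                              # MOV r16, r16 (register form only)
            modrm = self.fetch()
            if modrm >> 6 != 3:
                raise Stop("unsupported")
            self.r[self.R16[(modrm >> 3) & 7]] = self.r[self.R16[modrm & 7]]
        elif op == 0x8D:                              # LEA r16, [SI+disp16] / [DI+disp16]
            modrm = self.fetch()
            if modrm >> 6 != 2 or modrm & 7 not in (4, 5):
                raise Stop("unsupported")
            base = self.r["SI"] if modrm & 7 == 4 else self.r["DI"]
            self.r[self.R16[(modrm >> 3) & 7]] = (base + self.fetch(2)) & 0xFFFF
        elif op == 0xE2:                              # LOOP rel8
            rel = self.fetch()
            target = (self.ip + (rel - 256 if rel > 127 else rel)) & 0xFFFF
            if self.fold_loops and target == start:   # `LOOP $' is a pure delay loop:
                self.r["CX"] = 0                      # skip it instead of spinning
            else:
                self.r["CX"] = (self.r["CX"] - 1) & 0xFFFF
                if self.r["CX"]:
                    self.ip = target
        elif op == 0xCD:                              # INT imm8
            self.interrupt(self.fetch())
        else:
            raise Stop("unsupported")
        self.count += 1

    def run(self, budget):                            # emulate until DOS exit or budget
        try:
            while self.count < budget:
                self.step()
        except Stop as why:
            return str(why), self.count
        return "budget", self.count

# Constructed samples, assembled by hand (not real virus code).  Each ends with
# MOV BX,1234 and a real DOS exit, so BX == 1234h proves the trick was survived.
LOOP_SAMPLE = bytes.fromhex("B9FFFF E2FE BB3412 B44C CD21")
CMOSDEAD_SAMPLE = (bytes.fromhex("BE0000") + b"\x90" * 0x17       # pad so the fragment
                   + bytes.fromhex("8DBC2B01 B80812 CD2F 051901"   # sits at 011A, exactly
                                   "8BD0 B9B30D B44C CD21")        # as in the listing
                   + bytes.fromhex("BB3412 B44C CD21"))

def analyse(code, **options):
    """Run a sample; return (stop reason, instruction count, BX, byte at 012B)."""
    emu = MiniEmu(code, **options)
    reason, n = emu.run(2000)
    return reason, n, emu.r["BX"], emu.mem[0x12B]
```

With the budget of 2000 instructions from the text, the naive emulator exhausts its budget inside the LOOP and "returns to DOS" at 012D in the CMOSDEAD fragment, while the one that folds the loop and models the interrupt reaches the marker in both cases.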
A good emulator should therefore be as fast as possible: speed is one of the most important aspects of anti-virus products from the user's point of view.

4 HOW DOES A GENERIC DISINFECTOR WORK?

The idea of doing generic disinfection without any information on the original file is not new; it was first developed by Frans Veldman more than three years ago. Unfortunately, there is only one common generic cleaner available: TBCLEAN. The main question is: why?

Basically, the generic disinfection method is simple but great: the disinfector loads the infected file and starts to emulate it until the virus restores the infected file to its `original' form and is ready to execute it. So the generic disinfector can use the virus to perform the most important part of the cleaning process. The virus has the beginning of the original file; all we need to do is copy the cleaned program back into the file. However, there are still a few questions which have not been answered:

4.1 WHICH EMULATION METHOD SHOULD WE USE?

As explained above, the generic decryptor method is very similar to generic disinfection. We should `execute' instructions only until the virus gives control to the original program. In my opinion, emulating is much safer. It is the only way to be 100% sure that the virus cannot escape from the analyser. We need an intelligent emulator which can emulate and control the `execution' of the infected program. I will demonstrate what controlling means later.

4.2 HOW CAN THE DISINFECTOR BE SURE THAT THE FILE IS INFECTED?

We can use all the techniques we used for heuristic scanners. In my opinion, a generic disinfector is a combination of a heuristic scanner and a heuristic disinfector. This way, our disinfector will not remove the `unknown from the unknown' [1] but will remove the virus from the unknown. The one big problem with all heuristic products is false alarms.
If the generic disinfector removes everything from the file which looks like a virus, it might remove non-viral code too, and corrupt the file. Heuristics is a science which is developing quickly, so we will find better ways to reduce false alarms.

4.3 WHERE IS THE ORIGINAL END OF THE FILE?

This question is also very important. We cannot always just remove the part of the program that gained control; otherwise we cannot handle viruses like One_Half. This virus modifies the body of the original program by putting its polymorphic decryptor in 10 blocks at random positions in the last 64K of the original file. (Every One_Half-infected file looks like a Swiss cheese. See Figure 1.) In most cases, we can truncate the file at the position to which the first JMP points, but not with viruses like One_Half. If we truncate the file at that position, we will remove too much, and the `disinfected' program will not work any more. The other problematic case is removing too few bytes from the program: in this case, other virus scanners might find search strings in the file after disinfection. We should collect information about the virus during emulation. That way we can get a very good result.

5 HOW MANY VIRUS TYPES CAN WE HANDLE THIS WAY?

There is an almost unlimited number of methods which a virus can use to infect programs or system areas. It is true that we cannot handle all viruses by using only generic disinfection techniques - but we can handle most of them.

5.1 BOOT SECTOR INFECTORS

The PC virus problem started with a boot sector virus (Brain). Unfortunately, it is relatively easy to write a boot sector virus. Nowadays, file viruses outnumber boot sector viruses by a big margin: only about 5% of all viruses infect boot sectors. So it is not a very big problem to handle boot sector viruses with conventional methods. However, if a new virus is found in the wild, it is more likely to be a boot sector virus than a file infector, because boot sector viruses are usually better spreaders.
Fortunately, most virus writers have not recognised this situation. Also, there have been very few polymorphic boot sector viruses so far, which is fortunate, since they are obviously much more difficult to handle.

We can also use generic methods to detect and disinfect boot sector viruses. We should emulate the boot sector code as we did for files. There are at least 12 different techniques which can be used to infect boot sectors or Master Boot Sectors. Most of these involve saving the original boot sector somewhere before changing the code in the boot sectors. If we can find the virus heuristically, it is possible to locate the original boot sector too. In the case of diskettes it can often be found at the end of the root directory, at the very end of the disk, or in areas marked as bad sectors. In the case of MBR infectors, it can usually be found on Track 0. Most anti-virus products have a function for locating the original boot record, so it is not necessary to have pre-defined information about the disinfection. There are boot sector viruses which do not save the original boot sector or master boot sector anywhere before infecting. In such cases, the boot record should be overwritten with clean, generic code.

5.2 FILE INFECTORS

There are many more possible ways to infect files, because there are so many different file structures. The biggest problem is the overwriting method, in which the virus overwrites the beginning of the file with its body, without saving the original code. Such viruses are impossible to disinfect without information about the file structure before infection. So, while it is not possible to disinfect viruses like this, it is easy to detect them using heuristics. Around 10% of viruses are overwriting, and cannot be disinfected. There are also other problematic cases, such as Windows application infectors, device driver infectors, cluster infectors, batch file infectors, object file infectors and macro infectors.
Together, these account for only about 1% of all viruses. Several other viruses cause problems for heuristic techniques. Such viruses use different infection techniques, with `dirty tricks' specifically designed to make detection and disinfection with generic methods difficult. These viruses make up to 15% of all viruses. When we combine overwriting viruses and the other special cases, the result is that about 30% of all viruses cannot be handled with generic methods easily, or at all. A listing of all infection techniques and whether or not they are suitable to be handled by generic methods would go beyond the scope of this paper.

There remains only one problem with viruses against which we can easily use generic disinfection techniques. If the part of the virus code where the virus repairs the infected program cannot gain control during emulation, then the disinfector cannot get the necessary information. We should control the `execution' of the virus code very intelligently. For example, when the virus makes its `Are you there?' call, the emulator should give the answer the virus wants. This way, the virus thinks that its code is already resident in memory, and repairs the host file.

6 HEURISTIC FLAGS IN AHD

AHD (Advanced Heuristic Disinfector) is currently a test project. It uses the generic disinfection method combined with a heuristic scanner. These are the heuristic flags of the program:

1 Encryption. A code decryptor function was found.
2 Open existing file (r/w). The program opens another executable file for write. This flag is very common in viruses as well as in normal programs (like make.exe).
3 Suspicious file access. Might be able to infect a file. AHD can give additional information about the virus type, such as a recursive infection structure (direct action).
4 Time/Date trigger routine. This virus might have an activation routine.
5 Memory-resident code. This program is a TSR.
6 Interrupt hook.
When the program hooks a critical interrupt, like Int 21h, we can display all the hooked interrupts (Int XXh .. Int YYh).
7 Undocumented interrupt calls. AHD knows a lot of `undocumented' interrupts, so this flag will be displayed when the interrupt looks tricky, like the VSAFE/VWATCH uninstall, which is very common in modern viruses.
8 Relocation in memory. The program relocates itself in a very tricky way.
9 Looking for memory size. The program tries to modify the BIOS top-of-memory value by overwriting the BIOS data area at location 0:413h.
10 Self-relocating code.
11 Code to search for files. The program tries to find other executable programs (*.COM, *.EXE, and also *.C“M, *.‚X‚, which mean the same to DOS).
12 Strange memory allocation.
13 Replication. This program overwrites the beginning of other programs.
14 Anti-debugging code.
15 Direct disk access (boot infection or damage).
16 Use of undocumented DOS features.
17 EXE/COM determinator. The program tries to check whether a file is a .COM or an .EXE file.
18 Program load trap.
19 CMOS access. The program tries to modify the CMOS data area.
20 Vector code. This is found only in viruses. The virus tries to use the cleaner as a vector.

7 DISINFECTION EXAMPLES

Here are two examples of disinfection using AHD. In the first case, the virus is polymorphic. It uses the original Mutation Engine (MtE).

    X:\FILEVIRS\MTE\ZEPPELIN\MOTHER.COM
    - Encrypted code
    - Self-relocating code
    - Code to search for files
    - Open existing file (r/w)
    - Suspicious file access
    - Time/Date trigger routine
    -> Probably infected with an unknown virus
    1. COM started -> E9 FC 13 53 6F
    2. It changed to -> EB 3C 90 53 6F
    3. Original file size: 5119 , Virus size: 4097
    Virus can be removed.

Next, let's take a look at a disinfection where the virus is a VCL variant. VCL (Virus Creation Laboratory) is one of the most commonly used virus-writing toolkits.
    X:\FILEVIRS\VCL\0379\VCL379.COM
    - Self-relocating code
    - Code to search for files
    - Open existing file (r/w)
    - Suspicious file access
    - Time/Date trigger routine
    -> Probably infected with an unknown virus
    1. COM started -> E9 E5 03 90 90
    2. It changed to -> 90 90 90 90 90
    3. Original file size: 1000 , Virus size: 379
    Virus can be removed.

8 WHAT TO DO IN THE FUTURE?

We should work more on generic disinfection. It can produce surprisingly good results. It is also necessary to develop better and better emulators. New infection techniques emerge from time to time, such as the inserting method. Nexiv_Der belongs in this category: this virus uses a peculiar method of infection, tracing the execution of a victim file (using single-stepping) and randomly inserting a call to its own code in the middle of the host. This makes it difficult to use the emulation method on it [3]. Fortunately, there are not too many viruses like this, but that may change in the future. In my opinion, we should test the combination of other anti-virus techniques too; not only heuristic scanners and generic disinfectors, but generic disinfectors and integrity checkers as well. Generic disinfection is not a revolutionary idea, but I believe it will be one of the methods that will keep virus scanners alive for a few more years to come.

BIBLIOGRAPHY

[1] Frans Veldman, `Combating Viruses Heuristically', Proceedings of the Third International Virus Bulletin Conference, September 1993, Amsterdam.
[2] Vesselin Bontchev, `Infection Techniques', extract from Ph.D. thesis, in print.
[3] Peter Szor, `Nexiv_Der: Tracing the Vixen', Virus Bulletin, April 1996.
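The repair step that both AHD examples in section 7 end with (put back the bytes the virus saved, then cut the file at the target of the first JMP, as section 4.3 describes) can be written as follows. This is an added illustration, not AHD's or TBCLEAN's code; it assumes a plain appending COM infector, treats the 5-byte `It changed to' line as the header recovered by emulation, and the infected images are constructed with filler bytes from the sizes and header bytes AHD prints.

```python
def jmp_target(image):
    """File offset reached by the JMP at offset 0 of a COM file, or None if the
    entry is not a JMP.  A COM loads at CS:0100, so file offset == IP - 100h and
    the target is simply the instruction length plus the relative displacement."""
    if len(image) >= 3 and image[0] == 0xE9:                      # JMP rel16
        return 3 + int.from_bytes(image[1:3], "little", signed=True)
    if len(image) >= 2 and image[0] == 0xEB:                      # JMP rel8
        return 2 + int.from_bytes(image[1:2], "little", signed=True)
    return None


def truncation_point(infected, restored_header):
    """Where the host ends, or None if the plain `truncate at the first JMP'
    rule cannot be trusted.  The target must lie inside the file and past the
    bytes the virus overwrote; otherwise (One_Half-style scattered decryptors,
    a damaged file) we would remove too much or too little."""
    end = jmp_target(infected)
    if end is None or not len(restored_header) <= end < len(infected):
        return None
    return end


def generic_disinfect(infected, restored_header):
    """Final repair step: restore the header bytes recovered by emulation
    (AHD's `It changed to' line) and drop everything from the JMP target on."""
    end = truncation_point(infected, restored_header)
    if end is None:
        raise ValueError("cannot locate the original end of file generically")
    cleaned = bytearray(infected[:end])
    cleaned[:len(restored_header)] = restored_header
    return bytes(cleaned)


def build_sample(host_size, virus_size, original_header):
    """Constructed test image: a host of host_size bytes that begins with
    original_header, with a virus_size-byte appended `virus' and the first three
    host bytes replaced by a JMP to it.  Filler bytes stand in for real code."""
    filler = bytes((i * 7) & 0xFF for i in range(host_size - len(original_header)))
    host = bytes(original_header) + filler
    rel = host_size - 3                                           # the JMP itself is 3 bytes
    infected = b"\xE9" + rel.to_bytes(2, "little") + host[3:] + b"\x90" * virus_size
    return host, infected


if __name__ == "__main__":
    # The two AHD cases: MtE sample (5119 + 4097) and the VCL variant (1000 + 379)
    for size, vsize, hdr in ((5119, 4097, "EB3C90536F"), (1000, 379, "9090909090")):
        host, infected = build_sample(size, vsize, bytes.fromhex(hdr))
        print(infected[:5].hex(" ").upper(), "->", jmp_target(infected),
              generic_disinfect(infected, bytes.fromhex(hdr)) == host)
```

For the MtE case the entry bytes come out as E9 FC 13 53 6F and the JMP target as 5119, exactly the figures AHD reports; a file that is shorter than its JMP target, or whose entry is not a JMP, is refused rather than cut blindly.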

Changes in F-PROT Professional Version 2.25



Changes in F-PROT for DOS


The following problems have been corrected:

- F-PROT Professional 2.24 missed some samples of the Tentacle_II virus. This has been corrected.
- The detection of the Cordobas virus was not reliable in the earlier version. This has been fixed.
- VIRSTOP2.EXE used to crash if run with an invalid command-line switch. The problem has been corrected.

The following false alarms have been fixed:

- The alarm about the Capital virus given by VIRSTOP for the file JT2023.COM.
- The alarm `Possibly a variant of AntiCad' given for the file CHKPC.COM.
- The alarm `Possibly a variant of Austr_Parasite' given for the file 2_SETUP.COM.
- The alarm `Infection: New or modified variant of VCL' given for the file ROARJ.COM.
- The alarm `Infection: TPE (?)' given for the file CC2_104.COM.
- The alarm `Possibly a variant of Trivial' given for the file PS.COM.

Minor Improvements and Changes

F-PROT now recognises .GIF files, and will not scan them even if the /ALL switch is used.

Changes in F-PROT for Windows


Many customers have wished to be able to completely overwrite the earlier settings with Autoinst (F-PROTW.CFG, .FPTs etc.). Settings for AUTOINST.INI have been added to force complete overwriting of earlier configuration files on workstations.

- Windows versions of Autoinst now execute F-Agent immediately when enabling it.
- 32-bit Autoinst puts F-Agent's execution command into the registry under Windows 95, not into WIN.INI. The registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- MS Word was able to open infected documents in unformatted text mode if scan on create/rename was enabled. Corrected.
- Because of an error in a core routine used in multiple F-PROT executables, these programs behaved incorrectly if the TMP environment variable pointed to a non-existent directory. The symptoms were, e.g., loss of task names and other task settings at F-PROT startup, and Autoinst's inability to perform the actions specified in the [TSRLoad] section. Fixed.
- The activity time shown on Gatekeeper's splash screen used to be incorrect. Corrected.
- Setup attempted to disable Gatekeeper when it was not enabled in the first place, resulting in error messages. Corrected.
- With the communication directory in the root of a shared directory on Windows NT Server 4.0, F-Agents and main programs on Windows 3.1x and Windows NT workstations did not find the communication directory. Corrected.
- The error message "Error registering ring -3 callback" was seen when a previous Windows workstation was upgraded to Windows 95 and the existing installation of F-PROT was also upgraded. Now Gatekeeper shows a more appropriate error message in that case ("The device driver of F-PROT Gatekeeper for Windows 3.1x is loaded. Remove "device=d:\path\F-PROTW.386" from the [386Enh] section of your SYSTEM.INI.").
- The scanner missed some in-the-wild boot viruses (Diablo, Stat). Corrected.
- Setting the parameter "Hide F-Agent" in preferences to true would not hide the icon in the tray. Now if this setting is checked the user does not see an icon.

New Viruses Detected by F-PROT


The following 112 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but not identified accurately.

The following 768 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately.

The following 158 new viruses are now detected and identified but can not yet be removed.

The following 3 viruses which were identified by earlier versions can now be removed: HLLP.NP.4240, HLLP.NP.5984, HLLP.NP.6128.

The following viruses have been renamed:
Dupalec -> HLLP.Dupalec
MSJ -> HLLP.15392
Naziphobia.A -> HLLP.NP.6128
Naziphobia.B -> HLLP.NP.5984
Naziphobia.C -> HLLP.NP.4240
Pascal.3072.A -> HLLP.3072.A
Pascal.3072.B -> HLLP.3072.B
AOS.581 -> AOS.MaryR.581
