
F-PROT Professional Update Bulletins
F-PROT Professional 2.25 Update Bulletin
CONTENTS BRIEFLY
--- Contents 4/96
--- The F-Secure Encryption Software Family Wins the First
--- Prize in European Union's Information Technology Competition
--- F-Secure Was Selected 'Product of the Year' by the
--- Biggest Scandinavian IT Magazine
--- 200 Word Macro Viruses
--- The Global Virus Situation
--- WordMacro/Wazzu Running Free
--- The Microsoft Factor
--- WordMacro/Bandung
--- WordMacro/NPad
--- Price
--- Alfons
--- MultiAni
--- HLLC.Plane
--- Hoax alert
--- Common Questions and Answers
--- GENERIC DISINFECTION
--- Changes in F-PROT Professional Version 2.25
--- Changes in F-PROT for DOS
--- Changes in F-PROT for Windows
--- New Viruses Detected by F-PROT
F-Secure Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-9-478 444, Fax +358-9-478 44 599
E-mail: F-PROT-Support@F-Secure.com, WWW: http://www.F-Secure.com/
This material can be freely quoted when the source, F-PROT Professional
The F-Secure Encryption Software Family Wins the First
Prize in European Union's Information Technology Competition
Never before in its history had F-Secure gained such
international recognition as it did in November, when the
Chairman of the Commission Jacques Santer handed the
first prize of the European Union's Information
Technology Competition ITEA to the representative of Data
Fellows.
The ITEA competition is a continent-wide information
technology competition. This year, 253 products from 25
European countries were submitted to the competition. 25
companies were selected for the finals, among them such
enterprises as Nokia, IBM, Hewlett-Packard and Siemens-
Nixdorf.
F-Secure took part in the competition with its new
encryption products. At the moment, there is a great need
for encryption and strong user authentication in the
global networks. Electronic business, Intranet systems
and public official services in the WWW cannot become
more common if good implementations based on strong
cryptography are not brought to the market.
It is estimated that, by 1997, there will be 75 million
users connected to the Internet. More than 50 million of
these users will be newcomers, having joined the Internet
during 1996. According to estimations made by different
consulting companies, the number of Internet users will
double during 1997, reaching 150 million. Furthermore,
the recent study by the Yankee Group shows business-to-
business Internet commerce will surge to $134 billion by
2000.
The major obstacle to the realisation of these
projections is the lack of data security on the Internet.
Security, increasingly a world-wide concern as trade
barriers vanish, is vital especially in electronic
commerce and on Intranets. Firewalls are not able to
secure transactions made over publicly accessible
networks such as the Internet.
Initially, there will be five different F-Secure
products. F-Secure SSH is a client-server software which
makes it possible to create strongly authenticated and
encrypted terminal connections from Unix, Windows, OS/2
and Macintosh computers to Unix servers. F-Secure SSH can
also be used to create secure X11 connections and to
tunnel freely selected TCP/IP protocols between
computers. For example, the software can be used to
encrypt an ODBC connection between an Excel spreadsheet
and an Oracle database.
F-Secure VPN is an encrypting router which makes it
possible to construct Virtual Private Networks over
unreliable public networks. The product can be used to
connect a company's LANs located in different offices to
each other with encrypted and authenticated tunnels. In
such a solution, all network packets transferred between
offices will be automatically encrypted, regardless of
which applications and protocols are used.
F-Secure Commerce is used for securing HTTP connections,
i.e. the connections between a WWW server and client
software. With F-Secure Commerce, it is easy to construct
secure public services, such as banking, insurance and
official services. By using the product's Intranet
version, it is possible to create secure Intranet systems
such as management information systems.
By using F-Secure Desktop, a PC user can easily and
effortlessly encrypt files on the computer's hard disk.
The Desktop software is ideal for laptop users, for it
ensures that the information on the hard disk remains
secure even if the computer is stolen or lost.
F-Secure Was Selected 'Product of the Year' by the
Biggest Scandinavian IT Magazine
The biggest Scandinavian IT magazine, MikroPC, selected
F-Secure as the 'Software Product of the Year'.
MikroPC selects yearly four 'Products of the Year': two
PC hardware products, one networking product, and one PC
software product. A group of the most respected
Scandinavian PC professionals selects the winners among
all the new products of the global industry. So the jury
considered F-Secure to be more important than, for
instance, Microsoft Office 97 or Windows CE.
More information about the F-Secure products can be found
at our WWW server, or by contacting our local
distributor. The trial versions of our F-Secure SSH and
Desktop programs can also be freely downloaded from our
WWW server.
200 Word Macro Viruses
The number of known Microsoft Word macro viruses has
risen quickly. The first Word macro virus was found in
August 1995. By the end of 1995, we were aware of only
five Word macro viruses. During the summer of 1996, new
macro viruses started to appear rapidly. By the time this
bulletin was published, three new macro viruses were
being found every day globally, and the total number of
Word macro viruses was approaching 200.
It should be noted that a large percentage of known macro
viruses are actually the result of random corruption.
Word seems to corrupt a part of the macro area of a
document quite often, and the result can be a still
functional version of a virus that has infected the
document.
Number of Word macro viruses is growing quickly
The first common macro virus, WordMacro/Concept, was only
able to replicate under English versions of Word. For
many, this created the misconception that all macro
viruses will fail to operate under nationalised versions
of Word. Unfortunately, this is not true. In fact, about
half of the currently known Word macro viruses operate
under any language version of Word. In addition to that,
there are dozens of macro viruses that operate only under
some non-English version of Word. For example, here's a
chart of macro viruses that require a specific language
version of Word in order to replicate:
Language   Number of viruses
Dutch       1
French      1
Italian     2
Chinese    15
German     17
Actually, most of the Chinese macro viruses have been
written in Taiwan. It is quite surprising that no macro
viruses specific to, for example, Spanish or Swedish
versions of Word have been found. This doesn't
necessarily mean that no macro viruses have been written
in these countries, as these macro viruses could have
been written to work in any language version of Word.
WordMacro/Wazzu Running Free
Microsoft has accidentally spread the WordMacro/Wazzu
virus several times during the last weeks.
WordMacro/Wazzu is a macro virus which spreads when
infected files are exchanged between computers. When such
a document is opened in Word 6 or 7, the virus executes
and infects the system macros of Word. After this, the
virus spreads to other documents that are opened or
created.
Wazzu consists of a single AutoOpen macro; this makes it
language independent, i.e. this macro virus is able to
infect localised versions of Word as well as the English
version of Word.
Unlike most other macro viruses, Wazzu has really been
seen in the wild, and it is considered common nowadays.
Wazzu is a harmful macro virus: it modifies the contents
of the documents it infects, moving words around and
occasionally inserting the text 'wazzu ' to a random
location in the document. The word `Wazzu' is reported to
be a nickname for the Washington State University.
F-PROT detects and disinfects the WordMacro/Wazzu virus.
The Microsoft Factor
The September edition of the Microsoft SPCD (Solution
Provider CD) had a single Word document infected with
WordMacro/Wazzu.A. This CD was distributed
internationally to Microsoft partners. The infected file
on this CD is \sia\mktools\case\ed3905a.doc. Microsoft
distributed Wazzu.A also during the Swiss ORBIT
conference on another CD called Letz Fetz on the Netz, in
a document called hotl95d.doc. An infected document was
available for download on Microsoft's WWW site in the
http://www.microsoft.com/switzerland/ hierarchy for
several days, possibly weeks. This file has now been
cleaned.
WordMacro/Bandung
Bandung is a Word macro virus that has become common
recently.
WordMacro/Bandung consists of six macros: AutoExec,
AutoOpen, FileSave, FileSaveAs, ToolsMacro and
ToolsCustomize. The virus is language dependent, i.e. it
is able to spread only under the English version of
Microsoft Word. The macros are not encrypted, but they
can NOT be viewed from the Tools/Macro menu, since the
virus replaces that menu command with its own macro.
After the 19th of every month, when the time is after
10:00, the virus activates. At this time, it displays a
dialog which says:
Reading menu...Please wait !
After this, the virus deletes most of the files on drive
C: and creates a file called C:\PESAN.TXT. The file
contains the following text:
Anda rupanya sedang sial, semua file di mesin ini
kecuali yang berada
di direktori WINDOWS dan WINWORD telah hilang, jangan
kaget, ini
bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang
siapa yang
berhasil menemukan cara menangkal virus ini, saya aka"
+ "n memberi
listing virus ini untuk Anda !!! Dan tentu saja saya
akan terus
datang kesini untuk memberi Anda salam dengan virus-
virus terbaru
dari saya...selamat ! Bandung, Tueday, 26 November
1996, Jam: 11:24.
The text is in Indonesian.
The virus also has a routine which replaces all 'a'
letters in the current document with the string: '#@'.
In addition to being in the wild in Asia, Bandung was
also found in Norway in November 1996.
WordMacro/NPad
WordMacro/NPad consists of a single AutoOpen macro; this
makes it language independent, i.e. this macro virus is
able to infect localised versions of Word as well as the
English version of Word. The AutoOpen macro is encrypted
and cannot be viewed from the Tools/Macro menu.
NPad has apparently been written in Indonesia: it
contains the texts:
D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung,
Indonesia
Macro MsWord virus, multiplatform, multi versi
NPad adds an entry to WIN.INI/Registry under Windows and
uses it as a generation counter. When the virus has
replicated 23 times, it scrolls the above 'D0EUNPAD94'
text on Word's status row and resets the counter to zero.
WordMacro/NPad was reported to be in the wild in Europe
during late 1996.
NPad and Bandung viruses may have been written by the
same author.
Price
The Price virus, which is also known as 'Fischer Price
96', was spread in a file called ftplist.zip on the
Internet during the fall of 1996.
When an infected program is run, the virus infects one
COM program in the current directory and stays resident
in memory. Every now and then it puts the text
Fischer Price 96
to the keyboard buffer. Otherwise the virus only
replicates. There is no way to disinfect this virus:
infected files have to be replaced with clean ones.
Alfons
Alfons is a 1344-byte destructive virus which was
reported to be heavily in the wild in Israel early in
1996. It was also found in the wild in Finland in
December 1996.
The virus activates on random dates. When this happens,
it displays the following text and overwrites drive C:
Alfons !
Synchronizing drive C: (Do not interrupt this
operation !): 100%
Done.
A later, 1536 byte variant is also known. Alfons is also
known by the names Alfo and Iuta99.
MultiAni
This Romanian boot virus was found in the wild in Italy,
Romania, the Czech Republic and Finland in December 1996.
The virus does not infect the MBR areas of hard disks;
instead, it infects the DOS boot sectors.
MultiAni can spread only on diskettes. The only way to
get an infection from an infected diskette is to attempt
to boot from it. After this, all diskettes used in the
infected machine will get the infection.
The virus replaces the DOS boot sector with a new copy
which is almost identical with a clean boot sector; only
a few bytes differ. The rest of the virus is stored later
on the first track (on hard disks) or in the root
directory area (on diskettes).
MultiAni activates randomly in December. When it
activates, it enters a perpetual loop where it displays
this text over and over again:
La multi ani !
La multi ani !
La multi ani !
'La multi ani' is Romanian and means 'Happy birthday'.
The virus contains no directly destructive code.
HLLC.Plane
This companion virus is written in Turbo Pascal and is
8304 bytes in size.
When an infected file is executed, the virus locates
random EXE files and copies itself to the same directory
as them, with a COM extension. Later on, these companion
files get executed when users run programs without
specifying the extension.
The companion files created by the virus are always 8304
bytes in size, and they are visible in the directory
listings normally. This virus does not stay resident in
memory.
HLLC.Plane activates at random. When it activates, it
shows a character-based animation of a red plane flying
past the screen and dropping a parachute in the middle of
the screen.
HLLC.Plane was reported to be in the wild in Northern
Europe in December 1996.
Hoax alert
There have been a lot of widespread virus hoaxes and
false alerts lately. The Good Times hoax warning about a
non-existent e-mail virus has been going around for two
years already. There have been several versions of this
hoax, including Irina, Penpal Greetings, PKZIP300 and
Deeyenda Maddick. Here's an example of an authentic
Deeyenda Maddick hoax warning, which has been passed on
via e-mail on the Internet:
******** VIRUS ALERT ******
VERY IMPORTANT INFORMATION: PLEASE READ !
There is a computer virus that is being sent across the Internet. If you
receive an email message with the subject line "Deeyenda", DO NOT read the
message, DELETE it immediately. Please read the messages below. Some
miscreant is sending email under the title "Deeyenda" nationwide, if you
get anything like this DON'T DOWNLOAD THE FILE! It has a virus that
rewrites your hard drive, obliterating anything on it. Please be careful
and forward this mail to anyone you care about.
FCC WARNING !!!!! ----- DEEYENDA PLAGUES INTERNET ----
The internet community has again been plagued by another computer virus.
This message is being spread throughout the internet, including USENET
posting, EMAIL, and other interent activities.. The reason for all the
attention is because of the nature of this virus and the potential security
risks it makes. Instead of a destructive trojan virus (most viruses!), this
virus, referred to as Deeyenda Maddick, performs a comprehensive search on
your computer, looking for valuable information, such as email and login
passwords, credit cards, personal info, etc. The Deeyenda virus also has
the capability to stay memory resident while running a host of applications
and operation systems, such as Windows 3.11 and Windows 95.
What this means to internet users is that when a login and PASSWORD are
sent to the server, this virus can COPY this information and SEND IT OUT TO
AN UNKNOWN ADDRESS (varies).
The reason for this warning is because the Deeyenda virus is virtually
undetectable. Once attacked, your computer will be unsecure. Although it
can attack any O/S, this virus is most likely to attack those users viewing
Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet Explorer 3.0+
which are running on Windows 95) . Researchers at Princeton University have
found this virus on a number of World Wide Web pages and fear its spread.
Please pass this on, for we must alert the general public at the security
risks.
The only way to fight these hoaxes
is to pass the word on them and to try to stop other users from
sending them further. However, as we can see from the Good Times
hoax, this can be very difficult.
Another recent hoax was a Warning about a virus
on Microsoft home page. This was a nasty hoax warning that
was distributed on several mailing lists and in Usenet news. The
hoax message was falsely attributed to a member of the F-PROT
Professional Support team.
This false warning urged people to stay off Microsoft's
home page and to avoid using Microsoft Internet Explorer, because
the 'Microsoft home page is possibly infected by a virus'. This
was nonsense.
In addition to the traditional e-mail chain letter
hoaxes, several innocent programs have received lots of publicity
lately as they have been accused of being trojans or viruses.
The first example of these programs was GHOST.EXE.
This is a Windows demonstration program which displayed a graveyard
and a set of ghosts in a window. On Friday the 13th, the title
of the screen was changed to 'Happy Friday the 13th!' and the
ghosts started flying around the Windows desktop. This program
was analysed and found harmless.
GHOST.EXE false alarm
SHEEP.EXE is a program which creates a cute animation
of a little sheep which wanders around the screen, eats, sleeps,
jumps etc. There were several widespread warnings that this program
was a trojan or a virus, but after SHEEP.EXE and SCMPOO16.EXE
samples were analysed, the program was found innocent. However,
during the analysis the original Japanese author of this program
was contacted, and it was found out that SHEEP.EXE is a commercial
program, and should not be passed on between users.
SHEEP.EXE or SCMPOO16.EXE false alarm
EYES.EXE or WINEYES.EXE caused alarms similar to
GHOST and SHEEP: it's a simple demo program which has created
a lot of warnings. This program was analysed and found harmless.

EYES.EXE false alarm
Naturally, whenever any program is declared clean,
there's a risk that somebody will take the file and infect it
- since people will now trust it. To overcome this problem, you
can verify the files against the 32-bit CRCs of the confirmed
clean versions (as displayed by PKUNZIP):
 Length  Method    Size  Ratio    Date   Time   CRC-32   Attr  Name
 ------  ------    ----  -----    ----   ----   ------   ----  ----
 317792  DeflatN 117014   64%  09-12-96 08:25  683ae9da  --w-  SHEEP.EXE
 317088  DeflatN 116749   64%  03-12-96 22:17  3662678a  --w-  SCMPOO16.EXE
  28096  DeflatN  14145   50%  30-10-96 13:20  5dce8738  --w-  GHOST.EXE
  28064  DeflatN  14142   50%  13-11-96 13:45  a6839c30  --w-  GHOST2.EXE
  28065  DeflatX  14121   50%  11-22-96 12:11  f47d5cbd  --w-  GHOST3.EXE
  54048  DeflatX   9157   84%  11-15-96 14:42  ba2cda0b  --w-  EYES.EXE
Common Questions and Answers
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You
can also contact F-Secure directly at the number 358-
0-478 444.
Written questions can be mailed to:
F-Secure Ltd
F-PROT Support
Päiväntaite 8
FIN-02210 ESPOO
FINLAND
Questions can also be sent by electronic mail to:
Internet:F-PROT@F-Secure.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
Elisa: Hyppönen Mikko.
F-PROT found a virus in the file SUHDLOG.DAT. No other
infections were detected. What is going on here? I'm
running Windows 95 on my computer.
At the time Windows 95 was installed, your
computer was infected by a boot sector virus.
During the installation, Windows 95 replaced the
infected boot sector with a clean one, and thus
removed the infection at the same time. However,
during a Windows 95 installation, the previous
boot sector is stored in the file SUHDLOG.DAT.
This file is harmless in itself, but if Windows
95 is uninstalled by using the UNINSTALL
function, the previous boot sector will be
restored - along with the virus. Therefore, the
infected SUHDLOG.DAT should be deleted from the
hard disk.
For some reason, my hard disk has been named `Ap'. It
seems that I cannot change the name. I'm running Windows
95.
Windows 95 supports long file names, but at the
same time it is compatible with the older
versions of DOS. This has been accomplished by
allocating the space needed for long names in
additional volume label entries. Normally, a
disk holds only one such entry, the one that
holds the disk's name.
The additional entries cause no inconvenience,
unless the disk has not been given any name
before the installation of Windows 95. In such
cases, the disk is automatically named 'Ap' or
'Af' or something of the kind. This is annoying
but hardly dangerous.
I heard about 'The Year 2000 virus'. What is it? Does F-
PROT protect me from it?
No, F-PROT does not protect you from it.
There is no virus detected by this name by
F-PROT. However, the media sometimes talks about
the 'Year 2000 virus', referring to the problems
computers will encounter when the two last
digits of the current year change to 00 on the
1st of January, 2000.
For example, many programs calculate the age of
a person by subtracting the current year from
the birth year (for instance, 97-65 = person is
32 years old). Such a calculation on January
1st, 2000 would give the answer that the person
in our example is -65 years old.
More information about these problems is
available on the web at http://www.year2000.com/
GENERIC DISINFECTION
This paper was presented by Peter Szor at the
International Virus Bulletin'96 conference. Peter
works as a senior virus analyst at F-Secure Ltd.
1 INTRODUCTION
Traditionally, anti-virus scanners have only been able to
disinfect viruses that have been analysed beforehand by
product developers. Around 10,000 viruses have been found
during the past 10 years. So far, producers of anti-virus
products have been pretty much able to keep up with the
new viruses, adding detection and disinfection routines
for most new viruses. We can expect this situation to
change in the future: when there are, say, 50,000
viruses, no vendor will be able to analyse every single
virus separately.
As the number of viruses keeps on growing, more and more
viruses are only detected, as the developers do not
consider every virus to be important enough to add
specific disinfection routines for it. Unfortunately,
some users will eventually get infected by such a virus.
It is possible (but more difficult) to disinfect unknown
viruses. There are several approaches to this problem:
one known method is to trace the execution of a possibly
infected program until the virus has restored the host to
its original state. This method works, but cannot be
considered truly reliable. An alternative is to emulate
the program and collect information on its execution,
using this information together with generic rules to do
rule-based disinfection. Although this is difficult to
implement, it produces surprisingly good results. How
many viruses can be removed this way? Testing a generic
disinfector is a very difficult task. Testing how many
particular viruses it can handle does not make sense,
because it is a generic anti-virus product. It is more
important to test how many different types of viruses we
can handle by using these kinds of methods. However, a
figure of 60% is quite possible. Most anti-virus programs
do not even come close to this percentage (for example,
my old program, called Pasteur).
2 HOW A VIRUS INFECTS A PROGRAM
Before we can talk about generic disinfection, we should
understand how a virus infects a program. In most cases,
a virus adds itself to the end of a file. If this is the
case, the virus modifies the beginning of the program to
transfer control to itself. Unless the virus is very
primitive, it saves the beginning of the file within the
virus code, because it will be necessary to execute the
victim file correctly after infection. This technique is
called the `appending' method.
CODE CODE CODE CODE CODE CODE CODE CODE CODE
CODE CODE CODE CODE CODE CODE CODE CODE CODE
CODE CODE CODE CODE CODE CODE CODE CODE CODE
a. Victim program
J ODE CODE CODE CODE CODE CODE CODE CODE CODE C
M ODE CODE CODE CODE CODE CODE CODE CODE CODE VIRUS C
P ODE CODE CODE CODE CODE CODE CODE CODE CODE C
b. Infected program
Every virus adds new functionality to the victim. The
infected victim will execute the virus code, which will
infect other files or system areas or go resident in
memory. After this, the virus code repairs the beginning
of the victim in memory and starts it. This sounds very
simple, and unfortunately it is, at least from the
point of view of the virus, which only modifies a few
bytes in the victim file and saves a piece of the file's
original code into the virus body (in this example:
`CCC').
When we started to analyse viruses, there were no
problems with conventional disinfection. We had enough
time to analyse them, because there were only a few
viruses. We could spend weeks with every new sample until
we had all the information necessary to clean them
successfully.
Basically, the cleaning process is as easy as the
infection. All we need to know is:
- how to find the virus (in most cases, with a search-
string selected from the virus)
- where the original beginning of the victim file
(`CCC') can be found in the virus body
- the size of the virus in bytes.
If we have all this information, we can remove the virus
easily: `Let's read the original beginning from the virus
code and put it back in its original place, then truncate
the file at its original end, calculating where this is
from the virus size'. That's it! This method might have
been interesting in case of the first ten viruses, but
everybody who has spent years with viruses hates it: it
is just too tedious.
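To make the appending method and the three facts listed above concrete, here is an added toy model in Python (written for this bulletin page, not code from the paper or from F-PROT): it infects a constructed COM-style byte image the way the figure shows, then cleans it using exactly the search string, the location of `CCC' inside the virus body and the virus size, refusing to clean when the entry JMP does not lead to the appended code. The host bytes, virus body and signature are all constructed for the example.

```python
# Added toy model of an appending infector and its conventional, per-virus
# disinfection.  A "file" is a plain byte string; bytes at offset 0 are the
# entry point, as in a DOS COM program.  Everything below is constructed for
# illustration and is not taken from any real virus or from F-PROT.

JMP_SIZE = 3  # a near JMP (E9 + 16-bit displacement) overwrites 3 host bytes

# Constructed host: MOV AH,9 / MOV DX,0108 / INT 21 / RET and the string it prints.
HOST = bytes.fromhex("B409BA0801CD21C3") + b"Hello$"
# Constructed virus body; the search string is a constant chosen inside it.
VIRUS_BODY = b"\x90\x90" + b"TOY-APPENDER-1996" + b"\xCD\x21"
SIGNATURE = b"TOY-APPENDER-1996"


def infect(host: bytes, virus_body: bytes) -> bytes:
    """Infect like the 'appending' method: save the host's first bytes ('CCC')
    inside the virus, append the virus to the file, and patch the entry point
    with a JMP to the virus."""
    saved = host[:JMP_SIZE]
    # A near JMP displacement is relative to the address just after the JMP.
    disp = len(host) - JMP_SIZE
    jmp = b"\xE9" + disp.to_bytes(2, "little")
    # Layout after infection: [JMP][rest of host][virus body][saved 'CCC']
    return jmp + host[JMP_SIZE:] + virus_body + saved


def find_virus(image: bytes, signature: bytes) -> int:
    """Locate the virus with a search string (the first fact the paper lists).
    Returns the offset of the signature, or -1 if the file is not infected."""
    return image.find(signature)


def disinfect(image: bytes, virus_size: int, saved_offset: int) -> bytes:
    """Conventional cleaning with the two remaining facts: the virus size in
    bytes and where, relative to the virus start, the original beginning of
    the host was saved.  Raises ValueError instead of guessing."""
    if len(image) <= virus_size or image[0] != 0xE9:
        raise ValueError("not an appending infection of this kind")
    original_len = len(image) - virus_size
    virus_start = original_len
    # Sanity check a per-virus cleaner should make: the entry JMP must lead
    # exactly to the appended virus, otherwise the layout is not the expected one.
    disp = int.from_bytes(image[1:3], "little")
    if disp + JMP_SIZE != virus_start:
        raise ValueError("entry JMP does not lead to the appended code; refusing to clean")
    saved = image[virus_start + saved_offset:virus_start + saved_offset + JMP_SIZE]
    # Put the original beginning back, then truncate at the original end.
    return saved + image[JMP_SIZE:original_len]


def demo() -> bool:
    """Infect the constructed host, then clean it; True if the host is restored."""
    infected = infect(HOST, VIRUS_BODY)
    if find_virus(infected, SIGNATURE) == -1:
        return False
    virus_size = len(VIRUS_BODY) + JMP_SIZE   # body plus the saved 'CCC' bytes
    saved_offset = len(VIRUS_BODY)            # 'CCC' sits right after the body
    return disinfect(infected, virus_size, saved_offset) == HOST


if __name__ == "__main__":
    print("host restored:", demo())
```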
So, we developed `goat' systems to make virus samples
automatically. These systems save time. We can calculate
the place of the original bytes in the virus body by
comparing many infected samples to non-infected ones,
using a special utility. This system works as long as the
virus is not encrypted, self-mutating, or polymorphic. Of
course, it must not have an anti-goat mechanism or a new
infection technique which our disinfector does not know
how to handle. If one of these problems occurs, we will
have to analyse the virus manually. If we are lucky, it
is enough. If not, we will have to change our anti-virus
strategy by adding new functions to it, or by modifying
already existing ones. This can take a lot of time, and
is therefore not efficient enough.
3 GENERIC DECRYPTORS
Most of the better anti-virus products have a generic
decryptor to combat polymorphic viruses, so it appears we
can solve the biggest problem that way. We can decrypt
the virus so we can use the old search-string technique
once again: this is great. Basically, the generic
decryptor method is a part of the generic disinfection
technique. There are two different generic decryptor
methods: single-stepping (by using Int 01h, Int 03h) and
emulating. Unfortunately, each has both advantages and
disadvantages.
3.1 SINGLE-STEPPING METHOD
Single-stepping is based on the Int 01h function. It is
generated automatically by the processor at the end of
each machine instruction if the trace bit (TF) in FLAGS
is set. This is what makes the T command of DEBUG work
for single-stepping.
If we are using the single-stepping method, we do not
need to develop a processor emulator. We do not need to
care which kind of operating system must be emulated,
because we can use the current one by calling the
harmless interrupts directly from the system. But the
main question is: which interrupt is harmless? We should
also know which code is not dangerous. What can we do if
the virus is using anti-debugging techniques and we start
to execute it in a controlled way? What can we do if the
virus uses an instruction which is simply buggy on the
current processor?
For example: the Finnpoly virus pushes its decryptor to
the stack and starts to execute it by a CALL SP
instruction. This instruction works on every Intel
processor except the 386DX and 386SX, where the CALL goes
to offset FFFF instead of the current value in the SP
register.
So if we start to trace the virus by using Int 01h on a
386 system, the virus will crash, together with the
analyser. Yes, a virus like this cannot infect our
environment, because it will not work on it. But what
happens if we are scanning files on the network in a case
like this? And finally, what happens if the `controlled'
environment is buggy? In this case, the virus writer has
a chance to write a virus which can escape from the
analyser; and that is where we should stop for a second.
We should not execute the virus in a controlled way,
because we cannot be 100% sure that the virus cannot
escape from the analyser.
3.2 EMULATING METHOD
Implementing a real processor emulator requires much more
work than using the single-stepping method. The first
question is: which processor should be emulated? If we
think about it, the answer is very easy: most good anti-
virus packages will still work on an XT. Why? Because
most viruses do not use instructions from processors
other than 8086, which means that if we are developing
only 286 (or higher) products we cannot find viruses on
XT. I am sure most of the developers have not seen an XT
machine in the last five years, but many people still use
them: that is why we cannot change our system fast
enough. Unfortunately, some viruses need a 286 or a 386
to work. If a virus uses 386 code, it cannot spread on an
XT or on a 286. The 286 is still a very common platform,
especially in east-European countries.
Thus, to summarise, we should develop an emulator which
can emulate 8086, 286, and 386 code. This should be
sufficient for a long time.
Most anti-debugging tricks are based on pre-fetch queue
tricks, or on the use of Int 01h and Int 03h. If we have
an intelligent emulator, then we do not have a big
problem with such anti-debugging techniques. We can avoid
or emulate them. However, there are other problems
involved with emulating. Basically, the biggest question
is: where should we stop in the emulating process? At
first glance, it does not seem too difficult. The answer
is: we should stop when we decrypt the virus.
Unfortunately, this process is quite difficult.
Every encrypted or polymorphic virus has a different
decryptor size, which means we need to emulate different
amounts of instructions. One virus might need 1000
instructions to be emulated and decrypted, while another
may need a few million. Virus writers understood this, so
they started to use tricks against generic decryptors and
heuristic analysers. One `dirty trick' is the use of
loops before the real decryptor comes:
1112 MOV CX,FFFF
1115 LOOP 1115
Let's say the analyser starts to emulate the first 2000
instructions. If it finds some suspicious code, then it
can emulate more. If the analyser cannot recognise a
loop, however, then it cannot find the virus, because it
will stop before the loop has finished and the real virus
code has started. Fortunately, good emulators can handle
this situation easily.
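As an added illustration (a toy model written for this page, not F-PROT's emulator), the following Python emulates a small 8086 subset over a constructed sample that places exactly this MOV CX,FFFF / LOOP delay in front of a real XOR decryptor: with a 2000-instruction budget the naive run never leaves the loop, while collapsing a LOOP that jumps to itself lets the emulator reach and finish the decryptor. The opcodes, key and body text are constructed for the example.

```python
# Added toy emulator for the delay-loop trick: a tiny 8086 subset
# (MOV CX/SI,imm16; XOR BYTE PTR [SI],imm8; INC SI; LOOP rel8; INT stops
# emulation) run on a constructed COM-style image.  Written for this example;
# it is not F-PROT's emulator.

LOAD = 0x100                          # COM programs load at CS:0100h
KEY = 0x5A                            # constructed XOR key of the sample decryptor
PLAINTEXT = b"DECRYPTED VIRUS BODY"   # constructed body hidden behind the loop
BODY_ADDR = LOAD + 0x13               # where the encrypted body lands


def build_sample() -> bytes:
    """Constructed sample: delay loop, then a real XOR decryptor, then INT 21."""
    body = bytes(b ^ KEY for b in PLAINTEXT)
    code = bytes([
        0xB9, 0xFF, 0xFF,                         # 0100  MOV CX,FFFF
        0xE2, 0xFE,                               # 0103  LOOP 0103  (the trick)
        0xBE, BODY_ADDR & 0xFF, BODY_ADDR >> 8,   # 0105  MOV SI,BODY_ADDR
        0xB9, len(PLAINTEXT), 0x00,               # 0108  MOV CX,len
        0x80, 0x34, KEY,                          # 010B  XOR BYTE PTR [SI],KEY
        0x46,                                     # 010E  INC SI
        0xE2, 0xFA,                               # 010F  LOOP 010B
        0xCD, 0x21,                               # 0111  INT 21 (back to DOS)
    ])
    assert len(code) == BODY_ADDR - LOAD
    return code + body


def emulate(image: bytes, budget: int, collapse_delay_loops: bool):
    """Emulate up to `budget` instructions and return (ip, executed, body bytes).
    With collapse_delay_loops=True a LOOP that jumps to itself (an empty delay
    loop) is finished in one step, which is what a loop-aware emulator does."""
    mem = bytearray(0x10000)
    mem[LOAD:LOAD + len(image)] = image
    ip, cx, si, executed = LOAD, 0, 0, 0
    while executed < budget:
        op = mem[ip]
        if op == 0xB9:                                   # MOV CX,imm16
            cx = int.from_bytes(mem[ip + 1:ip + 3], "little"); ip += 3
        elif op == 0xBE:                                 # MOV SI,imm16
            si = int.from_bytes(mem[ip + 1:ip + 3], "little"); ip += 3
        elif op == 0x80 and mem[ip + 1] == 0x34:         # XOR BYTE PTR [SI],imm8
            mem[si] ^= mem[ip + 2]; ip += 3
        elif op == 0x46:                                 # INC SI
            si = (si + 1) & 0xFFFF; ip += 1
        elif op == 0xE2:                                 # LOOP rel8
            rel = mem[ip + 1] - 0x100 if mem[ip + 1] >= 0x80 else mem[ip + 1]
            target = ip + 2 + rel
            if collapse_delay_loops and target == ip:
                cx, ip = 0, ip + 2     # empty loop body: skip all iterations
            else:
                cx = (cx - 1) & 0xFFFF
                ip = target if cx else ip + 2
        else:                                            # INT or unknown: stop
            break
        executed += 1
    return ip, executed, bytes(mem[BODY_ADDR:BODY_ADDR + len(PLAINTEXT)])


def run_sample(collapse_delay_loops: bool, budget: int = 2000):
    """Return (instructions executed, whether the body got decrypted)."""
    _ip, executed, body = emulate(build_sample(), budget, collapse_delay_loops)
    return executed, body == PLAINTEXT


if __name__ == "__main__":
    print("naive emulator:", run_sample(False))   # budget spent inside the loop
    print("loop-aware    :", run_sample(True))    # decryptor reached and finished
```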
There are other anti-emulating tricks which we must also
be able to handle. Every emulator stops when it
recognises that the program comes back to DOS. In the
following examples, we can see that virus writers have
started to use this phenomenon in their tricks:
CMOSDEAD.3622 virus
011A 8DBC2B01  LEA DI,[SI+012B]
011E B80812    MOV AX,1208      ; DECREMENT SYSTEM FILE TABLE
0121 CD2F      INT 2F           ; REFERENCE COUNT, but DI points to 12B
0123 051901    ADD AX,0119
0126 8BD0      MOV DX,AX
0128 B9B30D    MOV CX,0DB3
012B B44C      MOV AH,4C
012D CD21      INT 21
Int 2Fh/AX=1208 is a DOS 3+ internal function. It
decrements one byte where ES:DI points. If the emulator
does not emulate this interrupt, then it will stop its
process at 012D, because it thinks the program comes back
to DOS. Here, DI points to 012B, which means that this
interrupt will decrement the byte at 012B from B4h to
B3h. So the MOV AH,4C instruction at 012B changes to MOV
BL,4C (which happens to be the `Are you there' call of
this virus).
Letter_H.665 virus
05E3 B80035     MOV AX,3500
05E6 CD21       INT 21
05E8 8D941502   LEA DX,[SI+0215]
05EC B80025     MOV AX,2500
05EF CD21       INT 21
05F1 40         INC AX
05F2 B80000     MOV AX,0000
05F5 F7F0       DIV AX
05F7 B8014C     MOV AX,4C01
05FA CD21       INT 21
Interrupt 00h (internal hardware) is raised automatically
when a DIV or IDIV results in an error or overflow.
Normally DOS sets it to display an error message and abort
the current program. This virus hooks Int 00h and then
deliberately divides by zero at 05F5h, which means it can
start the full infection process from its Int 00h handler.
There are many other problems with the emulating method,
but it is a much safer technique than single-stepping.
Unfortunately, emulation is slow, and users will not be
pleased if they have to wait for any length of time. It
does not help to say `our product is based on emulation,
please wait a few hours', because users will choose
other, faster anti-virus packages. A good emulator should
therefore be as fast as possible: speed is one of the
most important aspects of anti-virus products from the
users' point of view.
4 HOW DOES A GENERIC DISINFECTOR WORK?
The idea of doing generic disinfection without any
information on the original file is not new; it was first
developed by Frans Veldman, more than three years ago.
Unfortunately, there is only one common generic cleaner
available: TBCLEAN. The main question is: why?
Basically, the generic disinfection method is simple but
powerful: the disinfector loads the infected file and
emulates it until the virus has restored the infected file
to its `original' form and is ready to execute it. So the
generic disinfector can use the virus itself to perform the
most important part of the cleaning process: the virus
holds the beginning of the original file. All we need to
do is copy the cleaned program back into the file.
However, there are still a few questions which have not
been answered:
4.1 WHICH EMULATION METHOD SHOULD WE USE?
As explained above, the generic decryptor method is very
similar to generic disinfection. We should `execute'
instructions only until the virus gives control to the
original program. In my opinion, emulating is much safer.
It is the only way to be 100% sure that the virus cannot
escape from the analyser. We need an intelligent emulator
which can emulate and control the `execution' of the
infected program. I will demonstrate what controlling
means later.
4.2 HOW CAN THE DISINFECTOR BE SURE THAT THE FILE IS
INFECTED?
We can use all the techniques we used for heuristic
scanners. In my opinion, a generic disinfector is a
combination of a heuristic scanner and a heuristic
disinfector. This way, our disinfector will not remove
the `unknown from the unknown' [1] but will remove the
virus from the unknown.
The one big problem with all heuristic products is false
alarms. If the generic disinfector removes everything
from the file that looks like a virus, it might also
remove non-viral code and corrupt the file. Heuristics
is a science which is developing quickly, so we will find
better ways to reduce false alarms.
4.3 WHERE IS THE ORIGINAL END OF THE FILE?
This question is also very important. We cannot always
just remove the part of the program that gained control;
otherwise we cannot handle viruses like One_Half. This
virus modifies the body of the original program by
scattering its polymorphic decryptor in 10 blocks at
random positions within the last 64K of the original
file. (Every One_Half-infected file looks like a Swiss
cheese. See Figure 1.)
In most cases, we can truncate the file at the position
the first JMP points to, but not with viruses like
One_Half. If we truncate the file in that position, we
will remove too much, and the `disinfected' program will
not work anymore. The opposite problem is removing too
few bytes from the program: in that case, other virus
scanners might still find search-strings in the file
after disinfection.
We should collect information about the virus during
emulation. That way we can get a very good result.
5 HOW MANY VIRUS TYPES CAN WE HANDLE THIS WAY?
There is an almost unlimited number of methods which a
virus can use to infect programs or system areas. It is
true that we cannot handle all viruses by using only
generic disinfection techniques - but we can handle most
of them.
5.1 BOOT SECTOR INFECTORS
The PC virus problem started with a boot sector virus
(Brain). Unfortunately, it is relatively easy to write a
boot sector virus. Nowadays, file viruses outnumber boot
sector viruses by a big margin: only about 5% of all
viruses infect boot sectors. So it is not a very big
problem to handle boot sector viruses with conventional
methods. However, if a new virus is found in the wild, it
is more likely to be a boot sector virus than a file
infector, because boot sector viruses are usually better
spreaders. Fortunately, most virus writers have not
recognised this situation. Also, there have been very few
polymorphic boot sector viruses so far, which is
fortunate, since they are obviously much more difficult
to handle.
We can also use generic methods to detect and disinfect
boot sector viruses. We should emulate the boot sector
code as we did for files. There are at least 12 different
techniques which can be used to infect boot sectors or
Master Boot Sectors. Most of these involve saving the
original boot sector somewhere before changing the code
in the boot sectors. If we can find the virus
heuristically, it is possible to locate the original boot
sector, too. In the case of diskettes it can often be
found at the end of the root directory, at the very end
of the disk, or in areas marked as bad sectors. In the
case of MBR infectors, it can usually be found on track 0.
Most anti-virus products have a function for locating the
original boot record, so it is not necessary to have
predefined information about the disinfection. There are
boot sector viruses which do not save the original boot
sector or master boot sector anywhere before infecting.
In such cases, the boot record should be overwritten with
clean, generic code.
5.2 FILE INFECTORS
There are many more possible ways to infect files,
because there are so many different file structures. The
biggest problem is the overwriting method, in which the
virus overwrites the beginning of the file with its body,
without saving the original code. Such viruses are
impossible to disinfect without information about the
file structure before infection. So, while it is not
possible to disinfect viruses like this, it is easy to
detect them using heuristics. Around 10% of viruses are
overwriting, and cannot be disinfected.
There are also other problematic cases, such as: Windows
application infectors, device driver infectors, cluster
infectors, batch file infectors, object file infectors
and macro infectors. Together, these account for only
about 1% of all viruses.
Several other viruses cause problems for heuristic
techniques. Such viruses use different infection
techniques, with `dirty tricks' specifically designed to
make detection and disinfection with generic methods
difficult. These viruses account for up to 15% of all
viruses. When we combine overwriting viruses and the other
special cases, the result is that about 30% of all
viruses cannot be handled with generic methods easily, or
at all. A listing of all infection techniques and whether
or not they are suitable to be handled by generic methods
would go beyond the scope of this paper.
There remains only one problem with the viruses against
which we can easily use generic disinfection techniques.
If the part of the virus code which repairs the infected
program never gains control during emulation, then the
disinfector cannot get the necessary information. We
should therefore control the `execution' of the virus
code very intelligently. For example, when the virus
makes its `Are you there?' call, the emulator should give
the answer the virus wants. This way, the virus thinks
that its code is already resident in memory, and repairs
the host file.
6 HEURISTIC FLAGS IN AHD
AHD (Advanced Heuristic Disinfector) is currently a test
project. It uses the generic disinfection method combined
with a heuristic scanner. These are the heuristic flags
of the program:
1 Encryption. A code decryptor function found.
2 Open existing file (r/w). The program opens another
executable file for write. This flag is very common
in viruses as well as in normal programs (like
make.exe).
3 Suspicious file access. Might be able to infect a
file. AHD can give additional information about the
virus type, such as a recursive infection structure
(direct action).
4 Time/Date trigger routine: this virus might have an
activation routine.
5 Memory-resident code. This program is a TSR.
6 Interrupt hook. When the program hooks a critical
interrupt, like Int 21h, we can display all the
hooked interrupts. (Int XXh .. Int YYh)
7 Undocumented Interrupt calls. AHD knows a lot of
`undocumented' interrupts, so this flag will be
displayed when the interrupt looks tricky, like the
VSAFE/VWATCH uninstall, which is very common in
modern viruses.
8 Relocation in memory. The program relocates itself in
a very tricky way.
9 Looking for memory size. The program tries to modify
the BIOS top-of-memory value by overwriting the BIOS
data area at location 0:413h.
10 Self-relocating code.
11 Code to search for files. The program tries to
find other executable programs (*.COM,*.EXE also
*.C“M, *.‚X‚ which means the same for DOS.)
12 Strange memory allocation.
13 Replication. This program overwrites the beginning
of other programs.
14 Anti-debugging code.
15 Direct disk access (boot infection or damage).
16 Use of undocumented DOS features.
17 EXE/COM determinator. The program tries to check
whether a file is a .COM or an .EXE file.
18 Program load trap.
19 CMOS access. The program tries to modify the CMOS
data area.
20 Vector code. This is found only in viruses. The
virus tries to use the cleaner as a vector.
7 DISINFECTION EXAMPLES
Here are two examples of disinfection using AHD. In the
first case, the virus is polymorphic. It uses the
original Mutation Engine (MtE).
X:\FILEVIRS\MTE\ZEPPELIN\MOTHER.COM
- Encrypted code
- Self-relocating code
- Code to search for files
- Open existing file (r/w)
- Suspicious file access
- Time/Date trigger routine
-> Probably infected with an unknown virus
1. COM started -> E9 FC 13 53 6F
2. It changed to -> EB 3C 90 53 6F
3. Original file size: 5119, Virus size: 4097
Virus can be removed.
Next, let's take a look at a disinfection where the virus
is a VCL variant. VCL (Virus Creation Laboratory) is one
of the most commonly used virus-writing toolkits.
X:\FILEVIRS\VCL\0379\VCL379.COM
- Self-relocating code
- Code to search for files
- Open existing file (r/w)
- Suspicious file access
- Time/Date trigger routine
-> Probably infected with an unknown virus
1. COM started -> E9 E5 03 90 90
2. It changed to -> 90 90 90 90 90
3. Original file size: 1000, Virus size: 379
Virus can be removed.
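The procedure of sections 2 to 4 and the AHD reports above, reduced to a runnable toy: an emulator for a handful of 8086 instructions runs a constructed appending stub until it has put the host's first bytes back and jumped to 0100h, collapses the idle LOOP trick from section 2 on the way, and then cuts the file where the first JMP pointed. This is an added illustration, not AHD or F-PROT code; the host program, the stub and the instruction subset are all made up here.

```python
"""Toy generic disinfector for an appending COM infector, following the
procedure in the paper: emulate the infected file until the virus has put
the host's first bytes back and handed control to 0100h, then cut the file
where the first JMP pointed (section 4.3). Everything is constructed for
illustration: the host, the 'virus' stub and the tiny 8086 subset are made
up here and are not AHD, F-PROT or any real virus."""
import struct

ORG = 0x100                                  # COM files load at CS:0100h


def build_infected_com(host: bytes) -> bytes:
    """Constructed sample: the first 3 host bytes are replaced by a JMP to a
    stub appended at the end; the stub keeps those bytes as immediates so it
    can restore them, spins in an idle LOOP, then jumps back to 0100h."""
    entry = ORG + len(host)                  # stub starts right after the host
    jmp = b"\xE9" + struct.pack("<h", entry - (ORG + 3))
    stub = b"".join(b"\xC6\x06" + struct.pack("<H", ORG + i) + bytes([b])
                    for i, b in enumerate(host[:3]))   # MOV BYTE [0100h+i],imm8
    stub += b"\xB9\xFF\xFF\xE2\xFE"          # MOV CX,0FFFFh / LOOP $ (anti-emulation)
    stub += b"\xE9" + struct.pack("<h", ORG - (entry + len(stub) + 3))  # JMP 0100h
    return jmp + host[3:] + stub


class MiniEmu:
    """Just enough 8086 to follow the stub: JMP near/short, MOV BYTE [m],imm8,
    MOV CX,imm16, MOV AH,imm8, LOOP and INT 21h (AH=4Ch ends the program)."""

    def __init__(self, image: bytes):
        self.mem = bytearray(0x10000)
        self.mem[ORG:ORG + len(image)] = image
        self.ip, self.cx, self.ah, self.exited = ORG, 0, 0, False
        self.writes = set()                  # addresses the code modified

    def s8(self, a):  return struct.unpack_from("<b", self.mem, a)[0]
    def s16(self, a): return struct.unpack_from("<h", self.mem, a)[0]
    def u16(self, a): return struct.unpack_from("<H", self.mem, a)[0]

    def step(self):
        m, ip = self.mem, self.ip
        if m[ip] == 0xE9:                                   # JMP rel16
            self.ip = (ip + 3 + self.s16(ip + 1)) & 0xFFFF
        elif m[ip] == 0xEB:                                 # JMP rel8
            self.ip = (ip + 2 + self.s8(ip + 1)) & 0xFFFF
        elif m[ip] == 0xC6 and m[ip + 1] == 0x06:           # MOV BYTE [disp16],imm8
            addr = self.u16(ip + 2)
            m[addr] = m[ip + 4]
            self.writes.add(addr)
            self.ip = ip + 5
        elif m[ip] == 0xB9:                                 # MOV CX,imm16
            self.cx, self.ip = self.u16(ip + 1), ip + 3
        elif m[ip] == 0xB4:                                 # MOV AH,imm8
            self.ah, self.ip = m[ip + 1], ip + 2
        elif m[ip] == 0xE2:                                 # LOOP rel8
            rel = self.s8(ip + 1)
            if rel == -2:        # LOOP $ only burns CX: collapse the idle spin
                self.cx, self.ip = 0, ip + 2
            else:
                self.cx = (self.cx - 1) & 0xFFFF
                self.ip = ip + 2 + (rel if self.cx else 0)
        elif m[ip] == 0xCD and m[ip + 1] == 0x21:           # INT 21h
            self.exited = self.exited or self.ah == 0x4C    # back to DOS
            self.ip = ip + 2
        else:
            raise ValueError(f"unsupported opcode {m[ip]:02X} at {ip:04X}")


def generic_disinfect(image: bytes, budget: int = 5000):
    """Emulate until control returns to 0100h after the entry bytes were
    rewritten (the virus 'repaired' the host). Returns (cleaned_bytes,
    virus_size), or None when the file is not handled or the program exits."""
    if not image or image[0] != 0xE9:
        return None                          # only the JMP-at-entry pattern here
    host_len = 3 + struct.unpack_from("<h", image, 1)[0]   # first-JMP rule
    if not 3 <= host_len <= len(image):
        return None
    emu = MiniEmu(image)
    emu.step()                               # take the entry JMP into the stub
    for _ in range(budget):
        if emu.exited:
            return None                      # program ended without restoring
        if emu.ip == ORG and any(ORG <= a < ORG + 3 for a in emu.writes):
            return bytes(emu.mem[ORG:ORG + host_len]), len(image) - host_len
        emu.step()
    return None                              # budget exhausted: undecided


if __name__ == "__main__":
    host = b"\xB4\x09\xBA\x0B\x01\xCD\x21\xB4\x4C\xCD\x21Hi$"   # constructed host
    infected = build_infected_com(host)
    print("COM started ->", infected[:5].hex(" ").upper())
    cleaned, virus_size = generic_disinfect(infected)
    print("It changed to ->", cleaned[:5].hex(" ").upper())
    print(f"Original file size: {len(infected)}, Virus size: {virus_size}")
```

A real disinfector would additionally need the heuristic checks of section 4.2 before trusting the restored bytes, and a smarter end-of-file rule than the first-JMP target for viruses like One_Half.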
8 WHAT TO DO IN THE FUTURE?
We should work more on generic disinfection. It can
produce surprisingly good results. It is also necessary
to develop better and better emulators. New infection
techniques emerge from time to time, such as the
inserting method. Nexiv_Der belongs in this category:
this virus uses a peculiar method of infection, tracing
the execution of a victim file (using single-stepping)
and randomly inserting a call to its own code in the
middle of the host. This makes it difficult to use the
emulation method on it [3]. Fortunately, there are not
too many viruses like this, but that may change in the
future.
In my opinion, we should test the combination of other
anti-virus techniques, too; not only heuristic scanners
and generic disinfections, but generic disinfectors and
integrity checkers as well. Generic disinfection is not a
revolutionary idea, but I believe it will be one of the
methods that will keep virus scanners alive for a few
more years to come.
BIBLIOGRAPHY
[1] Frans Veldman, `Combating Viruses Heuristically',
Proceedings of the Third International Virus
Bulletin Conference, September 1993, Amsterdam.
[2] Vesselin Bontchev, `Infection Techniques', extract
from Ph.D. thesis, in print.
[3] Peter Szor, `Nexiv_Der: Tracing the Vixen', Virus
Bulletin, April 1996.
The following problems have been corrected:
F-PROT Professional 2.24 missed some samples of the
Tentacle_II virus. This has been corrected.
The detection of the Cordobas virus was not reliable in
the earlier version. This has been fixed.
VIRSTOP2.EXE used to crash if run with an invalid
command-line switch. The problem has been corrected.
The following false alarms have been fixed:
The Capital virus alarm given by VIRSTOP for the file
JT2023.COM.
The alarm `Possibly a variant of AntiCad' given for the
file CHKPC.COM.
The alarm `Possibly a variant of Austr_Parasite' given for
the file 2_SETUP.COM.
The alarm `Infection: New or modified variant of VCL'
given for the file ROARJ.COM.
The alarm `Infection: TPE (?)' given for the file
CC2_104.COM.
The alarm `Possibly a variant of Trivial' given for the
file PS.COM.
Minor Improvements and Changes
F-PROT now recognises .GIF files, and will not scan them
even if the /ALL switch is used.
Many customers have asked to be able to completely
overwrite the earlier settings with Autoinst
(F-PROTW.CFG, .FPT files etc.). Settings have been added
to AUTOINST.INI to force complete overwriting of earlier
configuration files on workstations.
Windows versions of Autoinst now execute F-Agent
immediately when enabling it.
32-bit Autoinst puts F-Agent's execution command into the
registry under Windows 95, not into WIN.INI. The
registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Word was able to open infected documents in
unformatted text mode if scan on create/rename was
enabled. Corrected.
Because of an error in a core routine used by several
F-PROT executables, these programs behaved incorrectly if
the TMP environment variable pointed to a non-existent
directory. Symptoms included loss of task names and other
task settings at F-PROT startup, and Autoinst's inability
to perform the actions specified in the [TSRLoad]
section. Fixed.
The activity time shown on Gatekeeper's splash screen
used to be incorrect. Corrected.
Setup attempted to disable Gatekeeper when it was not
enabled in the first place, resulting in error messages.
Corrected.
When the communication directory was in the root of a
shared directory on a Windows NT Server 4.0, F-Agents and
main programs on Windows 3.1x and Windows NT workstations
did not find it. Corrected.
The error message "Error registering ring -3 callback"
was seen when a Windows workstation had been upgraded to
Windows 95 and the existing installation of F-PROT had
been upgraded as well. Gatekeeper now shows a more
appropriate error message in that case: "The device
driver of F-PROT Gatekeeper for Windows 3.1x is loaded.
Remove "device=d:\path\F-PROTW.386" from the [386Enh]
section of your SYSTEM.INI."
The scanner missed some in-the-wild boot viruses (Diablo,
Stat). Corrected.
Setting the "Hide F-Agent" preference to true did not
hide the icon in the tray. Now, when this setting is
checked, the user does not see an icon.
The following 112 viruses are now identified, but cannot
be removed as they overwrite or corrupt infected files.
Some of them were detected by earlier versions of F-PROT,
but not identified accurately.
AZ.492
Belorussia.447
Burger.405.G
Burger.560.BF
Burger.560.BG
Burger.560.BH
Burger.609.B
Burma.442.F
Civil_II.438
Civil_II.440.A
Civil_II.440.B
Coconut.1323
Demand.666.D
Demand.666.E
Demand.666.F
Dstar.223
Dstar.493
Exe2Win.182
Genvir.1088.A
Genvir.1088.B
Genvir.1152
Genvir.1168.A
Genvir.1168.B
Genvir.1168.C
Genvir.1232
Genvir.1328
Habitat.751
HLLO.3428
HLLO.3712
HLLO.3855
HLLO.NP.4240
HLLO.4979
HLLO.4980
HLLO.6208
HLLO.7760
HLLO.Harakiri.C
HLLO.12288
HLLO.15788
HLLO.17179
HLLO.17923
Iota.72
IVP.O.339
IVP.O.412
Leprosy.666.U
Leprosy.666.V
Leprosy.868
Milan.63
Qpa.256
Qpaxx.333
QTI.211
SillyOR.174
Terrax.1069
Trivial.27.F
Trivial.30.S
Trivial.31.F
Trivial.32.G
Trivial.33.C
Trivial.35.D
Trivial.36.F
Trivial.37.G
Trivial.42.M
Trivial.42.N
Trivial.45.L
Trivial.45.M
Trivial.51
Trivial.52.B
Trivial.60.B
Trivial.60.C
Trivial.64.B
Trivial.66.B
Trivial.71.B
Trivial.72.C
Trivial.72.D
Trivial.72.E
Trivial.76
Trivial.85.B
Trivial.85.C
Trivial.88.C
Trivial.88.D
Trivial.90.B
Trivial.97.C
Trivial.113
Trivial.113.B
Trivial.137.B
Trivial.139.M
Trivial.156
Trivial.212
Trivial.238
VCL.O.289
VCL.O.313
VCL.O.326.A
VCL.O.326.B
VCL.O.340
VCL.O.344
VCL.O.350
VCL.O.364
VCL.O.367
VCL.O.406
VCL.O.416
VCL.O.424
VCL.O.430
VCL.O.440
VCL.O.442.A
VCL.O.442.B
VCL.O.456
VCL.O.467.A
VCL.O.467.B
VCL.O.480
VCL.O.483
VCL.O.581
VCL.O.621
Ymir.145
The following 768 new viruses can now be removed. Many of
them were detected by earlier versions, but are now
identified accurately.
_446
_525
_625
_738
_884
_974
_977
_1458.B
_1468
_1614
_2248
_3449
_5632.A
_5632.B
_5632.C
Account.873
Adsmile.1113
Amazon.473
Amazon.484
Amazon.506
Ambulance.796.F
Angry.393
AOS.841
AOS.847.B
AOS.850
AOS.853
AOS.856
AOS.859
AOS.862
AOS.MaryR.585
AOS.MaryR.589
AOS.MaryR.593
AOS.MaryR.597
AOS.MaryR.599
AOS.MCD.845
AOS.MCD.848
AOS.MCD.854
AOS.MCD.857
AOS.MCD.860
AOS.MCD.863
AOS.Muzak.897
AOS.Muzak.900
AOS.Muzak.903
AOS.Muzak.906
AOS.Muzak.909
AOS.Muzak.912
AOS.Muzak.915
AOS.Muzak.919
Areill.573
Aria.3076
Armagedon.1057
Ash.858
Attitude.746
Autumnal.3072
Avalanche.2820
Backing
Bad_Com.557
Beer.3360
BootEXE.451.C
Black Monday.928
Burglar.777
Burglar.820
Burglar.824
Burglar.833
Burglar.1150.B
Butterfly.302.E
BVM.831
BW.276
BW.294
BW.347
BW.472
BW.523
BW.553
BW.691
BW.754
BW.786
BW.815
BW.Mayberry.405
BW.Mayberry.727
BW.630.B
BW.740
BW.790
BW.795
Bward.1024
Cascade.1701.BA
Cascade.1701.BB
Cascade.1701.BC
Cascade.1701.BD
Cascade.1701.BE
Cascade.1701.BF
Cascade.1701.BG
Caz.1204.B
Champaigne.445
Champaigne.446
Champaigne.508
Champaigne.523
Champaigne.527
Champaigne.542
Champaigne.585
Chiche.1436
CLL.947
Clonewar.921
Cluster.384
Corea.926
Corea.941
Corea.998
Corea.1036
Cpw.1460
Cypertech.224
Cypertech.224.B
Dark_Apocalypse.1023
Dark_Avenger.1160.B
Dark_Avenger.1802
Die.352
Die.487
Die.666.B
Die.800
Die.803
Die.808
Ditwet.466
Doomsday.736
Dreamer.8869
DST.406
DST.424
DST.425
Dstar.407
Dy.275
Dy.277
Eco
Eddy.1316
Eddy.1326
Eddy.1333
Eddy.1422
Eddy.1457
Eddy.1463
Eddy.1478
Eddy.1482
Eddy.1542
Eddy.1551
Eddy.1567
Eddy.1309
Eumel.345
Eumel.347.A
Eumel.347.B
Eumel.363.A
Eumel.363.B
Eumel.363.C
Eumel.381
Eumel.383.A
Eumel.383.B
Eumel.391
Eumel.393
Fantasma.1000
Fault.9209
FaxFree.1536.AntiF
Findme
Flavour.911
Gandalf.240
Gandalf.440
H8.1176
Hellspawn.1138
H-Andromeda.713
H-Andromeda.749
H-Andromeda.772
H-Andromeda.826
H-Andromeda.1337
H-Andromeda.1536.C
HLLC.Doren.9904
HLLP.4170
HLLP.4536
HLLP.4641
HLLP.4665
HLLP.5000.B
HLLP.5701
HLLP.6253
HLLP.7000.B
HLLP.7720.A
HLLP.7220.B
HLLP.10000
HLLP.Dupalec.B
HLLP.NP.4415
Hungry.633
Hybris.1442
Immortal.2174.C
Immortal.2174.D
Insert.258
Inside.1011
IVP.321
IVP.516
IVP.731
IVP.872.B
IVP.923
IVP.930.B
IVP.931.B
IVP.932
IVP.934.B
IVP.925
IVP.927.B
IVP.932.D
IVP.2385
IVP.2385.B
Jerusalem.662.B
Jerusalem.1446
Jerusalem.1598
Jerusalem.1808.Noscroll
Jerusalem.1808.Temp1
Jerusalem.1975
Jerusalem.Fu_Manchu.F
Jerusalem.1347
Jerusalem.1455
Jerusalem.1570
Jerusalem.1589
Jerusalem.1591
Jerusalem.1653.E
Jerusalem.1756
Jerusalem.1768
Jerusalem.1783
Jerusalem.1845
Jerusalem.1884
Joker3.1080
Jorgito.646
Jovial.506
JT8.1000
Kela.2103
Kela.2203
Kela.2518
Kcor.426
Kcor.436
Khizhnjak.694
Khizhnjak.726
Khizhnjak.728
Khizhnjak.759.B
Khizhnjak.1112
Khizhnjak.1134
Kode_4.172
Kode_4.174
Kode_4.216
Kode_4.217
Kode_4.328
Kode_4.329
Kode_4.335
Kode_4.336
Krad_II.569
KsTro.1029
KsTro.1087
KsTro.1332
KVS.1942
Lamego.729
Lapidario.766
Lauren.632
Lauren.652
Lauren.653
Last_Hope.3000
Lemming.2247
Lesson_I.136
Lesson_I.157
Lesson_I.202
Lesson_I.213
Lesson_I.224
Lesson_I.302
Little_Brother.276.B
Little_Brother.341
Little_Brother.393
Lockjaw.493.B
Lockjaw.495
Lockjaw.501
Lockjaw.804
Lockjaw.808.B
Los_Lobos.627
Mask.2389
Miny.218
Miny.256
Miny.300
Miny.321
Miny.333
Miny.441.F
Miny.500
Miny.543
Miny.565
Miny.651
Miny.666
Miny.845
Miny.850
Minzdrav.470
Midnight.2352
Mirage_II.727
Mithrandir.447
Multiplex.822
Nado.757
Natas.4744.F
Navigator.267
Navigator.270
Ninja.1610
NLA.313
Nobody.315
Npox.986
Npox.992
Npox.995
Npox.1004
Npox.1010
Npox.1584
Npox.1588
Npox.1592
Npox.1596
Npox.1600
Npox.1604
Npox.1608
Npox.1814
Nutcracker.3139
Odious.569
Old_Yankee.1961.F
Oktubre.1384
Orrid.521
Pempe.1811
Pempe.1811.B
PHX.1015
PHX.1295.B
Pixel.300
Plvir.3759.A
Plvir.3759.B
Plvir.3360
Plvir.3486
Plvir.3768
Plvir.4224
Plvir.4722
Plvir.5133
Plvir.5175
Poet.860
Poltergeist.1017
Populizer.313
Populizer.314
PS-MPC.184
PS-MPC.204
PS-MPC.252.A
PS-MPC.252.B
PS-MPC.252.C
PS-MPC.252.D
PS-MPC.252.E
PS-MPC.261.A
PS-MPC.261.B
PS-MPC.261.C
PS-MPC.261.D
PS-MPC.267
PS-MPC.270
PS-MPC.281.B
PS-MPC.281.C
PS-MPC.281.D
PS-MPC.281.E
PS-MPC.281.F
PS-MPC.281.G
PS-MPC.288.A
PS-MPC.288.B
PS-MPC.288.C
PS-MPC.289.A
PS-MPC.289.B
PS-MPC.289.C
PS-MPC.289.D
PS-MPC.289.E
PS-MPC.289.F
PS-MPC.289.G
PS-MPC.290.A
PS-MPC.290.B
PS-MPC.298.B
PS-MPC.298.C
PS-MPC.298.D
PS-MPC.298.E
PS-MPC.298.F
PS-MPC.313.A
PS-MPC.313.B
PS-MPC.314.B
PS-MPC.316
PS-MPC.317.A
PS-MPC.317.B
PS-MPC.317.C
PS-MPC.317.D
PS-MPC.317.E
PS-MPC.317.F
PS-MPC.325.A
PS-MPC.325.B
PS-MPC.325.C
PS-MPC.325.D
PS-MPC.325.E
PS-MPC.325.F
PS-MPC.325.G
PS-MPC.326.A
PS-MPC.326.B
PS-MPC.326.C
PS-MPC.326.D
PS-MPC.326.E
PS-MPC.335.B
PS-MPC.336
PS-MPC.337
PS-MPC.341
PS-MPC.342.A
PS-MPC.342.B
PS-MPC.342.C
PS-MPC.342.D
PS-MPC.343.D
PS-MPC.347.L
PS-MPC.347.M
PS-MPC.348.D
PS-MPC.349.B
PS-MPC.349.C
PS-MPC.350
PS-MPC.351.C
PS-MPC.351.D
PS-MPC.351.E
PS-MPC.352.N
PS-MPC.354
PS-MPC.355.B
PS-MPC.355.C
PS-MPC.357.B
PS-MPC.358.C
PS-MPC.358.D
PS-MPC.358.E
PS-MPC.358.F
PS-MPC.358.G
PS-MPC.358.H
PS-MPC.360
PS-MPC.361.B
PS-MPC.362.A
PS-MPC.362.B
PS-MPC.362.C
PS-MPC.362.D
PS-MPC.362.E
PS-MPC.362.F
PS-MPC.362.G
PS-MPC.362.H
PS-MPC.362.I
PS-MPC.362.J
PS-MPC.362.K
PS-MPC.362.L
PS-MPC.362.M
PS-MPC.362.N
PS-MPC.362.O
PS-MPC.362.P
PS-MPC.369
PS-MPC.370
PS-MPC.373
PS-MPC.374.B
PS-MPC.374.C
PS-MPC.375
PS-MPC.378
PS-MPC.379
PS-MPC.380
PS-MPC.381
PS-MPC.383.A
PS-MPC.383.B
PS-MPC.383.C
PS-MPC.383.D
PS-MPC.384.B
PS-MPC.384.C
PS-MPC.384.D
PS-MPC.385
PS-MPC.387
PS-MPC.392.B
PS-MPC.393.D
PS-MPC.393.E
PS-MPC.399.B
PS-MPC.399.C
PS-MPC.399.D
PS-MPC.399.E
PS-MPC.399.F
PS-MPC.399.G
PS-MPC.399.H
PS-MPC.399.I
PS-MPC.399.J
PS-MPC.399.K
PS-MPC.399.L
PS-MPC.399.M
PS-MPC.399.N
PS-MPC.399.O
PS-MPC.399.P
PS-MPC.399.Q
PS-MPC.399.R
PS-MPC.399.S
PS-MPC.399.T
PS-MPC.401.C
PS-MPC.401.D
PS-MPC.505.C
PS-MPC.407
PS-MPC.410.C
PS-MPC.411
PS-MPC.414.E
PS-MPC.416
PS-MPC.418.B
PS-MPC.420
PS-MPC.421
PS-MPC.423.C
PS-MPC.424.C
PS-MPC.424.D
PS-MPC.438.B
PS-MPC.440.B
PS-MPC.441.B
PS-MPC.445
PS-MPC.447.B
PS-MPC.449.A
PS-MPC.449.B
PS-MPC.449.C
PS-MPC.450.B
PS-MPC.450.C
PS-MPC.452
PS-MPC.453.A
PS-MPC.453.B
PS-MPC.453.C
PS-MPC.454.B
PS-MPC.454.C
PS-MPC.455.B
PS-MPC.455.C
PS-MPC.457.A
PS-MPC.457.B
PS-MPC.457.C
PS-MPC.458.B
PS-MPC.458.C
PS-MPC.458.D
PS-MPC.458.E
PS-MPC.468.A
PS-MPC.468.B
PS-MPC.468.C
PS-MPC.468.D
PS-MPC.468.E
PS-MPC.468.F
PS-MPC.468.G
PS-MPC.475.E
PS-MPC.477
PS-MPC.478.D
PS-MPC.481
PS-MPC.482.C
PS-MPC.483.B
PS-MPC.483.C
PS-MPC.485
PS-MPC.486.A
PS-MPC.486.B
PS-MPC.486.C
PS-MPC.487.B
PS-MPC.487.C
PS-MPC.490.C
PS-MPC.491.A
PS-MPC.491.B
PS-MPC.495.B
PS-MPC.495.C
PS-MPC.495.D
PS-MPC.495.E
PS-MPC.495.F
PS-MPC.496
PS-MPC.501
PS-MPC.504.C
PS-MPC.504.D
PS-MPC.504.E
PS-MPC.504.F
PS-MPC.504.G
PS-MPC.504.H
PS-MPC.505.B
PS-MPC.505.C
PS-MPC.505.D
PS-MPC.505.E
PS-MPC.505.F
PS-MPC.505.G
PS-MPC.505.H
PS-MPC.505.I
PS-MPC.505.J
PS-MPC.505.K
PS-MPC.505.L
PS-MPC.507
PS-MPC.510.C
PS-MPC.519.A
PS-MPC.519.B
PS-MPC.521.A
PS-MPC.521.B
PS-MPC.525.B
PS-MPC.541.B
PS-MPC.541.C
PS-MPC.541.D
PS-MPC.541.E
PS-MPC.541.F
PS-MPC.541.G
PS-MPC.541.H
PS-MPC.541.I
PS-MPC.541.J
PS-MPC.541.K
PS-MPC.541.L
PS-MPC.542.B
PS-MPC.546.B
PS-MPC.549.B
PS-MPC.558
PS-MPC.563.A
PS-MPC.563.B
PS-MPC.563.C
PS-MPC.564.E
PS-MPC.569.G
PS-MPC.572.E
PS-MPC.572.F
PS-MPC.575.E
PS-MPC.579.I
PS-MPC.580.B
PS-MPC.585.G
PS-MPC.586.B
PS-MPC.586.C
PS-MPC.587
PS-MPC.589.B
PS-MPC.591.G
PS-MPC.591.H
PS-MPC.592.AG
PS-MPC.594.B
PS-MPC.594.C
PS-MPC.595.A
PS-MPC.595.B
PS-MPC.597.AG
PS-MPC.598.T
PS-MPC.598.U
PS-MPC.598.V
PS-MPC.599.B
PS-MPC.599.C
PS-MPC.599.D
PS-MPC.599.E
PS-MPC.599.F
PS-MPC.599.G
PS-MPC.599.H
PS-MPC.601
PS-MPC.602.H
PS-MPC.603.H
PS-MPC.603.I
PS-MPC.603.J
PS-MPC.604.C
PS-MPC.608
PS-MPC.615.C
PS-MPC.622
PS-MPC.627.A
PS-MPC.627.B
PS-MPC.628.A
PS-MPC.628.B
PS-MPC.628.C
PS-MPC.630
PS-MPC.631.A
PS-MPC.631.B
PS-MPC.636
PS-MPC.639
PS-MPC.644.B
PS-MPC.676
PS-MPC.681
PS-MPC.691.B
PS-MPC.789
PS-MPC.844
PS-MPC.868.B
PS-MPC.885
PS-MPC.1120
PS-MPC.1703
PS-MPC.2119
PS-MPC.2163
Pure.449
Quish.399
Raine.365
Raine.474
Raine.733
Ramesy.336
Rasek.1489.B
Raver.448
Relzfu.335
Remember.811
Remember.816
Remember.818
Rhubarb.215
Rift.480
Riot.467
Riot.1336
Rosebud.912
Rotceh
Satan.609
Saynay.5116.A
Saynay.5116.B
Scitzo.1264
Selectronics.1100
SFT.771
Sierra.A
Sierra.C
SillyC.145
SillyC.147.B
SillyC.165.B
SillyC.638
SillyComp.128
SillyCR.274
Sirius.279
Sirius.541
Siskin.789
Slips.1459
SMS.480
Solar.125
Soupy.1073
SRP.296
Stdemo.820
Tankar.229
Tankar.230
Tankar.235
Tankar.236
Tankar.240
Tankar.409
Tankar.411
Tenerife.1550
Tero.308
Tef.393
Theta.527
Timber.546
Timid.263
Timid.298.B
Timid.309
Tootsie
Trivial.96
TV.720
Undying.703
UKTC.769
VCC.294
VCC.334
VCC.376
VCC.470
VCC.483
VCC.573
VCC.1045
VCL.309
VCL.326
VCL.380.B
VCL.416
VCL.428
VCL.470
VCL.473
VCL.498
VCL.505
VCL.517
VCL.519.B
VCL.524
VCL.541
VCL.559.B
VCL.563
VCL.570.B
VCL.623
VCL.654.B
VCL.657.B
VCL.658
VCL.688
VCL.709
VCL.712
VCL.718
VCL.914
VCL.1077
VCL.1083
VCL.1086
VCL.1148
VCL.1725
VCL.Comp.358
Vegeta.555
Vienna.413
Vienna.625.B
Vienna.432
Vienna.495
Vienna.614
Vienna.751
Vienna.1120
Vienna.BNB.498
Vienna.BNB.M
Vienna.Violator.4365
Virion.245
VLAD
VSP3.493
Walrus.482
Wanderer.403
WMA.451
Xed.2869
YB.300
Year_1992.1731.D
Yosha.440
Youth.991
Zhangfan.1535
The following 158 new viruses are now detected and
identified but cannot yet be removed.
_663
_1099
_2207
_3477
Antiem.2320
Antitron.401
Antitron.527
Attidude.343
Attidude.728
AOS.MaryM.784
AOS.MaryM.786
AOS.MaryM.789
AOS.MaryM.791
AOS.MaryM.794
AOS.MaryM.796
AOS.MaryM.799
AOS.Reaper.613
AOS.Reaper.617
AOS.Reaper.621
AOS.Reaper.625
AOS.Reaper.629
AOS.Reaper.633
AOS.Reaper.637
AOS.Reaper.641
AOS.Reaper.666
Burglar.877
Burglar.1004
Burglar.1029
Burglar.1050
Burglar.1365
BW.337
BW.620
BW.709
CFFL.2560
Eumel.370
Eumel.381.B
Eumel.404
Eumel.406
Eumel.708
Execav.388
Father_Mac.843
FBD.1000
HLLP.3990
HLLP.4999
HLLP.6002
HLLP.Derfnam
Httm.572
IVP.926
IVP.929.A
IVP.929.B
IVP.930
IVP.931.A
IVP.931.B
IVP.932.B
IVP.932.C
IVP.933.A
IVP.933.B
IVP.934
IVP.935.A
IVP.935.B
IVP.936.A
IVP.936.B
IVP.936.C
IVP.938
Jarek.1062
Kelly.779
Kov.1592
Kov.1722
Kov.1785
Kov.1798
Ksv.1144
Moloch
Moonlite.351
Moonlite.355
Moonlite.359
Natas.4744.C
NovaCane.279
NRLG.632
NRLG.634
NRLG.654.B
NRLG.668
NRLG.672
NRLG.680
NRLG.684.B
NRLG.690
NRLG.698
NRLG.696
NRLG.716
NRLG.720
NRLG.726
NRLG.742
NRLG.783
NRLG.794
NRLG.795
NRLG.795.B
NRLG.798
NRLG.805.A
NRLG.805.B
NRLG.808
NRLG.844
NRLG.902
NRLG.935
NRLG.936.A
NRLG.937
NRLG.938
NRLG.943
NRLG.950
NRLG.952
NRLG.954
NRLG.960
NRLG.968.B
NRLG.969
NRLG.971
NRLG.972
NRLG.973
NRLG.976.B
NRLG.982.C
NRLG.985.B
NRLG.986
NRLG.1008
NRLG.1021
NRLG.1024
NRLG.1144
Ornr.1006
Ornr.1024
Pharaoh.859
Plvir.4722
Predator.1449
Predator.1060
Quish.330
Rage.483
Ratboy.564
Readcat.928
RSY
Rubbit.734
Serelinda.337.C
Serre.337.A
Serre.337.B
Sirius.270
Sirius.550
Sirius.554
Skew.411
Suela.1042
TCH.1903
TCH.1912
TCH.1914
Tiny_Family.157
Topper.1024.C
VCC.321
VCC.401
VCC.403
VCC.436.B
VCC.447
VCC.449.B
VCC.594
VCC.620
Vulture.2032
VXT.550
Wework.2588
The following 3 viruses which were identified by earlier
versions can now be removed.
HLLP.NP.4240
HLLP.NP.5984
HLLP.NP.6128
The following viruses have been renamed:
Dupalec -> HLLP.Dupalec
MSJ -> HLLP.15392
Naziphobia.A -> HLLP.NP.6128
Naziphobia.B -> HLLP.NP.5984
Naziphobia.C -> HLLP.NP.4240
Pascal.3072.A -> HLLP.3072.A
Pascal.3072.B -> HLLP.3072.B
AOS.581 -> AOS.MaryR.581
This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.25 is mentioned. Copyright (c) 1996 F-Secure Ltd.