
F-PROT Professional Update Bulletin 2.26

Editorial

NT - New Technology

F-Secure releases real-time virus scanning for both NT Workstation and NT Server. Windows NT is quickly becoming the default operating system used by enterprises on both servers and workstations. The security features of NT are significantly more advanced than those of ordinary Windows systems, but NT computers are also more complicated to manage. F-Secure is keeping up with this trend: we have invested heavily in NT development in both our virus protection and our encryption products.

This version of F-PROT adds real-time virus protection for the NT environment: F-PROT Gatekeeper for Windows NT. Windows NT 3.50, 3.51 and 4.0 are supported. To guarantee the highest degree of reliability and performance, the NT version of Gatekeeper is implemented as a low-level file system driver (FSD). Because the driver sits in the file system path, the server version of F-PROT NT can check files even when a workstation accesses them over the network. The workstation version is shipped to all registered NT users; please ask our sales department about the server version.

In the new NT version of the program, F-Agent has also been changed to a Service program. That way, it can run scheduled virus checks even when no one is logged into the computer.

You can expect other significant innovations in the F-PROT product family as well. These will include, for instance, support for automatic SMS installations and SNMP-based reporting over LANs and WANs.

The Global Virus Situation

The Word Macro Virus Situation

Microsoft released Office 97 in February 1997. Compared to Word 6 or 7, it has improved anti-virus capabilities, but it is still not foolproof. The number of Word macro viruses continues to increase, and at the time this was written it was already over 300 (February 1997).

ShareFun - a mix of macro virus and a chain letter

WordMacro/ShareFun is a Word macro virus, loosely based on WordMacro/Wazzu. The only noteworthy thing about it is that it attempts to spread over e-mail attachments. Every time an infected file is opened, there is a 1/4 chance that the virus will activate.

If Microsoft Mail is running, the virus attempts to send e-mail messages to three random people listed in the local MS Mail alias list. The subject of these messages is:

You have GOT to see this!

The messages contain no text, only a file attachment called DOC1.DOC which is infected by the virus. The document itself is the document that the user happened to have open when the virus activated.

If the recipient double-clicks on the attachment, his or her computer will get infected by the virus. The virus then spreads further using the MS Mail installation on that computer. ShareFun can thus be considered a mix of a macro virus and an automatic chain letter.

Do notice that this is not an "e-mail virus". You do not get infected just by reading e-mail - you need to actively use an attachment file, and you should therefore always use attachment files with caution.

ShareFun also has code to protect itself. If a user tries to analyze a sample of the virus via Tools/Macro or File/Templates menus, the virus will execute and infect the NORMAL.DOT template.

ShareFun was found in the wild in USA, in February 1997.

F-PROT 2.26 detects and disinfects the WordMacro/ShareFun.A virus. F-PROT Gatekeeper will deny access to the attachment files sent by the virus and therefore stop the virus before it has a chance to spread.
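
The propagation pattern described above (fixed subject line, empty body, a single DOC1.DOC attachment) is easy to match at the mail gateway. The following is an added example, not F-PROT code and not part of the bulletin: it parses a message with Python's standard email library and reports which ShareFun indicators are present. The sample message and the "two indicators" threshold are constructed for the demonstration.

```python
"""Flag mail messages that match the ShareFun propagation pattern.

Added example, not F-PROT code. Indicators come from the bulletin:
subject 'You have GOT to see this!', no message text, and a single
attachment named DOC1.DOC. The sample message below is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

SHAREFUN_SUBJECT = "you have got to see this!"
SHAREFUN_ATTACHMENT = "doc1.doc"


def sharefun_indicators(raw: bytes) -> list[str]:
    """Return the ShareFun indicators found in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject") or "").strip().lower()
    if subject == SHAREFUN_SUBJECT:
        hits.append("subject matches")

    # The virus sends no text at all, only the attachment.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""

    attachments = list(msg.iter_attachments())
    names = [(p.get_filename() or "").lower() for p in attachments]
    if len(attachments) == 1 and names[0] == SHAREFUN_ATTACHMENT:
        hits.append("single DOC1.DOC attachment")
    if attachments and not text:
        hits.append("attachment with empty body")
    return hits


def is_sharefun_like(raw: bytes) -> bool:
    """Threshold (an assumption): two or more indicators is a hit."""
    return len(sharefun_indicators(raw)) >= 2


def build_sample() -> bytes:
    """Constructed sample mimicking what an infected MS Mail client sends."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "You have GOT to see this!"
    msg.set_content("")
    # Fake OLE2 header bytes followed by padding; not a real Word document.
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 32,
                       maintype="application", subtype="msword",
                       filename="DOC1.DOC")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    print(sharefun_indicators(sample), is_sharefun_like(sample))
```

A real gateway rule would be looser on the subject (case, punctuation) and stricter on the attachment (inspect it for macros rather than trusting the name); the point here is that the bulletin's own description gives enough structure to block the message before any user double-clicks it.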

WordMacro/Kompu

WordMacro/Kompu is the first Word macro virus written in Estonia (a small country that regained its independence from the Soviet Union in 1991).

WordMacro/Kompu was found in Estonia in December 1996. It spreads when an infected DOC file is opened in Word. After that, all other documents are infected when they are opened or closed.

The virus activates on the 6th or 8th of any month. If a document is opened on one of these dates, the virus displays a dialog box with the title "Mul on paha tuju!" and the demand "Tahan kommi!".

These texts are in Estonian and mean "I'm in a bad mood" and "I want candy". The virus will not let the user continue working until the word 'komm' (candy) is typed into the dialog. After this, the virus changes the Word status bar text to read:

Namm-Namm-Namm-Namm-Amps-Amps-Klomps-Kraak!

WordMacro/Kompu has been reported in several countries in northern Europe.

WordMacro/Showoff

WordMacro/Showoff was found in USA at the end of 1996. It has since become common all over the world. The virus is also known as SHOWOFXX.

Showoff consists of three encrypted macros: AUTOOPEN, CFXX and SHOW. It infects documents whenever they are opened or closed.

Showoff contains code to display messages like:

ra ono we, U can delete this mess later

The virus does not contain any directly harmful code.

After Concept and Wazzu, WordMacro/Showoff.B has been one of the most frequently reported macro viruses in Europe.

Latest Hoax: NaughtyRobot

This is not a virus but a widespread hoax. Somebody has been distributing e-mail messages like the one below on the Internet. The messages are possibly generated by an automatic e-mail robot. The sender address is forged, and it is usually the e-mail address of the recipient.


Subject: EMERGENCY - security breached by NaughtyRobot

This message was sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.

NaughtyRobot exploits a security bug in HTTP and has visited your host system to collect personal, private, and sensitive information.

It has captured your Email and physical addresses, as well as your phone and credit card numbers. To protect yourself against the misuse of this information, do the following:


  1. alert your server SysOp,

  2. contact your local police,

  3. disconnect your telephone, and

  4. report your credit cards as lost.

Act at once. Remember: only YOU can prevent DATA fires. This has been a public service announcement from the makers of NaughtyRobot -- CarJacking its way onto the Information SuperHighway.

Ignore the message - this is just a hoax.

The Cruel Virus Shipped on CD-ROM Driver Floppies

A virus called Cruel has been shipped internationally on the driver diskettes of Maverick 12X CD-ROM drives by Optics Storage.

Have you seen this floppy? If so, check your system.

Cruel is a boot sector virus originating from Hungary. Unlike most other boot sector infectors, it overwrites the DOS boot sector instead of relocating it. Upon activation, the virus occasionally corrupts the CMOS setup information. This can cause the loss of hard drive settings or even turn on the BIOS password protection with a random password.

The virus is able to spread from the driver diskettes only if the computer is booted with the diskette in drive A:.

Optics Storage from Singapore is aware of this incident, and has made sure the current master diskettes are clean.

F-PROT detects several different Cruel variants, including this one.

Linux Viruses Are Here

Roughly two years after Linux-specific viruses were predicted, the first real-world samples have been found. Two functional Linux viruses have been discovered. Although these are not yet a cause for concern for the average Unix administrator, they do remind us to watch carefully over our systems, regardless of the operating system.

Linux/Staog

This virus spreads only under the Linux operating system, infecting ELF executables. Found in the fall of 1996, Staog is the first known Linux virus.

Staog is written in assembler. It attempts to stay resident and to infect binaries as they are executed by any user. To gain root privileges it tries three known local vulnerabilities: a buffer overflow in mount, a buffer overflow in tip, and a suidperl bug. The strings below show the goal of the escalation: a chmod 666 /dev/kmem, after which kernel memory is writable by any user.

Staog contains several text strings, including:

Staog by Quantum / VLAD

/dev/kmemx/etc/mtab~

/sbin/mount

/tmp/t.dip

/bin/sh

/sbin/dip /tmp/t.dip

chatkey

/tmp/hs

#!/bin/sh\nchmod 666 /dev/kmem\n/tmp/hs

#!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\";

\n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n

VLAD is an Australian virus group which has also written the first Windows 95 virus, Boza.

At the time this was written, Staog was not known to be in the wild (February 1997).

Linux/Bliss

This virus spreads only under the Linux operating system, infecting ELF executables. Found in the wild in February 1997, Bliss is the second known Linux virus.

Bliss locates binaries it has write access to and overwrites them with its own code. When an infected file is executed, the original program does not gain control at all. It is nevertheless still possible to clean infected files.

Bliss does not try to gain any additional privileges, but it does have some basic worm-like features: it reads /etc/hosts.equiv to find hosts that already trust the local machine and, as the rsh string below shows, copies itself to them and runs the copy there.
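
Because the worm code only rides on trust that is already configured, the practical check is an audit of the trust file itself. The following is an added example, not part of the bulletin and not F-PROT code: it parses the classic hosts.equiv syntax and reports the entries that would let an rsh from another host run commands without a password. The sample file is constructed.

```python
"""Audit /etc/hosts.equiv entries that rsh-based propagation can use.

Added example, not part of the bulletin or of F-PROT. hosts.equiv syntax:
    host            trust every (non-root) user of host
    host user       trust one user of host
    +               trust every host
    host +          trust every user of host
    -host           explicitly deny host
    @netgroup       trust a netgroup
The constructed sample below contains the classic '+' misconfiguration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrustEntry:
    host: str              # host name with any leading '-' removed
    user: Optional[str]    # user field if present; '+' means any user
    negative: bool         # written as -host: explicit deny
    wildcard: bool         # bare '+': trust every host
    line_no: int


def parse_hosts_equiv(text: str) -> list[TrustEntry]:
    """Parse hosts.equiv text; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append(TrustEntry(host=host.lstrip("-"), user=user,
                                  negative=host.startswith("-"),
                                  wildcard=host == "+", line_no=n))
    return entries


def risky_entries(entries: list[TrustEntry]) -> list[tuple[int, str]]:
    """Entries a worm could ride: any wildcard, or trust of a whole host
    (every account there becomes a password-less login path)."""
    out = []
    for e in entries:
        if e.negative:
            continue
        if e.wildcard or e.user == "+":
            out.append((e.line_no,
                        f"wildcard trust: {e.host} {e.user or ''}".rstrip()))
        elif e.user is None and not e.host.startswith("@"):
            out.append((e.line_no, f"host-wide trust: {e.host}"))
    return out


# Constructed sample; line 2 is the classic 'trust everyone' mistake.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv (constructed sample)
+
fileserver.example.com
ws12.example.com eel
-badhost.example.com
@lab
"""


def audit(text: str = SAMPLE_HOSTS_EQUIV) -> list[tuple[int, str]]:
    return risky_entries(parse_hosts_equiv(text))


if __name__ == "__main__":
    for line_no, why in audit():
        print(f"line {line_no}: {why}")
```

The same parser applies to per-user ~/.rhosts files, which rsh consults as well; a single '+' in either file is enough for the rsh command quoted below to succeed on that host.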

Bliss contains several text strings, including:

dedicated to rkd

infected by bliss

skipping, infected with same vers or different type

replacing older version

replacing ourselves with newer version

infect() returning success

successfully (i hope) disinfected

rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s'

doing do_worm_stuff()

/etc/hosts.equiv

Compiled on Sep 28 1996 at 22:24:03

Written by electric eel.

help? hah! read the source!

bliss was run %d sex ago, rep_wait=%d

/usr/spool/news

GCC: (GNU) 2.7.2.l.2

Bliss does contain potentially harmful code, but it is not clear whether that code is ever executed.

Bliss will disinfect itself if an infected binary is executed with the --bliss-disinfect-files-please switch. F-PROT 2.26 detects and disinfects the infected binaries, but because Linux executables have no file extension, F-PROT will only scan them if you include all files in the scan.
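
The extension problem mentioned above applies to any scanner: Linux binaries must be recognised by their ELF magic, not by their name. The following is an added example, not F-PROT's engine: it walks a directory tree, examines only files that begin with the ELF magic, and reports those containing the Staog or Bliss text strings quoted in the two sections above. The sample files are constructed in a temporary directory and are not real binaries.

```python
"""Signature scan of ELF files for the Staog and Bliss strings.

Added example, not F-PROT code. Files are identified as ELF by magic
(\x7fELF) rather than by extension. The marker strings are those quoted
in the bulletin; the sample tree is constructed and contains no real
executables.
"""
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Any one exact string match is treated as a hit for that name.
SIGNATURES = {
    "Linux/Staog": [b"Staog by Quantum / VLAD", b"chmod 666 /dev/kmem"],
    "Linux/Bliss": [b"infected by bliss", b"doing do_worm_stuff()",
                    b"bliss was run %d sex ago"],
}


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def match_signatures(data: bytes) -> list[str]:
    return [name for name, strings in SIGNATURES.items()
            if any(s in data for s in strings)]


def scan_tree(root) -> dict[str, list[str]]:
    """Map path -> matched names for every ELF file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            # Skip symlinks so a link into /proc or the like is not read.
            if p.is_symlink() or not p.is_file() or not is_elf(p):
                continue
            found = match_signatures(p.read_bytes())
            if found:
                hits[str(p)] = found
    return hits


def build_sample_tree() -> str:
    """Constructed sample: one 'infected' ELF, one clean ELF, one text file
    that contains the marker string but is not an executable."""
    d = tempfile.mkdtemp()
    (Path(d) / "bliss_infected").write_bytes(
        ELF_MAGIC + b"\x00" * 12 + b"infected by bliss\0")
    (Path(d) / "clean").write_bytes(ELF_MAGIC + b"\x00" * 12 + b"hello\0")
    (Path(d) / "notes.txt").write_bytes(
        b"infected by bliss is just text here\n")
    return d


if __name__ == "__main__":
    for path, names in scan_tree(build_sample_tree()).items():
        print(path, names)
```

Plain string matching is what a 1997 scanner could afford; it misses any variant that changes the strings, which is why the bulletin's engine also identifies samples exactly before attempting disinfection.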

HLLP.3263

This virus, which is also known as Gremlin and Weed, was posted to the popular SimTel ftp site in January 1997. After that, it has been reported in the wild several times.

HLLP.3263 overwrites the beginning of the files it infects. It can sometimes be disinfected but often not - F-PROT will not attempt to remove it. Instead, you should delete infected files and reinstall them.

The code of HLLP.3263 has been compressed with LZEXE.

HLLP.3263 contains the text:

WEED - v1.0

Spanska

Spanska was distributed in several Usenet newsgroups on the Internet in January 1997. It is a simple direct-action infector of COM files.

Spanska activates occasionally, displaying this text:

Remember those who died for Madrid

No Pasaran! Virus (c) Spanska 1996

The text is displayed on a screen showing an animation of flames. It refers to a famous speech given by Dolores Ibarruri, a Spanish Republican leader, who used the phrase "No Pasaran" ("They shall not pass") in a radio speech in 1936.

A later 1000-byte variant with minor differences is also known. Its displayed text has been changed to:

Remember those who died for Madrid

No Pasaran! Virus v2 by Spanska 1997

Spanska is a good example of a simple virus that could never have made it 'in the wild' without Internet-wide distribution.

Common Questions and Answers

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact F-Secure directly via phone at +358-9-478 444.

Written questions can be e-mailed to:

F-PROT-Support@F-Secure.com

Or mailed to:

F-Secure Ltd
F-PROT Support
Päiväntaite 8
02210 ESPOO
FINLAND

In my new computer, I have the OSR2 version of Windows 95 with the new FAT32 file system. Will F-PROT work under it?

Yes. However, we recommend that you create DOS-based boot diskettes in some other computer for emergency use. In an OSR2 computer, it is not possible to create a boot diskette which would in itself be sufficient for booting the computer.

I installed the Service Pack 2 (SP2) update in my Windows NT 4.0 computer. I have heard that it may cause problems with anti-virus programs. Is it compatible with the Windows NT version of F-PROT?

Yes. Microsoft has also published several corrections, so-called Hotfix packages, for SP2. You can find out more about them at: www.microsoft.com.

I found a document infected by a macro virus. F-PROT reported the infection as a new version and would not remove it, whereas another product identified it as a normal Concept virus and disinfected it. What’s going on here?

The infection was most probably caused by an altered version of the Concept virus. F-PROT performs exact identification on macro viruses as well: it calculates a 32-bit checksum over the virus code and can therefore detect even slight alterations in its functioning. This way, F-PROT avoids damaging files during disinfection. New, unknown variants can often be disinfected just like the previous versions of the same virus, but this cannot be relied on. When encountering new variants, samples should always be sent to F-PROT support for analysis. Adding the disinfection procedure for a new macro virus variant can usually be done while you wait.
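
The policy in that answer, disinfect only on an exact match and otherwise report, can be shown in a few lines. The following is an added example, not F-PROT's code: the macro bodies, the family marker string and the use of CRC-32 as the 32-bit checksum are all assumptions made for the demonstration (the bulletin does not say which checksum F-PROT uses).

```python
"""Exact identification of a macro body by 32-bit checksum before disinfection.

Added example, not F-PROT code. The reference macro texts and the family
marker are constructed; CRC-32 stands in for whatever 32-bit checksum the
real engine uses.
"""
import zlib

# Constructed reference bodies standing in for two known variants.
REFERENCE_MACROS = {
    "WordMacro/Concept.A":
        b'Sub MAIN\n MacroCopy "AAAZAO", "Global:AAAZAO"\nEnd Sub\n',
    "WordMacro/Concept.B":
        b'Sub MAIN\n MacroCopy "AAAZAO", "Global:AAAZAO"\n Beep\nEnd Sub\n',
}
FAMILY_MARKER = b"AAAZAO"   # generic indicator that the family is present


def macro_checksum(body: bytes) -> int:
    """32-bit checksum over the whole macro body."""
    return zlib.crc32(body) & 0xFFFFFFFF


def build_table(reference: dict[str, bytes]) -> dict[int, str]:
    """Checksum -> variant name, built once from the reference bodies."""
    return {macro_checksum(body): name for name, body in reference.items()}


def identify(body: bytes, table: dict[int, str], marker: bytes):
    """Return (name, exact). exact is True only on a checksum match; a
    marker hit without a checksum match is a possible new variant."""
    name = table.get(macro_checksum(body))
    if name is not None:
        return name, True
    if marker in body:
        return "possibly a new variant (family marker present)", False
    return None, False


def disinfect_decision(body: bytes, table=None, marker=FAMILY_MARKER) -> str:
    """Only an exact identification selects a disinfection routine."""
    table = table if table is not None else build_table(REFERENCE_MACROS)
    name, exact = identify(body, table, marker)
    if exact:
        return f"disinfect with routine for {name}"
    if name:
        return f"report only: {name}; send sample for analysis"
    return "clean"


if __name__ == "__main__":
    original = REFERENCE_MACROS["WordMacro/Concept.A"]
    altered = original.replace(b"Global:AAAZAO", b"Global:AAAZAQ")
    print(disinfect_decision(original))
    print(disinfect_decision(altered))
```

A product that keys its disinfection routine on the family marker alone would run the Concept.A routine on the altered copy; whether that restores the document or destroys it depends on what the author changed, which is the risk the exact-identification step removes.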

Does F-PROT for DOS support the detection and disinfection of macro viruses?

No. The OLE2 engine used by F-PROT requires so much memory that it cannot be used by the DOS version of the program (F-PROT.EXE and VIRSTOP.EXE). F-PROT.EXE has a limited ability to detect some of the most common macro viruses, but we recommend that you always use F-PROT for Windows against macro viruses. An alternative is the program F-MACRO.EXE, which contains the macro virus search engine of F-PROT for Windows compiled into a DOS program.

Known macro viruses spread only under Windows.

Changes in F-PROT Professional Version 2.26

A massive renaming of viruses has taken place in order to make F-PROT conform more closely to the CARO virus naming standard. The list of renamed viruses can be found at the end of this document.

Changes in F-PROT for DOS

The program used to give the false alarm ‘Possibly a new variant of Jerusalem’ about the file ONGUARD.COM. This has now been corrected.

Changes in F-PROT for Windows

Iomega ZIP drives and other similar removable drives were not scanned if a task was set to scan the drive (the scan did work if the task was set to scan the root directory of the drive). The drive did not appear in the list of drives in the Task Settings dialog, either. This has been corrected.

A GPF occurred when a document file in a directory with an "abnormally" long pathname was scanned. An example of such a directory:

c:\This is a Test 1\This is a Test 2\This is a Test 3\This is a Test 4\This is a Test 5\This is a Test 6\This is a Test 7\This is a Test 8\

Note that such a directory cannot be created under DOS, but poses no problem under Windows 95 or Windows NT. This has been corrected.

Support for MACRO.DEF has been added to F-PROT for Windows 3.x, 95 and NT and Gatekeeper 3.1. Gatekeeper 95 and NT will start to support MACRO.DEF in the next released version. Users can now update the macro scan engine very frequently by downloading the latest MACRO.DEF from http://www.F-Secure.com/. Also the DOS-based F-MACRO.EXE program supports it.

Changes in F-PROT for Windows NT

F-PROT for Windows NT now includes the Gatekeeper active protection. You need administrator rights to install it. Gatekeeper is not turned on during default installation.

F-Agent is now running as a Service.

Autoinstaller supports NT Gatekeeper installation. The usual setting applies:

[Gatekeeper]
Enable=

Autoinst and Setup now wait for 5 seconds after terminating F-Agent before starting to copy new files, in order to give DFSAV32.DLL time to unload. This corrects the "unable to copy DFSAV32.DLL" bug.

Autow32 used to create shortcuts (program items) incorrectly under NT 4: no quotes were placed around the executable name. They are now created properly (as under Windows 95).

Support for NT Gatekeeper and NT F-Agent Service installation has been added.

Changes in F-PROT for Windows 3.x

In some configurations (especially when NETDDE.EXE was loaded), a GPF occurred in DFWIN.DLL when the main program was closed. This has been corrected.

The detection problem F-PROT Gatekeeper had when an infected file was opened from Word under certain conditions has been fixed.

Changes in F-PROT for Windows 95

The memory scan of F-PROT Gatekeeper had problems finding viruses. This has been corrected.

F-PROT Gatekeeper 95 did not scan XLS files by default. It does now.

. . .