
F-PROT Professional Update Bulletin 3.01


Data Fellows
PL 24, FIN-02231 Espoo, Finland

Anti-Virus-Sales@F-Secure.com
Anti-Virus-Support@F-Secure.com

tel +358 9 859 900
fax +358 9 8599 0599

This material can be freely quoted, when the source, F-PROT Professional Bulletin 3.01, is mentioned.

F-Secure Announces Breakthrough with F-Secure Anti-Virus

F-Secure made three significant announcements at the Virus Bulletin conference on the 2nd of October in San Francisco. An exclusive strategic alliance with the leading anti-virus technology company AVP will greatly increase F-Secure product development resources and shorten time-to-market for new products.

At the same time F-Secure announced two new product groups. The F-Secure Anti-Virus product family is the first to use two top quality scanning engines within the same product, extending the product’s detection rate to theoretical limits. Another industry breakthrough, F-Secure Anti-Virus Macro Control is the first software to detect and eliminate all possible existing or new macro viruses completely, using a revolutionary new concept.

What does this mean to you, our valued F-PROT Professional customer?

In a nutshell, F-PROT development continues exactly as before, but with the benefit of our new architecture.

You, as an existing F-PROT Professional customer, also have the unique option to upgrade to the dual engine F-Secure Anti-Virus product using both the F-PROT and the AVP scanning engines.

As the user interface and all configuration settings remain identical to the current F-PROT, and the F-Secure Anti-Virus installs with the total transparency of a normal F-PROT update, there is no downside to upgrading to F-Secure Anti-Virus.

The F-Secure Anti-Virus products will all ship before the end of the year. Please contact your local F-Secure Anti-Virus distributor for further information. Please also visit our website for more details on the F-Secure Anti-Virus and F-Secure Macro Control products:

http://www.F-Secure.com/solutions/

Strategic alliance extends detection rate to theoretical limits

F-Secure has formed an exclusive strategic alliance with another superior anti-virus technology team: the AVP development team led by Eugene Kaspersky. Together these companies combine the best minds in the anti-virus world, the foundation of the revolutionary new F-Secure Anti-Virus CounterSign™ Technology from Data Fellows.

F-Secure Anti-Virus - the world’s first anti-virus product to use multiple scanning engines

F-Secure's popular F-PROT Professional for Windows can be upgraded to a multi-layered virus protection system performing multiple simultaneous scans with multiple scanning engines, including on-demand and real-time scans, thanks to the ground-breaking CounterSign™ technology invented by F-Secure. This new CounterSign™ technology allows F-Secure Anti-Virus to be the first anti-virus software to combine multiple virus scanning engines into a single framework by using both the F-PROT and AVP anti-virus engines simultaneously.

As operating systems evolve and networks grow more complex, a comprehensive strategy has become necessary to combat the threat of viruses. Using CounterSign™ technology, F-Secure Anti-Virus brings anti-virus products together to work within a common framework. The idea is that what one virus scanner misses, another will find.

F-Secure understands that organizations have invested substantially in anti-virus protection. The F-Secure Anti-Virus installs automatically on top of an existing F-PROT installation and uses all existing settings. Installations are easy to automate even in the largest networks. Future versions of F-Secure Anti-Virus will allow users to combine installed anti-virus products with the F-Secure Anti-Virus framework that is the basis of this new, revolutionary CounterSign™ technology. In addition, F-Secure Anti-Virus will use an advanced heuristic analysis to detect unknown viruses, virtually eliminating the risk of false alarms. To manage the framework’s central point, F-Secure Anti-Virus offers a wealth of network management and distribution features. These include:

  • Installing desktop versions of F-Secure Anti-Virus for multiple platforms from a single workstation automatically.
  • Sending updates to users with a single mouse click.
  • Receiving reports from workstations when a virus is found.
  • Receiving copies of infected or suspected files from workstations automatically.

F-Secure is offering related products under the F-Secure Anti-Virus umbrella. One program, F-Secure Anti-Virus for Firewalls, scans and removes viruses before they have any chance to enter a network. This product is OPSEC compliant with seamless integration achieved via CVP (Content Vectoring Protocol). Coupled with F-Secure Network Management, it is the ideal solution for Internet-borne viruses. Another program, F-Secure Anti-Virus E-Mail Gateway, delivers e-mail anti-virus protection to stop viruses at the gateway. And finally, F-Secure Anti-Virus Macro Control checks for certified and approved macros within organizations.

F-Secure Macro Control finally solves the macro virus problem

While anti-virus products have traditionally scanned documents for macros by looking only for known viral code, F-Secure Macro Control radically changes the rules. As the number of macro viruses keeps growing, it is far easier to track trusted macros. A typical organization has a finite number of macros which relate to its business. These are easy to certify, as the persons responsible for writing in-house macros can readily identify the approved corporate ones, and these macros are unlikely to change once they have been deployed throughout the organization. Instead of detecting viruses, F-Secure Anti-Virus Macro Control works on a simple principle: if a macro is present in a document, then it must be certified. This eliminates the possibility of new macros, and therefore new macro viruses, entering an organization. It works much like a corporate security system which only admits employees who carry a security badge.

Let's examine how F-Secure Anti-Virus Macro Control works.

  • A virus enters the user's system through the corporate e-mail system.
  • It is then checked by the real-time protection module of F-Secure Anti-Virus Macro Control.
  • If a macro is found, it is checked against a series of database entries.
  • First, it is checked against the infected database. If a match is found, the user is warned about the infected document and offered the option to disinfect it.
  • Then it is checked against the "certified" database.
  • Finally, it is checked against the known or "approved" database. This database contains vendor-specific and trusted macros.
  • If a match is found in one of the two known "safe" macro databases, the user is allowed to open the document with all macros intact. No messages are shown to the user.
  • If no match is found, the user is only allowed to open the document after the unknown macros have been removed.
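The check order above is a default-deny allow list: a macro that matches nothing is removed, not flagged. The following Python program is an added example written for this bulletin, not F-Secure's Macro Control code. It assumes a macro's identity is the hash of its source text (line endings normalised, nothing else), and the three databases, the four sample documents and the macro texts in it are constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"        # document carries no macros
    INFECTED = "infected"  # a known-bad macro matched: warn, offer disinfection
    ALLOWED = "allowed"    # every macro is certified or approved: open silently
    STRIPPED = "stripped"  # unknown macros removed before the document opens


def macro_id(source: str) -> str:
    """Identity of a macro: SHA-256 of its source with line endings normalised.
    Any other change, even one character, produces a new, uncertified macro."""
    return hashlib.sha256(source.replace("\r\n", "\n").encode("utf-8")).hexdigest()


def check_document(macros, infected_db, certified_db, approved_db):
    """Apply the bulletin's check order to every macro in a document:
    infected database, then the organisation's certified macros, then
    vendor-approved macros. Returns (verdict, names kept, per-macro result)."""
    decisions, keep = {}, []
    for name, source in macros.items():
        mid = macro_id(source)
        if mid in infected_db:
            decisions[name] = "infected: " + infected_db[mid]
        elif mid in certified_db:
            decisions[name] = "certified"
            keep.append(name)
        elif mid in approved_db:
            decisions[name] = "approved"
            keep.append(name)
        else:
            decisions[name] = "unknown: removed"   # default deny

    if not macros:
        return Verdict.CLEAN, keep, decisions
    if any(d.startswith("infected") for d in decisions.values()):
        return Verdict.INFECTED, keep, decisions      # keep = what disinfection leaves
    if len(keep) == len(macros):
        return Verdict.ALLOWED, keep, decisions
    return Verdict.STRIPPED, keep, decisions


# --- constructed sample data (assumed names; not real macros or real databases)
CORP_AUTOOPEN = "Sub MAIN\n' constructed: opens the expense template\nFileOpen \"EXPENSE.DOT\"\nEnd Sub\n"
VENDOR_MACRO = "Sub MAIN\n' constructed: stands in for a vendor-shipped macro\nEnd Sub\n"
BAD_MACRO = "Sub MAIN\n' constructed: stands in for a known macro virus body\nEnd Sub\n"

INFECTED_DB = {macro_id(BAD_MACRO): "constructed sample virus"}
CERTIFIED_DB = {macro_id(CORP_AUTOOPEN)}
APPROVED_DB = {macro_id(VENDOR_MACRO)}


def demo():
    """Run four constructed documents through the check."""
    docs = {
        "no_macros": {},
        # a CRLF copy of a certified macro still matches
        "corporate": {"AutoOpen": CORP_AUTOOPEN.replace("\n", "\r\n"),
                      "VendorTool": VENDOR_MACRO},
        # one edited word: no longer certified, so it is stripped
        "tampered": {"AutoOpen": CORP_AUTOOPEN.replace("EXPENSE", "PAYROLL")},
        "infected": {"AutoOpen": CORP_AUTOOPEN, "AutoClose": BAD_MACRO},
    }
    return {name: check_document(m, INFECTED_DB, CERTIFIED_DB, APPROVED_DB)
            for name, m in docs.items()}


if __name__ == "__main__":
    for name, (verdict, kept, why) in demo().items():
        print(f"{name:10s} {verdict.value:9s} keep={kept} {why}")
```

The "tampered" document is the point of the design: a certified macro with a single word changed is not a known virus, so a signature scanner passes it, but it is no longer the certified macro either, so the allow list removes it before the document opens.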

At F-Secure, we have built our organization on solving problems around data security around the world. With these new product launches we can do it better than ever before.

F-Secure Ltd Is Moving

Our company grew out of its present Helsinki area facilities, which is why we will be moving to new offices on the 20th of October.

New Mailing Address

PL 24
FIN-02231 Espoo
Finland

New Point-of-Visit Address

Pyyntitie 7
FIN-02230 Espoo
Finland

New Telephone Switchboard

+358 9 859 900

New Fax Number

+358 9 8599 0599

New Number for F-PROT Technical Support

+358 9 8599 0544

New Fax Number for F-PROT Technical Support

+358 9 8599 0744

The Global Virus Situation

Crew.2480

The Crew.2480 virus was first discovered in 1988. It had apparently been created as early as 1987, which would make it one of the first file viruses: the very first PC virus, Brain, was discovered only a year earlier.

Crew has managed to spread quite far. Its heyday was at the beginning of the 90s.

In spite of the fact that the Crew virus is now in its tenth year, it is still going strong. This was proven when a report of a Crew.2480.A infection was received from Finland this spring.

It is hard to imagine that any program written in 1987 could still be functional and not completely obsolete. However, this simple computer virus has managed to remain functional, and apparently even retained a degree of effectiveness.

Crew.2480 is a simple COM file infector. When an infected program is executed, the virus sometimes displays the following message on the screen:

This program is cracked by

Notice this: TS ain’t smart at all.

Distribution since 11-06-1987 (or 06-11-1987)

Press any key

There are several variants of this virus, and the message varies depending on the variant. In addition to the message, the text ‘European Cracking Crew’, implemented with character graphics, is also displayed on the screen.

Note that this virus has nothing to do with the "Join The Crew" hoax message.

Spanska.4250

Spanska.4250 (also known as Elvira or SpanskaII) is a complex and difficult PC virus which was spread over the Internet in binary postings to several newsgroups during September 1997. These postings were addressed at least to the groups alt.sex, alt.binaries.pictures and alt.cracks.

Hundreds of thousands of people follow these newsgroups. Infections have been reported in the USA, Australia, Asia, Africa and Europe.

Spanska.4250 is a stealth virus which infects COM and EXE files. While the virus is resident, the changes in file sizes are not visible to the end user. Spanska.4250 is a DOS virus, but it is also able to spread in DOS boxes under Windows 3.x and Windows 95.

The virus is polymorphic, but its polymorphic engine is limited. However, the virus makes up for this by using several tricks in its decryptor to avoid detection by most (but not all) of the heuristic analyzers. The main virus body has an anti-heuristic structure as well.

Spanska.4250 does not infect files which start with the letters:

TB (TBSCAN)
VI (VIRUSAFE)
AV (AVAST, AVP)
NA (NAV)
VS (VSHIELD)
FI (FINDVIRU)
F- (F-PROT)
FV (FINDVIRU)
IV (INVIRCIBLE)
DR (DRWEB)
SC (SCAN)
GU (GUARD)
CO (COMMAND.COM)

The virus disables its stealth routine when a file starting with one of the following letter combinations is executed:

PK (PKZIP)
AR (ARJ)
RA (RAR)
LH (LHA)
BA (BACKUP)

Spanska does not infect the file COMMAND.COM, or any other COM file which is either smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediately infects the \WINDOWS\WIN.COM file.

If an infected file is executed when the system clock's minutes value is 30 and the seconds value is 16 or less, Spanska.4250 activates. Upon activation, the virus displays a scrolling message, similar to the text at the beginning of the movie 'Star Wars'.

The message may have one of the following three contents:

ELVIRA !

Black and White Girl

from Paris

You make me feel alive.

ELVIRA !

Pars. Reviens. Respire.

Puis repars.

J’aime ton mouvement.

ELVIRA !

Bruja con ojos verdes

eres un grito de vida,

un canto de libertad.

The first version of the Spanska virus, Spanska.1120, was discussed in more detail in F-PROT Update Bulletin 2.16.

Spanska is a good example of a virus which would never have been able to go 'wild' had it not been spread deliberately over the Internet.

Baboon

Baboon is a boot sector virus which contains certain special functions.

Baboon infects the boot sectors of diskettes and MBRs (Master Boot Records) of hard disks.

Baboon does not save the original boot sector or MBR anywhere. Instead, the virus searches the partition table in the MBR for the active partition, reads that partition's boot sector and gives control to it. This way it retains the general functionality of the MBR code.

When a PC is booted from an infected diskette, the virus will likewise read the active boot sector on the hard drive and give control to it. No error messages like "non-system disk" will be displayed, and the PC will proceed to boot directly from the hard disk.

Baboon activates both randomly and on the 11th of September. At this time, it overwrites the MBR of the hard drive and the first 9 sectors of the active partition. As a result, the PC will not boot.

Baboon was reported to be in the wild in September 1997, but the virus does not seem to be especially common. When the virus activates, it also overwrites its own code, thus limiting its own spreading.
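Baboon's trick of chaining to the active partition instead of keeping a copy of the original MBR is just a partition-table lookup, and the same lookup is what you do when checking whether a disk's boot chain is intact after a suspected boot sector infection. The Python program below is an added example written for this bulletin, not F-Secure code. It builds a constructed 512-byte MBR (inert boot code, a FAT16 entry and an extended entry, both made up), parses the four 16-byte entries at offset 0x1BE, and reports which boot sector an MBR-chaining virus would hand control to. A sector without the 55 AA signature, or a table with no or several active entries, fails the check.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE   # bytes 55 AA close the sector
ACTIVE_FLAG = 0x80
ENTRY_FMT = "<BBBBBBBBII"  # flag, CHS start (3), type, CHS end (3), LBA start, sector count


def parse_partition_table(mbr: bytes):
    """Return the four partition entries of an MBR sector as dicts.
    Raises ValueError if the sector is not a plausible MBR at all."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA missing")
    entries = []
    for i in range(4):
        flag, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "flag": flag, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def active_boot_sector(mbr: bytes):
    """LBA of the boot sector an MBR-chaining virus would pass control to:
    the start of the one partition whose boot flag is 0x80. Returns None
    when the table is unusable (an illegal flag, or not exactly one active
    non-empty entry), which is the state a destructive payload leaves behind."""
    entries = parse_partition_table(mbr)
    if any(e["flag"] not in (0x00, ACTIVE_FLAG) for e in entries):
        return None
    active = [e for e in entries if e["flag"] == ACTIVE_FLAG and e["type"] != 0]
    if len(active) != 1:
        return None
    return active[0]["lba_start"]


def boot_chain_status(mbr: bytes) -> str:
    """Human-readable summary suitable for a disk integrity report."""
    try:
        lba = active_boot_sector(mbr)
    except ValueError as exc:
        return f"not a valid MBR ({exc})"
    if lba is None:
        return "no usable active partition: BIOS would report no bootable disk"
    return f"chains to boot sector at LBA {lba}"


def build_mbr(partitions):
    """Construct a sample MBR: inert boot code (a jmp $ loop), the given
    (flag, type, lba_start, sectors) entries, and the 55 AA signature.
    CHS fields are left zero; this parser, like modern loaders, uses LBA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xeb\xfe"
    for i, (flag, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         flag, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


def sample_mbr() -> bytes:
    """Constructed disk: active FAT16 partition at LBA 63, extended partition after it."""
    return build_mbr([(ACTIVE_FLAG, 0x06, 63, 1_000_000), (0x00, 0x05, 1_000_063, 500_000)])


def wiped_mbr() -> bytes:
    """Constructed: the first sector after it has been overwritten with zeros."""
    return bytes(SECTOR_SIZE)


if __name__ == "__main__":
    print("intact:", boot_chain_status(sample_mbr()))
    print("wiped: ", boot_chain_status(wiped_mbr()))
    print("two active:", boot_chain_status(
        build_mbr([(ACTIVE_FLAG, 0x06, 63, 10), (ACTIVE_FLAG, 0x06, 100, 10)])))
```

Because Baboon keeps no copy of the original MBR, disinfection cannot restore the original boot code from the virus itself; a clean copy of the first sector saved before infection, or generic code such as that written by FDISK /MBR, is what a repair has to fall back on, and the partition table must be checked separately as above.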

Cabanas

The Cabanas virus is designed for 32-bit Windows systems. It can function in Windows 3.x extended with Win32s, Windows 95, Windows NT Server and Windows NT Workstation. It is, therefore, the second known virus which can spread in Windows NT environments and infect the 32-bit NT program files (the first such virus was Jacky, which was discovered during the summer of 1997).

When a file infected by the Cabanas virus is executed, the virus hunts up a couple of EXE files and infects them. After this, it tries to go resident in memory. However, in the Windows NT environment this is possible only if the user has administrator privileges. If the virus manages to slip into memory, it will infect all EXE files that are executed on the computer. Cabanas also incorporates certain stealth characteristics; the changes in the sizes of infected files will not be visible as long as the virus remains in memory.

In spite of Cabanas’ wide variety of functionalities, the virus is only 3500 bytes in size. However, Cabanas does not function very well - among other things, it prevents an infected computer from being booted. Therefore, Cabanas cannot really spread very far, even in theory. The virus does not attempt to do anything else besides spreading.

The author of the Cabanas virus is apparently the same person who created the common WordMacro/CAP macro virus. The author’s real name and whereabouts remain unknown.

The Cabanas virus hasn’t been discovered in the wild, nor is that likely to happen as long as the virus remains in its present form. The only known copies of the virus are test samples spread by its author.

The Situation with Word Macro Viruses

The number of Word macro viruses continues to grow - at the time this was written, it was fast approaching 1500. However, F-PROT is updated daily against new macro viruses, and it can detect practically all known viruses at any given time. New update files can be downloaded at your convenience from F-Secure's WWW server. The address is

http://www.F-Secure.com/gallery/

The update file MACRO.DEF contains routines for detecting and disinfecting macro viruses. The file is updated approximately once a day. While you are visiting our server, you can also download the free GETMAC system, which can be used to automate daily updates to all the computers in even a large organization.

WordMacro/Pesan

WordMacro/Pesan.A is a simple Word Macro virus. It activates every five minutes and displays one of the following messages:

MicroSoft Warning!!!

You are about Formatting Hardisk, Are you sure?

FORMAT WARNING !!!

You have just activate the format.exe trigger,

all command will FORMAT your hardisk

SYSTEM DAMAGE WARNING !!!

System detected ‘Bandung.d_t’ VIRUS, all system will be

Damage Permanently !!! May God Have Mercy On you ....!!!

Otherwise Pesan.A only spreads itself. The virus does not destroy any data.

WordMacro/Pesan.B is a later variant which contains a destructive activation routine. The virus does not display any messages, but it attempts to delete the following files:

c:\dos\chkdsk.exe
c:\dos\format.com
c:\dos\defrag.exe
c:\dos\scandisk.exe
c:\msdos\chkdsk.exe
c:\msdos\format.com
c:\msdos\defrag.exe
c:\msdos\scandisk.exe

After deleting a file, Pesan.B creates a BAT file with the same base name (for example FORMAT.BAT in place of FORMAT.COM). Because DOS resolves a bare command name to a .COM file first, then a .EXE, and finally a .BAT, the batch file now runs whenever the user types the utility's name; it executes the DELTREE command and deletes all files from drive C:.

The activation routine fails if the hard disk's directory tree contains neither a 'C:\DOS' nor a 'C:\MSDOS' directory (most Windows 95 and NT systems do not have such directories).
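The leftover of this payload is easy to look for after the fact: a utility that should be in C:\DOS or C:\MSDOS is missing and a batch file with the same base name has taken its place. The Python program below is an added example written for this bulletin, not F-Secure code. It scans a directory listing for exactly that pattern; the listing, the paths and the batch file contents are constructed.

```python
# Utilities Pesan.B targets, per the bulletin, and the directories it looks in.
TARGETS = ["CHKDSK.EXE", "FORMAT.COM", "DEFRAG.EXE", "SCANDISK.EXE"]
DOS_DIRS = ["C:\\DOS", "C:\\MSDOS"]


def pesan_b_indicators(listing):
    """listing: mapping of full path -> file content (str), standing in for a
    directory walk. Reports each target utility whose .COM/.EXE is missing
    while a .BAT with the same base name exists in the same directory, which
    is the state Pesan.B's activation routine leaves behind. Because DOS
    resolves a command name as .COM, then .EXE, then .BAT, such a BAT file
    runs whenever the user types the utility's name."""
    fs = {path.upper(): content for path, content in listing.items()}
    findings = []
    for directory in DOS_DIRS:
        for target in TARGETS:
            stem = target.rsplit(".", 1)[0]
            real = f"{directory}\\{target}"
            shadow = f"{directory}\\{stem}.BAT"
            if shadow in fs and real not in fs:
                findings.append({
                    "missing": real,
                    "shadow": shadow,
                    "runs_deltree": "DELTREE" in fs[shadow].upper(),
                })
    return findings


def sample_listing():
    """Constructed C:\\DOS after a Pesan.B activation: FORMAT.COM and
    SCANDISK.EXE are gone and BAT files have been dropped in their place."""
    return {
        "C:\\DOS\\CHKDSK.EXE": "<binary>",
        "C:\\DOS\\DEFRAG.EXE": "<binary>",
        "C:\\DOS\\EDIT.COM": "<binary>",
        "C:\\DOS\\FORMAT.BAT": "@echo off\r\nDELTREE /Y C:\\*.*\r\n",
        "C:\\DOS\\SCANDISK.BAT": "@echo off\r\ndeltree /y c:\\*.*\r\n",
    }


if __name__ == "__main__":
    for f in pesan_b_indicators(sample_listing()):
        print(f"{f['missing']} missing; {f['shadow']} shadows it"
              f" (DELTREE inside: {f['runs_deltree']})")
```

A BAT file sitting next to an intact .COM or .EXE is not reported, because the real program still wins the name resolution; the danger only starts once the original has been deleted.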

WordMacro/Demon

The WordMacro/Demon.A virus consists of three macros. The virus does not contain any destructive activation routines, but it may cause some incompatibility problems. The virus stores some of its own settings in WIN.INI.

The virus contains a routine with which the author of the virus can easily check whether a machine is infected or not. If the words "Dark Master calling" are written in Word, and they are selected with the mouse, the virus will show the following message on the screen:

The WordMacro/Demon macro virus was reported in the wild during the summer of 1997.

Hoaxes

In recent months, we have seen especially many messages about the old Penpal Greetings and Join the Crew hoax alarms. This time around, there have been attempts to give the hoaxes credibility by claiming that the alarms have been sent by IBM, Microsoft or some other such party.

If these message chains are followed back, it can be seen that a warning has, indeed, passed through Microsoft or a comparable company. However, it should also be noted that the warning hasn't been sent by the company's security division, but by the janitor's holiday stand-in or some other such notable personage. Irrespective of that, the sender's e-mail address reads name@microsoft.com, and this is often enough to give an old hoax completely new gravity.

To sum it up: Penpal Greetings and Join the Crew are not viruses, but widely spread hoaxes. Do not spread them further. Note also that the Join the Crew hoax has nothing to do with the Crew virus.

Common Questions and Answers

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You may also contact F-Secure directly at the number +358 9 859 900.

Written questions can be mailed to:

F-Secure Ltd.
Anti-Virus Support
PL 24
FIN-02231 Espoo
Finland

Questions may be sent by electronic mail to:
Anti-Virus-Support@F-Secure.com

What is the difference between F-PROT’s Windows NT Workstation and Windows NT Server versions?

First of all, the Server version has been optimized for server usage and is better suited for the heavy use NT Servers are often subject to.

An important difference can be found in the background protection driver, F-PROT Gatekeeper. The Gatekeeper part of the Workstation version will only scan files that are accessed locally (i.e. by the user who is holding the machine’s keyboard).

The Gatekeeper in the Server version will do this and it will also scan files that are accessed from other machines - for example, by users who have mounted a server disk in their own machine.

Can I install the NT Workstation version of F-PROT in an NT Server? Or, on the other hand, can I install the NT Server version in an NT Workstation?

Both installations are possible. Do notice, though, that the programs have separate licenses, and that the NT Server version is considerably more expensive.

If you install the Workstation version in a Server, bear in mind that it will not prevent users from copying viruses to the server. Also notice that the Server version does not guarantee that the local hard drives of the workstations are clean - it only protects the server. You’ll need to install F-PROT to workstations as well.

I just received the latest F-PROT update but it was on CD and I don't have a CD drive! What should I do?

Fill in the card that was included in the shipment and mail it to us. In the future, we will send you updates either on diskettes or via Internet.

Changes in F-PROT Professional Version 3.01

Changes in F-PROT for DOS

There are no changes except the new viruses that have been added.

Changes in F-PROT for Windows

  • The MACRO.DEF creation date is now shown on scan reports.
  • The RTF extension has been added to the scanning extensions for document files; it will be added automatically to existing installations.
  • F-PROT's code has been changed in a number of places to prevent toolbar corruption.
  • Accented characters (non-English versions) are now displayed in the virus help dialog even when the source texts are taken from program resources instead of from the virus help file.
  • The "Show task settings on lower pane" setting can now be enabled without a general protection fault in the 32-bit version of F-PROT 3.0, and with the right menu types in the 16-bit version.
  • When a Scan Folder or Scan File task is started from the Program Manager or Explorer and then cancelled by clicking Cancel in the directory/file selection dialog, F-PROT no longer remains hidden but stays active, so it is possible to exit F-PROT or start a new scan.
  • Disinfecting files owned by another user no longer causes problems when scanning files on Unix-mounted drives.
  • F-PROT no longer causes a GPF in a Windows language DLL (LANGSPA.DLL, LANGSCA.DLL).
  • Localized versions (e.g. Finnish) no longer cause a GPF when certain Dead babe-infected files are scanned.
  • Office 97 documents (Word or Excel) no longer cause a "Stack Overflow" error.
  • The TimeLock feature is temporarily disabled in the normal shipping version because of configuration files in write-protected directories.


Changes in F-PROT for Windows NT

  • A bug that caused a general protection fault (GPF) during the F-PROT Gatekeeper installation has been corrected.
  • If the file F-PROTW.CFG contains no setting for the extensions of executable or document files (Scanning preferences), F-PROT now uses the proper default settings. This makes it possible for users of F-PROT for NT to upgrade from version 2.25 or earlier (i.e. using the Update installation method of Setup) without losing the detection of macro viruses by NT Gatekeeper.
  • The settings of a task (such as "Scan A:") can be modified even when there is no diskette in the target drive, without an error message stating that the drive is not ready.
  • Because NT 3.50 lacks the common controls (they were first introduced in 3.51), F-PROT did not start at all under NT 3.50; instead, an "ImageList_ReplaceIcon" error in COMCTL32.DLL was reported. This has been corrected: the present version of F-PROT starts with the old-style task list under 3.50.
  • When F-Agent (95 and NT) is started, it executes the programs specified in the FPW-PREF.INI ExecuteX entries.
  • The main program (95 and NT) now passes the version number of the scanning engine to the splash DLL.
  • The number of scanned boot sectors is now shown in reports (95 and NT).


Changes in F-PROT for Windows 3.x

The scan engine version letter is now properly displayed in F-PROT Gatekeeper splash screen.

Changes in F-PROT for Windows 95

  • The boot sector reading routine now supports 3-mode (1.25MB) diskette drives used in Japan.
  • The Finnish language On-line Help is now functional.
  • When a scheduled task started by F-Agent finds a virus, it now displays the scan progress dialog at the end of the scan (and the report window as well, if the user clicked the Report button).
  • After the progress dialog or report window is closed, the main F-PROT window is opened at its previous position instead of being minimized to the task bar.
  • F-PROT Gatekeeper now scans files whose names contain double byte characters (DBCS).
  • The start-up splash screen display has been corrected.
  • When scanning inside archives, F-PROT will pass the file extensions to the scanner. If the task setting is to scan executables and document files only, FPWM 3.0 will scan executables and document files only, even inside archives.
  • When F-Agent (95 and NT) is started, it executes the programs specified in the FPW-PREF.INI ExecuteX entries.
  • The main program (95 and NT) will now pass the version number of the scanning engine to the splash DLL.
  • The number of scanned boot sectors is now shown in reports (95 and NT).

Changes in AutoInstaller

  • Autow32 will prompt the user to restart NT if F-PROT Gatekeeper has been updated. The prompt can be disabled by setting the [Gatekeeper] NoRebootMessageAfterNTGKUpdate= setting to a non-zero value.
  • A generic program group creation feature has been added, making it possible to create a program icon (shortcut) to any program, not only F-PROT.

New Viruses Detected by F-PROT

This version adds detection and disinfection of 325 new file and boot viruses and 300 new macro viruses.