F-PROT Professional Update Bulletin 3.01
Data Fellows
PL 24, FIN-02231 Espoo, Finland
Anti-Virus-Sales@F-Secure.com
Anti-Virus-Support@F-Secure.com
tel +358 9 859 900
fax +358 9 8599 0599
This material can be freely quoted, when the source, F-PROT Professional Bulletin 3.01, is mentioned.
F-Secure Announces Breakthrough with F-Secure Anti-Virus
F-Secure made three significant announcements at the Virus Bulletin conference on the 2nd of October in San Francisco. An exclusive strategic alliance with the leading anti-virus technology company AVP will greatly increase F-Secure's product development resources and shorten time-to-market for new products.
At the same time F-Secure announced two new product groups. The F-Secure Anti-Virus product family is the first to use two top-quality scanning engines within the same product, extending the product's detection rate to its theoretical limits. Another industry breakthrough, F-Secure Anti-Virus Macro Control, is the first software to detect and eliminate all existing and new macro viruses completely, using a revolutionary new concept.
What does this mean to you, our valued F-PROT Professional customer?
In a nutshell, F-PROT development continues exactly as before, but with the benefit of our new architecture.
You, as an existing F-PROT Professional customer, also have the unique option to upgrade to the dual-engine F-Secure Anti-Virus product, which uses both the F-PROT and the AVP scanning engines.
As the user interface and all configuration settings remain identical to the current F-PROT, and F-Secure Anti-Virus installs with the total transparency of a normal F-PROT update, there is no downside to upgrading to F-Secure Anti-Virus.
The F-Secure Anti-Virus products will all ship before the end of the year. Please contact your local F-Secure Anti-Virus distributor for further information. Please also visit our website for more details on the F-Secure Anti-Virus and F-Secure Macro Control products:
http://www.F-Secure.com/solutions/
Strategic alliance extends detection rate to theoretical limits
F-Secure has formed an exclusive strategic alliance with another superior anti-virus technology team: the AVP development team led by Eugene Kaspersky. Together these companies combine the best minds in the anti-virus world, the foundation of the revolutionary new F-Secure Anti-Virus CounterSign™ Technology from Data Fellows.
F-Secure Anti-Virus - the world's first anti-virus product to use multiple scanning engines
F-Secure's popular F-PROT Professional for Windows can be upgraded to a multi-layered virus protection system that performs multiple simultaneous scans with multiple scanning engines, for both on-demand and real-time scanning, thanks to the ground-breaking CounterSign™ technology invented by F-Secure. CounterSign™ technology makes F-Secure Anti-Virus the first anti-virus software to combine multiple virus scanning engines into a single framework, using both the F-PROT and AVP anti-virus engines simultaneously.
As operating systems evolve and networks grow more complex, a comprehensive strategy has become necessary to combat the threat of viruses. Using CounterSign™ technology, F-Secure Anti-Virus brings anti-virus products together to work within a common framework. The idea is that what one virus scanner misses, another will find.
F-Secure understands that organizations have invested substantially in anti-virus protection. F-Secure Anti-Virus installs automatically on top of an existing F-PROT installation and uses all existing settings. Installations are easy to automate even in the largest networks. Future versions of F-Secure Anti-Virus will allow users to combine already installed anti-virus products with the F-Secure Anti-Virus framework that is the basis of the new CounterSign™ technology. In addition, F-Secure Anti-Virus will use advanced heuristic analysis to detect unknown viruses while virtually eliminating the risk of false alarms. To manage the framework's central point, F-Secure Anti-Virus offers a wealth of network management and distribution features. These include:
- Installing desktop versions of F-Secure Anti-Virus for multiple platforms from a single workstation automatically.
- Sending updates to users with a single mouse click.
- Receiving reports from workstations when a virus is found.
- Receiving copies of infected or suspected files from workstations automatically.
F-Secure is offering related products under the F-Secure Anti-Virus umbrella. One program, F-Secure Anti-Virus for Firewalls, scans for and removes viruses before they have any chance to enter a network. This product is OPSEC compliant, with seamless integration achieved via CVP (Content Vectoring Protocol). Coupled with F-Secure Network Management, it is the ideal solution for Internet-borne viruses. Another program, F-Secure Anti-Virus E-Mail Gateway, delivers e-mail anti-virus protection that stops viruses at the gateway. And finally, F-Secure Anti-Virus Macro Control checks for certified and approved macros within organizations.
F-Secure Macro Control finally solves the macro virus problem
While traditional anti-virus products have scanned documents for macros by identifying only viral code, F-Secure Macro Control radically changes the rules. As the number of macro viruses keeps growing, it is far easier to track trusted macros. A typical organization has a finite number of macros that relate to its business. These are easy to certify, as the persons responsible for writing macros for in-house work can identify approved corporate macros easily. These macros are not likely to change once they have been deployed throughout the organization.
Instead of detecting viruses, F-Secure Anti-Virus Macro Control works on a simple concept: if a macro is present in a document, it must be certified. This eliminates the possibility of new macros and macro viruses entering an organization. It works much like a corporate security system which only lets into the company those employees who carry a security badge.
Let's examine how F-Secure Anti-Virus Macro Control works.
- A virus enters the user's system through the corporate e-mail system.
- It is then checked by the real-time protection module of F-Secure Anti-Virus Macro Control.
- If a macro is found, it is checked against a series of database entries.
- First, it is checked against the infected database. If a match is found, the user is warned about an infected document and offered disinfection.
- Then it is checked against the "certified" database.
- Finally it is checked against the known or "approved" database. This database contains vendor-specific and trusted macros.
- If a match is found in one of the two known "safe" macro databases, the user is allowed to open the document with all macros intact. No messages are shown to the user.
- If no matches are found, the user is only allowed to open the document after the unknown macros have been removed.
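The decision procedure above, written out as an allow-list policy in Python. This is an added illustration and not F-Secure's Macro Control code: it assumes that a macro is identified by a SHA-256 fingerprint of its normalised source text (the product's real fingerprinting method is not described in this bulletin), it models "offer to disinfect" as the user accepting and the infected macro being removed, and the sample macros and the three databases are constructed for the example.

```python
"""Added example: the three-database macro check (infected -> certified ->
approved -> strip unknown) as a hash-based policy. Illustration only, not
F-Secure code; the fingerprinting method and all sample data are assumptions."""
import hashlib
from dataclasses import dataclass

# Constructed sample macro bodies (toy WordBasic-style text, not real viruses).
SAMPLE_MACROS = {
    "AutoOpen": 'Sub MAIN\n  MsgBox "constructed sample standing in for a viral macro"\nEnd Sub',
    "CompanyHeader": 'Sub MAIN\n  Insert "ACME Corp - Internal"\nEnd Sub',
    "VendorToolbar": "Sub MAIN\n  ToolsCustomize\nEnd Sub",
    "Mystery": 'Sub MAIN\n  Shell "deltree /y c:\\"\nEnd Sub',
}


def macro_fingerprint(source: str) -> str:
    """Hash the macro text after normalising line endings and trailing blanks,
    so a cosmetic re-save keeps its certification but any code change loses it."""
    lines = source.replace("\r\n", "\n").split("\n")
    normalised = "\n".join(line.rstrip() for line in lines)
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass
class MacroPolicy:
    infected: dict        # fingerprint -> virus name (the "infected" database)
    certified: frozenset  # fingerprints of in-house macros
    approved: frozenset   # fingerprints of vendor-supplied, trusted macros


def classify_macro(policy: MacroPolicy, source: str):
    """Look a single macro up in the databases in the order the text gives.
    Returns (status, virus_name_or_None)."""
    fp = macro_fingerprint(source)
    if fp in policy.infected:          # checked first: never allow a known virus
        return "infected", policy.infected[fp]
    if fp in policy.certified:
        return "certified", None
    if fp in policy.approved:
        return "approved", None
    return "unknown", None


def check_document(policy: MacroPolicy, macros: dict):
    """Apply the policy to every macro in a document.

    Returns (verdict, kept_macros, messages):
      'infected' - a macro matched the infected database; it is removed
                   (this models the user accepting the disinfection offer)
      'stripped' - no infection, but unknown macros were removed
      'clean'    - every macro is certified or approved; open silently
    """
    kept, messages = {}, []
    infected = stripped = False
    for name, source in macros.items():
        status, virus = classify_macro(policy, source)
        if status == "infected":
            infected = True
            messages.append(f"{name}: infected with {virus}; removed")
        elif status == "unknown":
            stripped = True
            messages.append(f"{name}: not certified or approved; removed")
        else:
            kept[name] = source
    verdict = "infected" if infected else "stripped" if stripped else "clean"
    return verdict, kept, messages


def build_sample_policy() -> MacroPolicy:
    """Constructed databases for the sample macros above."""
    fp = macro_fingerprint
    return MacroPolicy(
        infected={fp(SAMPLE_MACROS["AutoOpen"]): "Constructed.Sample.A"},
        certified=frozenset({fp(SAMPLE_MACROS["CompanyHeader"])}),
        approved=frozenset({fp(SAMPLE_MACROS["VendorToolbar"])}),
    )


if __name__ == "__main__":
    verdict, kept, messages = check_document(build_sample_policy(), SAMPLE_MACROS)
    print("verdict:", verdict, "| macros kept:", sorted(kept))
    for line in messages:
        print(" ", line)
```

Two design points worth noting. The infected database is consulted before the safe databases, so a known virus is never silently allowed even if its fingerprint were mistakenly certified. And because the fingerprint covers the macro text, a certified macro that is later modified (for example by a virus appending code to it) stops matching and is treated as unknown, which is exactly the "only certified macros may run" rule the text describes.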
At F-Secure, we have built our organization on solving data security problems around the world. With these new product launches we can do it better than ever before.
F-Secure Ltd Is Moving
Our company has grown out of its present Helsinki-area facilities, which is why we will be moving to new offices on the 20th of October.
New Mailing Address
PL 24
FIN-02231 Espoo
Finland
New Point-of-Visit Address
Pyyntitie 7
FIN-02230 Espoo
Finland
New Telephone Switchboard
+358 9 859 900
New Fax Number
+358 9 8599 0599
New Number for F-PROT Technical Support
+358 9 8599 0544
New Fax Number for F-PROT Technical Support
+358 9 8599 0744
The Global Virus Situation
Crew.2480
The Crew.2480 virus was first discovered in 1988. It had apparently been created already in 1987, which would make it one of the first file viruses: the very first PC virus, Brain, was discovered only a year earlier.
Crew has managed to spread quite far. Its heyday was at the beginning of the 90s.
Although the Crew virus is now going on its tenth year, it is still going strong. This was proven when a report of a Crew.2480.A infection was received from Finland this spring.
It is hard to imagine that any program written in 1987 could still be functional and not completely obsolete. However, this simple computer virus has managed to remain functional, and has apparently even retained a degree of effectiveness.
Crew.2480 is a simple COM file infector. When an infected program is executed, the virus will sometimes display the following message on the screen:
This program is cracked by
Notice this: TS aint smart at all.
Distribution since 11-06-1987 (or 06-11-1987)
Press any key
There are several variants of this virus, and the message varies depending on the variant. In addition to the message, the text "European Cracking Crew", implemented with character graphics, is also displayed on the screen.
Note that this virus has nothing to do with the "Join The Crew" hoax message.
Spanska.4250
Spanska.4250 (also known as Elvira or SpanskaII) is a complex and difficult PC virus which was spread over the Internet in binary postings addressed to several newsgroups during September 1997. These postings were addressed at least to the groups alt.sex, alt.binaries.pictures and alt.cracks.
Hundreds of thousands of people follow these newsgroups. Infections have been reported in the USA, Australia, Asia, Africa and Europe.
Spanska.4250 is a stealth virus which infects COM and EXE files. While the virus is resident, the changes in file sizes are not visible to the end user. Spanska.4250 is a DOS virus, but it is also able to spread in DOS boxes under Windows 3.x and Windows 95.
The virus is polymorphic, but its polymorphic engine is limited. However, the virus makes up for this by using several tricks in its decryptor to avoid detection by most (but not all) heuristic analyzers. The main virus body has an anti-heuristic structure as well.
Spanska.4250 does not infect files whose names start with the following letters (the anti-virus program each prefix matches is given in parentheses):
TB (TBSCAN)
VI (VIRUSAFE)
AV (AVAST, AVP)
NA (NAV)
VS (VSHIELD)
FI (FINDVIRU)
F- (F-PROT)
FV (FINDVIRU)
IV (INVIRCIBLE)
DR (DRWEB)
SC (SCAN)
GU (GUARD)
CO (COMMAND.COM)
The virus disables its stealth routine when a file whose name starts with one of the following letter combinations is executed:
PK (PKZIP)
AR (ARJ)
RA (RAR)
LH (LHA)
BA (BACKUP)
Spanska does not infect the file COMMAND.COM or any other COM file which is either smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediately infects the \WINDOWS\WIN.COM file.
If an infected file is executed when the minutes value of the system time is 30 and the seconds value is 16 or less, Spanska.4250 activates. Upon activation, the virus displays a scrolling message, similar to the text at the beginning of the Star Wars movie.
The message has one of the following three contents:
ELVIRA !
Black and White Girl from Paris
You make me feel alive.
ELVIRA !
Pars. Reviens. Respire. Puis repars.
J'aime ton mouvement.
(French: "Leave. Come back. Breathe. Then leave again. I love your movement.")
ELVIRA !
Bruja con ojos verdes
eres un grito de vida,
un canto de libertad.
(Spanish: "Witch with green eyes, you are a cry of life, a song of freedom.")
The first version of the Spanska virus, Spanska.1120, was discussed in more detail in F-PROT Update Bulletin 2.16.
Spanska is a good example of a virus which would never have been able to go wild, had it not been spread deliberately over the Internet.
Baboon
Baboon is a boot sector virus which contains certain special functions.
Baboon infects the boot sectors of diskettes and the MBRs (Master Boot Records) of hard disks.
Baboon does not save the original boot sector or MBR anywhere. Instead, the virus searches the partition table in the MBR for the active partition, reads that partition's boot sector and passes control to it. This way it retains the general functionality of the MBR code without keeping a copy of it.
When a PC is booted from an infected diskette, the virus will likewise read the active boot sector on the hard drive and pass control to it. No error message such as "Non-system disk" is displayed, and the PC proceeds to boot directly from the hard disk.
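The MBR lookup that Baboon relies on, as an added Python example (neither F-Secure's code nor the virus's). It parses the standard partition table layout of a 512-byte MBR (four 16-byte entries at byte 446, boot flag 0x80, signature 0x55AA at byte 510), picks the active entry the way standard MBR code does, and shows the repair that follows from the virus keeping no copy of the original: a cleaning tool cannot restore a saved sector, so it must rewrite the boot code while preserving the partition table. The sample MBR and the two boot-code byte strings are constructed placeholders.

```python
"""Added example: parse an MBR partition table, find the active partition the way
standard MBR code (and Baboon) does, and rebuild the boot code while keeping the
table. Illustration only; the sample MBR and code bytes are constructed."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # boot code occupies bytes 0-445
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE_FLAG = 0x80
SIGNATURE = b"\x55\xAA"       # bytes 510-511


def parse_partition_table(mbr: bytes) -> list:
    """Return the used entries of the four-slot partition table as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, TABLE_OFFSET + index * ENTRY_SIZE)
        if ptype == 0:
            continue                      # empty slot
        entries.append({"index": index, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_active_partition(mbr: bytes):
    """Pick the entry flagged 0x80. Standard MBR code refuses to boot when zero
    or more than one entry is flagged; mirror that by returning None."""
    active = [e for e in parse_partition_table(mbr) if e["status"] == ACTIVE_FLAG]
    return active[0] if len(active) == 1 else None


def rebuild_mbr(mbr: bytes, clean_boot_code: bytes) -> bytes:
    """Repair when the original code is gone (Baboon keeps no copy): replace bytes
    0-445 with known-good boot code and keep the partition table and signature."""
    if len(clean_boot_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in 446 bytes")
    return clean_boot_code.ljust(TABLE_OFFSET, b"\x00") + mbr[TABLE_OFFSET:]


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: one active FAT16 primary partition, one extended, two empty."""
    table = b"".join([
        struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x7F", 63, 2_097_088),
        struct.pack(ENTRY_FORMAT, 0x00, b"\x00\x01\x80", 0x05, b"\xFE\x3F\xFF", 2_097_151, 2_097_152),
        bytes(ENTRY_SIZE),
        bytes(ENTRY_SIZE),
    ])
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table + SIGNATURE


# Placeholder byte strings standing in for virus code and for clean boot code.
INFECTED_CODE = b"<constructed placeholder for Baboon-style boot code>"
CLEAN_CODE = b"<constructed placeholder for standard boot code>"


if __name__ == "__main__":
    infected = make_sample_mbr(INFECTED_CODE)
    active = find_active_partition(infected)
    print("virus would chain to partition", active["index"], "at LBA", active["lba_start"])
    repaired = rebuild_mbr(infected, CLEAN_CODE)
    print("table preserved:", repaired[TABLE_OFFSET:] == infected[TABLE_OFFSET:])
```

The point of the rebuild step is that bytes 446-511 are the only part of an infected MBR worth keeping: the virus has overwritten the code in front of them, but as long as the partition table survives, a fresh copy of standard boot code chains to the same active partition the virus did. Once Baboon's payload has also overwritten the table and the first sectors of the active partition, this repair no longer applies and the partition layout has to be reconstructed from other evidence.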
Baboon activates both at random and on the 11th of September. When it activates, it overwrites the MBR of the hard drive and the first 9 sectors of the active partition. As a result, the PC will not boot.
Baboon was reported to be in the wild in September 1997, but the virus does not seem to be especially common. When the virus activates, it also overwrites its own code, thus limiting its own spreading.
Cabanas
The Cabanas virus is designed for 32-bit Windows systems. It can function in Windows 3.x extended with Win32s, Windows 95, Windows NT Server and Windows NT Workstation. It is, therefore, the second known virus which can spread in Windows NT environments and infect 32-bit NT program files (the first such virus was Jacky, which was discovered during the summer of 1997).
When a file infected by the Cabanas virus is executed, the virus looks up a couple of EXE files and infects them. After this, it tries to go resident in memory. However, in the Windows NT environment this is possible only if the user has administrator privileges. If the virus manages to slip into memory, it will infect all EXE files that are executed on the computer. Cabanas also incorporates certain stealth characteristics: the changes in the sizes of infected files are not visible as long as the virus remains in memory.
In spite of Cabanas' wide variety of functionality, the virus is only 3500 bytes in size. However, Cabanas does not function very well - among other things, it prevents an infected computer from being booted. Therefore, Cabanas cannot really spread very far, even in theory. The virus does not attempt to do anything besides spreading.
The author of the Cabanas virus is apparently the same person who created the common WordMacro/CAP macro virus. The author's real name and whereabouts remain unknown.
The Cabanas virus hasn't been discovered in the wild, nor is that likely to happen as long as the virus remains in its present form. The only known copies of the virus are test samples spread by its author.
The Situation with Word Macro Viruses
The number of Word macro viruses continues to grow - at the time this was written, it was fast approaching 1500. However, F-PROT is updated daily against new macro viruses, and it can detect practically all known viruses at any given time. New update files can be downloaded at your convenience from the F-Secure WWW server. The address is
http://www.F-Secure.com/gallery/
The update file MACRO.DEF contains routines for detecting and disinfecting macro viruses. The file is updated approximately once a day. While you are visiting our server, you can also download the free GETMAC system, which can be used to automate daily updates to all the computers in even a large organization.
WordMacro/Pesan
WordMacro/Pesan.A is a simple Word macro virus. It activates every five minutes and displays one of the following messages:
MicroSoft Warning!!!
You are about Formatting Hardisk, Are you sure?
FORMAT WARNING !!!
You have just activate the format.exe trigger,
all command will FORMAT your hardisk
SYSTEM DAMAGE WARNING !!!
System detected Bandung.d_t VIRUS, all system will be
Damage Permanently !!! May God Have Mercy On you ....!!!
Otherwise Pesan.A only spreads itself. The virus does not destroy any data.
WordMacro/Pesan.B is a later variant which contains a destructive activation routine. The virus does not display any messages, but it attempts to delete the following files:
c:\dos\chkdsk.exe
c:\dos\format.com
c:\dos\defrag.exe
c:\dos\scandisk.exe
c:\msdos\chkdsk.exe
c:\msdos\format.com
c:\msdos\defrag.exe
c:\msdos\scandisk.exe
After deleting a file, Pesan.B creates a similarly named BAT file. When this batch file is executed, it runs the DELTREE command and deletes all files from drive C:.
The activation routine fails if the hard disk's directory tree contains neither a C:\DOS nor a C:\MSDOS directory (most Windows 95 and NT systems do not have such directories).
WordMacro/Demon
The WordMacro/Demon.A virus consists of three macros. The virus does not contain any destructive activation routines, but it may cause some incompatibility problems. The virus stores some of its own settings in WIN.INI.
The virus contains a routine with which the author of the virus can easily check whether a machine is infected or not. If the words "Dark Master calling" are written in Word and selected with the mouse, the virus will show the following message on the screen:
The WordMacro/Demon macro virus was reported in the wild during the summer of 1997.
Hoaxes
In recent months, we have seen especially many messages about the old Penpal Greetings and Join the Crew hoax alarms. This time around, there have been attempts to give the hoaxes credibility by claiming that the alarms have been sent by IBM, Microsoft or some other such party.
If these message chains are followed back, it can be seen that a warning has, indeed, passed through Microsoft or a comparable company. However, it should also be noted that the warning hasn't been sent by the company's security division, but by the janitor's holiday stand-in or some other such notable personage. Irrespective of that, the sender's e-mail address reads name@microsoft.com, and this is often enough to give an old hoax completely new gravity.
To sum it up: Penpal Greetings and Join the Crew are not viruses, but widely spread hoaxes. Do not spread them further. Note also that the Join the Crew hoax has nothing to do with the Crew virus.
Common Questions and Answers
If you have questions about information security or virus prevention, contact your local F-PROT distributor. You may also contact F-Secure directly at the number +358 9 859 900.
Written questions can be mailed to:
F-Secure Ltd.
Anti-Virus Support
PL 24
FIN-02231 Espoo
Finland
Questions may be sent by electronic mail to:
Anti-Virus-Support@F-Secure.com
What is the difference between F-PROT's Windows NT Workstation and Windows NT Server versions?
First of all, the Server version has been optimized for server usage and is better suited to the heavy use NT Servers are often subject to.
An important difference can be found in the background protection driver, F-PROT Gatekeeper. The Gatekeeper part of the Workstation version will only scan files that are accessed locally (i.e. by the user who is sitting at the machine's keyboard).
The Gatekeeper in the Server version will do this and it will also scan files that are accessed from other machines - for example, by users who have mounted a server disk on their own machine.
Can I install the NT Workstation version of F-PROT on an NT Server? Or, conversely, can I install the NT Server version on an NT Workstation?
Both installations are possible. Do notice, though, that the programs have separate licenses, and that the NT Server version is considerably more expensive.
If you install the Workstation version on a Server, bear in mind that it will not prevent users from copying viruses to the server. Also notice that the Server version does not guarantee that the local hard drives of the workstations are clean - it only protects the server. You'll need to install F-PROT on the workstations as well.
I just received the latest F-PROT update but it was on CD and I don't have a CD drive! What should I do?
Fill in the card that was included in the shipment and mail it to us. In the future, we will send you updates either on diskettes or via the Internet.
Changes in F-PROT Professional Version 3.01
Changes in F-PROT for DOS
There are no changes except the new viruses that have been added.
Changes in F-PROT for Windows
- The MACRO.DEF creation date is now shown on scan reports.
- The RTF extension has been added to the scanning extensions for document files; this will be added automatically to existing installations.
- F-PROT's code has been changed in a number of places to prevent toolbar corruption.
- Accented characters (non-English versions) are now displayed in the virus help dialog even when the source texts were taken from program resources instead of from the virus help file.
- The "Show task settings on lower pane" setting can be enabled without a general protection fault in the 32-bit version of F-PROT 3.0 and with the right menu types in the 16-bit version.
- When a Scan Folder or Scan File task started from the Program Manager or Explorer is cancelled by clicking Cancel in the directory/file selection dialog, F-PROT no longer remains hidden but stays active, so it is possible to exit F-PROT or start a new scan.
- Disinfection of files whose owner is not the current user no longer causes problems when scanning files on Unix-mounted drives.
- F-PROT no longer causes a GPF in a Windows language DLL (LANGSPA.DLL, LANGSCA.DLL).
- Localized versions (e.g. Finnish) no longer cause a GPF when certain Dead babe-infected files are scanned.
- Office97 documents (Word or Excel) no longer cause a "Stack Overflow" error.
- The TimeLock feature is temporarily disabled in the normal shipping version because of configuration files in write-protected directories.
Changes in F-PROT for Windows NT
- A bug that caused a general protection fault (GPF) during the F-PROT Gatekeeper installation has been corrected.
- If no setting is present for the extensions of executable or document files (for the Scanning preferences) in the file F-PROTW.CFG, F-PROT will use the proper default settings. This makes it possible for users of F-PROT for NT to upgrade from version 2.25 or earlier (i.e. using the Update installation method of Setup) without losing the detection of macro viruses by NT Gatekeeper.
- The settings of a task (such as "Scan A:") can be modified even when there is no diskette in the target drive, without an error message stating that the drive is not ready.
- Because NT 3.50 lacks the common controls (they were first introduced in 3.51), F-PROT did not start at all under NT 3.50; instead, an "ImageList_ReplaceIcon" error in COMCTL32.DLL was reported. This has been corrected: the present version of F-PROT starts with the old-style task list under 3.50.
- When F-Agent (95 and NT) is started, it executes the programs specified in the FPW-PREF.INI ExecuteX entries.
- The main program (95 and NT) now passes the version number of the scanning engine to the splash DLL.
- The number of scanned boot sectors is now shown in reports (95 and NT).
Changes in F-PROT for Windows 3.x
The scan engine version letter is now properly displayed in the F-PROT Gatekeeper splash screen.
Changes in F-PROT for Windows 95
- The boot sector reading routine now supports the 3-mode (1.25MB) diskette drives used in Japan.
- The Finnish-language On-line Help is now functional.
- When a scheduled task started by F-Agent finds a virus, it displays the scan progress dialog at the end of the scan (and the report window as well, if the user clicked the Report button).
- After the progress dialog or report window is closed, the main F-PROT window is opened at its previous position instead of being minimized to the task bar.
- F-PROT Gatekeeper now scans files whose names contain double-byte characters (DBCS).
- The start-up splash screen display has been corrected.
- When scanning inside archives, F-PROT now passes the file extensions to the scanner. If the task setting is to scan executables and document files only, FPWM 3.0 will scan executables and document files only, even inside archives.
- When F-Agent (95 and NT) is started, it executes the programs specified in the FPW-PREF.INI ExecuteX entries.
- The main program (95 and NT) now passes the version number of the scanning engine to the splash DLL.
- The number of scanned boot sectors is now shown in reports (95 and NT).
Changes in AutoInstaller
- Autow32 will prompt the user to restart NT if F-PROT Gatekeeper has been updated. The prompt can be disabled by setting the [Gatekeeper] NoRebootMessageAfterNTGKUpdate= setting to a non-zero value.
- A generic program group creation feature has been added, making it possible to create a program icon (shortcut) for any program, not only F-PROT.
New Viruses Detected by F-PROT
This version adds detection and disinfection of 325 new file and boot viruses and 300 new macro viruses.