F-PROT Professional 2.20 Update Bulletin
========================================

Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.20 is mentioned. Copyright (c) 1995 Data Fellows Ltd.

------------------------------------------------------------------------------

Contents 5/95
=============

  Vesselin Bontchev to join F-PROT Development
  Macro Viruses
  The Global Virus Situation
  Peter_II
  Die_Hard
  Finnish.378
  Quicky
  A New Macintosh Virus
  News in Short
  F-PROT Gatekeeper Praised by PC Plus
  New Features in Data Fellows Ltd's Web Server
  Questions and Answers
  Changes in Version 2.20

Vesselin Bontchev to join F-PROT Development
--------------------------------------------

We're happy to tell you that one of the world's most respected virus researchers, research associate Vesselin Bontchev from the Virus Test Center in Hamburg, has started working full-time with F-PROT. Vesselin has moved from Germany to Iceland, and started working at Frisk Software International in September.

Vesselin Bontchev is originally from Bulgaria. He graduated from the Sofia Technical University in 1985, with an MSc in Computer Science. After graduating, he spent a year working at the university's Laboratory for Microprocessors and Microcomputers. After that, he worked for five years at the Institute of Industrial Cybernetics and Robotics in the Bulgarian Academy of Science, building expert systems.

Bontchev became interested in computer viruses in 1988. Two years later, he became the Director of the Computer Virology Laboratory in the Bulgarian Academy of Science. He has just finished his PhD thesis (about viruses, what else) at the Virus Test Center (VTC) in Hamburg.

Vesselin is very well known for the excellent technical papers he has written, as well as for the work he has done in testing different anti-virus programs.
The VTC tests are among the most respected tests in the industry.

We're especially happy to start working with Vesselin because he is respected by all parties in the anti-virus industry - and because he chose to start working with F-PROT.

Macro Viruses
-------------

Macro viruses are a new kind of threat to computer systems. This newly emergent enemy attacks computer users from a blind side, infecting document files instead of programs. Not to worry, though - new features in F-PROT make it able to detect macro viruses as well as ordinary ones.

Macro Viruses: a New Kind of Enemy
----------------------------------

Macro viruses are not a new concept - they were predicted as early as the late eighties. At that time, the first studies about the possibility of writing viruses with the macro languages of certain applications were made.

However, macro viruses are not just a theory any more. Currently, there are three known macro viruses. They have all been written with WordBasic, the powerful macro language of Microsoft Word. These viruses spread through Word documents - Word's advanced template system makes it an opportune environment for viral mischief. This is problematic, because people exchange documents a lot more than executables or floppy disks. Macro viruses are also very easy to create or modify.

Although other word processors like WordPerfect and Ami Pro do support reading Word documents, they can not be infected by these viruses. It is not impossible to write similar viruses for these systems, however.

WordMacro.DMV
-------------

WordMacro.DMV is probably the first WinWord macro virus to have been written. It is a test virus, written by a person called Joel McNamara to study the behavior of macro viruses. As such, it is no threat - it announces its presence in the system, and keeps the user informed of its actions.

Mr. McNamara wrote WordMacro.DMV over a year ago, in fall 1994 - at the same time, he published a detailed study about macro viruses.
He kept his test virus under wraps until a real macro virus, WordMacro.Concept, was recently discovered. At that time, he decided to make WordMacro.DMV known to the public. We oppose such behaviour; although it can be argued that spreading such information will educate the public, we can also expect to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques used in this virus. McNamara also published a skeleton for a virus to infect Microsoft Excel spreadsheet files.

F-PROT is able to detect the WordMacro.DMV macro virus.

WordMacro.Concept
-----------------

WordMacro.Concept - also known as Word Prank Macro or WW6Macro - is a real macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WordMacro.Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files. This is a quite ominous development - so far, people have only had to worry about infections in their program files. The situation is made worse by the fact that WordMacro.Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functioning.
If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it copies the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

[Picture: the dialog WordMacro.Concept displays during initial infection]

After the virus has managed to infect the global template, it infects all documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:

    AAAZAO
    AAAZFS
    AutoOpen
    FileSaveAs
    PayLoad

[Picture: the Tools/Macro menu in an infected copy of Word]

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous. It contains the text:

    Sub MAIN
        REM That's enough to prove my point
    End Sub

However, the "PayLoad" macro is not executed at any time.

You can detect the presence of the WordMacro.Concept macro virus in your system by simply selecting the command Macro from Word's Tools menu. If the macro list contains a macro named "AAAZFS", your system is infected.

You could prevent the virus from infecting your system by creating a macro named "PayLoad" that doesn't have to do anything. The virus will then consider your system already infected, and will not try to infect the global template NORMAL.DOT. This is only a temporary solution, though - somebody may modify the virus's "AutoOpen" macro to infect the system regardless of whether NORMAL.DOT contains the macros "FileSaveAs" or "PayLoad".
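The macro-list check and the "PayLoad" inoculation described above can be expressed as a small triage routine. This is an added Python example, not part of the bulletin or of F-PROT; the sample macro lists are constructed, "InsertLetterhead" is a hypothetical user macro, and case-insensitive name matching is an assumption.

```python
from dataclasses import dataclass

# Names taken from the bulletin's description of WordMacro.Concept.
UNIQUE_MARKERS = ("AAAZAO", "AAAZFS")      # the bulletin treats AAAZFS as proof of infection
SHARED_NAMES = ("AutoOpen", "FileSaveAs")  # legitimate macros may carry these names
GUARD_NAMES = ("PayLoad", "FileSaveAs")    # the virus skips a template holding either


@dataclass
class Verdict:
    status: str          # "infected", "guarded" or "exposed"
    evidence: list       # macro names that drove the status
    concept_skips: bool  # would the virus, as described, leave this template alone?


def _fold(names):
    # Assumption: macro names are compared case-insensitively.
    return {n.strip().casefold() for n in names}


def _present(wanted, have):
    return [n for n in wanted if n.casefold() in have]


def triage(macro_names):
    """Classify a macro list as read from the Tools/Macro dialog."""
    have = _fold(macro_names)
    markers = _present(UNIQUE_MARKERS, have)
    guards = _present(GUARD_NAMES, have)
    skips = bool(guards)
    if markers:
        return Verdict("infected", markers, skips)
    if guards:
        # Either the dummy "PayLoad" inoculation or a user's own FileSaveAs
        # macro: names alone cannot tell which, so the macro body needs a look.
        return Verdict("guarded", guards, skips)
    # AutoOpen on its own is not evidence, and nothing here would make the
    # virus's "already infected" check fire.
    return Verdict("exposed", _present(SHARED_NAMES, have), skips)


# Constructed sample macro lists (not taken from real systems).
SAMPLES = {
    "infected NORMAL.DOT": ["AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"],
    "dummy PayLoad only": ["payload"],
    "user's own AutoOpen": ["AutoOpen", "InsertLetterhead"],
    "user's own FileSaveAs": ["FileSaveAs"],
    "empty template": [],
}

if __name__ == "__main__":
    for label, names in SAMPLES.items():
        v = triage(names)
        print(f"{label:22} {v.status:9} evidence={v.evidence} "
              f"concept_skips={v.concept_skips}")
```

A "guarded" result only holds against the virus as described; a variant whose "AutoOpen" ignores the two guard names would not be stopped.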
There is also an anti-macro-virus package called WVFIX available. This package will detect if your copy of Word is infected, and will clean it if needed. It can also modify your Word settings so that this specific macro virus will be unable to infect it. WVFIX is available on the F-PROT for DOS diskette.

Concept is quite widespread. It has been found on several CD-ROMs, including one sent out by Microsoft.

F-PROT is able to detect the WordMacro.Concept macro virus.

WordMacro.Nuclear
-----------------

WordMacro.Nuclear is the most recently discovered macro virus. Like WordMacro.DMV and WordMacro.Concept, it spreads through Microsoft Word documents. The new virus was first spotted on an FTP site on the Internet, in a publicly accessible area which has in the past been a notorious distribution site for viral code. Apparently, the virus's distributor has some sense of irony; the virus was attached to a document which described an earlier Word macro virus, WordMacro.Concept.

Whereas WordMacro.DMV is a test virus and WordMacro.Concept is only potentially harmful, WordMacro.Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.

Unlike WordMacro.Concept - which pops up a dialogue box when it infects NORMAL.DOT - WordMacro.Nuclear does not announce its arrival in the system. Instead, it lies low and infects every document created with the "Save As" function by attaching its own macros to it. The virus tries to hide its presence by switching off the "Prompt to save NORMAL.DOT" option (in the Options dialogue, opened from the Tools menu) every time a document is closed. That way, the user is no longer asked whether changes in NORMAL.DOT should be saved, and the virus is that much more likely to go unnoticed.
Many users relied on this option to protect themselves against the WordMacro.Concept virus, but it obviously no longer works against Nuclear.

WordMacro.Nuclear contains several potentially destructive and irritating routines. The next time Word is started after initial infection, one of its constituent macros, "DropSuriv", looks up the time in the computer's clock. If the time is between 17.00 and 17.59, the virus tries to inject a more traditional DOS/Windows file virus called "Ph33r" into the system (as the virus's author has commented in the virus's code: "5PM - approx time before work is finished"). "Suriv" is, of course, "Virus" spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.

Another of the virus's macros, "PayLoad", tries to delete the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is the fifth of April.

And finally, the virus adds the following two lines:

    And finally I would like to say:
    STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

at the end of approximately every twelfth document printed or faxed from Word. Since the text is added at print-time only, the user is unlikely to notice this embarrassing change. This function is handled by the viral macro "InsertPayload".

The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.

F-PROT is able to detect the WordMacro.Nuclear virus.

Protecting yourself against macro viruses
-----------------------------------------

There is a generic way to protect your Word against currently known macro viruses. Select the command Macro from the Tools menu and create a new macro called "AutoExec".
Write the following commands to the macro and save it:

    Sub MAIN
        DisableAutoMacros
        MsgBox "AutoMacros are now turned off.", "Virus protection", 64
    End Sub

This macro will be executed automatically when Word starts. It will disable the feature which Concept, DMV and Nuclear use to attack the system. However, there are ways to create future macro viruses that are able to bypass such protection.

Currently known Word macro viruses are not able to infect certain nationalized versions of Word. In these programs, the macro language commands have been translated to the national language, and therefore macros created with the English version of Word will not work. Since these viruses consist of macros, they will be unable to function.

Do note that although F-PROT for DOS and F-PROT for Windows do detect the known macro viruses, VIRSTOP and F-PROT Gatekeeper do not yet support the scanning of DOC files. This will be implemented in a future version.

The Global Virus Situation
--------------------------

Peter_II
--------

Peter_II is a boot sector virus which infects diskette boot sectors and hard disk Master Boot Records. As is normal for boot sector viruses, Peter_II can infect a hard disk only if the computer is booted from an infected diskette. After the initial Master Boot Record infection, Peter_II will go resident in high DOS memory every time the computer is booted from the hard disk.

Once Peter_II has managed to install itself into memory, it will infect practically all non-write-protected diskettes used in the computer. Peter_II is also a stealth virus - if you try to examine the boot record in an infected computer, the virus will show you the original, clean record.

Peter_II activates every year on the 27th of February. When the computer is booted, the virus displays the following message:

    Good morning,EVERYbody,I am PETER II
    Do not turn off the power, or you will lost all of the data in Hardisk!!!
    WAIT for 1 MINUTES,please...
After this, the virus encrypts the whole hard disk by applying XOR 7878h to every byte on each sector. Having done that, the virus continues by displaying the following questionnaire:

    Ok. If you give the right answer to the following questions, I will save your HD:

    A. Who has sung the song called "I`ll be there" ?
       1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
    B. What is Phil Collins ?
       1.A singer 2.A drummer 3.A producer 4.Above all(1-4):
    C. Who has the MOST TOP 10 singles in 1980`s ?
       1.Michael Jackson 2.Phil Collins (featuring Genesis) 3.Madonna 4.Whitney Houston(1-4):

If the user gives correct answers to every question, the virus decrypts the hard disk and displays the following message:

    CONGRATULATIONS !!! YOU successfully pass the quiz!
    AND NOW RECOVERING YOUR HARDISK ......

The user can then continue using the computer normally. However, if incorrect answers are given, the virus will not decrypt the hard disk. Instead, it will just display the following message:

    Sorry!Go to Hell.Clousy man!

In case you do not find out about the infection until the virus starts its mischief, the correct answers are 4, 4 and 2. Of course, it is better to take care of the matter beforehand; F-PROT is able to detect and disinfect the Peter_II virus.

Die_Hard
--------

Die_Hard is a resident fast infector which targets COM and EXE files. It is known to be in the wild especially in India, where it was found in September 1994. Die_Hard has also been sighted in Singapore, Indonesia, USA and in many parts of Europe.

When the virus is executed, it goes resident in memory, decreasing the available DOS memory by 9232 bytes. Die_Hard infects all executed or opened COM and EXE files. The infected files grow by exactly 4000 bytes.

Die_Hard hides beneath several layers of encryption. When the virus is decrypted, the following texts can be seen:

    SW DIE HARD 2
    SW Error

Since the virus does not utilize polymorphic encryption techniques, it is quite easy to find.
Die_Hard activates on the 3rd, 11th, 15th, or 28th of any month, provided the day is Tuesday and the virus has already infected at least 13 files. The virus will then wait until some program changes the screen to graphics mode. At this time the virus will display an animation of large `S' and `W' characters on the screen. It will also deny write access to files, displaying the text "SW Error".

[Picture: the activation routine of the Die_Hard virus]

Besides infecting COM and EXE files, Die_Hard trojanizes ASM and PAS source files when they are accessed; in other words, the virus inserts source code Trojan horses in these files.

F-PROT is able to detect the Die_Hard virus.

Finnish.378
-----------

A new variant of the Finnish virus was found in August 1995, about four years after the first version of the virus was discovered. The new variant was named Finnish.378, signifying the length of the virus in bytes. The two previously known versions are, respectively, 709 and 357 bytes in length. They have been described in more detail in previous Update Bulletins.

The new virus has clearly been derived from the 357 variant. In most ways, it is functionally very similar to the earlier version. The following changes have been made, however:

- The virus beeps every time it infects a file. The beep routine has increased the virus's size by 21 bytes.

- The new virus uses the code 90h instead of 93h to recognize the files it has already infected. The corresponding commands are NOP and XCHG. The recognition byte is placed so that it is the first command in infected files.

- The internal order of many commands has been changed: this has apparently been done in order to render the virus undetectable by some anti-virus scanners.

F-PROT is able to detect the Finnish.378 virus.

Quicky
------

Quicky is a badly programmed memory-resident virus which infects EXE files.
The infection takes place whenever a file is closed after an operation, so files get infected when they are executed, copied, read or otherwise accessed. However, if a file's read-only attribute is on, the virus infects it only when it is executed.

The virus contains a routine which is supposed to slowly corrupt information on the hard disk. Fortunately, the virus's code is so bug-ridden that the routine does not function. Quicky also tries to attack various integrity checkers by deleting their checksum databases.

The Quicky virus has been found on some Prosonic/Micropilot depth-finder machines' original utility diskettes.

F-PROT is able to detect the Quicky virus.

A New Macintosh Virus
---------------------

A new, relatively harmless Macintosh virus has been discovered. The virus - known as HC-9507 - does not infect actual program files. Instead, it spreads through applications created with the HyperCard application generator.

The virus's victim of choice is the so-called homestack application, which can be found in all HyperCard installations. HC-9507 is not picky, however - it also infects other stacks when they are executed, and randomly selects and infects stacks on the boot disk. The virus spreads itself as source code, inserting its own code among the program code in its victim stacks.

HC-9507 may also give visible indications of its presence in the system: depending on what day of the week it is, it either blacks out the screen or adds the word "pickle" among the text written on the keyboard.

The Disinfectant anti-virus program will not be updated to deal with the HC-9507 virus. The threat posed by HC-9507 is considered relatively small, and in any case, Disinfectant is designed to check program files, not stacks. If you suspect an infection, you can easily verify the matter by checking the scripts in the homestack. There are also some products which can detect the virus, for instance the Datawatch Virex software.
With the Disinfectant anti-virus software, you can protect the Macintosh workstations in your organization against other Macintosh viruses. We will supply our F-PROT customers with Disinfectant without a separate charge. For more information, contact your local F-PROT distributor or Data Fellows Ltd's F-PROT Support.

News in Short
-------------

F-PROT Gatekeeper Praised by PC Plus
------------------------------------

The British PC Plus magazine evaluated F-PROT Gatekeeper in its October issue and gave it a very favorable rating. The evaluators found Gatekeeper's speed, low memory consumption, effectiveness in finding polymorphic viruses and ease of use especially noteworthy. Gatekeeper was also praised for its ability to function seamlessly between DOS and Windows.

Well, we agree on all points.

New Features in Data Fellows Ltd's Web Server
---------------------------------------------

We have overhauled our popular WWW service, and it is now even more user-friendly than before. A number of new features have been added: for instance, it is now possible to make free text searches among all virus descriptions. One search takes about 15-25 seconds, depending on the server's load.

Statistics about virus description accesses and visitors to the service are also available (during August, the description of the Monkey virus proved the most popular; over 400 accesses). It is somewhat surprising that, although the server itself is located in Finland, only 5% of our visitors hailed from Finland itself (and there is no shortage of net surfers here). A mirroring service from the USA to our server is now under construction; we do not want European users to be trampled underfoot by visitors from overseas. Currently, our server receives about 100.000 document requests a month.

In its role as a distribution site for the latest news, our WWW server has fulfilled all expectations.
For instance, we were able to tell the public about the notorious Word macro viruses over a week before the news was published in magazines or newspapers. It pays to stay in touch with our WWW pages.

We have switched to a more uniform Internet address policy; all our services have been gathered under the domain name datafellows.com. However, the old datafellows.fi addresses can also be used. You are welcome to visit our server at:

    http://www.datafellows.com/

The new graphics and layout of the system have been designed by Pixel Vision Oy.

Common Questions and Answers
----------------------------

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact Data Fellows directly at the number +358-0-478 444.

Written questions can be mailed to:

    Data Fellows Ltd
    F-PROT Support
    Päiväntaite 8
    FIN-02210 ESPOO
    FINLAND

Questions can also be sent by electronic mail to:

    Internet: F-PROT@DataFellows.com
    X.400:    S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

I would like to see what happens when F-PROT Gatekeeper really finds a virus. How can I arrange that?

The correct operation of F-PROT Gatekeeper and other F-PROT products can be tested with a special test file. This is a dummy file which F-PROT treats exactly as if it were a virus. The file is known as the EICAR Standard Anti-virus Test file (EICAR is the European Institute of Computer Anti-virus Research). With this file, the operation of several other anti-virus products can also be tested in a similar manner.

You can make the EICAR test file in the following manner: use a text editor to create a new file, and write the text:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

to the file on a single line. You can give the file any name you want, as long as you save it with a COM extension. For example, EICAR.COM is a suitable name. Make sure you save the file in standard MS-DOS ASCII format.
Now you can use this file to test what happens when F-PROT encounters a "real" virus. Naturally, the file is not a virus. When executed, EICAR.COM will simply display the text `EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' and exit.

F-PROT's DOS, Windows and OS/2 versions - including VIRSTOP and Gatekeeper - support the EICAR test file.

I was installing Windows'95 from diskettes, but the setup failed at the second diskette. No matter what I did, it failed again and again. Finally, I began to suspect that the reason for the failure might be in my computer instead of on the setup diskettes, and tried various things to resolve the problem. Among other things, I ran an anti-virus program, and it promptly reported that my computer was infected with a virus! I immediately scanned recently used diskettes and found the same virus on the Win95 setup floppies! Did Microsoft infect my machine?

No, it's the other way around. The Win95 diskettes were clean, but your hard drive wasn't. This seems to be a very common problem among users who install Windows 95 from diskettes. If the computer is infected with a boot sector virus (almost any boot sector virus will do), the installation will fail and the user is left with irreparable setup diskettes.

The reason for this is the non-standard format of Win95 setup diskettes. The diskettes contain almost 1.7MB of files instead of the usual 1.44MB, so they have practically no free space left at all. Since almost all boot sector viruses (Da'Boys is one exception) use up additional sectors on the diskettes they infect, they will permanently overwrite part of the data on Win95 setup diskettes - there really is no free space left for the virus to use. Such infected setup diskettes can not be repaired, as information is overwritten; they will have to be replaced. Microsoft has confirmed that they are shipping thousands of replacement diskettes daily for just this very reason.

The first Windows 95 setup diskette uses the normal 1.44MB format.
Therefore, it will usually not be corrupted by an active virus, although it will be infected just like the others.

The setup diskettes are not usually write-protected by default. In any case, the installation program writes registration information on the second floppy during installation (user and company name etc.). For this reason, most users with a boot sector infection will run into the problem during the setup of the second diskette.

Again, the problem is not caused by infected setup diskettes - but by people who have a virus and don't bother to scan their hard drives before starting the Win95 setup process.

I'm setting up VIRSTOP, and have been going through the different parameters. Is it a good idea to use the /FREEZE parameter with VIRSTOP?

In most cases, the /FREEZE option is not a good idea. For example, imagine that you have been working on a document for an hour. Finally you are satisfied, and try to save the document on a diskette - which happens to be infected by a virus. Tough luck; VIRSTOP will report the infection and freeze the computer - you won't be able to save the text at all! On the other hand, if you do not use /FREEZE, you'll just get the message; you can then save the document on another diskette.

The /FREEZE parameter has its uses in environments such as schools where the administration might not otherwise get the message about an infection, but in normal use it is not recommended.

I missed one F-PROT update. Can I update version 2.18 directly to 2.20, or do I have to update it to version 2.19 first?

You can skip versions freely. Every F-PROT update diskette contains all the parts necessary for F-PROT's operation.

Changes in F-PROT Professional 2.20
-----------------------------------

F-PROT 2.19 gave a false alarm on some Japanese NEC computers: the program reported the Hallow virus during the memory scan. This has been corrected.

A New Installation Program
--------------------------

A new installation program, SETUP.EXE, is shipped with F-PROT for Windows. The new program functions in the same way in all Windows environments (3.1x, NT, 95) and in OS/2. The program's appearance is also uniform in all environments.

The F-PROT files on the installation diskette have been packed in a new, more efficient way; this has made it possible to put both F-PROT Professional for Windows and F-PROT Gatekeeper on the same diskette. Only one file, SIGN.DEF, did not fit in. This file is located on the F-PROT Professional for DOS installation diskette. During installation, the installation program will ask you to insert the F-PROT Professional for DOS diskette in the computer.

Changes in F-PROT for DOS
-------------------------

F-PROT Professional for DOS now scans document files (DOC, DOT) by default. This enables it to detect known macro viruses. The program itself, however, is not yet able to disinfect such viruses; you can use the WVFIX package provided on the F-PROT Professional for DOS installation diskette for disinfection. If you are certain you do not want to check document files, you can override this with the /NODOC command line parameter or deselect the setting from the Scan menu.

Changes and Additions to AUTOINST
---------------------------------

If the "PreferencesFrom=" entry was missing, configuration files were not copied from the directory specified in the "InstallRemote=" entry. This has been corrected.

Program Manager group creation has been implemented for Autoinst/Windows (Autow31). There is more information about new settings in the file SETUP.TXT on the F-PROT Professional for DOS diskette.

Autow31 will wait for the memory scan to terminate before copying installed files: this makes it possible to put Autoinst in Program Manager's Startup group with Gatekeeper.

Autoinst has been changed so that it recognizes different Windows platforms (Windows 3.1x, Windows 95, Windows NT).
The program can now be configured to make installations on specific platforms only.

The DOS version of Autoinst now uses the WINDIR environment variable (when available) for locating the Windows directory. If the WINDIR variable has been set, this will make it easier to run Autoinst in a DOS session under Windows.

Changes in F-PROT for Windows
-----------------------------

The program can now also detect macro viruses. A checkbox called "Document Macro Viruses" has been added to the "Look for:" group in the task settings dialog. When this option is turned on, F-PROT for Windows will search for known macro viruses in files with DOC and DOT extensions, even if the task is set to scan executables only.

If files with other extensions need to be scanned for macro viruses, the appropriate extensions must be added to the extensions list in Scanning preferences. Another way is to set a task to scan all files. However, the "Document Macro Viruses" option must be turned on in such cases also; otherwise F-PROT for Windows will not look for macro viruses.

The option is turned on by default; tasks created before the 2.20 update will have this setting turned on as well. Note that F-PROT for Windows is as yet unable to disinfect macro viruses; the WVFIX package on the F-PROT for DOS installation diskette can be used for the purpose.

Boot sector (but not MBR) scanning has been implemented for Japanese NEC PCs; disinfection is not available yet.

The "Create Distribution Diskette..." command has been replaced with the command "Distribute F-PROT Installations...". The new command makes it possible for the administrator to:

(a) Create modified copies of the installation diskette. This makes installations with preset configurations possible (in this respect, the new command acts like an enhanced version of the "Create Distribution Diskette..." command). The "Distribute F-PROT Installations..." command also supports the new installation program.
(b) Copy the entire F-PROT for Windows setup to an installation directory, from which users can install the program by using Autoinst.

If an attempt to read an empty diskette drive was made, Gatekeeper used to show a Retry/Cancel message box. This has been corrected.

Gatekeeper's memory usage mechanism has been changed to prevent system crashes. The following DLLs are now memory-locked, so they cannot be paged out to virtual memory: SSLDR.DLL, SCAN_S.DLL, F-PROTWI.DLL and FPW386.DLL.

Gatekeeper (more precisely, the file A-PROT.EXE) will refuse to load in Windows 95 and Windows NT environments. The program will also show an appropriate error message.

Minor Improvements and Changes
------------------------------

If F-Agent fails to execute F-PROTW.EXE, the program will show an error message that explains the cause of the problem (earlier versions used to display only an error code).

When the program receives or sends an update, it displays a window which shows the progress of copying files.

Occasionally, F-Agent left F-PROTW.CFG decrypted after reading it. This has been corrected.

In Windows NT, the texts in reports and tasklist headers were too small (a 6-pt font was used). The font has now been enlarged.

If Windows was set to use large fonts (in the display driver's settings), the text on Gatekeeper's splash screen was too large to fit into the window. This has been corrected.

Gatekeeper's memory scanner now shows an hourglass cursor while the program executes the non-yielding part of the code.

F-PROTW.EXE displays a descriptive error message if it fails to launch FPWM.DLL. The earlier versions of the program used to show only an error code.

When the semaphore file (TMP.~NF) is created in the communications directory, the user's and workstation's names (in that order) are written to the file. If the semaphore file is not removed for some reason, the administrator can obtain the information from the file itself, and determine which workstation caused the problem.

New Viruses Detected by F-PROT
------------------------------

The following 17 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately.

    Ache
    Barrotes.1176
    Barrotes.840
    Bit_Addict.512.B
    Cascade.1701.AK
    Danish_tiny.163.D
    Faca
    Finnish.378
    Hates.166
    HLL.Commo
    IVP.Gwynned
    Jackal.3120
    Jerusalem.2224
    Keypress.1280
    Korea_Stranger
    Major
    Vivian

The following 10 new viruses are now detected and identified but can not yet be removed.

    Anston.1960
    Apocalipse
    Bit_Addict.512.A
    KY
    Newboot_1
    RPS2
    _1121
    WordMacro.Concept
    WordMacro.DMV
    WordMacro.Nuclear

WordMacro viruses can be removed with the WVFIX package on the F-PROT Professional for DOS diskette.