F/WIN 4.02
=====================================

HEURISTIC DETECTION OF WINDOWS, WINDOWS 95 AND MACRO VIRUSES

Author of F/WIN
---------------
Stefan Kurtzhals
Dörrenberg 42
42899 Remscheid
Germany
E-Mail: kurtzhal@uni-wuppertal.de
Fido:   2:2480/8849.2

United States Authorized Agent
------------------------------
Computer Virus Solutions
C/O Gary Martin
P.O. Box 30802
Gahanna, Ohio 43230
Voice:  (614) 337-0995
E-mail: fwin@fwin.com
WWW:    http://www.fwin.com

TABLE OF CONTENTS
=================
1.0 OVERVIEW OF F/WIN
    1.1 Tips for using this documentation
    1.2 What "Heuristic" detection is
    1.3 What F/WIN can detect - for Non-technical users
    1.4 What F/WIN can detect - for Technical users
    1.5 What F/WIN can clean - for Non-Technical users
    1.6 What F/WIN can clean - for Technical users
    1.7 False alarms
2.0 HOW TO USE F/WIN
    2.1 From a DOS prompt
    2.2 From Windows 3.x
    2.3 From Windows '95
    2.4 From OS/2 Warp
    2.5 Choices F/WIN provides when a suspected virus is found
    2.6 Situations in which F/WIN should N-O-T be run
3.0 HOW TO ORDER A REGISTERED VERSION OF F/WIN
    3.1 Extras in the registered version
    3.2 In Germany
    3.3 In the United States
    3.4 In other countries
    3.5 Stefan Kurtzhals' PGP public key (Germany)
    3.6 Gary Martin's PGP public key (USA)
4.0 WINDOWS EXE VIRUSES
    4.1 For NON-technical readers
        4.1.1 F/WIN's detection of
    4.2 For Technical readers
        4.2.1 F/WIN's detection of
5.0 MACRO VIRUSES
    5.1 What they are
    5.2 History of
    5.3 Why they pose such a threat to your data
    5.4 F/WIN's detection of
    5.5 How the viruses are removed
6.0 COPYRIGHT, LICENSE TERMS AND DISCLAIMER
7.0 GLOSSARY OF TERMS USED IN THIS DOCUMENTATION


1.0 OVERVIEW OF F/WIN
=================================================================

1.1 Tips for using this documentation
-----------------------------------------------------------------
a. Do a character string search for what you're looking for. This may be the fastest way to locate the needed information.

b. Check the Table of Contents, then do a character string search on the section number.

c. In several sections, there are two versions of the documentation. One is for novice users, the other for people who are fairly familiar with virus and other technical terminology. We thought about splitting these two types of documentation into different files, but decided against it. We suspect that many less experienced users will want to take a crack at understanding the technical explanations, and keeping them grouped together by topic will make that easier to do.

d. In the novice sections, there are key words and phrases that appear in all uppercase and are enclosed in braces {}. These terms are defined in the Glossary.

1.2 What "Heuristic" detection is
-----------------------------------------------------------------
F/WIN doesn't use {scan strings} to detect viruses. That method is fast but won't detect {unknown viruses}. Instead, it uses heuristic scanning techniques.

Scan string searches look for strings (combinations) of characters that are unique to a particular virus. Heuristic analysis looks for any kind of dangerous or virus-like code, regardless of which particular virus it may belong to or what the macro name is.

For instance, the virus is typically located by searching for the macro names that it uses. Those macro names are:

    AAAZAO
    AAAZFS
    AutoOpen
    Payload

In this example, F/WIN would instead look for potentially dangerous commands within each macro and flag them. It also notifies the user of any macros that could be run automatically, such as those that are run when files are opened, closed, saved, etc. Macro viruses often use these automatic or "system" macros to spread themselves or to carry out destructive activities.
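To make the difference between the two approaches concrete, here is an added example (written for this documentation, not F/WIN's own code) that scores macros by the kind of commands they contain rather than by their names. It assumes the macros have already been decoded into WordBasic source text (F/WIN itself extracts them from the Word 6/7 document stream) and uses constructed sample macros, not a real virus; the three scanning levels mirror the /MODE=n settings described in section 2.1.

```python
"""Heuristic analysis of WordBasic macros, modelled on the flags in this
documentation. Added example; not F/WIN's code. Assumes each macro is
already available as decoded WordBasic source (F/WIN extracts them from
the Word 6/7 OLE2 stream, which is out of scope here)."""
import re
from dataclasses import dataclass, field

# Word runs these macro names automatically when a document is opened,
# closed or created, or when Word starts or exits.
AUTO_MACROS = {"AUTOOPEN", "AUTOCLOSE", "AUTOEXEC", "AUTOEXIT", "AUTONEW"}
# Built-in Word commands a macro shadows simply by carrying the same name.
WORD_COMMANDS = {"FILESAVE", "FILESAVEAS", "FILEOPEN", "FILECLOSE",
                 "TOOLSMACRO", "FILETEMPLATES", "FILEEXIT"}

COPY_IN = "Copy macros from the current document into the global template"
COPY_OUT = "Copy macros from the global template into other documents"
AUTO = "Uses Auto-macros"

# (flag as F/WIN reports it, pattern over the macro source)
HEURISTICS = [
    (COPY_IN, re.compile(r'MacroCopy\s+"(?!Global:)[^"]*"\s*,\s*"Global:', re.I)),
    (COPY_OUT, re.compile(r'MacroCopy\s+"Global:', re.I)),
    ("Uses the macro command 'FileSaveAs'", re.compile(r"\bFileSaveAs\b", re.I)),
    ("Converts documents into templates", re.compile(r"\.Format\s*=\s*1\b", re.I)),
    ("Modifies settings in .INI files",
     re.compile(r"\bSetPrivateProfileString\b", re.I)),
    ("Displays message windows", re.compile(r"\bMsgBox\b", re.I)),
]


@dataclass
class Report:
    flags: list = field(default_factory=list)
    flagged_macros: list = field(default_factory=list)
    verdict: str = "clean"            # "clean", "suspicious" or "virus"


def analyse(macros: dict, mode: int = 0) -> Report:
    """macros: {macro name: WordBasic source}; mode mirrors /MODE=n."""
    rep = Report()
    names = {n.upper() for n in macros}
    for name, src in macros.items():
        hits = [flag for flag, rx in HEURISTICS if rx.search(src)]
        if name.upper() in AUTO_MACROS:
            hits.append(AUTO)
        if name.upper() in WORD_COMMANDS:
            hits.append("Redefines Word internal commands")
        # A quoted macro name that exists in this very document means the
        # macros refer to each other (F/WIN: "Macros do access itself").
        refs = re.findall(r'"(?:Global:)?([A-Za-z0-9_]+)"', src)
        if any(r.upper() in names for r in refs):
            hits.append("Macros do access itself")
        if hits:
            rep.flagged_macros.append(name)
        rep.flags.extend(h for h in hits if h not in rep.flags)
    if COPY_IN in rep.flags or COPY_OUT in rep.flags:
        rep.flags.insert(0, "Copy macros in a suspicious way")
    # Level 0: complete cycle (auto-macro, copies itself into the global
    # template and back out again). Level 1: auto-macro plus any macro
    # copying. Level 2: any single suspicious command, at the cost of
    # more false alarms on legitimate user macros.
    auto, cin, cout = AUTO in rep.flags, COPY_IN in rep.flags, COPY_OUT in rep.flags
    if auto and cin and cout:
        rep.verdict = "virus"
    elif mode >= 1 and auto and (cin or cout):
        rep.verdict = "suspicious"
    elif mode >= 2 and rep.flags:
        rep.verdict = "suspicious"
    return rep


# Constructed sample that reproduces the kind of flags listed in this
# documentation; it is NOT the real virus and carries no payload.
CONSTRUCTED_INFECTED = {
    "AutoOpen": 'Sub MAIN\n'
                'MacroCopy "AutoOpen", "Global:AutoOpen"\n'
                'MacroCopy "Payload", "Global:Payload"\n'
                'End Sub',
    "FileSaveAs": 'Sub MAIN\n'
                  'Dim dlg As FileSaveAs\n'
                  'GetCurValues dlg\n'
                  'dlg.Format = 1\n'
                  'MacroCopy "Global:AutoOpen", "AutoOpen"\n'
                  'FileSaveAs dlg\n'
                  'End Sub',
    "Payload": 'Sub MAIN\nMsgBox "constructed sample, nothing happens"\nEnd Sub',
}
# Constructed legitimate user macro: saves the document as a template.
CONSTRUCTED_LEGIT = {
    "SaveAsTemplate": 'Sub MAIN\n'
                      'FileSaveAs .Name = "REPORT.DOT", .Format = 1\n'
                      'MsgBox "Saved as template"\n'
                      'End Sub',
}

if __name__ == "__main__":
    for label, doc in (("infected", CONSTRUCTED_INFECTED), ("legit", CONSTRUCTED_LEGIT)):
        for mode in (0, 1, 2):
            r = analyse(doc, mode)
            print(f"{label} /MODE={mode}: {r.verdict}, {len(r.flags)} flags")
```

Note that the legitimate template-saving macro is only reported at level 2, which is the false-positive trade-off section 1.7 describes.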
These are the messages you would see when F/WIN's heuristic scanner finds the virus:

    D:\VIRUS\CONCEPT.DOC (...A 1.9.1995 13:21:06 17920 bytes)
    ■ Known virus found: "Concept.A"
    ■ This macro virus is similar to "Concept"
    ■ Word 6.0/7.0 document stream found (5100 bytes)
    ■ Contains 4 macros (1968 bytes)
    ■ Contains macros but has the file extension .DOC
    ■ Copy macros in a suspicious way
    ■ Copy macros from the current document into the global template
    ■ Copy macros from the global template into other documents
    ■ Macros do access itself
    ■ Converts documents into templates
    ■ Uses the macro command 'FileSaveAs'
    ■ Redefines Word internal commands
    ■ Uses Auto-macros
    ■ Modifies settings in .INI files
    ■ Displays message windows
    ■ Contains the following macros:
      "AAAZAO"   (Size: 742, suspicious, accessed by virus)
      "AAAZFS"   (Size: 435, suspicious, accessed by virus)
      "PAYLOAD"  (Size: 49,  suspicious, accessed by virus)
      "AUTOOPEN" (Size: 742, suspicious, accessed by virus)

ANY macro that contained the kind of code flagged above would be flagged as possibly virus infected, not just this one but also unknown macro viruses.

1.3 What F/WIN can detect - for Non-Technical users
-----------------------------------------------------------------
F/WIN uses heuristic scanning techniques to detect:

a. Macro viruses in Microsoft Word release 6.0 and 7.0 documents. The current release will not detect viruses or trojans in Word 2.0 files. However, F/WIN will produce a warning if it detects a Word 2.0 document which is named ".DOC" and has macros inside. F/WIN will scan all files that appear in the selected directory and all of its sub-directories looking for viruses.

   F/WIN CAN N-O-T DETECT THE PRESENCE OF MACRO VIRUSES IN MICROSOFT WORD DOCUMENTS THAT ARE ENCRYPTED WITH A PASSWORD. If you suspect that a password protected document is infected, copy the document onto a PC where it won't matter if a virus destroys data and open and scan it there.
   Or send it to your regular anti-virus company, or to the author of F/WIN, to check and clean it. F/WIN will produce a warning if it detects a password encrypted Word document which contains macros.

b. A special kind of virus that infects EXE files for Windows or Windows '95. "EXE" files are executable files and usually have the file extension ".EXE" or ".DLL". The ".EXE" file extension (last three characters of the file name) is reserved by DOS and Windows for executable files only. DOS EXE files are structured differently than Windows EXE files. F/WIN locates viruses that have infected Windows executable files only. (Exception: the DOS executables infected by will also be detected, but not with heuristics.)

1.4 What F/WIN can detect - for Technical users
-----------------------------------------------------------------
Windows executables are quite different from the normal DOS EXE files. Windows 3.x uses the NE-EXE format (New Executable) and Windows 95 uses PE-EXE (Portable Executable), which is also used by Windows NT. Because the new file structures are so different from the standard DOS EXE format, most virus coders never manage to write real Windows viruses. However, some virus coders from Australia finally managed to write a fully functional Windows 3.x virus, namely and later . The infection scheme used is much more "advanced" in some ways, so it's likely that other virus coders will copy it.

NE-EXE viruses are detected by analyzing the program header of any NE-EXE file found. The NE-EXE viruses modify the programs in a special way which allows a reliable detection of this virus type. It doesn't matter if the virus is polymorphic, because F/WIN doesn't check any program code at all! In other words, it can detect, in a general or generic way, that a virus is likely present. But F/WIN can't tell you exactly which virus it is.
Still, this feature of F/WIN is quite valuable because of its ability to detect unknown viruses and let you know that you have a problem sooner rather than later. It detects specifically the infection scheme that and use. These were the first really "functional" Windows executable viruses, and their techniques will most likely be copied by other virus authors.

F/WIN also detects the only known PE-EXE virus for Windows 95 using a similar approach. Because only one PE-EXE virus exists so far, it really can't be said how good the heuristic detection is, but F/WIN will of course be updated in order to catch newer variants if they are undetectable by the current heuristic approach. All three known variants are detected by F/WIN.

F/WIN detected all the known NE-EXE and PE-EXE viruses which use the described infection mechanism. If, however, you should happen to come across one that is not detected by F/WIN, please e-mail a copy of it to the author of F/WIN for analysis. See SENDVIR.TXT for more information.

F/WIN uses an advanced heuristic analysis to detect Word macro viruses. It analyses the contents of every macro in a template and checks whether a macro can perform suspicious, virus-like actions. The heuristic allows F/WIN to detect both known and unknown macro viruses and produces very few false positives. Please note that F/WIN cannot detect macro viruses in password encrypted documents.

1.5 What F/WIN can clean - for Non-Technical users
-----------------------------------------------------------------
Macro viruses in Microsoft Word documents
-----------------------------------------
F/WIN doesn't remove suspected viruses without asking the user or taking some precautions. First it makes a backup copy of the file before disinfecting it. The backup file will have the same file name, except that it will have the file extension (end with) .VIR. So an infected file named PAYROLL.WK1 would have a backup file called PAYROLL.VIR.
If there are more files with the same name, F/WIN will use file extensions like ".VI1", ".VI2" etc.

Next F/WIN overwrites the virus's macro code with harmless code and wipes the offending macro names from the macro list. It is not possible to reactivate deleted macros. If a document already contained macros before the infection, F/WIN will only remove the virus macros (see parameter description, /CLEAN:n).

DON'T FORGET TO REMOVE ALL THE .Vnn FILES WHEN YOU'RE FINISHED WITH THEM. We suggest also using a product like Norton Utilities WIPEINFO.EXE to wipe the FREE SPACE (not the whole drive) on the entire hard drive after all macro virus files are cleaned and removed. If the files are just deleted, in many cases they can simply be undeleted and reused by someone with bad intentions. Wiping all the free space on the entire hard drive will prevent someone from recovering a virus infected file by undeleting it or by using a disk editor.

Windows EXE files
-----------------
F/WIN can clean most of the known Windows 3.x (NE-EXE) and Windows 95 (PE-EXE) viruses like Boza, Ph33r, Winlame, Wintiny, Tentacle and Tentacle_II (alias: Shell). The cleaning is generic, which means that F/WIN will also clean most future viruses which use the same infection scheme.

1.6 What F/WIN can clean - for Technical users
-----------------------------------------------------------------
Macro viruses in Microsoft Word documents
-----------------------------------------
F/WIN doesn't remove suspected viruses without asking the user or taking some precautions. First it makes a backup copy of the file before disinfecting it. In fact, F/WIN won't start the cleaning process if it can't create the backup file! The backup file will have the same file name, except that it will have the file extension (end with) ".VIR" (if there are duplicate file names, F/WIN will use ".VI1", ".VI2" etc.).
F/WIN will detect which macros actually belong to the virus and will remove them by wiping the macro code and deleting the macro entry in the document structure. It is not possible to reactivate deleted macros. If a document already contained macros before the infection, F/WIN will only remove the virus macros (see parameter description, /CLEAN:n).

Also note that DOC files are OLE 2.0 objects. An OLE 2.0 object can be internally split up into several parts. Like hard disk clusters, these parts can be fragmented and, worst of all, they have a slack area just like real clusters, so data from wiped macros could survive there. This is quite a security hole, and Microsoft already offers an update of OLE2 for Windows 95 which handles these slack areas correctly.

Windows .EXE files
------------------
F/WIN can detect and clean the only known PE-EXE (Windows 95) virus, and any future ones that use similar infection schemes. It can also detect and clean several of the newer NE-EXE (Windows 3.x) viruses which use the same infection scheme as Ph33r. These viruses add a relocation entry at the end of the file, which is used by F/WIN to locate the original entry point of the program. The cleaning method used by F/WIN is generic and will even clean certain encrypted or polymorphic NE-EXE viruses, as the relocation entry can't be encrypted by the virus. Some of the known NE-EXE viruses use other ways to store this information and can't be cleaned by the current cleaning approach of F/WIN.

1.7 False alarms
-----------------------------------------------------------------
Every heuristic analysis will cause either false positives or {false negatives}. Of course this is also true for F/WIN. This means that F/WIN may flag some harmless files as infected and, on the other hand, will miss some of the more unusual viruses. We tried everything to keep the number of both false positives and false negatives as low as possible, but we can't completely avoid them.
Macro viruses in Microsoft Word documents
-----------------------------------------
There is a small percentage of Microsoft Word users who write legitimate, useful macros that may use some of the commands that F/WIN detects. Experienced users in particular quite often use macros to speed up their work with Winword. In general, if you know that you have not written any macros and that you've not received any documents with known macros in them, then it's highly likely that you do have a virus if F/WIN detects the presence of suspicious macro code in your Microsoft Word documents or templates. This is especially true if possible infections are detected in multiple documents.

If legitimate macros are present in your environment that trigger warnings from F/WIN, make a note of what commands F/WIN is finding and flagging and make sure your macros are supposed to contain those commands. F/WIN shows exactly how many macros are present within a template and what size they have. This makes it quite easy to spot unwanted modifications.

Windows .EXE files
------------------
F/WIN may on rare occasions trigger a false alarm on Windows EXE files. Should you experience one, please send a copy of the file that was flagged in error to the author of F/WIN for evaluation. F/WIN will either be modified to stop triggering the false alarm, or a new file will be created listing known false alarms. So far, most false positives were caused by device drivers or special DLLs.


2.0 HOW TO USE F/WIN
=================================================================
In general, it's important that you don't run Microsoft Word itself at the same time as F/WIN. F/WIN is able to check already opened files, but it can't clean them because it will not get write access to such files. So, if your NORMAL.DOT or another document is infected with a macro virus, you must exit Word before running F/WIN.
2.1 From a DOS prompt
-----------------------------------------------------------------
If you run F/WIN without parameters, you will see a menu which allows you to run the quick scan mode or to view the command line parameter help. In the quick scan mode, F/WIN will scan all local hard drives (similar to F4 /LOCAL).

There are three levels of scanning that F/WIN performs for macro viruses and trojans. It is important to understand which is right for your needs before choosing one.

LEVEL 0:
F/WIN detects and produces warning messages for obvious virus and trojan files. However, no trojans are detected with the shareware version. All currently known Word 6.0 and 7.0 viruses are detected at this level. This is the default level of scanning when the /MODE, /PARANOID and /EXTENDED parameters are not used. This level detects viruses and trojans that are fully functional. "Fully functional" means that they contain all the components that would normally be present in a virus or trojan.

LEVEL 1:
Level 1 detection, called "Extended Mode", does everything Level 0 does, and MORE. To use it, specify either /MODE=1 or /EXTENDED. Level 1 will produce warning messages even if not all the conditions specified in Level 0 are met. The Extended Mode might cause more false positives than the standard scanning mode and is only available in the registered version of F/WIN.

LEVEL 2:
Level 2 detection does everything Level 1 does, and MORE. Use the /MODE=2 or /PARANOID parameter to get the most comprehensive scanning F/WIN can deliver. F/WIN does not perform checks to avoid false positives in this mode.

If you're not sure which level to use, start with the highest level, and work your way backwards if you get a lot of false alarms. For instance:

1. Start by using /PARANOID or /MODE=2. If you get too many false alarms, then:
2. Use /MODE=1 or /EXTENDED. If you still get too many false alarms, then:
3. Run F/WIN without specifying any of the /MODE=n, /EXTENDED or /PARANOID parameters.

The syntax for F/WIN is as follows. Parameters enclosed in [ ]'s are optional:

    FWIN path [/?] [/H] [/HELP] [/REPORT=+Name] [/REPORT] [/LOGALL]
              [/NODETAIL] [/ANALYSE] [/A] [/DOC] [/NOSUB] [/LOCAL]
              [/REMOTE] [/CLEANALL] [/RENAMEALL] [/MOVEALL] [/IGNOREALL]
              [/MOVE=path] [/CLEAN:1] [/CLEAN:2] [/MODE:1] [/MODE:2]
              [/EXTENDED] [/PARANOID] [/NOSIG] [/NOHEUR] [/NOBREAK] [/BEEP]

path
    The directory and all of its sub-directories to be scanned. Specify just the drive name if the entire drive is to be scanned. Wild-cards in the file name are allowed. You may specify only one drive or path name at a time. CD-ROM drive names may also be specified. F/WIN accepts Windows 95 long file name paths, but keep in mind that the DOS command line can only handle 128 characters. Path names with spaces must be enclosed in quotation marks.

/? or /H
    Will display a short help screen.

/REPORT=...
    The path and file name for a text file that contains a report of the files that F/WIN checked. The report option is only available in the registered version. For instance: /REPORT=C:\FWINCDRV.RPT. By default, F/WIN will only log suspicious files. If you want to log all files, use /LOGALL.

/REPORT=+...
    F/WIN will add the current log to an existing report file. If the file does not exist, F/WIN will create it.

/REPORT
    Like /REPORT=..., but F/WIN will use the default report name "FWIN.RPT".

/LOGALL
    F/WIN will add all files to the report, not only the suspicious ones.

/NODETAIL
    F/WIN will not log the full analysis of every virus found.

/ANALYSE or /A
    F/WIN will at once display the analysis window when it detects a suspicious file.

/DOC
    F/WIN scans only .DOC and .DOT files. The default is to scan ALL files. This will increase the scan speed, but F/WIN will only detect macro viruses with this option enabled.

/NOSUB
    F/WIN will not check sub-directories.

/LOCAL
    F/WIN will check all local drives, excluding floppy and CD-ROM drives.
    /LOCAL can be used together with /REMOTE.

/REMOTE
    F/WIN will check all remote (network) drives. You can combine /REMOTE with /LOCAL.

/CLEANALL
    By default, F/WIN prompts for what action to take on an infected file as it encounters each one. This switch tells F/WIN not to prompt for action on each file, but instead to go ahead and remove the virus from all infected files. F/WIN will analyse the template and remove only the macros which belong to the virus. You can override this by using /CLEAN:1. If /CLEANALL is used, you MUST also use the /REPORT= option.

/RENAMEALL
    F/WIN renames all suspicious files it detects without prompting for user input.

/MOVEALL
    All suspicious files will be moved into a directory that you can specify by using /MOVE=path.

/IGNOREALL
    Like /RENAMEALL, /MOVEALL and /CLEANALL, F/WIN will not stop and prompt for user input if it detects suspicious files. When you use /IGNOREALL, the suspicious files will stay untouched. /IGNOREALL can only be used with /REPORT and can be used in DOS batch files.

/MOVE=...
    When F/WIN removes any virus or trojan it first makes a backup copy of the infected file. By default, F/WIN makes the backup copy in the same directory as the file from which the virus/trojan was removed. For instance, if F/WIN cleaned the file C:\WINWORD\INFECTED.DOC, it would, by default, make a backup file called C:\WINWORD\INFECTED.VIR. If you use the /MOVEALL parameter or select MOVE in the interactive mode and did not specify a directory, F/WIN will use the default "C:\VIRUS".

/MODE=n
    Enables the advanced scanning modes.
    n = 1 : Extended mode. This is the same as using the /EXTENDED parameter.
    n = 2 : Paranoid mode. This is the same as using the /PARANOID parameter.

/EXTENDED
    By default, F/WIN checks macros carefully and will try to minimize the chance of false positives. However, this keeps F/WIN from detecting some trojan macros.
    If you enable the extended mode, F/WIN will also report documents which contain suspicious macros but don't seem to contain a complete macro virus or trojan. /EXTENDED is equal to /MODE:1 and is only available in the registered version.

/PARANOID
    By default, F/WIN checks macros carefully and will try to minimize the chance of false positives. However, this keeps F/WIN from detecting some trojan macros. If you enable the paranoid mode, F/WIN will also report macros which are only partially suspicious, but it will also report more false positives. /PARANOID and /MODE:2 perform exactly the same functions. The /PARANOID parameter was included because it might be easier for some users to remember than /MODE:2. If you don't use Word macros at all, /PARANOID or /MODE:2 is a very good choice.

/CLEAN:1
    By default F/WIN automatically decides which macros must be deleted. If you use /CLEAN:1, F/WIN will remove -all- macros from an infected template. If the file extension is ".DOC", the file is converted back to the regular Word document format.

/CLEAN:2
    F/WIN will only remove the suspicious macros from infected templates if you use this parameter. However, if all the macros in a template belong to the virus, F/WIN will temporarily switch to /CLEAN:1.

/NOSIG
    F/WIN will not use signatures to detect macro viruses.

/NOHEUR
    In this scan mode, F/WIN will only detect known macro viruses, but will also scan at a much higher speed.

/NOBREAK
    F/WIN does not allow the virus scan to be interrupted.

/BEEP
    F/WIN will give a warning signal if a virus is found. /BEEP is disabled if you use one of the batch modes (/CLEANALL etc.).

When using F/WIN in a DOS batch file, it will return the following error levels, which can be checked in the batch file:

    0   - F/WIN finished the scan without finding suspicious files.
    1   - F/WIN detected suspicious files during the scan process.
    250 - An invalid combination of parameters was used.
    253 - F/WIN was not able to create the /MOVE= directory.
    254 - F/WIN was not able to create the report file.

Here are some examples of how to execute F/WIN:

F4 D:
    Scans the entire D: drive.

F4 "C:\MSOffice\WinWord\Template\My templates"
    Scans the "My templates" subdirectory and all directories below it. Note that the path passed to FWIN had to be enclosed in quotes in this case because of the space between "My" and "templates".

F4 A:\ /REPORT=C:\FWIN.RPT
    Scans the entire A: drive and puts a report of what it found into the file C:\FWIN.RPT.

F4 D:\ /REPORT=A:\FWIN.RPT /PARANOID /DOC
    Scans the entire D: drive, puts a report of what it found in A:\FWIN.RPT, and checks ONLY macros in files that end in .DOC or .DOT.

F4 C:\ /REPORT=A:\FWIN.RPT /MODE:2 /CLEANALL
    Scans the entire C: drive in the Paranoid mode, puts a report of what it found in A:\FWIN.RPT, and cleans all files infected with Word macro viruses or trojans.

F4 /LOCAL /REMOTE /DOC /NOBREAK
    F/WIN will scan all local and remote drives for .DOC/.DOT files only and doesn't allow interrupting by pressing .

F4 /?
    F/WIN displays help information.

F4 C:\*.DO?
    Will scan all *.DO? files on drive C:.

F4 C: /REPORT=C:\FWIN_C.RPT /IGNOREALL
    Scans the C: drive and puts the results of the scan in a file called FWIN_C.RPT in the root directory of the C: drive. F/WIN doesn't stop scanning for any viruses found (/IGNOREALL); it just keeps scanning and only reports what is found.

2.2 From Windows 3.x
-----------------------------------------------------------------
Option #1: Click on the "MS-DOS PROMPT" icon in the "MAIN" window and follow the previous instructions for running from a DOS prompt.

Option #2: On the PROGRAM MANAGER screen, click on "FILE", then on "RUN". Point to where FWIN is stored, then add the appropriate parameters to run it the way you want. For instance, in the box that says "COMMAND LINE", you would enter "C:\FWIN C:" to scan the C: drive, assuming that FWIN is stored in the root directory of the C: drive.
In either of the above two options, F/WIN will prompt you for the path to scan if it isn't specified.

2.3 From Windows '95
-----------------------------------------------------------------
Option #1: Run it from DOS. There are three ways to get to it.

First way:
    Click on "START"
    Click on "RUN"
    Key in the appropriate FWIN command. Use the previous instructions for running F/WIN in DOS. For instance, enter: C:\FWIN A: to scan the A: drive.
    Click on "OK"

Second way:
    Click on "START"
    Click on "PROGRAMS"
    Click on "MS-DOS PROMPT"
    Key in the appropriate FWIN command. Use the previous instructions for running F/WIN in DOS. For instance, enter: C:\FWIN A: to scan the A: drive.

Third way:
    Click on "START"
    Click on "PROGRAMS"
    Click on "MAIN"
    Click on "MS-DOS PROMPT"
    Key in the appropriate FWIN command. Use the previous instructions for running F/WIN in DOS. For instance, enter: C:\FWIN A: to scan the A: drive.

Option #2: You may also set up icons to run FWIN from the Windows 95 Start menu. In the example below, FWIN will scan the A: drive:

    Copy FWIN.EXE into whatever directory you want to run it from. In this example, it is run from the C:\ directory.
    Click on "START"
    Click on "SETTINGS"
    Click on "TASKBAR"
    Click on "START MENU PROGRAMS"
    Click on "ADD"
    Key in "C:\FWIN.EXE A:" in the box labeled "Command Line", then press ENTER
    Click on "NEXT"
    Key in "FWIN (scan A drive)" in the box labeled "Select a name for the shortcut", then press ENTER
    Click on the icon of your choice, or use the FWIN.ICO file that came with F/WIN.
    Click on "FINISH", then "OK"

To run what you just set up:
    Click on "START"
    Click on "PROGRAMS"
    Click on "FWIN (scan A drive)"

2.4 From OS/2 Warp
-----------------------------------------------------------------
Open an OS/2 DOS window. Then execute F/WIN exactly the same way you would if you were running it in DOS.
2.5 Choices F/WIN provides when a suspected virus is found
-----------------------------------------------------------------
If F/WIN detects a suspicious file, it will stop scanning and display some messages. At the bottom of this text you will get a display similar to the example below:

    CONCEPT .DOC - Infected with: "Concept.A" (Macros: 4, Size: 1968)
    [A]nalysis [C]lean [R]ename [M]ove [S]kip [E]nd scan [O]ptions

You choose options by pressing the letter enclosed in brackets (F/WIN displays these characters in another color) or by using the cursor keys and pressing SPACEBAR or ENTER. The options explained in detail:

Analysis
~~~~~~~~
F/WIN will display a window containing a detailed report about the detected virus. You can use the cursor up and down keys to scroll the window. As in the regular display, F/WIN will offer the following options.

Clean
~~~~~
F/WIN will back up the file and remove the virus from it. If F/WIN was not able to create the backup, the file is left unmodified. If you clean a Word macro virus and the document already contained harmless macros before the infection, F/WIN might prompt you to remove either all or only the suspicious macros.

Rename
~~~~~~
F/WIN will not clean the virus but renames the file to another file extension, for example "MYTEXT.DOC" to "MYTEXT.VIR".

Move
~~~~
The suspicious file is moved to a directory that you must specify by using /MOVE=path. If you have not set this directory, F/WIN will use "C:\VIRUS" as the default setting.

Skip
~~~~
F/WIN will simply skip this file and does not modify it.

End scan
~~~~~~~~
The virus scan will be aborted at once if you select this option.

Options
~~~~~~~
This choice displays another window in which you can select whether F/WIN should repeat your selected action on more than one file:

    Use your choice on:
      Current file
      Current directory
      Current directory including sub-dirs
      Current drive
      All further suspicious files

You must use the cursor keys and SPACE or ENTER to select an option.
For example, if you selected "Current directory including sub-directories" and used the "Clean" action after this, F/WIN will clean all further files in the current directory and all of its sub-directories. These batch modes are useful if you have to handle large numbers of infections.

2.6 Situations in which F/WIN should N-O-T be run
-----------------------------------------------------------------
If you suspect that a DOS, Windows 95 or OS/2 virus is memory resident, do N-O-T run F/WIN until you are confident that the virus is no longer memory resident. If a virus is memory resident and it's a "fast infector", running F/WIN can cause it to infect every executable file it's capable of infecting during F/WIN's scan.

F/WIN is not a full-blown scanner that can check to see if DOS and Windows viruses are resident in memory. It is a specialized scanner that supplements the regular scanner you already have. Use your regular scanner to make sure there are no memory resident viruses before running F/WIN, or better yet, boot from a clean system disk.

These precautions are only necessary against resident DOS, Windows 95 or OS/2 file or boot sector viruses. Macro viruses are 'resident' too as long as Word is executing, but they don't directly interfere with the programs of those three operating systems.


3.0 HOW TO ORDER A REGISTERED VERSION OF F/WIN
=================================================================

3.1 Extras in the registered version
-----------------------------------------------------------------
The following extra features are available in the registered version but aren't active in the shareware version:

a) Cleaning of files is not delayed
b) The /REPORT switch is activated
c) The /MODE and /PARANOID switches are available
d) /CLEANALL and the other batch modes are available

3.2 In Germany
-----------------------------------------------------------------
Orders can be submitted by e-mail or by post.
Please fill in the file REGISTER.TXT and send it to:

    Stefan Kurtzhals
    Dörrenberg 42
    42899 Remscheid
    Germany
    E-Mail: kurtzhal@uni-wuppertal.de

The registered version will be sent either on a 3.5" disk or by PGP encrypted e-mail. Please don't forget to add your public PGP key if you want to receive the registered version by e-mail! You will receive a PKZIP archive which will contain the latest version of F/WIN and a personal key file.

The latest German shareware version of F/WIN can be downloaded from:

- http://www.fwin.com
- http://www.psnw.com/~joe
- http://www.cyberbox.north.de
- Cyberbox BBS (V32b: 0441-3990032, V34: 0441-3990033, ISDN: 0441-9396977)
- VHM II BBS (V34/ISDN: 08638-881108)

3.3 In the United States
-----------------------------------------------------------------
PAYING FOR THE REGISTERED VERSION
---------------------------------
Print and fill out the file ORDER.TXT, then mail it to:

    Computer Virus Solutions
    Order Processing
    P.O. Box 30802
    Gahanna, Ohio 43230
    United States of America

Please include a check or money order payable to: "COMPUTER VIRUS SOLUTIONS"

At this time, we are not yet set up to accept credit card orders, but we should be in the future.

HOW TO RECEIVE THE SOFTWARE AND KEY FILE
----------------------------------------
Option #1
---------
Download the shareware version from an FTP site. After receiving your payment by mail, we'll send you your unique key file, which turns the shareware version into the registered version. You may receive your key file in any of the following ways:

a. By mail on a floppy diskette.
b. By e-mail as a PGP encrypted binary file attachment (make sure your e-mail system allows this).
c. A UUENCODE'd e-mail message (must be PGP encrypted, though).
d. A PGP ASCII file sent in an e-mail message.
e. A PKZIP password protected file that's been UUENCODED.

If you wish to receive your key file by e-mail, you must make sure to send us your PGP public key. We will not send an unencrypted key file through the Internet.
With the exception of the diskette option, the file you'll receive will be a self-extracting PKZIP compressed file.

Option #2
---------

All software sent on a diskette.

Getting Updates
---------------

Updates (which are the shareware version) can be downloaded from the web sites listed below. As long as you have a valid, legal FWIN.KEY file, you can download the "shareware" versions from these sites to upgrade your copy of F/WIN. The FWIN.EXE file by itself is the "shareware" version. When FWIN.EXE and FWIN.KEY are used together, they make up the fully functional "registered" version.

Here's how this works. When you run F/WIN Anti-Virus, the FWIN.EXE program looks to see whether a valid FWIN.KEY file exists where it expects it to be. If FWIN.KEY is missing, FWIN.EXE is programmed to leave some features inactive. If a valid FWIN.KEY is found, FWIN.EXE will activate all of its features. So you can keep downloading updated shareware versions and always have the most up-to-date registered version as well, because of your FWIN.KEY file.

See the price list in the ordering files for what it costs to receive update diskettes by mail 4 times a year.

We also have an auto-responder set up that allows you to send an e-mail message (with nothing in the subject or message; a completely blank message) to our WWW site and have it automatically send you back, through e-mail, a UUENCODE'd version of the latest shareware release. This allows anyone with Internet e-mail access to get their updates (and the original shareware version) by e-mail, so long as they have UUDECODE software to decode it.

To get the latest version of F/WIN Anti-Virus by e-mail, send a message (with nothing in the Subject line or body of the message) to:

evaluate@fwin.com

If you don't currently have UUDECODE, it is available at many FTP sites on the Internet. Our web page also contains the DOS and Windows versions of UUENCODE/UUDECODE for you to download.
Here's how to get to our web page:

http://www.fwin.com

The shareware version may also be downloaded from:

http://www.psnw.com/~joe
http://www.cyberbox.north.de

F/WIN may also be downloaded from any of the various SimTel FTP sites around the world.

3.4 In other countries
-----------------------------------------------------------------

For ordering the German version, contact Stefan Kurtzhals for purchasing instructions. All others please contact Gary Martin. Both can be contacted by e-mail through our web page specified above.

4.0 WINDOWS EXE VIRUSES
=================================================================

4.1 For NON-Technical readers
-----------------------------------------------------------------

Until recently, {windows viruses} were very rare and primitive. In most cases they just converted the Windows executable format {NE-EXE} into normal {DOS-EXE} or used {companion style infection} and didn't change the programs at all. Furthermore, they all were {non-resident} {direct action} infectors which never spread very far. Viruses like {WinVir14} were too clumsy to escape into the {wild} and remained pure research viruses.

But the situation changed after an underground virus magazine published the source code for a virus called {Winsurfer}.  used a new {infection scheme} for infecting NE-EXE files. It was the first virus which was able to infect NE-EXE files properly, without converting the program to DOS-EXE or just creating companions. The new infection scheme is much less noticeable than the previous ones because it only changes a very small part of the {program header} and leaves the program still executable.

Also,  (and especially ) stay {resident} using the {DPMI API}. This gives them a much higher infection rate than the older direct action viruses. ( is a partial {fast infector}.) Because this infection scheme is so clearly superior and has additionally been published widely, it's very likely that more viruses will appear which copy this special method of infecting files. Examples of this are the viruses  and .
Windows 95 programs (32-bit EXE) have a new format, PE-EXE. The viruses that use the NE-EXE infection scheme don't infect this format, but as there are still some NE-EXE (16-bit EXE) programs left in Windows 95, or the user still uses old Windows programs, the viruses will still spread under Windows 95. Also,  infects DOS programs such as COMMAND.COM or WIN.COM besides infecting Windows EXE files.

The same underground virus writer group which created  and  also managed to write a PE-EXE virus for Windows 95 executables. This virus is still quite clumsy (it's again just a direct action virus), but more complex viruses will surely follow soon, as the virus source was again published by the authors.

4.1.1 F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------

F/WIN detects Windows EXE viruses by analyzing the NE-EXE and PE-EXE header of a file. The known Windows EXE viruses modify this header into a very unusual structure which can be detected by F/WIN. F/WIN does not examine the suspicious program code itself, and because of this it will also detect plainly or variably encrypted {polymorphic} viruses.

4.2 For Technical readers
-----------------------------------------------------------------

Until recently, Windows viruses were very rare and primitive. In most cases they just converted the Windows executable format NE-EXE into normal DOS-EXE or used companion style infection and didn't change the programs at all. Furthermore, they all were non-resident direct action infectors which never spread very far. Viruses like WinVir14 were too clumsy to escape into the wild and remained pure research viruses.

But the situation changed after an underground virus magazine published the source code for a virus called .  used a new infection scheme for infecting NE-EXE files. It was the first virus which was able to infect NE-EXE files properly, without converting the program to DOS-EXE or just creating companions.
The new infection scheme is much less noticeable than the previous ones because it only changes a very small part of the program header and leaves the program still executable. In detail, the virus moves the NE header by 8 bytes in order to get a free slot for a new segment entry, which then points to the virus code. The virus code is appended to the end of the file, and the original entry point is stored in a relocation entry behind the virus code.

Also,  (and especially ) stay resident using the DPMI API. This gives them a much higher infection rate than the older direct action viruses. ( is a partial fast infector.) Because this infection scheme is so clearly superior and has additionally been published widely, it's very likely that more viruses will appear which copy this special method of infecting files.

Windows 95 programs (32-bit EXE) have a new format, PE-EXE. The viruses that use the NE-EXE infection scheme don't infect this format, but as there are still some NE-EXE (16-bit EXE) programs left in Windows 95, or the user still uses old Windows programs, the viruses will still spread under Windows 95. Also,  infects DOS programs such as COMMAND.COM or WIN.COM besides infecting Windows EXE files.

The same underground virus writer group which created  and  has now also managed to write a PE-EXE virus for Windows 95 executables. This virus is still quite clumsy (it's again just a direct action virus), but more complex viruses will surely follow soon, as the virus source was again published by the authors. Actually, the virus is written for operating systems which support the Win32 API. At the moment, Win32 is supported by Windows (Win32s), Windows 95 and Windows NT.  increases the number of segments, changes the IP RVA to the new virus entry point, adds a new segment to the segment list (the new segment is named .vlad) and adds the virus code at the end of the file.
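As an added illustration of the header-only approach that F/WIN's detection section describes, and not code from F/WIN or from its authors, the following Python builds a minimal, constructed PE header and looks only at the entry point and the section table: whether the entry point falls inside any section at all, whether that section carries the code and execute flags, and whether it is an appended last section like the ".vlad" section described above. The flag constants are the standard PE/COFF values; the section names, sample layouts and the three checks are this example's own choices, and it covers PE-EXE only, not the NE segment table.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def build_pe_header(sections, entry_rva):
    """Constructed input for the analyser: a bare MZ stub, PE signature, COFF
    header, PE32 optional header and section table. It is not a loadable
    program; only the fields the analyser reads are filled in.
    sections: list of (name_bytes, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize,
                    0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Follow e_lfanew from the DOS header to the PE header and return
    (entry_point_rva, [(name, virtual_address, virtual_size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature: plain DOS EXE, NE-EXE or LE-EXE")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[2], f[1], f[9]))   # VirtualAddress, VirtualSize, Characteristics
    return entry, sections


def analyse_pe(data):
    """Header-only heuristic: no code is scanned or executed. Returns a list of
    findings; an empty list means the entry point and section table look normal."""
    entry, sections = parse_pe(data)
    owner = None
    for idx, (name, va, vsize, flags) in enumerate(sections):
        if va <= entry < va + vsize:
            owner = idx
    if owner is None:
        return ["entry point RVA 0x%X lies outside every section" % entry]
    findings = []
    name, va, vsize, flags = sections[owner]
    if flags & CODE_FLAGS != CODE_FLAGS:
        findings.append("entry section %s lacks code/execute flags (0x%08X)" % (name, flags))
    if flags & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % name)
    earlier_code = any(s[3] & CODE_FLAGS == CODE_FLAGS for s in sections[:owner])
    if owner == len(sections) - 1 and earlier_code:
        findings.append("entry point moved into the last section %s although an earlier "
                        "section already carries code" % name)
    return findings


# Constructed layouts. A normal program: code in .text, entry point inside it.
CLEAN_LAYOUT = [
    (b".text", 0x1000, 0x400, CODE_FLAGS | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
# The same program with a writable section appended at the end that now owns
# the entry point, the shape the text describes (".vlad" is the name from above).
APPENDED_LAYOUT = CLEAN_LAYOUT + [
    (b".vlad", 0x3000, 0x300, CODE_FLAGS | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

CLEAN_IMAGE = build_pe_header(CLEAN_LAYOUT, 0x1010)
APPENDED_IMAGE = build_pe_header(APPENDED_LAYOUT, 0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("appended", APPENDED_IMAGE)):
        print(label, analyse_pe(image) or ["no header anomalies"])
```

Because the check never touches the bytes of the appended section, it is indifferent to whether that code is encrypted or polymorphic, which is the property the detection section claims for F/WIN's header analysis; the price is that a legitimate packer or self-extractor that also moves the entry point into a trailing writable section will be reported the same way.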
4.2.1 F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------

F/WIN detects Windows EXE viruses by analyzing the NE-EXE and PE-EXE header of a file. The known Windows EXE viruses modify this header into a very unusual structure which can be detected by F/WIN. Usually, they add strange segments which have no valid code segment flags set. F/WIN does not scan into these suspicious code segments, because there are as yet too few Windows EXE viruses to derive a good code heuristic from them. Because F/WIN doesn't check the code of the virus, it is able to detect any unencrypted or polymorphic virus which uses the  or  infection schemes.

5.0 MACRO VIRUSES
=================================================================

5.1 What they are
-----------------------------------------------------------------

Macro viruses which infect documents are fairly new. In the case of Microsoft Word templates, they use the built-in macro language called WordBasic. Other products like Excel, Word Perfect, etc. have their own built-in macro languages similar in function to WordBasic.

Winword macro viruses copy themselves into the global macro template and convert user documents into macro templates when the document is saved and infected. Also, the viruses use auto macros that are executed by WinWord automatically when, for example, a file is opened, saved or closed. Microsoft Word also allows execute-only macros, which means that the user can't read the macro definition anymore, a feature which is used by most of the macro viruses.

5.2 History of 
-----------------------------------------------------------------

The idea of macro viruses by itself isn't new at all. In 1994 an example macro virus () was written to show the dangers of macro languages. This virus is a pure demonstration virus and was never spread. The first macro virus that escaped into the wild was , which was released in 1995.
Shortly after, other macro viruses were written, such as  and . For more information about the macro viruses known to date, use your web browser to link to:

http://www.bocklabs.wisc.edu/~janda/macro_faq.html

Currently there are more than 100 known macro viruses and the number is increasing almost every day. The reason for this is that it is very easy to write such macro viruses. There are now also two macro virus construction kits available which make the creation of new macro viruses even easier.

5.3 Why they pose such a great threat to your data
-----------------------------------------------------------------

There are two major reasons why macro viruses in general pose such a great potential threat to your data.

First, macro languages like WordBasic (the macro language of Microsoft Word) are easy to learn. What keeps most people with bad intentions from writing DOS viruses is that DOS viruses are usually written in Assembler, which is quite difficult to learn. But macro languages like WordBasic are significantly easier to learn and to write viruses with than Assembler is. Coding examples for writing macro viruses can be found on the Internet. If your business uses one of the Microsoft Word templates that have been designed to intercept and remove viruses, then you have provided an excellent coding example to your employees for coding a WordBasic virus. Parts of those templates can easily be copied and modified to become destructive virus code. And the help screens that are available for WordBasic are plentiful. It would probably take the average programmer less than 10 hours to start with one of these anti-virus templates and make a fully functional virus with highly destructive capabilities from it. The potential for data loss from a disgruntled employee is high if someone decided to attack your company in this manner.

The second reason the risk is so high is that most virus scanners to date only check for known macro viruses.
They are not capable of detecting unknown ones, or if they do, they can misidentify what they've found. So if someone planted a new virus that they had just written in your business, you might not find it until it's too late. And it is very easy to create a 'new' undetectable virus by just inserting spaces and carriage returns into the macro code of a known virus.

F/WIN's strength is that it finds both known and UNKNOWN WordBasic viruses and trojans. F/WIN uses heuristic analysis instead of signature scans to find the viruses. F/WIN can also REMOVE most viruses it finds. And if it should happen to remove a virus in such a way that the document is no longer accessible, it has made a backup copy of the file before attempting to remove the virus. So F/WIN is both effective and safe.

Keep in mind that WordBasic is a powerful language. Besides the possibility of modifying almost every parameter and option of Winword, you can easily rename, change or delete other files (like WIN.INI, SYSTEM.INI, CONFIG.SYS etc.) and you can call other Windows or DOS programs, i.e. FORMAT or DELTREE. It's also possible to execute Win API calls or other embedded OLE objects.

5.4 F/WIN's detection of WordBasic macro viruses/trojans
-----------------------------------------------------------------

F/WIN uses a WordBasic emulator/tracer to analyse every command in a Word template. If a macro performs dangerous or suspicious actions, F/WIN will report this file as possibly infected. The heuristic analysis is very well balanced and has a very high detection rate but also very few false positives.

Besides heuristic analysis, F/WIN also uses signature scanning to detect whether a suspicious file contains a known macro virus. Note that the signature scanning just provides extra information (you will see whether the virus is known or not); F/WIN does not need it to detect macro viruses. If you use /NOSIG, the detection rate will not change.
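To make concrete why the spaces-and-carriage-returns rewrite from section 5.3 does not help against command-level analysis, here is an added Python sketch; it is not F/WIN's emulator and not code from the authors. It assumes the macro text has already been extracted from the template (the OLE 2.0 container is out of scope), normalises it, scores each macro by the statements it contains and by whether Word would run it automatically, and compares the outcome with a fixed-string signature. The statement list, the weights, the signature and the sample macros are all constructed for this example.

```python
import re

# Macros Word runs on its own when a document is opened, closed or created,
# or when Word starts or exits (see "Auto Macro" in the glossary).
AUTO_MACROS = {"AUTOEXEC", "AUTOOPEN", "AUTOCLOSE", "AUTONEW", "AUTOEXIT"}

# WordBasic statements that copy macros, touch files or start other programs.
# The list and the weights are this example's assumption, not F/WIN's rules.
SUSPICIOUS = {
    "MACROCOPY": 3, "ORGANIZER": 3, "SHELL": 3, "KILL": 3, "DECLARE": 2,
    "SETATTR": 1, "NAME": 1, "FILESAVEAS": 1, "TOOLSMACRO": 1,
    "DISABLEAUTOMACROS": 1,
}

FIRST_WORD = re.compile(r"^([A-Za-z][A-Za-z0-9]*)")


def normalise(lines):
    """Strip comments and blank lines, collapse whitespace runs, upper-case.
    Comment stripping is deliberately simple: a quote character inside a
    string literal would be mistaken for a comment marker."""
    out = []
    for line in lines:
        code = line.split("'", 1)[0]
        code = " ".join(code.split())
        if not code or code.upper().startswith("REM "):
            continue
        out.append(code.upper())
    return out


def analyse_macro(name, lines):
    """Score one macro by the statements it starts and by whether Word would
    run it automatically. Returns the evidence as a dict."""
    hits, score = [], 0
    for stmt in normalise(lines):
        m = FIRST_WORD.match(stmt)
        if m and m.group(1) in SUSPICIOUS:
            hits.append(m.group(1))
            score += SUSPICIOUS[m.group(1)]
    auto = name.upper() in AUTO_MACROS
    return {"macro": name, "auto": auto, "hits": hits, "score": score,
            "suspicious": score >= 3 or (auto and score >= 1)}


def analyse_template(template):
    """template maps macro name -> list of WordBasic source lines."""
    return [analyse_macro(name, src) for name, src in template.items()]


def template_is_suspicious(template):
    return any(r["suspicious"] for r in analyse_template(template))


# A fixed-string signature, the scan-string approach the text contrasts with.
SIGNATURE = 'MacroCopy "SRC:AutoOpen", "Global:AutoOpen"'


def signature_match(template):
    return any(SIGNATURE in line for src in template.values() for line in src)


# Constructed template: one auto macro doing two things no document macro
# should do, plus one harmless formatting macro. The file name is a placeholder.
SAMPLE_TEMPLATE = {
    "AutoOpen": [
        "Sub MAIN",
        "' constructed sample, not a real virus",
        'MacroCopy "SRC:AutoOpen", "Global:AutoOpen"',
        'Kill "C:\\PLACEHOLDER.INI"',
        "End Sub",
    ],
    "FormatQuote": ["Sub MAIN", "Bold 1", "Italic 1", "End Sub"],
}

# The same macro with spaces and empty lines inserted, the trivial rewrite
# section 5.3 says defeats a pure signature scan.
PADDED_TEMPLATE = {
    "AutoOpen": [
        "Sub   MAIN",
        "",
        '   MacroCopy    "SRC:AutoOpen" ,   "Global:AutoOpen"',
        "",
        '   Kill   "C:\\PLACEHOLDER.INI"',
        "End Sub",
    ],
    "FormatQuote": SAMPLE_TEMPLATE["FormatQuote"],
}

if __name__ == "__main__":
    for label, t in (("original", SAMPLE_TEMPLATE), ("padded", PADDED_TEMPLATE)):
        print(label, "signature:", signature_match(t),
              "heuristic:", template_is_suspicious(t))
```

The signature finds the original template and misses the padded one; the statement-level score is identical for both, which is the point the section makes about /NOSIG leaving the detection rate unchanged. A real tracer, as described for F/WIN, would additionally follow control flow and evaluate string expressions, so a statement name split across a variable or built at run time would not escape it the way it escapes this first-word match.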
5.5 How the viruses are removed
-----------------------------------------------------------------

F/WIN removes macro viruses by deleting the macro code and disabling the macro entry in the Word document structure. It is not possible to reactivate a cleaned virus. Before starting the actual cleaning process, F/WIN tries to back up the target file by creating a copy of the file with a ".Vnn" file extension. The file will not be modified if F/WIN fails to create a backup!

Here's an example of how this naming scheme works. Assuming that you have eleven Word documents containing payroll information and all are infected, here's how F/WIN would name the backup copies.

Infected file   Backup file
-------------   -----------
PAYROLL.WK1     PAYROLL.VIR
PAYROLL.WK2     PAYROLL.VI1
PAYROLL.WK3     PAYROLL.VI2
PAYROLL.WK4     PAYROLL.VI3
PAYROLL.WK5     PAYROLL.VI4
PAYROLL.WK6     PAYROLL.VI5
PAYROLL.WK7     PAYROLL.VI6
PAYROLL.WK8     PAYROLL.VI7
PAYROLL.WK9     PAYROLL.VI8
PAYROLL.WK10    PAYROLL.VI9
PAYROLL.WK11    PAYROLL.V10   (notice that the 'I' is now replaced by a '1')

Please note that F/WIN can not scan inside password protected documents or Word 2.0 files. However, F/WIN will produce a warning if it detects a password encrypted document which contains macros. Do not try to decrypt the document using Word! The macros could become active as soon as you remove the password protection. In the case of Word 2.0 documents, F/WIN will warn if it locates a ".DOC" file which has macros inside.

6.0 COPYRIGHT, LICENSE TERMS AND DISCLAIMER
=================================================================

See file "LICENSE.TXT".

7.0 GLOSSARY OF TERMS USED IN THIS DOCUMENTATION
=================================================================

16-bit EXE
  Windows 3.x uses a special executable file format, NE-EXE. Besides the old DOS EXE file header, it has a new NE header which specifies the locations and sizes of the code and data resources in the file. NE-EXE files can still call the DOS INT 21h or DPMI API functions.
  The first known virus for NE-EXE was . Except for  and , none of the known Windows viruses are found in the wild.

32-bit EXE
  Windows 95 and Windows NT use a new executable format, PE-EXE (Portable Executable). It is optimized for the 32-bit OS, i.e. by using 32-bit RVAs and supporting MMF (Memory Mapped Files). Like NE-EXE files, they still have a normal DOS EXE header, followed by the PE header which indicates the location and size of the file contents. PE-EXE files run in flat protected mode and the program code can only call Windows API functions. The first known virus for PE-EXE was .

Auto Macro
  Auto macros are special Microsoft Word macros which are executed automatically by Word on certain events, i.e. like opening a document. To some degree they can be disabled (for example by pressing SHIFT while opening a file), but the macro viruses still have enough other ways to intrude into the system.

Boza
  The first known virus for PE-EXE files (Windows 95); it comes from Australia. It's only a research virus and not in the wild, mostly because it's just a direct action virus and has some bugs. There are now four known variants of .

COMMAND.COM
  The first normal DOS executable which is started at system bootup. It only contains the command-line interpreter, but it's often a target for DOS file viruses. DOS itself is stored in MSDOS.SYS and IO.SYS (or IBMDOS.COM and IBMBIO.COM). COMMAND.COM itself executes AUTOEXEC.BAT.

Companion Virus
Companion Style Infection
  If you have two files with the same filename but different file extensions (one .COM, one .EXE) in the current directory and you execute the program without specifying an extension, DOS will always start the .COM program and not the .EXE. For example, if you have TEST.COM and TEST.EXE and execute "TEST", TEST.COM will be started. Companion viruses use this and create corresponding .COM files for existing .EXE programs.
  These .COM files often have the HIDDEN attribute set in order to prevent detection (you will notice this when you run tools like DEFRAG: the whole hard disk cluster layout is covered with single unmovable clusters). There are two known macro viruses which use a similar infection scheme ( and ). They link infected .DOT files to a normal .DOC document.

Concept
  The first Microsoft Word macro virus which appeared in the wild. It appeared in the middle of 1995 and spread rapidly world-wide. Besides displaying a window with a '1' in it,  is quite harmless. Together with some other macro viruses,  is now very common. There are very many variants now known, some of which have just renamed macro names but others also have destructive payloads.

Direct Action Infector
  A virus which actively scans the system for infection targets and doesn't go resident in memory. These viruses are not very viable and never spread very far because they are too obvious to the users and have too low a spread rate. All common viruses are resident.

DOS-EXE
  The standard DOS executable format. It has a special EXE header, which is placed directly at the beginning of the file and is marked with an ASCII signature ('MZ'). The header specifies things like the program entry point, code size, number of relocations, size of stack and others. Unlike .COM executables, EXE files can be larger than 64K.

DPMI API
  The DOS PROTECTED MODE INTERFACE API is used by real mode applications to interact with protected mode, i.e. mode switching, transferring memory blocks, calling INT 21h from protected mode and other services. In real mode the CPU can only access 1 MB of address space; in protected mode the memory is usually limited to 4 GB (real and virtual memory).

Dropper
  Sometimes viruses are hidden in a special dropper file. The virus is then often encrypted or compressed with special tools in order to prevent detection by virus scanners. Droppers are also used to 'install' boot viruses from files.
   contains a debug script of the virus, which is sometimes dropped into the system.

Encrypted Macro
Execute-Only Macro
  Microsoft Word macros which can't be read or modified by the user anymore. It's only possible to execute, rename or delete such macros. Execute-only macros are often used by macro viruses to protect and hide their code.

False Negative
  An infected file which is not detected by a virus scanner is called a false negative. An uninfected file which is flagged as being infected by a virus is called a false positive.

Fast Infector
  At first, resident viruses only infected programs when the user executed the application, by intercepting the INT 21h EXECUTE call. Newer file viruses also infect programs when they are opened or closed, which causes a very high spread rate for the virus. It is possible that a virus scanner will spread the virus infection if the virus is a fast infector and unknown to the virus scanner. If you scan the hard disk with such a virus being active, almost every executable on the hard disk will get infected! Word macro viruses could be called fast infectors because they often infect documents when you access them.

Flat Protected Mode
  In flat protected mode, the memory is mapped as a linear 4 GB address space. You don't need multiple selectors and can address the memory without much effort.

In The Wild (ITW)
  Viruses which have been found often and are very common are 'in the wild'. Of the known 10000 viruses, only about 300 are in the wild. All other viruses are either extinct or research viruses which never spread very far.

Infection Scheme
  The way a virus modifies an executable. Usually a virus changes the file header in such a way that it now points to the virus code, which is added at the end of the file. Some special viruses insert themselves at the beginning of the file or split themselves up throughout the file.

Laroux
  The first known macro virus for Microsoft Excel.
  It's quite harmless and only infects Excel spreadsheets by transferring its macros. It has no payload. Besides , this is the only known Excel macro virus so far.

Macro
  Microsoft Word macros contain WordBasic commands which can be used to speed up your work with Word. For example, you could write a macro which reformats a text block in a special way.

Microsoft Word
  A word processor from Microsoft, which is used quite often. Word documents are OLE 2.0 objects.

NE Header
  The program header used by NE executables. It must be modified by Windows EXE viruses during the infection.

NE-EXE
  See 16-bit EXE.

Non-Resident Virus
  See Direct Action Infector.

NORMAL.DOT
  The global template of Microsoft Word. Besides some other things, global Word options and all global Word macros are stored in this file. NORMAL.DOT is infected at once by most Winword macro viruses. Note that a virus could declare additional "NORMAL.DOTs" in order to permanently infect a system. Setting the READ-ONLY file attribute is a common protection against macro viruses, but it can be bypassed simply. There are also macro viruses which drop their destructive payload if they notice a READ-ONLY NORMAL.DOT file.

PE Header
  See 32-bit EXE.

PE-EXE
  See 32-bit EXE.

PGP
  PGP (Pretty Good Privacy) is a freeware tool for encrypting data (i.e. e-mail) and verifying the integrity and source of data. It uses RSA and IDEA encryption and is very secure.

Ph33r (Fear)
  The second virus which used the  infection scheme. Besides infecting NE-EXE,  also attacks DOS .COM and .EXE files and is memory resident using DPMI API calls. A dropper was included in the virus.

Program Header
  Located at the beginning of executables, the program header specifies things like the program entry point, code size, stack size etc. File viruses must modify this part of the program during infection, but a lot of viruses are buggy and change the header incorrectly.

Public Key
  Used by PGP.
  If you want to exchange encrypted data with someone, you must exchange your public keys. Even if someone intercepted both public keys, he can't decrypt the transferred data because he doesn't have the private keys, which are also protected with a password.

Scan String
  Used by normal virus scanners to identify viruses. It's a byte signature which may contain wildcards and is like a 'fingerprint' of the virus; it will only detect this particular virus. Virus scanners without heuristics will usually quickly be outdated because of the large number of new viruses which appear every day or month. F/WIN actually uses heuristics and signatures for virus detection.

Segment
  Because the normal CPU registers are 16 bits wide, you can only access 64K at a time. If you want to address other memory you must change the segment registers. In protected mode, you don't have this segment restriction.

System Macro
  Besides auto macros, Microsoft Word has other important macros like FileExit, ToolsMacro and others. These system macros are also often used and intercepted by macro viruses. Almost every Word function can be intercepted by a macro virus!

Trojan
  A program which causes damage but, unlike a virus, does not spread by itself.

Unknown Virus
  A (new) virus that is yet unknown to the virus scanners and is not detected by them without heuristics. Some of the heuristic scanners will detect about 60-90% of all new viruses.

VBA (Visual Basic for Applications)
  The language used in the Microsoft Office products (Excel, Access) can also be used to write macro viruses. So far there are only two known Excel viruses ( and ).

Virus
  A piece of executable code which is able to replicate and to insert a copy of itself into other executables.

WIN API
  The set of functions available to Windows programs. This contains functions like virtual memory management, file access, graphical operations and other things. There are a lot of different APIs like Win32s, WinG and others.
Windows EXE
  Can be either NE-EXE (Windows 3.x), PE-EXE (Windows 95 and Windows NT) or LE-EXE (used by some device drivers). See 16-bit and 32-bit EXE.

Windows Virus
  A virus which is able to infect Windows executables or Windows related objects like Microsoft Word documents.

Winsurfer
  A Windows NE-EXE virus which uses a powerful new infection scheme.

WinVir14
  The very first Windows virus, which never spread and is considered a pure research virus.

Winword
Word
  See Microsoft Word.

WordBasic
  The macro language used by Microsoft Word.

* F/WIN - Copyright (c) 1996 by Stefan Kurtzhals