F-PROT Professional 2.15 Update Bulletin
========================================

Data Fellows Ltd, Päiväntaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.15 Update Bulletin; Copyright (c) 1994 Data Fellows Ltd.

-------------------------------------------------------------------------------

Contents 5/94
=============

Data Fellows' Experts Abroad
The Global Virus Situation
  Die_Hard
  LZR
  One_Half
  Bye
  3APA3A
The Virus Bulletin Conference '94
Retroviruses - how viruses fight back
Common Questions and Answers
Changes in version 2.15


Data Fellows' Experts Abroad
----------------------------

The Virus Bulletin Conference, the grand event in the anti-virus field, was held this September on the isle of Jersey, between England and France. In the tradition of these conferences, the event was very successful. The audience could enjoy the many top-quality papers presented by anti-virus experts, and explore the latest anti-virus products exhibited at the conference.

Three specialists who participate in F-PROT's development had been invited to speak at the conference. Mikko Hyppönen spoke about retroviruses, and Jeremy Gumbley told the audience about BBS systems whose purpose is to spread viruses and virus know-how. Fridrik Skulason was appointed chairman of the conference's technical stream. The conference is described more closely further on in this bulletin.

We are unifying the F-PROT Professional version numbering. From this update onward, the new versions of F-PROT Professional for DOS, Windows and OS/2 shall all be numbered 2.11, 2.12, 2.13 etc. This will make it easier to recognize the version upgrades of products designed for different environments.


The Global Virus Situation
--------------------------

Die_Hard
--------

Die_Hard is a memory-resident file virus which uses fast infector techniques.
The virus infects COM and EXE files. Die_Hard is known to be in the wild at least in Singapore and India, where it was discovered in September 1994.

The virus loads itself into memory, where it decreases the amount of available DOS memory by 9232 bytes. Die_Hard infects all executed or opened COM and EXE files, increasing their size by exactly 4000 bytes.

Die_Hard has several layers of encryption. The following text can be found beneath the encryption:

    SW DIE HARD 2

The virus doesn't use polymorphic encryption, so it is quite easy to find. The full features of the virus are not yet known. F-PROT can detect the Die_Hard virus.

LZR
---

LZR is a destructive virus which has quickly become common all over the world. The latest occurrence happened on October the 10th in Helsinki, Finland, when a large batch of preformatted, infected diskettes was imported into the country. Since only about ten percent of the diskettes were infected, the virus slipped through the importer's virus checks. A number of diskettes were sold before the virus was noticed.

LZR infects the boot sectors of diskettes and the main boot records of hard disks. The virus crosses to the hard disk if a computer is booted while an infected diskette is in drive A. The virus does not infect computers during every boot-up, however, but only randomly. This makes it quite slow to spread. Once the virus has infected the hard disk, it infects practically all non-write-protected diskettes used in the computer. When LZR is resident in memory, it decreases the amount of available DOS memory by 8 kilobytes.

LZR damages 3.5" HD diskettes when it tries to infect them. It does not identify this diskette type correctly, and copies the second sector of its own code, together with the original boot sector, straight to the middle of the diskette. The virus intends to copy them to the end of the diskette. The overwritten area is cylinder 39, sectors 8 and 9. If this one-kilobyte area contains data, it is lost.
LZR contains two separate activation routines. Every time a disk operation is made, the virus has a 1/65536 chance of activating. If this happens, the virus overwrites all data on the computer's first hard disk.

The second activation mechanism is connected to disk writes. Every time the hard disk is written to, the virus has a 1/256 chance of activating. When this activation routine is executed, the virus corrupts one byte in the computer's write buffer. This way, it steadily corrupts the data on the hard disk. Damaged files cannot be located afterwards - and in most cases, the corrupted files have already made it into the backup copies. There is no sure way to find out how long the virus has been corrupting the system. The LZR virus is therefore very dangerous.

F-PROT Professional can detect and remove the LZR virus.

One_Half
--------

One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found in both the USA and Europe. One_Half is a destructive virus: its removal may cause files to be damaged to the extent that they are completely unintelligible.

One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes with every infection.

Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.

The following unencrypted texts can be found inside the virus's code:

    Dis is one half.
    Press any key to continue ...
    Did you leave the room ?

The virus also contains the names of many anti-virus products:

    SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

One_Half is a destructive virus.
Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the first disk partition. This way, the encrypted area slowly creeps toward the disk's beginning. When information is retrieved from the encrypted area, the virus decrypts it on the way, so the user doesn't notice anything out of the ordinary. The encrypted information stays encrypted while the virus is not resident, so the true nature of things is revealed only after the computer is booted from a diskette or after the virus is removed.

If One_Half is removed from a hard disk's MBR without first making a backup copy of the computer's data, it is almost impossible to restore the encrypted information on the hard disk: the virus stores both the encryption key and information about the location and extent of the encrypted area inside its own code in the MBR.

F-PROT can detect the One_Half virus.

Bye
---

Bye is a typical boot sector virus which infects the boot sectors of diskettes and the main boot records of hard disks. The virus is capable of infecting all common diskette types (360, 720, 1200 and 1440 kilobytes). Bye was discovered in Italy, at the end of September 1994.

The virus infects the hard disk when the computer is booted from an infected diskette. Once the hard disk is infected and the virus has loaded itself into memory, it will infect all non-write-protected diskettes used in the computer. The virus's code contains the encrypted text: "Bye by C&CL".

The virus uses stealth virus techniques, so its code cannot be seen in the hard disk's MBR while it is resident in memory. The virus stores the original main boot record in the last sector of the hard disk's active partition. On diskettes, the virus stores the boot sector in the diskette's last sector.

The virus changes only 40 bytes in the boot sector - the rest of the virus's code is stored elsewhere. Bye does this to avoid being detected by heuristic scanners.

F-PROT can detect and remove the Bye virus.
3APA3A
------

Analysis by Igor G. Muttik, MIG@lt.phys.msu.su

A new and unique boot sector virus has appeared in Russia. The virus was named "3APA3A" (in Russian slang, it means "INFECTION"). The virus was found in the wild in Moscow, between the 12th and 14th of October 1994. The virus uses a complex infection method that also seems to be a completely new one.

Like other boot sector viruses, 3APA3A infects the boot sectors of diskettes. However, on hard disks the virus infects the DOS core file IO.SYS. The diskette boot sector infection mechanism is like that of many other boot sector viruses, but the hard disk infection method is unique. Because of this, the virus is deemed to belong to a new virus class, known as "kernel infectors".

The virus's size is 1024 bytes (i.e., 2 sectors). On a diskette, the first half of the virus's code is stored in the boot sector. The original diskette boot sector and the second half of the virus's code are stored at the very end of the diskette's root directory. This means that when the virus infects a diskette, it also overwrites the last two sectors of the root directory.

When a computer is booted from an infected diskette, the virus tries to infect the first file in the root directory of the active DOS partition (this file usually being IO.SYS). The virus begins by making a copy of the IO.SYS file, after which it infects the original file.

After the infection, the root directory contains two IO.SYS entries. The first is not shown in a directory listing, however, because the virus sets its volume-label bit. The directory entries point to the two IO.SYS files. The first, infected IO.SYS is located in its customary place at the beginning of the root directory. It contains the virus's code, 1024 bytes, at its beginning, but is not otherwise changed. The second IO.SYS directory entry points to the copy of the original IO.SYS file, which is located at the end of the partition. The copy is not infected.
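The double-IO.SYS root directory layout just described can be checked for offline, from a sector image taken after a clean boot. The following script is an added example and is not part of this bulletin or of F-PROT: it parses the BIOS Parameter Block of a small FAT12 image, walks the root directory and flags a second IO.SYS entry or one carrying the volume-label attribute. The image built by build_image(), its cluster numbers, file sizes and attribute combinations are constructed here for illustration; the kernel file name is a parameter so the same check applies to other DOS flavours.

```python
"""Flag the two-IO.SYS root directory pattern of a kernel infector in a FAT12 image.

Added example, not part of the bulletin or of F-PROT.  The image produced by
build_image() is constructed for illustration; cluster numbers, file sizes and
attribute combinations are assumptions, not values taken from the page.
"""
import struct

ATTR_VOLUME_LABEL = 0x08
ATTR_SYSTEM_FILE = 0x27          # read-only | hidden | system | archive
BOOT_SIGNATURE = b"\x55\xAA"
DIR_ENTRY_SIZE = 32


def bpb_fields(img):
    """Read the BIOS Parameter Block fields needed to locate the root directory."""
    bytes_per_sector, = struct.unpack_from("<H", img, 0x0B)
    reserved_sectors, = struct.unpack_from("<H", img, 0x0E)
    fat_count = img[0x10]
    root_entries, = struct.unpack_from("<H", img, 0x11)
    sectors_per_fat, = struct.unpack_from("<H", img, 0x16)
    return bytes_per_sector, reserved_sectors, fat_count, root_entries, sectors_per_fat


def root_directory(img):
    """Return the in-use root directory entries as dicts, in on-disk order."""
    bps, reserved, fats, max_entries, spf = bpb_fields(img)
    start = (reserved + fats * spf) * bps
    entries = []
    for i in range(max_entries):
        raw = img[start + i * DIR_ENTRY_SIZE:start + (i + 1) * DIR_ENTRY_SIZE]
        if raw[0] == 0x00:          # first never-used slot: end of directory
            break
        if raw[0] == 0xE5:          # deleted entry, skip
            continue
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "attr": raw[11],
            "cluster": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0],
        })
    return entries


def check_kernel_infector(img, kernel="IO.SYS"):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if img[0x1FE:0x200] != BOOT_SIGNATURE:
        findings.append("boot sector lacks the 55AA signature")
    kernel_entries = [e for e in root_directory(img) if e["name"] == kernel]
    if len(kernel_entries) > 1:
        findings.append(f"{len(kernel_entries)} root directory entries named {kernel}")
    for e in kernel_entries:
        # A volume-label entry carrying the kernel's name is what hides the
        # infected copy from DIR and shows up as the label "IO SYS".
        if e["attr"] & ATTR_VOLUME_LABEL:
            findings.append(f"{kernel} entry at cluster {e['cluster']} has the volume-label bit set")
    return findings


def _entry(name, ext, attr, cluster, size):
    """Build one 32-byte FAT directory entry (times and reserved bytes left zero)."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(14) + struct.pack("<HI", cluster, size))


def build_image(infected):
    """Constructed 8-sector FAT12 image: boot sector, two 1-sector FATs, 1-sector root dir."""
    bps = 512
    boot = bytearray(bps)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSDOS5.0"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media descriptor, sectors/FAT, sectors/track, heads
    struct.pack_into("<HBHBHHBHHH", boot, 0x0B, bps, 1, 1, 2, 16, 8, 0xF8, 1, 18, 2)
    boot[0x1FE:0x200] = BOOT_SIGNATURE
    fats = bytes(2 * bps)
    entries = []
    if infected:
        # First slot: infected kernel, hidden from DIR by the volume-label bit.
        entries.append(_entry("IO", "SYS", ATTR_SYSTEM_FILE | ATTR_VOLUME_LABEL, 2, 40470 + 1024))
        entries.append(_entry("MSDOS", "SYS", ATTR_SYSTEM_FILE, 10, 38138))
        # Second IO.SYS: the clean copy placed towards the end of the partition.
        entries.append(_entry("IO", "SYS", ATTR_SYSTEM_FILE, 4000, 40470))
    else:
        entries.append(_entry("IO", "SYS", ATTR_SYSTEM_FILE, 2, 40470))
        entries.append(_entry("MSDOS", "SYS", ATTR_SYSTEM_FILE, 10, 38138))
        entries.append(_entry("DOS_DISK", "", ATTR_VOLUME_LABEL, 0, 0))
    root = b"".join(entries).ljust(bps, b"\x00")
    return bytes(boot) + fats + root + bytes(4 * bps)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, check_kernel_infector(build_image(flag)))
```

Run against a real image, the check only reads the root directory and the boot signature; it does not confirm the virus body, so a finding is a reason to scan the first root directory file, not a diagnosis.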
When DOS is started during the computer's next boot-up, the infected IO.SYS is executed and the virus loads itself into memory like any other boot sector virus. It will then infect all non-write-protected diskettes that are used in the computer.

Infected hard disks carry the label "IO SYS". The label can be seen with the DIR and LABEL commands. This label cannot be changed even with the LABEL command.

Since the 3APA3A virus is located in the IO.SYS file, it cannot be removed with the command FDISK /MBR. FDISK /MBR replaces the MBR and DOS boot sectors, so it can be used for removing a great many boot sector viruses. With 3APA3A it is quite ineffective, however. The command SYS C: isn't very useful, either. It only modifies/removes the uninfected copy of IO.SYS the virus has placed at the end of the active DOS partition.

The 3APA3A virus is mildly polymorphic - the boot sectors of infected diskettes vary slightly. Only the string 'MSDOS 5.0' is visible at the beginning and, obviously, the 55AA marker is present at the very end of the boot sector.

The virus contains the message "B BOOT CEKTOPE 3APA3A!" (which means "IN BOOT SECTOR - INFECTION!"). The message string is encrypted, and cannot be seen even in memory. In August, the virus displays its message during every computer boot-up.

The 3APA3A virus does not contain destructive routines. Because of a bug, the virus frequently hangs 386/486 computers. 3APA3A can only infect hard disks whose active DOS partition is bigger than 10.6 MB.


The Virus Bulletin Conference '94
---------------------------------

The Virus Bulletin Conference is an annual conference held by the English Virus Bulletin magazine. From year to year, it gathers together virtually all noteworthy anti-virus experts, anti-virus product manufacturers and a great number of interested companies. This year's conference was held on the isle of Jersey, with over 200 participants.
The conference lasted two days, in which time anti-virus experts presented 23 different papers on various subjects. For most of the time, the conference was divided into two auditoriums, one reserved for technical papers and the other for more general subjects. The conference audience was provided with a booklet which contained and expanded upon the things heard on stage, so it was possible to familiarize oneself with all the papers by reading the material.

For the first time, the conference also included a product exhibition. In keeping with the general nature of the conference, the exhibition was attended by all important anti-virus products and manufacturers.

The Bottom Line
---------------

Computers do not spread viruses, people do. Since there are no practical means to actually stop viruses from being written, it is best to condemn the practice together and in public. Even toddlers should be told that it is harmful to spread viruses. The harmfulness of viruses should be pointed out in schools' computer classes. In addition to this, everybody, especially companies and anti-virus manufacturers, should publicly condemn the spreading of viruses - viruses are a hindrance to business and may cause great financial losses. Virus writers should be made to understand that when they spread the viruses they have written, they are acting harmfully and even against the law.

Technical Papers
----------------

The conference's technical papers addressed various subjects, such as viruses in the future, new ways to combat viruses, virus BBSs, virus writers, viruses behind the ex-Iron Curtain, viruses in the wild, retroviruses and the certification of virus tests, to name a few.

Paul Ducklin from South Africa addressed the virus problem from an educational viewpoint. In his opinion, anti-virus practices should be taught to all users, not just to administrators and computer support personnel.
Even though the number of computer viruses has grown to the magical 5000, only very few of these viruses have been found in the wild. Viruses found in the wild are usually old, and in most cases also simple to detect and remove. Virus education would abolish ignorance, hysteria and superstition about viruses.

Jeremy Gumbley, F-PROT's distributor in Italy, demonstrated how easy it is to gain access to a virus BBS. Before the audience, Jeremy called a virus BBS he had never visited before. He proved once and for all that such BBSs do exist, and at the same time showed the audience a nasty example of their contents.

Vesselin Bontchev from Germany spoke about the future of computer viruses. He addressed the various techniques and possibilities virus writers may come to employ in the future, and gave suggestions on how to prepare for them. Vesselin made it clear that the matter should be taken seriously, and recommended that everybody prepare for the worst but hope for the best.

Glenn Coates from England presented a new virus description language he had created with David Leigh. The language opens up new ways to search for and detect viruses. The language is as yet unfinished, and the makers of current anti-virus products present in the audience had many comments about its continuing development.

Mikko Hyppönen from Data Fellows Ltd. spoke of retroviruses. Mikko's paper is included in this and the next bulletin in its entirety.

Sara Gordon from the USA spoke of virus writers. She had been doing research on them, and had come to the conclusion that there is no such thing as a typical virus writer. It is interesting to note that, according to research made on the subject, there are no female virus writers. Sara had interviewed many virus writers, and expressed the opinion that forceful methods and stern laws against virus writing and virus writers themselves were not going to do much good.
Instead, the harmfulness of viruses should be taught to everyone from children to adults, and viruses should be publicly condemned. Virus writers are much more affected by the condemnation of society in general and friends in particular than by rigorous laws and criminalization.

Pavel Baudis from the Czech Republic discussed viruses behind the ex-Iron Curtain, with emphasis on viruses found inside the boundaries of the former Czechoslovakia.

Chris Baxter from England told of the ITSEC certificate. ITSEC (IT Security Evaluation Criteria) defines the way in which anti-virus products are tested, and aims to become a producer of valid and unbiased anti-virus tests. A product which passes such a test receives the ITSEC certificate.

Joe Wells from the USA has compiled a virus list which contains all the viruses found in the wild of which he has received a report. This list can be used as a tool by, among others, anti-virus product manufacturers, indicating the viruses which should be given priority when detection and removal mechanisms are being added to anti-virus products. The list also helps in the unification of virus naming conventions, since in many cases viruses' names must be invented or picked up from inside the virus code. In addition to this, the list aids anti-virus software developers in designing tests, for it is much more important for a product to find viruses which actually exist in the wild than some 4000 viruses which may only be found in some obscure collection.

Jeff Kephart from the USA discussed methods for automating the selection of search strings used in identifying viruses. Using schemas, Jeff demonstrated how an automated system can find the most effective search strings very quickly. This naturally saves time when the recognition of new viruses is being added to an anti-virus program.
General Papers
--------------

The emphasis of the general papers was on information security, which was discussed from many points of view, including network management, the security of NetWare, LAN Server and OS/2, information security in general, diskette protection and electronic evidence. There were also papers on virus writers and anti-virus methods, and the audience was treated to a wild vision of computer terrorists.

Jan Hruska and Steve White from the USA started a little ahead of schedule, on the night before the conference officially opened. They spoke of viruses in general, bringing the audience up to date on the global virus situation.

Richard Ford from England gave the conference's opening speech, reminding the audience that viruses are still going strong, and that the situation is in no way improved by virus BBSs and the virus CD-ROMs sold on the open market. During this year, viruses have become even more cunning than before, and the situation is not likely to change for the better in 1995.

Alan Solomon from England described a virus writers' group whose career he had had the chance to follow. Alan was one of the speakers who thought that re-education would be a more efficient way to combat viruses than the criminalization of virus writing and spreading.

Edward Wilding from England spoke of electronic evidence. Edward told the audience how computers can be used for gathering evidence of criminal activities. He pointed out the things one should pay attention to when examining a computer's contents, and described the difficulties in the procedures, tools and techniques used in gathering evidence from computers. He also told the audience about the "gray area", or how computer evidence can be used. Edward suggested that global guidelines on the legal use of electronic evidence should be established.

Winn Schwartau from the USA painted a disturbing picture of computer terrorists.
He pointed out that the USA and NATO devise their defence according to their enemies' capabilities, not their intentions. Why should an industrialized society act differently? In his paper, Winn described the facts of information security and insecurity, and listed various things which can be used in terrorism. It is realistic to expect that if a party - an individual or a group - wishes to acquire information, stop it from being used or destroy it, it will find it possible and in some cases even easy to do so. These problems and their solutions have been known for a long time; now it is time to do something about them.

Martin Smith from England spoke about information security. Since computers are currently related to almost everything in some way, it is very important that the data in them is safe, always available and never damaged. This is the purpose of information security products. Information security is people's problem - not computers'.

Mike Jones from England discussed information security guidelines. An English standard of such guidelines is currently being established, and it is hoped that it will some day also become an international one.

Linda Saxton from England spoke about the basics of information security, concentrating on viruses and how they can be detected. In Linda's opinion, all companies should understand the importance of information security, have an information security policy, and take the necessary steps to enforce it.

David Ferbrache from England concentrated on viruses found in computer environments other than the PC, pointing out that each system has its own characteristic features, users and viruses. Many methods used in PC systems can be applied to other environments, and this, in David's opinion, is what should be done.

Scott Lenharth from the USA discussed the security of LAN Server and OS/2, while Stephen Cobb from England concentrated on NetWare's security considerations. Stephen expressed satisfaction with NetWare's security.
He said that if companies take advantage of NetWare's security features, the information security problems in NetWare environments will remain very small.

Joe Norman from France also spoke of network security, but from the users' point of view. He mentioned several things which should be added to network operating systems in order to improve their security. Many of these things have, in fact, been incorporated into network operating systems, either in already existing versions or in upgrades which are due to appear soon. However, some of the improvements Joe suggested will not be seen for some time yet.

Steve Bailey from England described various anti-virus strategies, and mentioned diskette authorization as a new way to combat viruses. Such authorization will efficiently stop viruses from spreading through diskettes.

Summary
-------

The Virus Bulletin Conference '94 was in many ways a very satisfying experience. During the conference, the audience heard papers discussing virus-related topics from many points of view, together with papers addressing information security in general. In addition to this, the reading material provided at the conference made it possible to familiarize oneself with all the subjects discussed there, even if time did not allow participation in all the events. The opportunity to contact anti-virus experts personally added to the conference's atmosphere, as did the chance to explore the latest anti-virus and information security products in the separate exhibition hall.

The Virus Bulletin '94 Conference proceedings can be ordered for £50 + postage (£7 in the UK, £17 in Europe and £25 in other parts of the world). Orders can be sent to Virus Bulletin, Victoria Lammer, phone +44 (0) 1865 843691, fax +44 (0) 1865 843971.


Retroviruses - how viruses fight back
-------------------------------------

Mikko Hyppönen, who works in Data Fellows Ltd's F-PROT support, presented the following paper at the Virus Bulletin '94 conference.
The paper is published in two parts. The second part will appear in the next update bulletin, which will come out in December.

    "The GoldBug virus has extensive anti-anti-virus routines. It can install
    itself while several resident anti-virus monitors are running. It will
    prohibit most popular anti-virus programs from running, and will also
    by-pass several integrity checking programs"
                          - from the original source code of the GoldBug virus

Abstract
--------

This paper will discuss the methods viruses use or might use in the future to attack anti-virus programs. Attacks of this kind are becoming more common, as virus writers seem to be constantly looking for ways to make their viruses more efficient and vigorous. This paper also suggests how to make anti-virus products more resistant to such attacks. The scope of this paper is limited to PC-compatible machines.

Introduction
------------

There is a constant battle going on between computer virus authors and virus fighters. Virus writers are looking for ways to create more complicated, more difficult-to-analyse and more inconspicuous viruses. At the same time, anti-virus people are building methods to address these threats. It's not surprising that virus authors have realised that anti-virus tools are one of their creations' worst enemies. The logical step for them has been to make their viruses fight back, either directly or indirectly.

Several viruses explicitly target anti-virus programs. The attack routines may be generic or targeted against a specific program. Many virus authors obviously consider an attack to be the best defence, when the objective is to keep the virus alive in order to spread it as widely as possible. There is a battle going on in computer systems world-wide - it's survival of the fittest, one might say. Hopefully, this paper will provide some ideas on how to make anti-virus applications fitter than viruses.
A virus that fights back
------------------------

For the purposes of this paper, a retrovirus is defined as follows:

    A retrovirus is a computer virus that specifically tries to by-pass or
    hinder the operation of an anti-virus program or programs. The attack may
    be specific to a known product or a generic one.

Retroviruses are sometimes known as anti-anti-viruses. Anti-anti-viruses should not be confused with anti-virus-viruses, which are viruses that will disable or disinfect other viruses. To avoid confusion, the term retrovirus will be used here.

The creation of a virus which incorporates retro-routines is not necessarily a difficult task. In most cases, virus writers have access to the anti-virus programs they want to by-pass. All they need to do is experiment by trial and error until they find a way to attack the anti-virus program in a way the anti-virus developer has not foreseen. [Siilasmaa]

Some virus authors have gone all the way and disassembled the offending anti-virus programs in order to find the most effective way to attack them. They often look for methods to attack a product in a way that would be most difficult to circumvent in future versions of the product. As the virus authors are pretty efficiently connected to each other via different types of electronic networks, information on how to attack specific products spreads quickly.

It should be noted that virus writers typically have access to only those anti-virus products that are available as freeware or shareware. Some virus exchange BBS systems are known to make pirated copies of commercial products available, but the shareware products seem to be targeted most often [Fellows]. It can be expected that more retroviruses, using more advanced retro-routines, will be seen in the future.

Rules of the game
-----------------

Viruses using retro-routines started to show up during the late 1980s - before that, there was no point in creating retroviruses, as anti-virus products weren't widely used.
As the popularity of anti-virus programs has grown, so has the number of viruses that attempt to subvert them in some way. Several approaches are possible, including:

- modifying the code of an anti-virus program file or the image in memory
- detecting when an anti-virus program is activating, and either hiding itself, stopping the execution of the program or triggering a destructive routine
- altering the computing environment in a way that affects the operation of an anti-virus program
- using methods in the virus code that cause problems for anti-virus programs
- exploiting a specific weakness or a backdoor in an anti-virus program
- using generic methods that generally make it difficult or potentially dangerous to detect, identify or disinfect the virus

The basic principle is that the virus must somehow hinder the operation of an anti-virus program in such a way that the virus itself benefits from it. Methods like encryption, stealth, polymorphic routines, code armouring, anti-debugging tricks and confusion code can also be considered attacks against anti-virus programs. However, they are often generic in type and therefore outside the scope of this paper.

Attacks against non-resident scanners
-------------------------------------

Non-resident scanners are probably the most commonly used anti-viral products. They are also the favourite target of real-world retroviruses. There are several different ways a scanner can be attacked.

Deletion and replacement

A virus can locate the anti-virus program and delete it. A more sophisticated attack would be a modification or a patch that would alter the operation of the scanner in a way that would be beneficial to the virus. A virus could locate the search strings used by the scanner and overwrite them, making the scanner unable to find any virus, but still appear to be functional.
A virus can replace the scanner program with a Trojan horse which could trigger a damage routine when run or just simply display an error message and abort. Such an error message would also make the scanning product look bad in the eyes of the users, especially if the error message were something like 'only 620kB of free DOS memory, unable to run' or 'BRUN30 GW-Basic run-time library not found, aborting'.

If the virus stays resident in memory, it can do similar attacks when it sees that an anti-virus program is executed. It can also by-pass a self-check routine of an anti-virus program by patching it only after the application has finished the check on its own code.

Modification of parameters

There is at least one known case of a virus that modifies the command-line parameters when it sees a specific anti-virus program being started (see below). This technique allows the virus to modify the operation of the scanner to its advantage without patching the actual program code. A similar attack in which the virus modifies the configuration file of an anti-virus program might also be possible - these files are often left unencrypted and are not checked for such modifications.

Altering the output

If the visual interface of the anti-virus program isn't complex (i.e. command-line driven), it might be feasible for a retrovirus to mimic the operation of the program. This way, the user might not notice anything strange. A variation of the theme would be that the virus would patch the texts displayed by the product. If the text string 'Virus found!' were to be changed to 'All clear!', a typical user would probably not doubt anything.

In many installations, anti-virus programs are run automatically and the alarms are set off depending on the exit codes (errorlevels) returned by a program. A successful attack on such a system might consist of a retrovirus that would always set the return code of an anti-virus program to zero.
False false alarms

Scanners are prone to false alarms, i.e. detecting a virus in a clean file. Viruses can use this as one way to attack. If a virus incorporates code sections from popular applications, it is quite possible that an anti-virus vendor without a proper false-positive testing routine might include a search string that would cause a large number of false positives. One way to implement this kind of attack would be to include an encryption routine in a virus, but borrow the decryption code from some known application - the encryption would limit the traditional search strings to only strings that would cause false positives, and this in itself would cause problems for some scanning products.

Problems with packed files

Several scanners are able to scan inside compressed executables that have been packed with some of the most popular EXE packers. Some scanners do not scan packed files at all, but only flag them as packed so the user is aware of them. This provides one way a virus could cause problems for a scanner. If a virus used a section of fake code that would make an infected program look like it had been packed, it could by-pass the scanning by such a product completely. The virus could also replicate in packed form, making it even more difficult for some scanners to detect.

A similar attack might be possible against products that actually unpack the programs and scan underneath the packing. In order to uncompress the program, the scanner fetches program info from the unpacking code. If this code contained irrational values, it could cause some scanners to crash or run out of memory.

One man's data is another man's code

Almost all scanners default to scanning only the executable files instead of all files. File type is usually determined by the extension (i.e. COM, EXE, SYS).
Since a virus can control the system in any way it wants, one way to by-pass a scanner would be to change the file extensions of all infected files to non-executable ones, for example from EXE to XEX. While the virus is resident in memory, it can use stealth techniques to hide this change - but it will also make sure that all executables copied to floppies have the valid extension, to ensure that the virus gets a chance to spread. The advantage of such a method is that even if the machine is booted from a clean diskette and all executables are scanned with a scanner that can detect the virus, it will only be found in the initial carrier file.

Exploitation of technical limits

A virus writer could analyse in detail how a scanner actually does the scanning and develop infection methods that cause detection problems for a specific scanner. The virus doesn't have to be difficult to find - it is enough that it is very slow to search for. The Command Bomber virus is an example of this: it inserts its code in the middle of the host file and builds a complicated series of branching commands to transfer the flow of the program to the actual virus code. The detection of such a virus would force some scanners to scan the whole file from beginning to end - which would be enough to make them unusably slow.

Attacks against resident scanners and behaviour blockers
--------------------------------------------------------

Resident anti-virus programs are vulnerable to special attacks. Since DOS does not provide any kind of memory protection, a program can modify the memory space of another program. This makes it possible for a virus to locate and patch or disable a resident scanner or a behaviour blocker.

Unloading the protection

Some anti-virus TSRs can be unloaded from memory (in fact, they have to be unloadable if the product is to be Novell-certified). If such mechanisms exist, they can also be called by a virus.
Viruses use this method quite successfully with some products for which it is known to work.

Through the back door

Practically every TSR scanner has a back door, which is used by the non-resident scanner of the same package. This back door either turns off the checking done by the TSR or provides an alternative access method to the file system. If such a back door did not exist, the TSR part would clash with the normal scanner, as the TSR would notice an infection when the non-resident part opened an infected file for scanning. A virus can use such back doors for its own benefit, either by disabling the resident part or by using the clean path to the file system provided by the TSR.

Yet another way for a virus to attack a resident scanner is to observe the display routines and trap the alarm messages displayed by the TSR. If the user never sees the alarm messages of the TSR, the protection is not doing its job.

* To be continued in the next update bulletin in December *

F-PROT-Support Informs: Common Questions and Answers
----------------------------------------------------

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact Data Fellows directly at +358-0-478 444. Written questions can be mailed to: Data Fellows Ltd, F-PROT Support, Päiväntaite 8, 02210 ESPOO, Finland. Questions can also be sent by electronic mail to: Internet: f-prot@datafellows.fi; X.400: S=FPROT, OU1=DF, O=elma, P=inet, A=mailnet, C=fi.

I want to run a virus check on our computers every time they are booted. Also, if viruses are found, I want to prevent the computers from being used. Is there a simpler way to do this than by checking the ERRORLEVEL values returned by F-PROT.EXE?

F-PROT's DOS version supports the parameters /FREEZE and /FREEZE2. When started with the parameter /FREEZE, F-PROT stops the computer's functioning if it finds a virus in the computer's memory.
With the parameter /FREEZE2, F-PROT stops the computer if it finds a virus in a file or a boot sector. By using these parameters, you can easily configure the kind of scan you want. Insert the command

    F-PROT /HARD /FREEZE /FREEZE2

in the AUTOEXEC file. The program will scan the computer's memory and hard disk and freeze the computer automatically if it finds a virus. If it takes too long to scan the whole hard disk, you can use the command

    F-PROT C:\ /NOSUB /FREEZE /FREEZE2

in daily scans. The program will scan the computer's memory and the files in the root directory of disk C. This should, in itself, protect the computer quite well. However, if you opt for this solution, you should arrange for the whole hard disk to be scanned regularly. The scans can easily be scheduled by using F-AUTO. For example, if you use the command

    F-AUTO 7 F-PROT /HARD /FREEZE /FREEZE2

the program will scan the whole hard disk once every week.

I have started using the newest version of the QEMM memory management program, v7.5. After I installed the program, my computer has constantly tried to boot from drive A, although I have defined the hard disk to be the boot disk in the BIOS Setup. What's the matter?

The QuickBoot feature of QEMM 7.5 uses drive A as the default boot drive. If you add the parameter BF:N (BootFloppy=No) to QEMM386's command line, your computer will resume booting directly from the hard disk. In addition, you will avoid the risk of accidentally contaminating your computer with a boot sector virus.

For some reason, my computer won't execute the programs TERMINAT.EXE and MAX.EXE. If I change the names of these files to something else, they execute just fine. In addition, my BIOS Setup information keeps disappearing every once in a while. Is my computer infected?

Yes. Your description fits the GoldBug virus.
It prevents the execution of EXE programs whose names have the letter 'A' as their second-to-last character and some letter between 'N' and 'Z' as their last character. GoldBug does this in order to detect a number of anti-virus programs and to prevent them from being executed. The method is effective against, for example, the programs SCAN, CLEAN, NETSCAN, CPAV, NAV and TBAV. Besides detecting anti-virus programs and preventing them from being executed, GoldBug also deletes the computer's CMOS information every time the user tries to run an anti-virus program.

Changes in version 2.15
-----------------------

Changes in F-PROT Professional for Windows

- Both English and Finnish are now available as language options.
- The updating of buttons on the screen has been speeded up.
- Boot sector viruses can now be removed directly from Windows.
- After you have checked a diskette, F-PROT for Windows asks whether you want to continue checking other diskettes. This feature is the same as in F-PROT for DOS.
- Network communication features have been partly reprogrammed to increase reliability in unreliable network environments.
- Idle scanning tasks are not run if the program in the foreground is a DOS window. Since Windows cannot see what happens in a DOS window, idle scanning tasks were previously sometimes run even though the computer was not, in fact, idle.
- When a scheduled task starts, F-PROT is no longer brought to the foreground. Instead, the scan is executed unobtrusively in the background. However, if a virus is found during the scan, F-PROT is brought to the foreground immediately.
- The administrator's F-Agent keeps watch for new messages and reports sent by the users. When new messages come in, the administrator is asked whether F-PROT should be started.
- The status bar of the administrator's F-PROT announces all new messages and reports.
- The administrator can now limit access rights much more comprehensively than before.
- The error situation which came up when F-PROT was updated as a Remote Installation through SETUP has now been corrected.

Changes in F-PROT for DOS

- VIRSTOP used to come into conflict with a protection program called HARDLOCK. When this happened, VIRSTOP would halt the machine, thinking that the computer had been infected with a boot sector virus. The situation could previously be solved by running VIRSTOP with the /NOMEM switch, but this is no longer necessary. VIRSTOP now recognizes HARDLOCK and continues operating normally.

Changes Common to F-PROT Professional for DOS, Windows and OS/2

- The false alarm given on the file l2d.exe has been corrected.

New Viruses Detected by F-PROT 2.15

The following 41 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of...".

Burger.560.AU Copyprot Crazy_Lord ExeError HLLO.4505.B HLLO.4742 HLLO.7392 HLLO.RUW
Human_Greed KI Ku Marked-X.355 Rythem.1818 Rythem.47857 Trivial.22 Trivial.26.C
Trivial.29.E Trivial.30.H Trivial.34 Trivial.40.G Trivial.85 Trivial.90 Trivial.97.A
Trivial.97.B Trivial.146 Trivial.Banana.B Trivial.Banana.C Trivial.Banana.D
Trivial.Banana.E Trivial.Banana.F Trivial.Banana.G Trivial.Banana.H Trivial.Banana.I
Trivial.Banana.J Trivial.Banana.K Trivial.Banana.L Trivial.LSD Trivial.Vsafe VCL.663
VCL.Mindless.423.C VCL.Viral_Messiah.703

The following 202 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.
_200 _361 _386 _503 _310 _351 _554 _797 _908 Abal Acid AEP Anti-Pascal_II.407 Arianna.3375
Ash.743.B Ash.743.C Ash.743.D Ash.743.E Ash.743.F Ash.743.G Ash.743.H Ash.743.I Ash.743.J
Ash.743.K Atomic_comp Bootexe.207 BW.373 Cait Cascade.1704.V Cascade.1704.X Casino.D
Cetenary Chaos.1241 Clogg Clonewar.547 Coke Dark_Apocalypse.1016 Dementia.609 Dinky.122
Dry_Dream Enculator ESP Fax_Free.1024.I Grog.566 H_Andromeda.800 H_Andromeda.1024.B
H_Andromeda.1024.C HDZZ Hehehe Hello.400 Hello.600 Hellspawn HLLC.Tree2 Howard Hwang
Hymn.Sverdlov.B Intruder.1331 Inv_Evil IVP.Becky IVP.Darlene IVP.Roseanne IVP.Sonic
JD.158.B JD.158.C JD.158.D JD.158.E JD.158.F JD.158.G JD.158.H JD.158.I JD.158.J JD.158.K
JD.158.L JD.158.M JD.158.N JD.158.O JD.158.P Jerusalem.Anticad.4096.J Jerusalem.Sunday.N
Kato King.1424 King.2175 Klot Kohn_6.633 Koko Komp Lemming.2146 Lockjaw.507 Lockjaw.573
Lockjaw.887 LordZero Mange_Tout.1091 Marzia.N Mohova Murphy.Migram.1221.B
Murphy.Migram.1221.C Murphy.Migram.1221.D Murphy.Migram.1221.E Murphy.Migram.1221.F
Murphy.Migram.1221.G Murphy.Migram.1221.H Murphy.Migram.1221.I Murphy.Migram.1221.J
Murphy.Migram.1221.K Murphy.Migram.1221.L Natas.4988 NeverOne November_17th.768.D
Npox.963.C Npox.963.D Npox.963.E Npox.963.F Npox.963.G Npox.963.H Npox.963.I Npox.963.J
Npox.963.K Npox.963.L Offspring.711 One_Half.3544 One_Half.3577 Pollution Proto-T.1052
Protovirus PS-MPC.569.D PS-MPC.803 PS-MPC.Anarchist PS-MPC.Guten_Tag PS-MPC.Joana.1075
PS-MPC.Skeleton.601 PS-MPC.Toys.763 Pure.A Pure.B PVW Raptor.C School_Sucks Semtex.515
Semtex.686 Shake.C Shark.1661 Shutdown.644 Shutdown.698 SIC Slam Slimline2 Small_Comp.88
Small_Comp.92 Small_Comp.100 Small_Comp.1001.A Small_Comp.101.B SRC SRP Sterculius.240
Sterculius.266 Sterculius.273 Sterculius.428 STSV.C STSV.D STSV.E STSV.F STSV.G
Sundevil.762 Suomi.B Tadinho Timid.300 Tiny_Family.137 Tony.203 Traceback.3066.B VCL.337
VCL.389 VCL.405 VCL.535 VCL.2805 VCL.Code_Zero.654 VCL.Dial.600 VCL.Dominator
VCL.Donatello.831
VCL.Earthday.799 VCL.Genocide VCL.Kinison.809 VCL.Nomemn VCL.Olympic.1442
VCL.Pearl_Harbour.931 VCL.Taboo VCL.Timothy Vienna.Ambalama Vienna.BNB.B Vienna.BNB.C
Vienna.BNB.D Vienna.BNB.E Vienna.BNB.F Vienna.BNB.G Vienna.BNB.H Vienna.BNB.I
Vienna.BNB.J Vienna.Black_Ice Voronezh.600.B Voronezh.1600.B XPH.1032 YB.425 ZP

The following 32 new viruses are now detected but can not yet be removed.

_1492 Am Australian_Parasite.369.B Australian_Parasite.424 Beer.643 Boot-446 Butt
Cacophony.944 Cacophony.1050 Catholic Crazyboot Daddy.1093 Daddy.1117 Dark_Avenger.1000
Democracy.3806 EndOne Froll Geldwasch Grog.1200 Grog.1349 Hello.402 Lisa Manic
Moonlite.465 Neuroquila Newbug Oracle Raver Taz.1087 Verify Vienna.Variable.906 Virogen

The following 4 viruses which were detected by earlier versions can now be removed.

_189 Honey Techo_Rat W-Boot

The following viruses have been renamed.

_638       -> Kohn_6.638
_1099      -> Mange_Tout.1099
Mayberry.* -> BW.Mayberry.*
Trickster  -> Shark.1661