F-PROT Professional 2.10 Update Bulletin
========================================

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.10 Update Bulletin; Copyright (c) 1993 Data Fellows Ltd.

-------------------------------------------------------------------------------

CONTENTS 5/93
-------------

A Major update
Infected CD-ROM disks
To Be Fruitful and Multiply: The Butterfly family
Stoned.Empire.Monkey.A
A new variant of Cascade on the move in the Nordic countries
Made in Sweden: Moose
Sweden is going to make virus writing illegal
The globally most known viruses
Virus Bulletins Conference in Amsterdam
Phalcon/Skism strikes again
Rumours of Form
Case: The Crepate virus
Questions and Answers
Changes to F-PROT Professional in version 2.10
Appendix: Summary of antivirus tests during 1993

F-PROT Professional 2.10 - A Major update
-----------------------------------------

Never before have so many new viruses been added to F-PROT in a single update. One reason for this is that the increase in the number of viruses is accelerating steadily.

In version 2.10 we add a new component to our product package. F-CHECK, which detects changes in program files, is a tool for the administrator and the skilled user. To avoid bothering users with needless alarms, F-CHECK deduces how probable it is that the changes it detects have been caused by a virus. Among other things, F-CHECK features an interesting way of removing infections. The program stores the important parts of executable files, and in many cases this data can be used to remove infections caused by previously unknown or even overwriting viruses.

Both the Windows and OS/2 versions of F-PROT have moved to the beta testing phase. The Windows version will be published along with F-PROT Professional version 2.11, and the OS/2 version will be ready at about the same time. If you are interested in beta testing the products and have both time and a network available, contact us.
New virus sightings
-------------------

Infected CD-ROM Disks In Circulation
-------------------------------------

Two separate cases, in which a file originating from a CD-ROM disk had caused a virus infection, were discovered in October and November. In both cases, the disks involved were globally distributed shareware collections.

PS-MPC.Math-test
----------------

The PS-MPC.Math-test virus was found on the CD-ROM disk "Software Vault, Collection 2". The infection was discovered when a private person from Helsinki, Finland, contacted Data Fellows Ltd at the end of October. This person's computer was almost completely infected by the virus.

PS-MPC.Math-test is one of the viruses created with the Phalcon/Skism Mass Produced Code Generator. The virus stays resident in memory and infects practically all executed COM and EXE programs. It activates every day between 9 and 10 a.m., displays some simple summing problems and demands that the user solve them. If the user doesn't get the answer right, the virus won't execute the requested program. The Phalcon/Skism Mass Produced Code Generator has been described in more detail in the F-PROT 2.07 Update Bulletin.

The infected file is located in directory 18 of the CD-ROM, and it is contained inside the packet 64BLAZER.ZIP. The same directory also contains a clean version of the program, by the name 64BLAZE.ZIP.

Lapse (366)
-----------

The Lapse (366) virus was discovered on the CD-ROM disk "Night Owl 10". Lapse (366) is a simple EXE infector, written in Canada. The virus infects only EXE files in its current directory and does not stay in memory. It increases the size of infected files by 366 bytes and contains the text "Memory_Lapse.366.a". The text is quite probably intended as a mockery of CARO's virus naming standard. Lapse (366) does not activate in any way.

The infected file is located inside the packet SF2_UP.ZIP, in the CD-ROM's "Games" directory.
According to the description, the file contains an update to the game Street Fighter 2.

What makes an infected CD-ROM especially troublesome is the fact that the infected files cannot be removed or deleted. Data Fellows Ltd has contacted the publishers of these two CD-ROMs. The manufacturers admit the infection, and they will probably withdraw the disks from the market.

F-PROT 2.10 finds both PS-MPC.Math-test and Lapse (366).

To Be Fruitful and Multiply: The Butterfly Family
-------------------------------------------------

The F-PROT 2.09 Update Bulletin mentioned the Butterfly virus, which spread all over the world with the shareware data communications program Telemate 4.11. The Butterfly incident did not prove very serious in itself, since only a few users executed the single video card driver the virus had managed to infect. Butterfly's extensive spreading created another kind of problem, however: with it, many virus enthusiasts acquired a personal copy of a simple, functional and easily modifiable virus. A flow of new Butterfly variants followed soon after.

Butterfly-FJM
-------------

In the middle of July, a counterfeit copy of the popular LIST program was released in the USA. The latest real version of LIST is v7.8, but the fake claimed the version number 8.2. The program had been infected with a slightly modified version of Butterfly - only the text the virus contains had been changed. The original virus contains the text "Goddamn Butterflies" at the end of its code. In its place, the new FJM version has an obscene comment about John McAfee, the creator of the SCAN antivirus application.

Although both versions of Butterfly use the same code, the FJM variant may yet prove a more successful infector than the original. That is because Butterfly only infects files in the current directory. Most users install auxiliary programs such as LIST somewhere along the hard disk's path to make them easily accessible.
When the infected LIST is executed from some other directory, the virus can jump the directory boundary that normally limits its spreading.

Butterfly-Crusaders
-------------------

Another descendant of the Butterfly virus was found in the middle of August. Yet again, the new variant had been disguised as a shareware program and put into circulation via electronic bulletin boards. This time, the virus was hidden in the packet SPORT21C.ZIP. According to the packet's description, it contained a program for inspecting the functioning of the computer's serial and parallel ports. The program INSTALL.EXE included in the packet was infected.

Some changes had been made to the original virus - the most significant difference is that the new variant is capable of infecting both COM and EXE files, whereas the original virus infects only COMs. The virus text was also changed to read "Hurray The Crusaders".

None of the Butterfly variants discovered so far activates in any way. F-PROT finds all known versions of Butterfly.

Stoned.Empire.Monkey.A
----------------------

The Monkey virus was first discovered in Edmonton, Canada, in 1991. The virus quickly spread to the USA, Australia and the UK. Monkey is one of the most common boot sector viruses.

As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. Like Stoned, the virus infects Master Boot Records on hard disks and DOS boot records on diskettes. Monkey spreads only through diskettes.

The original Stoned leaves the partition table in its proper place in the hard disk's zero track, but Monkey does not. Instead, it copies the whole Master Boot Record to the hard disk's third sector to make room for its own code.
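To make concrete what "valid partition data" in the Master Boot Record amounts to, and the calculation that the manual restoration of the partition table described further down requires, here is an added Python example (not from the bulletin, and not Data Fellows' or F-PROT's code): it computes partition entries from a drive's geometry and validates a 512-byte sector the way an operating system would before trusting its partition table. The geometry, the filler in place of boot code and the sector whose table has been overwritten are constructed samples.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a bootable sector
HEADS, SECTORS = 16, 63        # constructed geometry of the sample drive


def chs_to_lba(cyl, head, sector, heads=HEADS, sectors_per_track=SECTORS):
    """Translate a cylinder/head/sector address (sectors count from 1) into a
    linear sector number (counting from 0) for the given geometry."""
    return (cyl * heads + head) * sectors_per_track + (sector - 1)


def encode_chs(cyl, head, sector):
    """Pack a CHS triple into the 3-byte form used inside a partition entry: the head
    byte, then the sector (6 bits) with the top 2 cylinder bits, then the low cylinder byte."""
    if not (0 <= cyl < 1024 and 0 <= head < 256 and 1 <= sector <= 63):
        raise ValueError("CHS value out of range for a partition entry")
    return bytes([head, (sector & 0x3F) | (((cyl >> 8) & 0x03) << 6), cyl & 0xFF])


def decode_chs(raw):
    return (((raw[1] >> 6) << 8) | raw[2], raw[0], raw[1] & 0x3F)


def build_partition_entry(bootable, start_chs, end_chs, part_type):
    """Compute one partition entry from the disk geometry; this is the calculation
    an administrator restoring a table by hand with a disk editor has to perform."""
    start_lba = chs_to_lba(*start_chs)
    end_lba = chs_to_lba(*end_chs)
    if end_lba < start_lba:
        raise ValueError("partition ends before it starts")
    return (bytes([0x80 if bootable else 0x00]) + encode_chs(*start_chs)
            + bytes([part_type]) + encode_chs(*end_chs)
            + struct.pack("<II", start_lba, end_lba - start_lba + 1))


def parse_partition_entry(raw):
    start_lba, count = struct.unpack("<II", raw[8:16])
    return {"boot": raw[0], "type": raw[4], "start_chs": decode_chs(raw[1:4]),
            "end_chs": decode_chs(raw[5:8]), "start_lba": start_lba, "count": count}


def validate_mbr(sector):
    """Return the reasons a sector does not hold usable partition data (empty list = valid).
    A DOS booted from diskette fails on checks like these and reports
    'Invalid drive specification' when the table has been displaced by code."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    used = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        e = parse_partition_entry(sector[off:off + ENTRY_SIZE])
        if e["type"] == 0:
            continue                        # unused slot
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {i}: boot indicator {e['boot']:#04x} is neither 00 nor 80")
        if e["count"] == 0:
            problems.append(f"entry {i}: zero-length partition")
        end_lba = e["start_lba"] + e["count"] - 1
        if chs_to_lba(*e["start_chs"]) != e["start_lba"]:
            problems.append(f"entry {i}: CHS start disagrees with LBA start")
        if chs_to_lba(*e["end_chs"]) != end_lba:
            problems.append(f"entry {i}: CHS end disagrees with LBA start + count")
        if any(e["start_lba"] <= hi and lo <= end_lba for lo, hi in used):
            problems.append(f"entry {i}: overlaps another partition")
        used.append((e["start_lba"], end_lba))
    return problems


def clean_mbr():
    """Constructed sample: filler in place of boot code, one bootable DOS partition
    from cylinder 0 head 1 sector 1 to the last CHS-addressable sector."""
    entry = build_partition_entry(True, (0, 1, 1), (1023, 15, 63), 0x06)
    return b"\x90" * 446 + entry + b"\x00" * 48 + BOOT_SIGNATURE


def displaced_table_mbr():
    """Constructed sample of sector 0 after a virus has written its own code over the
    table area while keeping the 55AA signature so that the BIOS still boots it."""
    sector = bytearray(clean_mbr())
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = bytes(range(0x20, 0x60))  # opaque filler
    return bytes(sector)


if __name__ == "__main__":
    print("clean:", validate_mbr(clean_mbr()) or "valid partition table")
    print("displaced:", validate_mbr(displaced_table_mbr()))
```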
The hard disk is inaccessible if the computer is booted from a diskette, since the operating system cannot find valid partition data in the boot sector - attempts to use the hard disk result in the DOS error message "Invalid drive specification". When the computer is booted from the hard disk, the hard disk can be used normally because the virus is executed first. The virus can, therefore, escape notice unless the computer is booted from a diskette.

As Monkey not only moves but also encrypts the Master Boot Record, it is difficult to remove. The changes to the Master Boot Record cannot be detected while the virus is active, since it reroutes the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape.

There are two often-used procedures, either of which can disinfect most boot sector viruses. One of these is the MS-DOS command FDISK /MBR, which rewrites the code in the Master Boot Record, and the other is using a disk editor to restore the Master Boot Record back on the zero track. In this case, the relocation and encryption of the partition table render these methods unusable. Although both procedures destroy the actual virus code, the computer cannot be booted from the hard disk afterwards.

There are five viable ways to remove the Monkey virus:

o The original Master Boot Record and partition table can be restored from a backup taken before the infection. Such a backup can be made with the MIRROR /PARTN command of MS-DOS 5, for example.

o The hard disk can be repartitioned by using the FDISK program, after which the logical disks must be formatted. The procedure will also destroy all data on the hard disk, however.

o The command FDISK /MBR can be used to overwrite the virus code, after which the partition table can be restored manually. In this case, the partition values of the hard disk must be calculated and inserted in the partition table by using a disk editor.
  The method requires expert knowledge of the disk structure.

o It is possible to exploit Monkey's stealth capabilities by taking a copy of the zero track while the virus is active. Since the virus hides the changes it has made, this copy will actually contain the original Master Boot Record. This method is not recommended, because the diskettes used in the copying may well get infected.

o The original zero track can be located, decrypted and moved back to its proper place. As a result, the hard disk is restored to its exact original state. F-PROT uses this method to disinfect the Monkey virus.

The Monkey virus is quite compatible with different kinds of diskettes. It has a built-in table containing structural data for the most common diskette types. Using this table, the virus is able to move a diskette's original boot record and a part of its own code to a safe area on the diskette. If Monkey does not recognize a diskette, it moves the boot record to the diskette's third physical sector. This is what happens also to, for instance, 2.88 megabyte ED diskettes, with the consequence that Monkey partly overwrites their File Allocation Tables.

The virus is difficult to spot, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK or MEM programs. However, even if MEM reports that the computer has 639 kilobytes of available memory instead of the more common 640, that does not necessarily mean that the computer is infected. In many computers, the BIOS allocates one kilobyte of DOS memory for its own use.

F-PROT recognizes and removes all known variants of the Stoned.Empire.Monkey virus.

A New Variant of Cascade on the Move in the Nordic Countries
------------------------------------------------------------

Most new viruses are modifications of old, known viruses.
The source codes for many old viruses are easily available, and it seems that many virus writers are only too glad to use them as groundwork for their own creations.

At the end of August, yet another new variant of the old Cascade virus was found in Oslo, Norway. This new variant was found in two different companies at almost the same time. All in all, the Cascade family has approximately forty known members.

The new virus infects COM files when they are executed. Since it increases the size of infected files by 1701 bytes, it will probably be named Cascade.1701.K. The virus is not markedly different from the original Cascade.

Although the new variant bears a close resemblance to the original virus, it is clearly different in one way: it never displays its activation routine, the dropping of letters to the bottom of the screen. It is, therefore, more difficult to notice. Other than that, the differences between the original virus and the new variant are minuscule - the creator of the new virus has probably used the original source code, but a different assembler.

F-PROT recognizes all known variants of Cascade, and it is able to remove the most common ones. Several other new viruses have been found in Norway lately, including a completely new encrypted boot sector virus called Ripper.

Made in Sweden: Moose
---------------------

In the beginning of September, a new series of viruses was found in Göteborg, Sweden. The discovery was made in the local university - it may be that the viruses were written by a student. The viruses have very similar structures, and for the time being they are all known as Moose. Four different variants have been discovered so far, and they all contain the word "Moose" somewhere in their code. The viruses also come equipped with version numbers, somewhat like the members of the Yankee Doodle virus family.

All members of the Moose family infect files and append their code to the end of the victim file.
Different variants infect different files: the alternatives are COM, EXE and SYS. When the virus infects SYS files, it overwrites their headers, with the consequence that the infected device drivers crash the computer when they are executed.

The Moose viruses do not stay resident in the computer's memory. They infect files only when they are executed along with an infected file. When a Moose-infected program is executed, the virus looks for a suitable victim in its current directory. If it doesn't find one, it moves one directory upwards and tries again. If the virus doesn't find a suitable file somewhere along the way, it goes up all the way to the root directory.

When Moose finds its victim, it performs the infection and may change one byte somewhere in the infected file. The consequences of this kind of corruption cannot be predicted - sometimes the alteration doesn't affect the program's functioning at all, sometimes it causes the program to crash upon execution, and in certain cases the program goes completely haywire. The virus draws lots by using the Real Time Clock to decide whether or not it should perform the corruption.

Sweden Is Going to Make Virus Writing Illegal
---------------------------------------------

Sweden's criminal legislation is being updated, and the changes will also extend to laws concerning computer crimes. A six-hundred-page report on the matter, which also includes views on computer viruses, has been submitted to the Swedish Parliament for consideration. The report dwells extensively on how to define computer viruses and on the legal aspects of developing and spreading such viruses, and also studies cases where a computer's functioning has been hindered, by loading the system with worms for instance.

In the report, primarily the spreading of viruses or other malware is considered to be a crime. However, such activity qualifies as a crime only if the perpetrator endangers public safety.
If the perpetrator cannot be proven to have intended potential damage to certain data or a computer system, the crime is likened to spreading poison or disease. The report considers this to be the best way to avoid the legal problems arising from the need to differentiate between perpetrating, attempting and preparing for a crime.

For the instrument the crime is committed with, the report suggests the definition "a computer program or program instructions developed in such a way that they can affect an object without having authorization to do so". The report emphasizes that the code must be objectively functional to fulfil the definition. Dysfunctional code does not qualify as an instrument of crime.

For viruses, the report suggests that the law should include the following:

Whoever creates a computer program or program instructions constructed in such a way that they are capable of affecting data or the technical equipment used to process data without having authorization to do so, or spreads the aforementioned programs or instructions, and thus causes a risk of data being destroyed or altered, or causes damage to the aforementioned equipment or disturbance in its functioning, shall be judged guilty of manufacturing or spreading computer viruses, and sentenced to pay fines or to no more than two years of imprisonment.

If the law is approved, it is estimated to take effect in the middle of 1994 at the earliest. If it is approved as it stands, it will be the world's first piece of legislation to criminalize the writing of computer viruses in itself. Switzerland is also in the process of changing its legislation to cover computer viruses specifically.

The Globally Most Common Viruses
--------------------------------

Joe Wells of Symantec Inc has compiled a list of globally common viruses. Practically all significant antivirus organizations have contributed to the list.
Among them are the University of Hamburg, IBM, S&S International, KAMI, Datawatch, Symantec, CSIR Virus Lab, CYBEC, Stiller Research, Frisk Software International and Data Fellows Ltd. According to the combined list, the following viruses are the most common globally:

Stoned.Michelangelo
Maltese Amoeba
Stoned.Standard.B
Dark_Avenger.1800.A
Form
Yankee Doodle.TP-44.A
Dir-II.A
Vacsina.TP-05
Stoned.NoINT
V-Sign
Stoned.Azusa
Stoned.June_4th
Joshi.A
Stoned.Empire.Monkey
Jerusalem.1808.Standard
Keypress.1232.A
Green Caterpillar
Kampana.3700:Boot
Chinese Fish
Cascade.1704.A
Tequila

Virus Bulletin Magazine's Annual Conference in Amsterdam
--------------------------------------------------------

Virus Bulletin magazine's annual conference was held in Amsterdam from the 9th to the 10th of September. Approximately 200 data security specialists from all over the world were present. Among others, Jan Terpstra, Frans Veldman, Vesselin Bontchev, Righard Zwienenberg, Roger Riordan and Dmitry Gryaznov gave speeches at the conference this year. The topics ranged from the virus situation in the former U.S.S.R. to how to keep a neat and ordered virus collection, advice on how to compare antivirus programs, and a lot else. Still, to most participants the most rewarding thing about the conference was the chance to chat with fellow experts outside the official program. It was also noteworthy to see the high esteem in which F-PROT Professional, distributed by Data Fellows Ltd., was held around the world.

The Virus Bulletin conference will be held again next autumn. More information about the matter can be had from Data Fellows Ltd's F-PROT Support, or directly from the Virus Bulletin magazine, phone number +44 235 555 139.

Phalcon/Skism Strikes Again
---------------------------

Phalcon/Skism is active again. The originally Canadian virus group, which nowadays boasts an international membership, has once more gained publicity with its stunts.
The group is clearly competing with NuKE for public notice.

A Printed Version of the 40Hex Magazine
---------------------------------------

Since 1991, Phalcon/Skism has been publishing an electronic magazine called 40Hex. 40Hex deals with viruses in general and how to make them in particular. 12 issues of the magazine have been published so far. In August, the magazine's editor-in-chief, "Leni Niles", announced that 40Hex will soon become available in printed form in addition to the traditional electronic distribution.

If the magazine actually reaches print, it will be the second regularly published magazine to contain instructions on how to design viruses. Mark Ludwig, who has also written the Little Black Book of Computer Viruses, has been publishing his own Computer Virus Developments Quarterly for a year.

From: fortyhex (geoff heap)
Subject: 40Hex is now a print magazine
Date: Mon, 16 Aug 93 17:19:02 EDT

40Hex, the world's most popular underground virus magazine is now available in two versions -- the familiar online magazine and a new printed magazine. In the past two and a half years, 40Hex has become the most popular virus magazine in the underground. The new printed magazine (dubbed 40Hex Hardcopy) is intended for anyone who wishes to learn as much as they can about computer viruses -- from the source, the virus writers.

Each issue will contain --

o A complete virus disassembly, fully commented in the 40Hex tradition,
o Detailed programming articles, intended for those fluent in assembly,
o Introductory articles intended to help those on all levels of ability
o Interviews with virus writers and virus researchers.

Also included is an editorial column, which will provide a forum for discussions about any virus related issue. Submissions from both sides of the argument are welcome, and will be given an equal voice.

Subscriptions --

The price for 40Hex Hardcopy is $35 per year for individuals, $50 per year for corporations.
The magazine is bimonthly (six issues per year).

The online magazine is available free of charge from many privately operated BBSs. You may receive a disk with the latest issue from us for $5. Please send a note specifying whether you would like a 5 1/4 or a 3 1/2 inch disk.

Correspondence --

Subscription requests should be addressed to

    Subscriptions
    40Hex Magazine
    PO Box xxx
    New City, NY, xxxxx

Article submissions should be addressed to

    Articles
    40Hex Magazine
    PO Box xxx
    New City, NY, xxxxx

Letters to the editors should be addressed to

    The Editors
    40Hex Magazine
    PO Box xxx
    New City, NY, xxxxx

If you have access to internet E-Mail, you can send a note to xxx@xxx.com

Note: manuscripts will not be returned to the sender unless they are accompanied by postage. All submissions must be marked "manuscript submitted for publication."

The online magazine will still be published, and will remain separate from the new hardcopy magazine with no article overlap.

Leni Niles
Co-Editor, 40Hex Hardcopy

New Virus Writing Competition
-----------------------------

A new virus writing competition was also announced in the latest issue of 40Hex. The competition's purpose is to find new members for Phalcon/Skism's Canadian Division:

----------------------------------------------------------------------------
***** Phalcon/Skism Internet Headquarters *****
*** Phalcon/Skism Canadian Division ***
-= Virus Writing Contest =-
September 1993 -> December 1st
----------------------------------------------------------------------------

Due to the new formation of the Canadian division of Phalcon/Skism, there will be a virus writing contest that will start as of this publication in every sub you see it. The contest is mainly Canadian oriented but EVERYBODY is welcome to participate. The new Canadian division needs fresh new blood to start with. Already numerous excellent writers have joined our ranks up north where we stand.
Do expect new viruses soon. It's just a matter as to who else will join.

The award for this contest will be either or both:

1. Publication of the virus and its author in 40HEX magazine.
2. If the person wishes to, a membership into Phalcon/Skism.

All submissions must be transmitted to this internet site at "virus-contest@skism.xxxxx.xx.ca" with compiled executable code AND commented source code to it. NO disassembly will be accepted. If you wish to send your file encrypted, the public key of PGP 2.3 is at the end of this file. Please send files uuencoded.

After evaluation by two different writers the winner will be published in every sub this message was posted on and also in the 40HEX magazine.

These are the criteria that the viruses will be judged on:

HANDLE        :
VIRUS NAME    :
FILES AFFECTED: [ ]COM  [ ]EXE  [ ]SYS  [ ]OVR  [ ]DOC  [ ]OTHER
Brief Description:__________________________________________________

Description:

I. TYPE OF VIRUS
   [ ]...Overwriting
   [ ]...Appending
   [ ]...Boot Sector

II. INFECTION METHOD
   [ ]...Direct Action
   [ ]...Memory Resident
   [ ]...Uses stealth routines
       Brief Description:__________________________________________________
   [ ]...Uses tunneling routines
       Brief Description:__________________________________________________
   List interrupts that you hooked and how you achieved this.
       Brief Description:__________________________________________________

III. ENCRYPTION
   [ ]...Virus is not encrypted
   [ ]...Virus is encrypted
       [ ]...Uses external engine
       [ ]...Routines are internal
       Brief Description:__________________________________________________
   [ ]...Virus is polymorphic
       Possibilities of reoccurrence: 1 to nTH _____________
       Brief Description:__________________________________________________

IV.
PAYLOAD
   [ ]...Virus is non-destructive
   [ ]...Virus is destructive

code it before sending it over the internet:

If you don't have internet access, please forward your submission to Memory Lapse on Total Mayhem.

Rumours of Form
---------------

Tenacious rumours about preformatted 3.5" HD diskettes infected by Form are still in circulation. A certain diskette manufacturer has been faced with several accusations, but the truth about the matter has yet to surface. It is, therefore, probably a good idea to check new, unused diskettes for viruses as well. When VIRSTOP is run with the /BOOT parameter, it prevents infected diskettes from being used.

Case: The Crepate virus
-----------------------

Mikko Hypponen, Data Fellows Ltd's F-PROT Support.

An ordinary day at work: testing F-PROT's OS/2 version, answering support calls and writing the upcoming Update Bulletin. It's over five o'clock, time to get home - the fall is far advanced and I'll have to get my lawn sown before winter sets in. The phone rings and shatters these thoughts.

The call comes from Symbolic, our distributor in Italy. Jeremy Gumbley, who works in Symbolic's technical support, is on the line. Jeremy gives it to me in a nutshell: a person had just dropped by and told him that a new, unknown virus had been found in an Italian university. There are probably tens of infected computers - the exact number is not known, because none of the antivirus programs that have been tried has been able to identify the new virus. The situation is serious and all the computers will remain on hold until the virus is under control. The visitor brought along a disketteful of files suspected to be infected. Jeremy has already taken a look at the files and is quite certain that they contain a new virus. I tell Jeremy that I'll start working on the subject immediately.
Via modem, Jeremy transfers a sample packet to the Data Fellows BBS system, and the examination begins. I extract the samples and put them through an automated examination system, which checks the files with thirteen different antivirus programs and stores the reports in an easily readable form. The system reports no alarms, although some programs report that certain sample files have counterfeit time stamps: in their creation date, the clock's seconds field shows an impossible value, 62. Some viruses use this trick to mark files they have already infected.

I give the files a quick once-over with a hex editor, enough to conclude that if they contain a virus, it is a brand-new one. Certain files have the text "(c)Crepa" at their end.

Via Internet, I transfer the files to Frisk Software International's FTP server in Iceland. Just to be sure, I call Iceland and recount the incident to Fridrik Skulason. He says that the files will be taken under close inspection right away. We decide to divide our forces: Jeremy and I will concentrate on examining how the samples function, in other words find out what the virus really does. The people at FSI will focus on building detection and disinfection routines for the new virus. We'll keep in contact by phone and E-mail.

I hang up and start the classification of samples. Seems like I won't get any time off for my lawn today.

I find out quickly that there are three different kinds of samples. Some of the files contain extraneous code at their end. This is not caused by a virus but by the "Immunize" function of the Central Point Antivirus program. To be on the safe side, I remove the immunization code and check the original programs. The files are clean. Some of the other programs contain code which seems to have been added to their beginning. The remaining files have the text "(c)Crepa" at their end.

It seems that we need to divide the analysing task if we want to resolve the problem as quickly as possible.
I call back to Iceland, and we agree that they will start working on incorporating the detection and disinfection of the virus while Jeremy and I start to disassemble and document the functioning of the little beast.

I give the Crepa files a closer look. There are four of them, all parts of the Italian MS-DOS 6. I choose to probe KEYB.COM, since it is a comfortably short program to examine and I know its structure of old. First I take a hex dump of the program by using Borland's TDUMP application. Then I proceed to run a debug listing of it with good old DEBUG. It proves extremely difficult to follow the program's execution with a DEBUG listing: the virus completes only one or two instructions at a time before jumping to somewhere else in the code.

Therefore I turn to Zanysoft Debugger, and use it to analyze the infected KEYB.COM. Along with Borland's Turbo Debugger, I have found ZD to be a handy tool to examine virus samples with. The program's execution is easier to follow with ZD, and it soon becomes clear that the author of the virus has wanted to make the program difficult to examine by coding it full of jump instructions. However, a careful inspection of the code reveals that the commands executed between jumps form a complex routine that decrypts 3900 bytes at the end of the file. At this point it becomes obvious that this is a self-encrypting virus.

I execute the virus one command at a time until it has decrypted itself. Then I store the virus code back on the diskette. When I go over the decrypted virus code, I notice that two new lines of readable text have surfaced from beneath the encryption:

COMcomEXEexeOV?ov?
Crepate (c)1992/93-Italy-(Pisa)

The first line appears to indicate that the virus is capable of infecting COM, EXE and Overlay files. The second line confirms the virus to be of Italian origin.

I discover that the task of separating the virus code and the original KEYB.COM code from each other is too arduous.
Instead, I decide to see whether I can get the virus to infect a bait file. As bait, I use a collection of COM and EXE files which contain nothing more than a termination instruction and a lot of zeros to pad the files to a certain length. Such programs do nothing else than terminate their execution, and since the file lengths are even numbers, a change in size caused by a virus can be noticed at first glance.

I transfer the virus to our much-abused test computer, and copy a sample of clean baits into the same directory with the virus. When I run KEYB.COM, it gives an error message in Italian complaining about incorrect parameters. I use a memory mapping program to check for changes in memory allocation. No changes are evident, which means that the virus is either not resident in memory or capable of bypassing memory mapping applications. I check the bait files - no changes in those either. I run the infected KEYB.COM a couple of times to be certain, but the bait programs are simply ignored.

Why? There are many possible explanations. Maybe the virus is picky about the files it infects. Maybe it won't infect anything on even days. Maybe it doesn't infect files in its current directory, but somewhere else on the disk. Maybe it is a stealth virus, in which case the changes cannot be seen anyway, at least not while the virus is active.

Jeremy calls while I'm thinking about all this. We get into a discussion on its peculiar jump structure. "I'm sure I have never seen so many jump instructions", "For a moment I thought it was a new version of the Commander Bomber virus, but no, at least not that", "I think that this jump-spaghetti has been added just to confuse heuristic analysis". Indeed - F-PROT's Heuristic Analysis failed to give warning of an infected file even when the /GURU option was enabled. Goes to show that any software-based protection can be overcome by software.

Jeremy has managed to examine the virus a bit further.
I ask what the words "Crepa" and "Crepate" mean, and he tells me that Crepa means death and Crepate stands for "You will all die". We agree to name the virus Crepate for the time being. Jeremy says that, right after decrypting itself, the virus gets into the business of doing some absolute disk writes.

Immediately, I get a brainstorm. It is a multipartite virus we are talking about here, operating in the same way as, for instance, Tequila. When the virus is executed in a clean computer, it infects the hard disk's Master Boot Record but does nothing else. The next time the computer is turned on, the virus stays active in memory and starts infecting other program files.

I test my theory - and yes! The F-CHECK checksum program reports an altered Master Boot Record. I use Norton's DISKEDIT to take a copy of the Master Boot Record's code before restarting the computer. The boot-up seems to be completely normal. I run MEM and find the familiar sign indicating the presence of a boot sector virus: the amount of DOS memory has dropped from the 640 kilobytes normally available in this computer. There are only 636 kilobytes left, which means that the virus takes up four kilobytes.

I go back to the virus directory and run the bait files again. Strangely enough, the baits are still not infected. The file sizes stay the same, whatever I do. Without giving the matter further thought, I run DOS's CHKDSK and attain instant enlightenment. CHKDSK reports "Allocation error" for every COM and EXE file I have executed during this session. The report includes all the files referred to in AUTOEXEC.BAT, all bait files, and CHKDSK.EXE itself. This is a clear sign of an active stealth virus that is operating in the computer and hiding the changes it has made to files. However, the virus is not sophisticated enough to hide the changes from the CHKDSK program, which is reporting errors caused by contradictions between directory information and the File Allocation Table.
The closer I look, the more advanced this virus is beginning to seem. When I compare the infected bait files, I notice that the decryption routine varies between different samples. In addition to everything else, the virus has polymorphic characteristics mixed in.

The phone rings - Fridrik is calling from Iceland. His staff has gone through the same sample files, concentrating first on the samples which I and Jeremy had decided to leave alone for the time being. Some of the samples had indeed been clean, though packed by using CPAV. Some other files had been found to contain a new virus, which was named March 25th. In other words, two different viruses are on the loose in the Italian university! Frisk hands me a short account of the characteristics of the March 25th virus: a memory-resident COM and EXE infector that structurally changes COM files into EXEs. The virus activates on the 25th of March and overwrites most data on the hard disk. The size of this virus is only 1024 bytes, and it is much simpler than Crepate.

Frisk has also gone over the Crepate files, and he is already well acquainted with the virus's functioning. For some reason, though, the virus does not function in his test computers. Although it manages to infect the hard disk's Master Boot Record, the computer won't boot afterwards. Curious. Fridrik is ready to build a disinfection routine for the virus, but he is hampered by the fact that he cannot get it to spread. I promise to send him a program packet containing both clean and infected versions of the same sample files.

After hanging up I take a closer look at the code the virus writes on the Master Boot Record. Aha, it tries to make inspection more difficult with commands that modify the commands next in line... I get another brainstorm. Immediately, I call back to Frisk and ask what kind of a computer he used to test the virus. Frisk tells me he has used his newest virus testing computer, a 33 MHz 386DX.

"Does it have internal cache memory", I ask. "Yes, 8 kilos", Frisk answers. The mystery unravels. I had tested the virus in a 16 MHz 386SX computer with no cache memory. The cache memory of Fridrik's computer buffers commands that are to be executed next, and makes it unnecessary to retrieve them all the way from the main memory. Because of that, though, the changes the virus tried to make in its own code never got through. The bytes it tried to change had already been read into the cache memory where they could not be altered. In other words, the Crepate virus cannot function in computers with internal cache memory - it will only crash them during boot-up.

I start to create a sample of demo files, beginning with a collection of programs that are different from each other both structurally and in file size. I pack the clean programs and transfer the packet into the infected computer. There I execute, open and copy programs. Any of these operations infects the program in question, but I notice that the virus won't infect the smallest files. I boot the computer from a clean diskette, pack the infected files and transfer them back to my own computer. Again, I open a telnet session and send the sample packet to Iceland via FTP.

I continue to examine the virus. It seems that Crepate uses a very peculiar method to hook the DOS interrupt 21h. The virus would gain nothing by jumping to hijack the interrupt as the first thing it does after it has been executed from the boot sector, because DOS takes the interrupt into use only later on. Instead, at the very beginning the virus hijacks the BIOS's timer interrupt, which activates 18.2 times a second. The virus uses this interrupt to check 18 times a second whether DOS has loaded itself. When that happens, the virus hooks interrupt 21h to its own code. That way it gets to be the first program to clamp onto the interrupt.

The phone rings again, this time it's Jeremy. We quickly exchange what we have learned from the virus.
He tells me he has found a date check and destruction routine further along the code. The virus activates on the 16th day of any month, and executes a remarkably thorough destruction routine. It overwrites all the data on the first hard disk, going through the disk from beginning to end. Since that kind of a routine is quite difficult to code, most viruses use destruction routines that overwrite only a part of the hard disk. For example, even the notorious Michelangelo virus destroys only a certain amount of the hard disk's data. After such partial destruction, it is usually possible to salvage some data from the hard disk without turning to expensive data recovery services. Crepate is a different breed of cat and goes through the disk thoroughly, sector by sector.

The 16th day. That was a week ago -- maybe the virus was discovered a week ago, when the first hard disks were wiped? No matter. It must be stopped now, before it causes further damage.

I code a routine that checks files for Crepate infection. Using it, I scan the test computer's hard disk. Practically all the programs I have used during the evening have been infected. I wipe the hard disk and restore a basic combination of clean software on it. I run the routine also on diskettes I have used to carry files between the test computer and my own. I'm surprised when I notice that the boot sectors on the diskettes have also been infected. What on Earth - to the best of my knowledge, the virus code contained no routines for infecting diskettes. I go over the code more carefully, looking for something that hints at diskettes. After a time it becomes clear that the virus uses the same routine to infect both hard disks and diskettes. Crepate is a true multipartite virus -- capable of infecting three different file types and two kinds of boot sectors. Its maker must have spent a long time finishing his creation.

Fridrik sends a completed search routine via FTP.
Using it as the base, I create F-PROT Professional 2.09e. After a quick check to make sure the program recognizes both March 25th and Crepate faultlessly, I transfer it to the file areas of Data Fellows BBS. I call Jeremy to tell him he can pick it up with his modem. At the moment, he is putting together a summary of the virus to be delivered to the client. He says he will take F-PROT to the university in the morning.

Everything is just about finished for the evening. Frisk e-mails a message saying that he'll send a sample of the virus to other antivirus program developers so they can add the recognition of the new virus to their own products. After that, Frisk says, he will go home. Jeremy sounded tired too. The time is 01.30 in Finland, 00.30 in Italy and 22.30 in Iceland. I'll go and get some sleep, too - the fall is far advanced and I'll have to get my lawn sown before winter sets in.

A Summary of the Virus
----------------------

Compiled by Jeremy Gumbley, Symbolic, Italy

The Name:       The final name has not been decided yet. Suggestion: Crepate

Discovered In:  Pisa, Italy

When:           September the third, 1993

Virus type:     A multipartite stealth virus with some polymorphic abilities

Infects:        The Master Boot Records of hard disks
                The DOS Boot Records of diskettes
                COM files sized between 400 and 62000 bytes
                EXE and OVL files regardless of size

Size:           About 2910 bytes in infected files
                6 sectors (3072 bytes) in infected boot sectors
                The virus also uses one extra sector to store the original
                boot sector code in.

Interrupts:     The virus uses interrupts in the following manner:

INT 09h (Keyboard Interrupt)
    Hooked while the virus executes the destruction routine. Because of this, the routine cannot be interrupted with Ctrl-Break or Ctrl-Alt-Del.
INT 13h (absolute disk reads and writes)
    Hooked while the virus infects boot sectors.

INT 1Ch (Clock Interrupt)
    Hooked while the computer boots itself.

INT 21h (A DOS Interrupt)
    Gets hooked when the Command Interpreter is loaded into memory.

INT 24h (handling of critical errors)
    Hooked while the virus infects files. Because of this, the user does not receive an error message when the virus tries to infect a file on a write-protected diskette.

Memory Allocation: The virus allocates four kilos at the top of DOS memory for itself. The missing memory can be noticed with the commands CHKDSK and MEM.

Side Effects: CHKDSK reports allocation errors for all infected files while the virus is active in memory.

Destruction routines: The virus uses random data to overwrite all sectors on the system's first physical hard disk. The destruction routine is executed on the 16th day of every month.

Description: The functioning of the Crepate virus is divided into several distinct phases. When an infected file is first executed in a clean system, the virus replaces the code in the primary hard disk's boot sector with its own. The virus also overwrites seven sectors at the end of the hard disk, using this area to store a part of its own code and the original Master Boot Record. Since it does not mark these sectors as having been allocated, some other program may afterwards overwrite them as well. Next, the virus checks the date from the computer's Real Time Clock (INT 1Ah/4h). If the date happens to be the 16th of any month, the virus overwrites all data on the primary hard disk.

The virus enters its second phase when the computer is rebooted. The virus code in the boot sector activates and loads the main part of the viral code into memory. Crepate hooks the Timer Interrupt INT 1Ch and uses it to check when the Command Interpreter is loaded into memory.
After the virus has hooked the Timer Interrupt routine, it executes the original Master Boot Record and allows the booting to continue normally. When the Command Interpreter (usually COMMAND.COM) has been loaded, the virus hooks the DOS interrupt INT 21h into its own code. This way it can bypass most memory-resident antivirus programs, since they are usually loaded later from AUTOEXEC.BAT.

After hijacking INT 21h, the virus begins to infect COM and EXE files. The virus infects files whenever something is done to them with the following INT 21h functions:

    3Dh   (Open)
    3Eh   (Close)
    43h   (Lseek)
    41h   (Delete)
    4Bh   (Load and execute program)
    6C00h (Extended open/create)

The curious thing about the above listing is that the virus does indeed infect also files that are being deleted. In addition to this, the virus uses the following INT 21h functions to hide the changes it has made to files:

    11h (Find first/FCB)
    12h (Find next/FCB)

Because of this, the file sizes seem unchanged when the directory listing is browsed with, for example, the Dir command.

Other Observations: The virus marks the files it has infected by inserting the bytes 6373h ("cs") at the end of the file. It also changes the seconds field in the file's time stamp to show an impossible value, 62. The stealth routines of the virus use the seconds field value for recognizing an already infected file.

When the virus infects a file, it links a varying code part to the beginning of the actual viral code. This code strip is different in every infected file, and its purpose is to make finding the virus by either signatures or heuristic methods more difficult.

When the virus activates its destruction routine, it is able to bypass most of the protection applications which monitor the functioning of the absolute disk write interrupt INT 13h. No wonder, since the virus records the BIOS address of INT 13h when the computer is booted, and calls that address directly when it overwrites the hard disk.
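The file-level indicators described in this summary (the trailing "cs" marker and the seconds value of 62), the bait files used in the narrative above and the CHKDSK "Allocation error" that exposed the stealth routine, as an added example. This is illustration code written for this bulletin, not F-PROT's or the virus's own; the 2048-byte bait, the 2048-byte cluster size and the filler bytes standing in for the virus body are constructed assumptions.

```python
"""Indicators of a Crepate-style file infection as the bulletin describes
them: a trailing "cs" marker (6373h), a seconds field of 62 in the DOS time
stamp, and the directory/FAT mismatch that CHKDSK reports while the stealth
routine is hiding file growth."""
from math import ceil

CREPATE_MARKER = b"cs"   # the bytes 6373h the bulletin says are appended
CREPATE_SECONDS = 62     # the impossible seconds value written to the time stamp


def decode_dos_time(word):
    """Split a 16-bit DOS time stamp into (hours, minutes, seconds).

    Bits 15-11 hold the hour, bits 10-5 the minute and bits 4-0 the seconds
    divided by two. The 5-bit field can hold 31, i.e. 62 seconds, which no
    real clock produces; that is why the virus can use it as a tag."""
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2
    return hours, minutes, seconds


def encode_dos_time(hours, minutes, seconds):
    """Inverse of decode_dos_time; used here only to build constructed samples."""
    return ((hours & 0x1F) << 11) | ((minutes & 0x3F) << 5) | ((seconds // 2) & 0x1F)


def crepate_indicators(data, time_word):
    """Return the indicators present in one file.

    data is the file content and time_word its 16-bit DOS time stamp."""
    found = []
    if data.endswith(CREPATE_MARKER):
        found.append("trailing 'cs' marker")
    if decode_dos_time(time_word)[2] == CREPATE_SECONDS:
        found.append("seconds field = 62")
    return found


def chkdsk_allocation_mismatch(reported_size, chain_clusters, cluster_bytes):
    """Model the 'Allocation error' CHKDSK raised in the bulletin.

    The stealth routine hands DOS the original file size, but the FAT
    cluster chain still covers the grown file; CHKDSK compares the two."""
    expected_clusters = ceil(reported_size / cluster_bytes)
    return expected_clusters != chain_clusters


def demo(cluster_bytes=2048):
    """Run the checks over constructed samples and return the verdicts."""
    # Constructed bait file in the bulletin's style: a termination
    # instruction (INT 20h) padded with zeros to an even 2048 bytes.
    bait = b"\xcd\x20" + b"\x00" * 2046
    bait_time = encode_dos_time(9, 30, 10)
    # Constructed stand-in for an infected copy: 2908 filler bytes plus the
    # two marker bytes give the roughly 2910-byte growth the bulletin reports.
    infected = bait + b"\x90" * 2908 + CREPATE_MARKER
    infected_time = encode_dos_time(9, 30, CREPATE_SECONDS)
    return {
        "bait": crepate_indicators(bait, bait_time),
        "infected": crepate_indicators(infected, infected_time),
        # Clean file: directory size and cluster chain agree.
        "chkdsk_clean": chkdsk_allocation_mismatch(
            len(bait), ceil(len(bait) / cluster_bytes), cluster_bytes),
        # Stealth case: DOS is told the bait size while the chain holds the
        # infected size, which is exactly what CHKDSK flags.
        "chkdsk_stealth": chkdsk_allocation_mismatch(
            len(bait), ceil(len(infected) / cluster_bytes), cluster_bytes),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two caveats follow directly from the summary. On a machine where the virus is resident, its INT 21h hook hands any scanner the original file content and size, so the marker check only means something after booting from a clean, write-protected diskette, as the narrative does. And the seconds-62 test on its own is weak evidence: the virus uses it to recognise its own work, but other software can write odd time stamps too, so treat it as a reason to look closer rather than a verdict.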
F-PROT Support Informs: Common Questions and Answers
----------------------------------------------------

Your local F-PROT Professional support is ready to help you on questions concerning information security and the prevention of viruses. You can also contact Data Fellows directly; our phone number is +358-0-692 3622, fax +358-0-670 156. You can also write to us at: Data Fellows Ltd, F-PROT Support, Wavulinintie 10, SF-00210 HELSINKI, FINLAND. By electronic mail, you can reach us at f-prot@df.elma.fi or via X.400 at S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet, C=fi.

Q: I installed the new Windows-capable VIRSTOP that was included in F-PROT 2.09. When I tried to run Windows, I received the following message:

    Cannot find a device file that may be needed to run Windows in 386 enhanced mode; C:\F-PROT\VIRSTOP.EXE
    Run Setup again.

Windows did start, but the Windows elements of VIRSTOP were not activated. Why not? I use the Stacker disk compression.

A: The VIRSTOP for Windows documentation describes that the DOS and Windows elements of VIRSTOP are both stored in the same file, VIRSTOP.EXE. This file must be available during the startup of Windows, because the Windows elements of VIRSTOP are loaded into memory only when Windows starts, and not earlier. When VIRSTOP is run for the first time, it records its own location on the hard disk. If this location changes, or if VIRSTOP is removed from the disk before Windows is started, Windows displays an error message.

In this case, VIRSTOP is loaded from an unpacked disk section before Stacker is executed. Upon execution, Stacker's program SSWAP changes the order of logical disks. In other words, VIRSTOP is loaded from disk C, but afterwards the logical disks C and D swap disk letters with each other. When Windows starts, the path to VIRSTOP is no longer C:\F-PROT\VIRSTOP.EXE, but D:\F-PROT\VIRSTOP.EXE.
You can solve the problem by either storing VIRSTOP on a packed disk section, or by executing it from an unpacked disk section after the SSWAP command has been given. Windows reports a similar message if VIRSTOP is loaded from a diskette and the diskette is thereafter removed from the drive, or if VIRSTOP is loaded from a server and the network connection is terminated before Windows is run. The message does not mean that Windows won't start, but VIRSTOP will function as if it had been given the /NOWIN parameter.

Q: I started using F-SCHEDULER, and configured it to run automatically every time I start a Windows session. I also use F-SCHEDULER's Screen Saver, which allows me to leave my computer logged on for the night without having to worry about unauthorized use. The Screen Saver functions otherwise normally, but for some reason it switches on every time I am in a DOS session under Windows. It doesn't seem to matter how much or how little I use the computer at the time; the Screen Saver may activate even while I am just typing on the keyboard.

A: F-SCHEDULER's Screen Saver is switched on when the keyboard and the mouse have been left untouched for a certain time. F-SCHEDULER cannot see whether they are used inside a DOS window, however, since such information is not relayed to Windows. One way to solve the problem would be to configure the Screen Saver not to activate while a DOS window is active. There's a snag, though, because the computer would remain unprotected at night if a DOS program was left running after hours. A better way to deal with the problem is to raise the Screen Saver's activation time to 15 or 30 minutes. It usually does not take longer to handle typical DOS window operations, but the Screen Saver will be switched on if the computer has been left alone for long enough.

Q: I tried to run an F-PROT check by using F-SCHEDULER's default settings and pressing the "Execute" button. F-PROT did not start.
Instead, Windows reported an error message claiming insufficient memory. Program Manager, on the other hand, reports several megabytes of available memory.

A: In this case, it's not a question of available Windows memory. The problem is caused by the amount of available DOS memory. When F-PROT is executed under F-SCHEDULER, it requires 400 kilobytes of available DOS memory. In most configurations, this can be easily achieved through memory optimization. If the amount of available memory is only slightly below 400 kilobytes, you can probably run F-PROT by using the F-SCHEDULER function Execute File instead of Execute F-PROT.

Q: If F-PROT is run from F-SCHEDULER, the check continues only until my Screen Saver activates. When I press a key, the check picks up again.

A: You have used the Windows Control Panel to prevent programs from being executed in the background. There is a setting called "Exclusive in Foreground" in Control Panel's 386 Enhanced section. If it is switched on, Windows stops the execution of all but the foremost program. Therefore, the F-PROT check proceeds only until the Screen Saver activates, and while the Screen Saver is active, all other programs are on hold. You can remedy the situation by switching off the setting.

Q: I have switched F-SCHEDULER's Screen Saver off, since I am using another Screen Saver product to protect my computer from unauthorized use. For some reason, F-SCHEDULER's saver is switched back on every time I start Windows. How can I get the Screen Saver to stay switched off?

A: In this respect, the Screen Saver does not function correctly. We have fixed the problem, and will deliver the new version to all who want it. Raising the Screen Saver's activation time to 30 minutes or above will probably suffice for most users.

Q: When VIRSTOP is started, does it check the computer's memory for all known viruses?

A: When started, VIRSTOP uses generic methods to ensure that the computer's memory does not contain an active boot sector virus.
VIRSTOP also checks itself against a file virus infection. If you want your computer's memory checked for all known viruses during every boot-up, you must add the command

    F-PROT . /NOFILE /NOBOOT

to the file AUTOEXEC.BAT. Verify the result by checking the errorlevel return code. It can be done as follows, for example:

    IF NOT ERRORLEVEL 4 GOTO END
    ECHO There is an active virus in memory. Contact Bob at ext. 517.
    ECHO Machine is halted.
    CTTY NUL
    :END

Q: Network drivers take up a large part of my computer's DOS memory, so that I have only 350 kilos of available memory left. Will F-PROT function in a computer that has so little memory available?

A: It depends on the scanning method, but generally speaking the answer is yes. F-PROT is designed to function in almost any computer environment. Even the original IBM 8086, equipped with a green-black monochrome monitor, a 360 kb diskette drive, 512 kb of memory and PC-DOS 2.0, can run F-PROT. At minimum, F-PROT requires about 300 kilos of available memory. The memory requirement depends on the mode the program is executed in. The following table gives an indication of how much available DOS memory F-PROT needs in order to function. The numbers presented in the table are valid for F-PROT 2.10, but the memory requirements of future versions may vary.

    Command Line Mode:   Secure Scan          303 kb
                         Heuristic Analysis   376 kb
    Interactive Mode:    Secure Scan          311 kb
                         Heuristic Analysis   412 kb

Q: I checked my hard disk with the latest F-PROT. It gave the following message for several files:

    Note: C:\XCOPY.EXE has been inoculated by Central Point Anti-Virus.

What has CPAV done to my files?

A: This message is not alarming; it only informs the user that Central Point Anti-Virus has been executed in the computer with the "Inoculate" option on. When the option is on, CPAV modifies all scanned programs by adding code to their ends. This code checks the program's length as well as its first few bytes.
In fact, the functioning of this code strip greatly resembles the functioning of certain viruses. If the file size of a CPAV-protected program changes, the Inoculate code displays the following message when the program is next executed:

    Central Point Anti-Virus (c) 1991 CPS
    Self Integrity Check warning - File was changed !
    Choose an option:
    [R] Self Reconstruction.
    [C] Continue execution.
    [E] Exit to DOS.
    Press R,C or E:

Then why does F-PROT remark on the modified files? Simply because many programs do not function after they have been "inoculated". Some programs (like, for instance, F-PROT and VIRSTOP) refuse to start at all, while others only crash after the modification. Besides which, some programs modify their own file, causing the CPAV warning to be displayed time and again.

CPAV's Inoculate function is especially hazardous if it is used to protect files that have already been infected with a virus. CPAV's code blankets the viruses very efficiently, preventing most antivirus programs from noticing them. Notwithstanding that, the virus is in most such cases able to continue functioning quite normally. Many heuristic antivirus programs give warning of the inoculated files as well, because the code added by CPAV is very suspicious in nature.

The reason why this particular message was added to F-PROT was to help a user to find and recognize the inoculated files. While the change in programs may be easy to notice, it is not necessarily obvious what has happened to them. The modified files can be returned back to normal by using CPAV.

Changes to F-PROT in version 2.10
---------------------------------

The command line switch /TROJAN is no longer needed. The corresponding menu item has also been removed from the Scan menu. Nowadays, when F-PROT scans for viruses, it also looks for known Trojan Horses. Although the switch /TROJAN does still exist, it is only a convenience whose purpose is to keep old batch files functioning without modifications.
The switch no longer affects the functioning of scans in any way.

F-PROT notifies the user of files that have been modified by the "Immunize" function of Turbo Antivirus or Central Point Antivirus.

Two new command line parameters have been added to F-PROT. The parameter /640 prevents F-PROT from checking the memory above 640 kilos - the switch may be needed in computers having a nonstandard motherboard and only 640 kilos of memory. The parameter /MONO starts F-PROT in monochrome mode, and it can prove useful when the program is run on a laptop, for instance.

Results of the memory scan are now written to a report file if a virus is found and the /REPORT= switch is used - previously only an errorlevel value was returned.

The method F-PROT uses to deal with new variants of known viruses has been redesigned. Previously F-PROT would always refuse to disinfect a new variant of some known virus, even if it was only slightly different from a variant it recognized. Now it will attempt to determine if the new variant is sufficiently similar to a known variant for the same disinfection procedure to be attempted. Still, we would like to ask F-PROT users to continue sending us samples of all viruses that are reported as new, modified or unknown variants.

F-PROT 2.09 occasionally missed samples of the Tremor and Phoenix.2000 viruses. This is fixed now.

When disinfecting certain viruses, such as Jerusalem from COM files, F-PROT would not retain the date/time of the file, but instead set it to the current date/time. This has been fixed.

If F-PROT was run twice in a row in interactive mode, and found some viruses on the first pass, on the second run it would occasionally claim that the MBR was infected. This has been fixed.

F-PROT would search boot sectors for user-defined signatures only with "Quick Scan", not "Secure Scan" - it should have been the other way around. This has been fixed.
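The two variant-handling mechanisms this release describes, attempting disinfection when a new variant is sufficiently similar to a known one, and "exact" identification of a variant by a 32-bit checksum, as an added example. This is illustration code written for this bulletin, not F-PROT's own; the "Demo" family, its signature, the 64-byte body, CRC-32 as the 32-bit checksum and the four-byte similarity limit are all constructed assumptions, since the bulletin does not say which checksum or similarity rule F-PROT applies.

```python
"""Exact identification of a virus variant by signature plus 32-bit checksum,
and the 'similar enough to reuse the disinfection procedure' decision, for a
constructed 'Demo' family. Signature, body layout and thresholds are
illustrative assumptions, not anything from F-PROT."""
import zlib

FAMILY_SIGNATURE = b"DEMO-FAMILY:"   # constructed; not a real virus pattern
BODY_LENGTH = 64                     # constructed: bytes covered by the checksum
SIMILARITY_LIMIT = 4                 # constructed: max differing bytes for a "modified" match


def _body(tag):
    """Build a constructed variant body: signature, tag, zero padding."""
    return (FAMILY_SIGNATURE + tag).ljust(BODY_LENGTH, b"\x00")


VARIANT_A = _body(b"A")
VARIANT_B = _body(b"B")

# Exact identification: the CRC-32 of the whole body, not just the signature,
# selects the variant, so two bodies sharing a signature but differing
# anywhere in their 64 bytes get different names.
KNOWN_VARIANTS = {
    zlib.crc32(VARIANT_A): ("Demo.A", VARIANT_A),
    zlib.crc32(VARIANT_B): ("Demo.B", VARIANT_B),
}


def byte_distance(a, b):
    """Number of positions at which two byte strings differ (length counts)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def identify(data):
    """Return None for clean data, otherwise a verdict dict.

    verdict is 'exact' (checksum matched a known body), 'similar' (no checksum
    match but within SIMILARITY_LIMIT bytes of one) or 'unknown'."""
    offset = data.find(FAMILY_SIGNATURE)
    if offset < 0:
        return None
    body = data[offset:offset + BODY_LENGTH]
    hit = KNOWN_VARIANTS.get(zlib.crc32(body))
    if hit is not None:
        return {"verdict": "exact", "name": hit[0], "offset": offset}
    # No exact match: find the closest known body, as the redesigned variant
    # handling does before deciding whether disinfection may be attempted.
    name, distance = min(
        ((n, byte_distance(body, b)) for n, b in KNOWN_VARIANTS.values()),
        key=lambda pair: pair[1])
    if distance <= SIMILARITY_LIMIT:
        return {"verdict": "similar", "name": name + " (modified)", "offset": offset}
    return {"verdict": "unknown", "name": "Demo (new variant)", "offset": offset}


def disinfect(data):
    """Cut the body out for exact or similar variants; refuse otherwise.

    The constructed family simply appends its body to the host, so removal is
    a slice; a real disinfector would also restore the host's entry point."""
    result = identify(data)
    if result is None:
        return data, "clean"
    if result["verdict"] == "unknown":
        return data, "refused: unknown variant, send a sample"
    start = result["offset"]
    return data[:start] + data[start + BODY_LENGTH:], "disinfected as " + result["name"]


def demo():
    """Run the classifier over constructed samples and return the verdicts."""
    host = b"\xcd\x20" + b"\x00" * 30           # constructed clean host program
    modified = bytearray(VARIANT_B)
    modified[20:22] = b"\xff\xff"                # two bytes changed: a minor variant
    new = bytearray(VARIANT_B)
    new[20:40] = b"\xff" * 20                    # twenty bytes changed: a new variant
    samples = {
        "host": host,
        "exact_a": host + VARIANT_A,
        "modified_b": host + bytes(modified),
        "new": host + bytes(new),
    }
    return {name: (identify(data), disinfect(data)[1]) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, action) in demo().items():
        print(f"{name}: {verdict} -> {action}")
```

The point of checksumming the body rather than matching only the signature is visible in the two known variants: they differ in a single byte, yet each gets its own exact name, which is how this release can list so many closely related variants separately. The similarity path is deliberately conservative: anything beyond the small byte-difference limit is refused and reported as new, which matches the request above to keep sending samples of new, modified or unknown variants.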
We have significantly increased the use of "exact" identification of viruses, where F-PROT uses a 32-bit checksum to distinguish between very similar variants. This is one of the explanations for the large number of new variants listed below.

New Viruses Recognized by F-PROT:
---------------------------------

The following 58 viruses are now identified, but can not be removed because they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but were only reported to be new or modified variants:

    Abraxas (1171)
    Abraxas (1200)
    Atomic.480
    Burger (405.B)
    Burger (560), 8 variants
    Civil War.444
    Knight
    Leprosy (350)
    Leprosy (647)
    Leprosy (Clinton)
    Milan.WWT.67.C
    Naught (712)
    Naught (865)
    Proto-T.Flagyll.371
    SillyOR (60)
    SillyOR (66)
    SillyOR (68)
    SillyOR (69)
    SillyOR (74)
    SillyOR (76)
    SillyOR (77)
    SillyOR (88)
    SillyOR (94)
    SillyOR (97)
    SillyOR (98)
    SillyOR (99)
    SillyOR (101)
    SillyOR (102)
    SillyOR (107)
    SillyOR (109)
    SillyOR (112)
    Tack (411)
    Tack (477)
    Trivial (26.B)
    Trivial (27)
    Trivial (28)
    Trivial (29)
    Trivial (30.D)
    Trivial (30.E)
    Trivial (40.D)
    Trivial (40.E)
    Trivial (40.F)
    Trivial (42.C)
    Trivial (42.D)
    Trivial (43)
    Trivial (44.D)
    Trivial (45.D)
    Trivial (102)
    VCL.527
    Viruz
    ZigZag

The following 448 new viruses can now be detected and removed. Some of these viruses were detected by earlier versions, but are now identified accurately:

    3y
    4-days
    4res
    _127
    _130
    _132
    _205
    _330
    _409
    _524
    _584
    _593
    _655
    _1417
    _1536
    _2878
    Abbas
    Alabama.C
    Ambulance.E
    Andro
    Andromeda
    Arcv.companion
    Armagedon.1079.D
    Atomic (Toxic)
    Atomic (166)
    Atomic (350)
    Atomic (831)
    Attention.C
    Aurea
    Australian Parasite.272
    BadSector
    Best Wishes (1024.C)
    Best Wishes (1024.D)
    Black Jec (284)
    Black Jec (323)
    Black Jec (235)
    Black Monday (1055.E)
    Black Monday (1055.F)
    Black Monday (1055.G)
    Black Monday (1055.H)
    BloodRage
    Bootexe
    Bubonic
    Bupt.1279
    Cascade (691)
    Cascade (1701.G)
    Cascade (1701.H)
    Cascade (1701.J)
    Cascade (1701.K)
    Cascade (1701.L)
    Cascade (1704.L)
    Cascade (1704.N)
    Cascade (1704.O)
    Cascade (1704.P)
    Checksum.1253
    Chris
    Civil War III
    Clonewar (238)
    Clonewar (546)
    Clonewar (923.A)
    Clonewar (923.B)
    Cobra
    Coib
    Comasp.633
    Coffeshop.1568
    Cybercide.2299
    Cybertech (501)
    Cybertech (503)
    Danish Tiny (163)
    Danish Tiny (Kennedy.B)
    Dark Apocalypse
    Dark Avenger (1800.F)
    Dark Avenger (1800.G)
    Dark Avenger (1800.H)
    Dark Avenger (1800.I)
    Dark Avenger (1800.Rabid.B)
    Dark Avenger (2000.Copy.C)
    Dark Avenger (2000.DieYoung.B)
    Dark Avenger (2100.DI.B)
    Dark Avenger (Jericho)
    Dark Avenger (Uriel)
    Dashel
    DataCrime (1168.B)
    DataCrime (1280.B)
    DataLock (920.K1150)
    DataLock (1740)
    Dbase.E
    Dejmi
    Destructor.B
    Devil's Dance (C)
    Devil's Dance (D)
    Digger.600
    Dos 7 (342)
    Dos 7 (376)
    Dos 7 (419)
    Dosver
    Doteater (C)
    Doteater (D)
    Doteater (E)
    Dracula
    Du
    Dy
    Dzino
    Finnish.709.C
    Friday the 13th (540.C)
    Friday the 13th (540.D)
    Frodo (F)
    Frodo (G)
    Frodo (H)
    Fumble.E
    Gemand
    Genc (502)
    Genc (1000)
    Goga
    Golgi (465)
    Golgi (820)
    Granada
    Grog (Lor)
    Grog (990)
    Grog (1641)
    Guppy.D
    Halloechen (B)
    Halloechen (C)
    Hates
    Headcrash.B
    Helloween (1227)
    Helloween (1384)
    Helloween (1447)
    Helloween (1839)
    Helloween (1888)
    Helloween (2470)
    Hi.895
    Hidenowt
    HLLC (Even Beeper.C)
    HLLC (Even Beeper.D)
    Infector (759)
    Infector (822.B)
    Intruder.1317
    Italian Boy
    IVP (540)
    IVP (Bubbles)
    IVP (Math)
    IVP (Silo)
    IVP (Wild Thing)
    Jackal
    Japanese_Christmas.600.E
    Jerusalem (664)
    Jerusalem (1960)
    Jerusalem (1829.Anarkia)
    Jerusalem (2223)
    Jerusalem (Anticad.2900.Plastique.B)
    Jerusalem (Anticad.2900.Plastique.C)
    Jerusalem (Anticad.2900.Plastique.D)
    Jerusalem (AntiCad.3012.C)
    Jerusalem (AntiCad.3012.D)
    Jerusalem (Fu Manchu.D)
    Jerusalem (Sunday.G)
    Jerusalem (Sunday.H)
    Jerusalem (Sunday.I)
    Jerusalem (Sunday.J)
    Jerusalem (1765)
    Jerusalem (Groen Links.D)
    Jerusalem (PSQR.B)
    Jerusalem (Solano.Syslexia.B)
    Jerusalem (Solano.Subliminal.B)
    Jerusalem (Westwood.B)
    Jest
    K-4 (687)
    K-4 (737)
    Kemerovo.257.E
    Keypress (1215)
    Keypress (1232.D)
    Keypress (1232.E)
    Keypress (1232.G)
    Keypress (1232.H)
    Keypress (1232.I)
    Keypress (2728)
    Kernel
    Lapse (323)
    Lapse (366)
    Lapse (375)
    Leningrad II
    Literak
    Little Girl.985
    Lockjaw (808)
    Lockjaw (Black Knight)
    Lock-up
    Loki.1234
    Lyceum.930
    M_jmp (122)
    M_jmp (126)
    M_jmp (128)
    Magician
    Manuel (777)
    Manuel (814)
    Manuel (840)
    Manuel (858)
    Manuel (876)
    Manuel (937)
    Manuel (995)
    Manuel (1155)
    Manuel (1388)
    Matura.1626
    Mel
    Merry Christmas
    MG (2.D)
    MG (3.C)
    Mgtu (269)
    Mgtu (273.B)
    Mgtu (273.C)
    Minimite
    Mirror.B
    MPS-OPC II.754
    Mr. G.314
    Mshark.378
    Multi.B
    Murphy (1277.B)
    Murphy (Woodstock)
    Mutator (307)
    Mutator (459)
    Never Mind
    Nina (B)
    Nina (C)
    No Bock.B
    No Frills.835
    November 17th (690)
    November 17th (800.A)
    November 17th (800.B)
    Npox (955)
    Npox (1482)
    Npox (1722)
    Npox (1723)
    Nygus (163)
    Nygus (227)
    Nygus (295)
    Nympho
    OK
    Oropax (B)
    Oropax (C)
    Osiris
    Override
    Parity.B
    Particle Man
    PC-Flu
    Phx
    Pit
    Pixel (277.B)
    Pixel (300)
    Pixel (343)
    Pixel (846)
    Pixel (847.Advert.B)
    Pixel (847.Advert.C)
    Pixel (847.Near_End.B)
    Pojer.1935
    PS-MPC (331)
    PS-MPC (349)
    PS-MPC (420)
    PS-MPC (438)
    PS-MPC (478)
    PS-MPC (481)
    PS-MPC (513)
    PS-MPC (547)
    PS-MPC (564)
    PS-MPC (574)
    PS-MPC (578)
    PS-MPC (597)
    PS-MPC (615)
    PS-MPC (616)
    PS-MPC (1341)
    PS-MPC (2010)
    PS-MPC (Alien.571)
    PS-MPC (Alien.625)
    PS-MPC (Arcv-9.745)
    PS-MPC (Arcv-10)
    PS-MPC (Deranged)
    PS-MPC (Dos3)
    PS-MPC (Ecu)
    PS-MPC (Flex)
    PS-MPC (Geschenk)
    PS-MPC (Grease)
    PS-MPC (Iron Hoof.459)
    PS-MPC (Iron Hoof.462)
    PS-MPC (Napolean)
    PS-MPC (Nirvana)
    PS-MPC (Nuke5)
    PS-MPC (Page)
    PS-MPC (Shiny)
    PS-MPC (Skeleton)
    PS-MPC (Soolution)
    PS-MPC (Sorlec4)
    PS-MPC (Sorlec5)
    PS-MPC (Soup)
    PS-MPC (T-rex)
    PS-MPC (Toast)
    PS-MPC (Toys)
    PS-MPC (McWhale.1022)
    Quadratic.1283
    Radyum (698)
    Radyum (707)
    Rape (2777.A)
    Rape (2877.B)
    Rasek (1489)
    Rasek (1490)
    Rasek (1492)
    Red Diavolyata (830.B)
    Red Diavolyata (830.C)
    Retribution
    Ripper
    Russian_Mirror.B
    Sata.612
    Saturday 14th.B
    Satyricon
    Screaming Fist.I.683
    Shake.B
    Shanghai
    SI-492.C
    SillyC (208)
    SillyC (215)
    Sistor (1149)
    Sistor (3009)
    Skew.445
    Slub
    Smoka
    Sofia-Term (837)
    Sofia-Term (887)
    Stardot.789.C
    Sterculius
    Spring
    Stimp
    Storm (1172)
    Storm (1218)
    Stupid.Sadam.Queit.B
    Sundevil
    Svc (1689.B)
    Svc (1689.C)
    Svc (3103.D)
    Sybille
    Sylvia (1321)
    Sylvia (1332.E)
    Syslock (Syslock.C)
    Syslock (Syslock.D)
    Taiwan (708.B)
    Taiwan (743.B)
    Taiwan (752.B)
    Testvirus-B (B)
    Testvirus-B (C)
    Thirty-three
    Tic.97
    Timid.302
    Tomato
    Totoro
    Traveler Jack (854)
    Traveler Jack (979)
    Traveler Jack (980)
    Traveler Jack (982)
    Unexe
    Uruk Hai.427
    Ussr-707.B
    Vacsina (634,TP.5.B)
    Vacsina (TP.16.B)
    Vbasic.D
    VCL (506)
    VCL (507)
    VCL (604)
    VCL (951)
    VCL (Anti-Gif)
    VCL (ByeBye)
    VCL (Earthquake)
    VCL (Paranoramia)
    VCL (Poisoning)
    VCL (VF93)
    VCL (VPT)
    VCL (Ziploc)
    VFSI.B
    Vienna (566)
    Vienna (623.B)
    Vienna (627.B)
    Vienna (644.C)
    Vienna (648.J)
    Vienna (648.K)
    Vienna (648.O)
    Vienna (648.Reboot.B)
    Vienna (648.Reboot.C)
    Vienna (648.Reboot.D)
    Vienna (648.Q)
    Vienna (648.R)
    Vienna (648.S)
    Vienna (648.X)
    Vienna (758)
    Vienna (Choinka.B)
    Vienna (Choinka.C)
    Vienna (W-13.534.H)
    Vienna (W-13.534.I)
    Vienna (W-13.534.J)
    Vienna (648.Abacus)
    Vienna (Bush)
    Vienna (IWG)
    Virdem (1336.Bustard.A)
    Virdem (1336.Bustard.B)
    Virdem (1336.Cheater)
    Wilbur (B)
    Wilbur (D)
    Wildy
    Willow.2013
    Wisconsin.B
    Wolfman.B
    Wvar
    Xph (1029)
    Xph (1100)
    Xtac
    Yankee Doodle.Login.2967
    Year 1992.B
    Youth.640.B

The following 71 new viruses can now be detected but not yet removed:

    _1403
    _1798
    Arcv (916)
    Arcv (Friends.839)
    Arcv (Jo.911)
    Arcv (Scroll)
    Arcv (Slime)
    Arusiek.817.B
    Atas II.1268
    Barrotes.1303
    Bobo
    Calc
    Civil War.552
    Close
    Darkray
    Digger (1000)
    Digger (1512)
    Dir-II (G)
    Dir-II (J)
    Dir-II (L)
    Du
    Dwi
    Error Inc
    Fairz
    Honey
    Inoc
    IVP (Mandela)
    IVP (Swank)
    Jerusalem.Zerotime.Australian.B
    Little Red
    Malmsey.806
    Marzia
    Mayak
    Mr D (A)
    Mr D (B)
    Multichild.110
    Mutator.780
    Mystic
    Necro-fear
    November 17th.1007
    Number of the Beast (B.2)
    Number of the Beast (E.2)
    Phalcon.Emo
    Predator (1072)
    Predator (1137)
    Predator (1148)
    Predator (1195)
    Predator (2448)
    Proto-T.1053
    Rape.1885
    S-bug.Fruit-Fly
    Sarov
    Screaming Fist (II.650)
    Screaming Fist (II.652)
    Screaming Fist (II.724)
    Screen+1.1654
    Seat
    Serene
    Shoo (2803)
    Shoo (2824)
    Skater (699)
    Skater (977)
    Skater (1021)
    Soupy (1001)
    Soupy (1072)
    Student
    Suriv 1.Xuxa.1405
    SVC.2936
    Svm
    Velvet
    Yankee Doodle.2189
    Zherkov.2435

The following 3 viruses can now be disinfected. The earlier versions of F-PROT could only destroy the infected files:

    HLL (3680)
    HLL (Antiline)
    Loren

Appendix: Combined antivirus reviews 1993
-----------------------------------------

During 1993, F-PROT has been the product to dominate antivirus reviews throughout the world. Here's a reference table of the results of some of the most important tests:

PC Magazine, Germany, January 1993:
    1. F-PROT 2.05a
    2. Antivir IV 4.04
    3. AntiVirus Toolkit 5.61

Virus Bulletin, Great Britain, January 1993:
    1. F-PROT 2.06b
    2. AntiVirus Toolkit 6.02
    3. AVScan 0.98H

Software Digest, USA, May 1993:
    1. F-PROT 2.07
    1. CPAV 2.0
    2. AntiVirus Toolkit 6.02

VSUM 307, USA, July 1993:
    1. F-PROT 2.09
    2. ViruScan V106
    3. AntiVirus Toolkit 6.53

PC Magazine, Italy, August 1993:
    F-PROT 2.06a
    AntiVirus Toolkit 6.5
    Norton Antivirus 2.1

VSUM 308, USA, August 1993:
    1. F-PROT 2.09
    2. ViruScan V106
    3. AntiVirus Toolkit 6.53

Computer Sweden, Sweden, August 1993:
    F-PROT 2.09
    AntiVirus Toolkit 6.30
    ViruScan V106
    TBScan 6.03

CM-Corporate, Belgium, September 1993:
    1. F-PROT 2.09
    2. AntiVirus Toolkit 6.53
    3. TBAV 6.03

Personal Computer Magazine, The Netherlands, November 1993:
    F-PROT 2.09
    ThunderByte Antivirus 6.05
    Sweep 2.53
