F-PROT Professional 2.21 Update Bulletin ======================================== Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.21 is mentioned. Copyright (c) 1995 Data Fellows Ltd. ------------------------------------------------------------------------------ Contents 6/95 ============= Change in climate Virus Writer Sentenced to Prison in UK The Global Virus Situation Little_Red.B Stoned.Angelina WordMacro/Colors News in Short The Happy Birthday Hardware Trojan Common Questions and Answers Virus Activation Routines Changes in F-PROT version 2.21 Change in climate ----------------- In recent times, the attitudes towards viruses and virus writers seem to have toughened worldwide. People have apparently recognized viruses for what they are: an information security threat, not just harmless pranks. We here at Data Fellows approve of this trend; it makes our job that much easier. The weather has indeed turned cloudy for virus writers and virus groups. A short time ago, a virus writer in UK experienced the consequences of this shift. Virus Writer Sentenced to Prison in UK -------------------------------------- Christopher Pile, an unemployed 26-year-old from Efford, Plymouth in UK, gained notoriety under the pseudonym Black Baron by creating the viruses Pathogen, Queeg and Smeg. These viruses were available on computer bulletin boards and systems connected to Internet. Unlike too many virus writers, Pile was caught. At his trial on 26th of May 1995, Pile pleaded guilty to eleven charges arising from his creation and release of these viruses. Ten counts related to instances where organizations had suffered unauthorized modification of their computer data by one of these viruses. The eleventh charge relates to inciting others to create computer viruses and hence cause unauthorized modifications. Although Pile's trial was in May, the sentencing was delayed until November to allow both defense and prosecution counsel to argue the seriousness of these crimes. Christopher Pile was sentenced to 18 months of imprisonment. This makes him the first person in the United Kingdom to be convicted of writing and distributing computer viruses, and the first person in the world to be convicted of inciting others to create computer viruses. Of course, precedents for punishing virus writers exist in the UK; in October 1992, three Cornell University students were each sentenced to several hundred hours community service for creating and disseminating a computer virus. Unauthorized modification of information in a computer system is an offense under section 3 of the United Kingdom's Computer Misuse Act 1990. The maximum punishment under this section is five years imprisonment or an unlimited fine or both. The Global Virus Situation -------------------------- Little_Red.B ------------ The Little_Red.B virus infects COM and EXE files every time they are opened or executed. The virus is also able to infect programs in a directory when the DIR command is used on the directory. Infected files grow by 1465 bytes. Little_Red was quite a common virus in the USA during the end of 1994. The virus activates on the 26th of December and the 9th of September and plays one of two Chinese melodies. The activation dates are the birth and death dates of Mao Tse Tung, which is why the virus is also known as Mao. The Little_Red virus is known to hide on some Proview monitor utility diskettes (Power Management EPA Energy Star & VESA DPMS Compliant Version 2.02). F-PROT is able to detect and disinfect the Little_Red virus. Stoned.Angelina --------------- In November 1995, this Polish variant of the Stoned virus was discovered on some brand-new, straight-out-of-the- factory Seagate 5850 (850MB) IDE hard disks. Discoveries were made in at least the Nordic countries. The virus contains the text: Greetings for ANGELINA !!!/by Garfield/Zielona Gora Zielona Gora is a city in Poland. Stoned.Angelina is a stealth virus. It is able to hide its own code on the hard disk while it remains active in the computer's memory. WordMacro/Colors ---------------- One new Microsoft Word macro virus has appeared since the discovery of the first three macro viruses (for more information, see Update Bulletin 2.20). The new virus is known as WordMacro/Colors. This macro virus was sent to a usenet newsgroup on the 14th of October, 1995. The virus is also known by the name Rainbow. WordMacro/Colors infects Word documents in a similar manner as the previous Word macro viruses. However, the viruse's operation does not depend solely on the auto-execute macros. Thus, the virus is able to execute even if automatic macros are turned off. WordMacro/Colors contains the following macros: AutoClose AutoExec AutoOpen FileExit FileNew FileSave FileSaveAs ToolsMacro macros All the viral macros are encrypted with the standard Word execute-only feature. Once an infected document has been opened, the virus will execute when the user: o Creates a new file o Closes the infected file o Saves the file (autosave does this automatically after the infected document has been open for some time) o Lists macros with the Tools/Macro command You will naturally wish to verify that your computer has not been infected by the WordMacro/Colors virus. However, do not use the Tools/Macro command to do so - if the virus is indeed present, you will only succeed in executing it. Instead, use the File/Templates/Organizer/Macros command to detect and delete the offending macros. Keep also in mind that some future macro virus will probably subvert this command as well. The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is added to during the execution of the viral macros. After every 300rd increments the virus will modify the system's color settings; the colors of different Windows objects will be changed to random colors after the next boot-up. This activation routine does not work in Microsoft Word for Macintosh. It is interesting to note that the viruse`s AutoExec macro is empty. It has probably been included only in order to overwrite an existing AutoExec macro - which might contain some anti-virus routines. WordMacro/Colors also re-enables the automatic execution of automacros if it has been disabled, and turns off the `prompt to save changes to NORMAL.DOT' feature; both measures have been used in countering macro viruses. WordMacro/Colors seems to be carefully written; it has even a built-in debug mode. The virus has probably been written in Portugal. F-PROT Professional 2.21 detects the WordMacro/Colors virus. News in Short ------------- The Happy Birthday Hardware Trojan ---------------------------------- November the 13th surprises have become something of a tradition. This year, a large number of users encountered one again. There seems to be a large set of trojanized AMI BIOS chips going around. These chips halt the machine during the boot- up on the 13th of November, and play `Happy Birthday' from the PC speaker until you press a key. Do note that this is not a virus - the affliction will not spread anywhere from a trojanized machine. If you have this problem, contact your hardware vendor for a BIOS replacement. Common Questions and Answers ---------------------------- If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact Data Fellows directly at the number 358-0-478 444. Written questions can be mailed to: Data Fellows Ltd F-PROT Support P„iv„ntaite 8 02210 ESPOO FINLAND Questions can also be sent by electronic mail to: Internet: F-PROT-support@DataFellows.com or F-PROT-sales@DataFellows.com X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi I am interested in Internet and Web surfing. However, I am afraid of catching a virus from the net. Do the viruses in Internet pose a real danger? There is a problem with viruses in Internet. However, at the moment other information security problems present a much greater dilemma than viruses. In public, well-known ftp and www servers there are virtually no viruses, since the files in them are checked for infections before they are placed in distribution. However, Internet contains also plenty of shady, obscure servers where one may find anything at all. There is no shortage of servers specializing in pure virus distribution, either. Those who search for viruses will have no trouble finding them. There are also other ways to distribute viruses via Internet: files attached to e-mail, the chat function IRC and its file-exchange features, the different newsgroups. The greatest danger lays probably in the alt.binaries newsgroups - they serve as relay stations for all kinds of programs, most of which are not checked for infections. To make matters worse, many virus writers use these newsgroups as a distribution route for their viruses - they simply infect an innocuous-looking file package with their latest invention and send it to a newsgroup. For instance, this kind of an incident took place in 24.07.1994, when a game called SEXXY was mailed to the alt.binaries.pictures.erotica newsgroup. The virus writer who sent the game had deliberately infected it with the new Kaos4 virus. During the next five days, reports of the virus arrived from all over the world. There were also many who never reported the virus - too embarrassed to admit that they had caught the infection from a pornographic newsgroup. Netsurfers would be well advised to protect their computers with the F-PROT Gatekeeper background protection program, which automatically examines all files that are transferred to the computer. That way, one does not have to check the files for viruses separately. Of course, common sense during Internet adventures doesn't exactly hurt, either. I installed Windows 95 on my computer. Soon after that, I came to notice that Windows writes on my non-write-protected diskettes even if I only browse the diskettes' directory listings. Why is that? May it cause harm? Windows 95 does indeed act in this peculiar manner. The actual reason it does so is not known. Microsoft's technical documentation states that, for the purposes of detecting disk changes, Windows 95 writes on diskettes' boot sectors when the diskettes are used, but in reality Windows 95 also writes on the diskettes' root directories. Windows 95 seems to make a note of all the EXE files it has not previously seen. These notes are stored in an unused area in directory information, and they take up two bytes per. The bytes are apparently time-stamped checksums of the file's directory information. If Win95 has previously encountered a similar EXE file on the hard disk, on a diskette, or in the network, it won't make a note of the file. Windows does not examine the file's contents - instead, it seems to maintain a database about EXE files' directory information. Win95 does not make notes about COM files, nor does it try to write on write-protected diskettes. The writing in directories seems most probably connected to Windows 95' icon cache function. In any case, Windows 95 does write on non-write-protected diskettes during normal read procedures. This may hamper the functioning of certain copy-protection programs and nonstandard diskettes. Virus Activation Routines ------------------------- The following article on virus activation routines was written by Mikko Hypp”nen, Data Fellows LTD's F-PROT Technical Support Manager. We will publish the article in two parts - the second will appear in the next Update Bulletin. The text has previously been published for the Eicar Conference `95, where Mr. Hypp”nen presented it in its entirety. Introduction The general public's idea of a computer virus is usually something like "It's a program that destroys data". Strictly speaking, this is not true, for a virus doesn't have to destroy anything in order to be a virus. In fact, most of the known viruses do not format hard drives or overwrite files - or do anything at all besides spreading. All anti-virus support persons know that a lot of the people calling support ask "Your program said I have this virus. What does it do?", and the typical answer is: "Nothing. It just replicates". People often find this surprising, because the destructive or spectacular viruses - naturally - get more publicity than the boring ones which have nothing special about them. Still, roughly half of the known viruses have no activation routines at all. Perhaps the authors of these viruses wanted to make their viruses smaller by omitting such routines, or perhaps they reasoned that any activation at all will just result in the virus being discovered earlier. Or perhaps they just didn't have the imagination to think up an activation routine. Common Viruses and Activation Routines A quick look at the most common viruses worldwide reveals that most of them have no visible activation features at all: o AntiCMOS.A - has an activation routine, which is never executed o AntiEXE - has an activation routine, which is practically never executed o DIR_II.A - no activation routine o Form.A - has an activation routine, which is practically never executed o Tai-Pan.438 - no activation routine o Junkie - no activation routine o Stoned.Empire.Monkey.B - no activation routine o Stoned.Standard.A - has an activation routine, which is executed very seldom o Stoned.No_INT.A - no activation routine o Stealth_Boot.B - no activation routine o WordMacro/Concept - no activation routine These viruses alone are currently responsible for probably two thirds of all the virus infections worldwide. However, among the most common viruses there are also viruses with activation features: o Kampana.A - overwrites part of the hard drive after 400 boots o Green_Caterpillar.1575 - draws a caterpillar on the screen after 60 days o Michelangelo - overwrites part of the hard drive on every 6th of March o Cascade.1701.A - drops letters to the bottom of the screen o V-Sign - draws a large V with ASCII graphics after every 64 boots o Tequila - draws a fractal by random Classification There are no formal classifications rules for the viruses' different activation routines. However, we can divide the routines of known viruses in the following groups: o Data destruction o Sounds, tunes, speech o Animations o Messages o Interactive activations o Fake hardware failures o Practical jokes o Denial of service Data Destruction Destructive activation routines can be further divided into immediate and gradual. Michelangelo, Kampana and Natas are examples of immediately destructive viruses - they simply overwrite part of the hard drive with a low-level BIOS function. Other viruses with immediately destructive routines delete or overwrite files instead of overwriting physical sectors. Gradual destruction is done by viruses such as Ripper or Nomenklatura, which slowly corrupt the data on the hard drive. This is also known as data-diddling. Such corruption is likely to go unnoticed until the corrupted data has been backed up several times. This makes data recovery considerably more difficult, and in most cases significant amounts of data will be lost for good. Thankfully, destructive activation routines quite often fail to work due to programming errors. It seems that the virus authors are reluctant to test these routines on their own machines. It is also worth noticing that there are very few destructive viruses on the Macintosh side. This is possibly a result of the different user cultures of PC and Mac users. Sounds, tunes, speech There are several viruses which play tunes through the PC speaker upon activation. Probably the most common examples are the different Yankee_Doodle variants which activate by playing the Yankee Doodle tune at different times of day. Other viruses just produce beeps and zaps occasionally. There are also some viruses which try to speak - one example is the Dreamer virus, which tries to say "Hitler!" through the PC speaker. Finally, there are some viruses which try to utilize a sound card if the infected PC contains one. Animations Viruses which activate with an animation can be further divided into text-mode and graphical animation viruses. Examples of text-mode animation viruses are the Cascade.1701.A virus, which drops the characters on the screen to the bottom of the screen, and the Walker virus, which produces a walking man animation on the screen. Another example is the Vienna.Bua AKA Big Caibua virus, which attracted media attention with its activation routine: it displayed a text-mode animation of an ejaculating penis on the screen while deleting data on the hard drive. Graphical activation routines are somewhat rarer. However, they can be found in viruses like Den_Zuk, which displays a logo on the screen, and the HH&H virus, which shows quite an interesting 3D animation of a bouncing ball built out of small dots. Messages Viruses which display messages on-screen include Stoned.Standard.A, which occasionally displays "Your PC is now Stoned!" if the machine is booted from a diskette. Another common virus with a message to display is the Parity_Boot.B virus, which activates by displaying "PARITY CHECK". A more interesting display is produced by the Rescue virus, which shows a screen full of nonsense messages. Interactive Activations Some viruses stop the PC and demand that the user do something. For example, the Joshi virus stops the machine on January 5th and allows the computer to continue functioning normally only after the user types "Happy Birthday Joshi". The Casino virus forces the user to gamble in a Jackpot game, the stakes being the contents of the hard drive. Some viruses demand somewhat more effort from the user. The YAM.Math virus will occasionally stop the machine when a program is run, and display simple addition or subtraction questions. Execution of the program is denied unless the user gives the correct answer. Another similar virus called Peter_II displays the following message: Good morning,EVERYbody,I am PETER II Do not turn off the power, or you will lost all of the data in Hardisk!!! WAIT for 1 MINUTES,please... After this, the virus encrypts the whole hard drive. Having done that, it continues by displaying the following questionnaire: Ok.If you give the right answer to the following questions,I will save your HD: A. Who has sung the song called "I`ll be there" ? 1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4): B. What is Phil Collins ? 1.A singer 2.A drummer 3.A producer 4.Above all(1-4): C. Who has the MOST TOP 10 singles in 1980`s ? 1.Michael Jackson 2.Phil Collins (featuring Genesis) 3.Madonna 4.Whitney Houston(1-4): If the user gives correct answers to all questions, the virus decrypts the hard disk and displays the following message: CONGRATULATIONS !!! YOU successfully pass the quiz! AND NOW RECOVERING YOUR HARDISK ...... The user can then continue to use the computer normally. However, if incorrect answers are given, the virus will not decrypt the hard disk. Instead, it will just display the following message: Sorry!Go to Hell.Clousy man! Correct answers to the questions are left as an exercise to the reader. Finally, some viruses invite the user to play a game on the PC. An example of this is the Playgame virus, which displays a simple race game. Fake Hardware Failures Some viruses try to simulate a hardware failure. For example, the Azusa virus disables the serial and parallel ports of the machine, and Parity_Boot makes it appear as if the computer has faulty memory chips. In the worst case, the user is fooled into replacing components of his system before he realizes that there is nothing physically wrong with the machine. Practical Jokes Several viruses play practical jokes on the user. The Jerusalem.Fu_Manchu virus monitors what the user types, and inserts comments when keywords such as `Thatcher', `Reagan' or `Waldheim' are entered. The Armagedon virus from Greece checks whether a modem is connected to the machine, and tries to call out to the local time service when the time is between 5am and 6am. The Fone.688 tries to pull a similar prank but with one difference - it calls to X-rated 1-900 phone services in the USA. The Haifa virus inserts two text lines in the middle of DOC files when they are accessed: OOPS! Hope I didn't ruin anything!!! Well, nobody reads those stupied DOCS anyway! Similarly, the WordMacro/Nuclear virus adds comments against French nuclear testing in Pacific to the end of documents when they are printed or faxed from Microsoft Word. Denial of Service Some viruses just try to make the machine unusable. Viruses which overwrite hard drives are somewhat obvious about it, but good backups provide a fast way to recover from the damage. On the other hand, there are also viruses like Monica, which turns the BIOS boot-up password function on (if the BIOS supports this), and sets the password to `monica'. As there is no way for the user to guess the password, the machine is rendered effectively unusable until the CMOS battery is disconnected. In the future we will probably see Flash BIOS -aware viruses, which will cause even more difficult problems. The remaining part of the article will be published in the next Update Bulletin. It describes viral trigger mechanisms, tells where to get information about viruses, and lays out some future prospects. Changes in F-PROT version 2.21 ------------------------------ Changes in F-PROT for DOS ------------------------- The Antibase virus was previously detected only in COM files. Now it can also be detected in EXE files. Although the Ginger.2774 virus could previously be detected in boot sectors, the program could not identify it accurately. This has been corrected. Formerly, the PH33R virus could only be detected in DOS programs. Now, it can also be detected in Windows programs. Minor Improvements and Changes Previously, if someone created a file containing a short byte string which happened to be one of the search strings used by F-PROT, the program reported that the file had been infected by "a new or a modified variant". Nowadays, the program checks whether the file is large enough to contain the virus in the first place. If the file is too short, F-PROT does not report anything. F-PROT can now identify files destroyed by the Exebug virus. Changes in F-PROT for Windows ----------------------------- The memory test has been changed to avoid problems with buggy flat model display drivers. Communications directory polling mechanism has been changed to reduce sharing violations and other network conflicts, especially in NT networks. It is now possible to poll the network communication directory at a different rate from polling the local directory. F-Agent's polling interval specified in the Network preferences now determines the polling rate for the communications directory only. Value of 90 minutes is the default. The local tasks poll rate is hardcoded to 6 minutes. Sometimes an "Error -xxx loading scan_s.dll" message was shown without real reason occasionally on startup; this bug has been fixed. Environment variable name is now allowed in user name at workstation preferences: if you have variable USER holding the name of the user, you can enter #USER# to Workstation name field. F-PROT Gatekeeper Scans for document macro viruses by default now; feature can be disabled by a setting in F- PROTW.INI. Less conventional memory (below 1MB) will be reserved by Gatekeeper when it is loaded. It is now possible to configure the position of Gatekeeper's memory scan progress bar by a setting in F-PROTW.INI in your Windows directory, for example: [MemoryScan] StatusWindowPos=LowerRight Choices are UpperLeft, UpperRight, LowerLeft and LowerRight. The dialog "Distribute Installations by Autoinst" now has an Options button, which brings out a dialog for setting some basic options: whether to install FPW or Gatekeeper or both, and whether there will be a local, remote, or standalone installation. The AUTOINST.INI created will then contain proper settings for the selected installation type. Changes in the F-ARC Program It is now possible to disable F-ARC's boot sector check. This is done by adding the following lines to the file F-ARC.INI: [F-ARC] bootscan=0 The following 29 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but not identified accurately. _548 Bane Burgar.560.BB Darth_Vader.411 Itti.99.C Leprosy.534 Leprosy.666.R Leprosy.792 Linda MSK.272.B MSK.272.C MSK.284.B Orce.67 Orce.71 Quasar.422 SillyOR.83 Springs Terra Trelew Trivial.26.D Trivial.29.F Trivial.40.H Trivial.42.I VCL.341 VCL.355 VCL.407 VCL.427 VCL.645 VCL.Mindless.423.I The following 183 new viruses can now be removed. Many of them were detected by earlier versions, but are now identified accurately. _205 _351 _553 _612 _658 _724 _759 _1314 _1972 Ahav Alex.818 Anthrax.B Armagedon.1065 Armagedon.1066 Asahi.1045 Asahi.1061 Australian_Parasite.231 Australian_Parasite.279.B Avalon Badsectors.3627 Barrotes.1463 Beda.1530 Bengal.1170 Black_Jec.231.B BootExe.453.A BootExe.453.B BootExe.453.C Cascade.1701.AL Cascade.1701.AM Cascade.1701.AN Cascade.1701.AO Cascade.1701.AP Catherine CED Chomik Conjurer.181 Conjurer.265 Conjurer.270 Conjurer.277 Conjurer.353 Conjurer.550 Continua.B Cor Coyote CPW.1457 Creeper.482 Dagger Danish_Tiny.263.B Danish_Tiny.312 Dark_Avenger.2000.GoGo Dark_Revenge Darth_Vader.344.E Dex Diablo Diamond.1024.D Drunk.527 EM Fis Flame.B Ginger.2620 Gippo.Bumpy.B Gynx H8 Hates.190 Heja.511.B Heja.511.C Helloween.1376.B Helloween.1376.C Helloween.1376.D Helloween.1376.E Helloween.1376.F Hellspawn.1075 HLL.10217 HLLC.12573 Ibqqz IVP.652 Jerusalem.1024 Jerusalem.1234 Jerusalem.1624 Jerusalem.1747.B Jerusalem.1808.Frere.K Jerusalem.1808.sUMsDos.AS Jerusalem.1808.sUMsDos.AT Jerusalem.1808.sUMsDos.AU Jerusalem.Sunday.P Katvir Keeling Kode_4.399.B Kode_4.412 Kolumna.1100 Leda Leech.1008 Little_Brother.276 Malaise.D Mario MDS.331 Mephisto.510 Minnie MR Murphy.HIV.D Murphy.HIV.E Natas.4740 No_Frills.1358 NotStoned November_17th.768.E Ntmy Opal Open.1569 Open.1581 Overboot Peligro.1208 PH33R Phi Pihenj PS-MPC.306 PS-MPC.603.D PS-MPC.Skeleton.598.G Pure.439 Quell Quick Reverse.C Riihi.258 Riot.Carpe_Diem.1305 Riot.Carpe_Diem.1415 RMC Rocket Rodolf.4096.B Salamander Scotch Seventh_son.334 SillyC.101 SillyC.109 SillyC.162 SillyC.184 SillyC.254.A SillyC.254.B SillyCR.125.B SillyCR.3152 SillyER.168 Stoned.Dinamo.B Stoned.Dinamo.C Suriv_1.941 Suriv_1.1000.B Swiss_boot.B Tai-Pan.438.C Tankar.212 Teh Tib Timid.245 Timid.289 Timid.302.B Titanium Undershove VCL.229 VCL.331 VCL.339 VCL.343.A VCL.343.B VCL.395 VCL.401 VCL.432 VCL.453 VCL.485 VCL.513 VCL.517 VCL.570 VCL.708 VCL.851.B VCL.909 VCL.Spam VCL.VCC.343 VCL.VCC.353 Vienna.648.AG Vienna.648.AH Vienna.Iraqui_Warrior.C Vienna.W-13.600 Virdem.1336.German.C Won't_Last WSI WZ.436.A WZ.465.B Xiv YB.8588 The following 65 new viruses are now detected and identified but can not yet be removed. _732 _2158 Air_Raid.330 Annihilator.208 Annihilator.272.B Annihilator.276 Annihilator.308 Annihilator.314 Annihilator.361 Annihilator.394 Annihilator.453 Annihilator.510 Annihilator.548 Attitude.823 Caos Conjurer.300 Conjurer.312 Conjurer.377 Conjurer.408 Conjurer.433 Conjurer.506 Conjurer.510 Conjurer.586 Conjurer.886 Crazy_Frog Dan.1092 Dan.1871 Digdeath.1062 Digdeath.1153 Explorer.3037 Grace Int13.B IVP.632 IVP.674 IVP.703 IVP.1017 IVP.Insomnio Lost_Friend.881 Lost_Friend.882 Lucifer Marbas.1303 M01 NRLG.575 NRLG.587 NRLG.624 NRLG.655 NRLG.727 NRLG.982 No_of_the_beast.AC Psychosis.991 Qtiny.162 Quish Red_Zar.461 Red_Zar.467 Rider.575 Riot.Carpe_Diem.1012 Spec St_R Thirty_First Tigre.1800.B Vampiro.1623 VCL.VCC.367 VCL.VCC.438 VCL.VCC.571 WordMacro/Colors The following 5 new viruses are now detected, but not identified. F-PROT will just report the family name with a (?) or report the virus as "New or modified variant", as it is not yet able to determine which variant it is dealing with. Disinfection of these viruses is not yet possible. Avispa.C Avispa.D Avispa.E Avispa.F FinnPoly The following 2 viruses which were identified by earlier versions can now be removed. Boot-437 LV The following viruses have been renamed: Espejo -> Fifteen_Years Vienna.IWG -> Vienna.Iraqui_Warrior.B ------------------------------------------------------------------------------ F-PROT Professional 2.21 Update Bulletin ======================================== Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com This material can be freely quoted when the source, F-PROT Professional Update Bulletin 2.21 is mentioned. Copyright (c) 1995 Data Fellows Ltd. ------------------------------------------------------------------------------