F-PROT Professional 2.14 Update Bulletin
========================================

This material may be freely quoted as long as the source is mentioned.
F-PROT Professional version bulletin 2.14. Copyright (c) 1994 Data Fellows Ltd.

Contents

- Virus Situation In Far East
- F-PROT Remains At the Top
- The Award Goes To Data Fellows Ltd's Vineyard Workgroup Software
- World Wide Web
- New Viruses In the Wild
  - Kaos-4
  - Tai-Pan
  - Parity_Boot.B
  - VLamiX
  - Goldbug
  - _1099
- New Viruses in Belgium
  - Sandrine
  - BombTrack
- Hong Kong - A Crossroads for Viruses
- Good viruses and bad viruses
- A dozen reasons why a "good" virus is a bad idea
- False alarms of anti-virus products
- F-PROT support informs: Common Questions and Answers
- Changes in Version 2.14
- New Viruses Detected by F-PROT 2.14

Virus Situation In Far East
---------------------------

In August, we and our local distributor arranged a joint anti-virus seminar in Beijing, China. The seminar was held alongside the country's biggest information technology fair, the China International Computer Exhibition '94, where we also exhibited the F-PROT Professional product family in our own booth. We were the only company to bring anti-virus software to the fair.

During the seminar, we asked how many people in the audience had found a virus on their computers. All hands rose. We asked how many of them used an anti-virus program. Again, all hands rose. When we went on to ask how many had updated their anti-virus program during the last month, nobody reacted. The last two months? Again, no reaction. Finally, when we asked about the last four months, somebody in the audience gathered his courage and admitted that he usually updated his anti-virus program once a year.

In China, the virus problem is as bad as in Russia. The biggest reasons for this are:

- Many computers do not have hard disks, so programs are stored on diskettes and viruses spread easily
- Networks are relatively rare, so files are transferred on diskettes
- Most of the programs in use in China are pirated copies

China's government recognized the seriousness of the virus threat as early as the late eighties. Legislation dealing with the issue was passed, and the government created a separate department, operating under the state's Security Ministry, to combat the problem. An anti-virus program called Kill was also developed under the Security Ministry's auspices. At first, Kill was distributed free to everybody who wanted it; nowadays a small fee is charged. Surprisingly, then, China turns out to be quite aware of the virus threat, and the problem is taken seriously.

F-PROT Professional was also highly visible in Japan, where, among other things, PC Week magazine interviewed Data Fellows Ltd's managing director, Risto Siilasmaa.

F-PROT Remains At the Top
-------------------------

In its latest issue, Byte magazine published the results of a test of NLM (NetWare Loadable Module) anti-virus products. F-PROT was included in the test and did excellently. The results are listed below:

Rating   Product             Version
****     F-PROT              1.24
****     CPAV                2.0
****     NAV                 1.0
***      LANDesk             2.1
***      NetShield           1.6
**       InocuLAN            2.56
*        Dr. Solomon's AVT   1.03

****  = Excellent
***   = Average
**    = Below Average
*     = Poor

The Award Goes To Data Fellows Ltd's Vineyard Workgroup Software
----------------------------------------------------------------

Besides F-PROT, our other product, Vineyard, is also doing well. Vineyard was awarded the title "Best of Show" at the Groupware '94 fair in the USA. The contest was held by Computerworld magazine, and its purpose was to spread some deserved acclaim among groupware manufacturers. The jury included, among others, representatives of Gartner Group, Andersen Consulting and Infoworld.

Vineyard's award is especially noteworthy considering the toughness of the competition. The products of all major groupware manufacturers were represented in the show. Among the competitors were Lotus Notes, Lotus VIP and all the groupware products of Microsoft and Novell.

World Wide Web
--------------

We are happy to announce that our World Wide Web server is now operational. The service can be accessed with any WWW browser by connecting to http://www.DataFellows.fi/. The server lets Internet users browse various information, including:

- product information: white papers and demos are available for downloading
- virus information: an on-line database of F-PROT Professional virus descriptions, virus news from Data Fellows's F-PROT support, and the comp.virus Frequently Asked Questions
- access to related information worldwide: Gopher servers, FTP sites, newsgroups
- Data Fellows press releases

A text mode browser can also be used. To access our WWW site, you will need the following:

1. Internet access. This can be a direct line or a SLIP or PPP connection. Some Unix users can also use a Term connection.
2. A TCP/IP stack. PC users need a stack with Windows Sockets compatibility. Suitable products are Microsoft Wolverine, FTP Software's PC/TCP, PC-NFS, SuperTCP, Trumpet Winsock etc.
3. A browser. This can be, for example, NCSA Mosaic, Cello, WinWeb or Lynx. Most of these products are available for a variety of platforms. If you do not have a browser but are able to telnet, you can use one of the text-based WWW gateways.

Most or all of the programs needed are available for free from FTP sites. The Data Fellows WWW site is a public site and the service is free: no login is necessary.

New Viruses In the Wild
-----------------------

Kaos-4
------

Kaos4 spread from an infected file which was posted to the Usenet newsgroup alt.binaries.pictures.erotica on 24 July 1994. Within a couple of days the virus had spread all over the world.
It is reported to have been found at least in the USA, Germany, Norway and Finland.

Kaos4 is a simple virus: it spreads only when an infected program is executed, infecting COM and EXE files in the current directory and in the directories on the PATH. Apart from spreading, the virus does nothing. Infected files grow by 697 bytes. The virus contains the text "KAOS4 / Köhntark"; Köhntark is a well-known American virus writer.

F-PROT detects and disinfects the Kaos4 virus.

Tai-Pan
-------

Tai-Pan was first discovered in Sweden in the summer of 1994 and has since spread in Europe, mainly in Scandinavia. The virus was present at least in a file called PROLOGUE.ZIP, a demonstration released by the demo group Legen Design.

Tai-Pan is quite a simple virus. It stays resident in memory and infects nearly all EXE files that are executed; it will not infect files larger than 64 kB. Infected files grow by 438 bytes. Tai-Pan does nothing apart from spreading itself.

Tai-Pan is also known as Whisper, after the text it contains: '[Whisper presenterar Tai-Pan]'.

F-PROT detects and disinfects the Tai-Pan virus.

Parity_Boot.B
-------------

Incidents involving the Parity_Boot.B virus have lately popped up in several parts of the world. The virus seems to be especially common in Germany.

Parity_Boot.B infects the boot records of diskettes and the Master Boot Records of hard disks. As a typical boot sector virus, Parity_Boot.B can infect a hard disk only when the computer is booted from an infected diskette. The virus reserves one kilobyte of conventional memory for itself and infects every non-write-protected diskette used in an infected computer.

Parity_Boot.B uses stealth techniques, so the changes the virus has made cannot be seen while it is active in memory; a suspect disk should therefore be examined after booting from a clean, write-protected diskette.

Parity_Boot.B activates at random times and prints the message "PARITY CHECK" on the screen. After this, the virus crashes the computer, simulating a genuine error caused by faulty memory circuits.

F-PROT detects and disinfects the Parity_Boot.B virus.

VLamiX
------

The VLamiX virus spread through BBS systems in an archive called A30!PWA.ZIP, which purported to contain version 3.0 of the popular ARJ archiver. Robert Jung, the author of ARJ, has confirmed that ARJ 3.0 has not been released. The whole incident happened near the end of August.

VLamiX is a simple resident file virus; it infects EXE files when they are opened, appending an encrypted copy of itself. It uses a simple encryption routine with a 16-bit key which changes between infections. The decryption routine itself does not change, however, which makes the virus easy to spot. The virus contains several bugs and often corrupts a file irreparably instead of infecting it.

The name VLamiX is taken from a text string found beneath the virus's encryption:

    smartc*.cps
    chklist.*
    -=*@DIE_LAMER@*=-
    CHKLIST ???
    CHKLIST.CPS
    VLamiX-1

As the strings suggest, VLamiX attacks CPAV and MSAV by deleting their checksum files.

F-PROT detects and disinfects the VLamiX virus.

Goldbug
-------

Goldbug is a complex virus made in the USA. It slipped into international circulation in the summer of 1994, having been attached, apparently on purpose, to a beta version of the game DOOM. This archive was circulated on BBSs worldwide.

Goldbug infects the master boot records of hard disks and the boot sectors of diskettes. It also spreads with the companion virus technique and contains retrovirus features. Goldbug uses an astonishing variety of tricks to make detection and surveillance difficult.

When a file infected by Goldbug is executed, the virus copies its own code to the hard disk's master boot record. If the computer has HMA memory available, the virus goes resident. If the computer is not at least a 286, or the system does not use HMA memory, the virus does nothing. When the virus infects the hard disk, it overwrites the partition information in the master boot record.
Due to Goldbug's stealth capabilities, this cannot be seen as long as the virus is resident in memory. However, if the computer is booted from a clean diskette, the system cannot find the hard disk. The effect is similar to that caused by, for example, the Monkey virus, and prevents the virus from being removed with the FDISK /MBR command.

The next time the computer is started, the virus goes resident, storing its code in color video memory, and at this stage restores the original master boot record. The virus cannot keep its code in color video memory indefinitely, because that would prevent graphical programs from working; but at this stage it cannot move its code to HMA memory either, since the memory management programs have not yet been loaded from CONFIG.SYS. The virus therefore hooks the video interrupt 10h and waits for HMA to become available. If HMA memory is not installed, the virus removes itself from memory once the computer switches to graphics mode. Otherwise the virus copies its code to the top of HMA memory as soon as it gets the chance. Once in HMA, the virus writes its own code back to the master boot record.

Goldbug infects the boot sectors of 1.2 MB diskettes like a normal boot sector virus: all non-write-protected diskettes used in a Goldbug-infected computer are infected. In addition to the boot sector, Goldbug uses two sectors on the diskette to store its code; unlike most other boot sector viruses, however, Goldbug checks that these sectors are empty before infecting the diskette.

Goldbug handles diskette infections in quite an unusual way. If a computer is booted from an infected diskette, the virus stays resident in video memory until it gains access to HMA memory. When HMA memory becomes available, the virus infects the hard disk. At the same time, it removes its own code from the diskette, and will not infect that diskette again while it stays in the drive. This makes it difficult to trace an infection's source, because the diskette the virus originally arrived on may no longer be infected.

When the virus is active, it infects EXE programs as they are executed. The virus creates a companion file for the program in the same directory and removes the original file's extension: PROGRAM.EXE, for example, is renamed PROGRAM, and the companion file is then given the original name. The virus takes care to give the companion file the same size, creation date and attributes as the original file. The original file is given the system attribute, so that it does not appear in a directory listing. The virus does not create companion files on diskettes. However, it will infect files over a network, as long as the user has the right to create and rename files there.

Goldbug employs a variable encryption routine. The virus can use 512 different decryption routines, each of which it can modify in 128 different ways. Nevertheless, its encryption technique cannot be called truly polymorphic. The encryption routines are protected, which makes the virus difficult to decrypt for analysis.

Goldbug is a stealth virus. When the master boot record of an infected hard disk or the boot sector of an infected diskette is examined, the virus shows the user a copy of the original object. When an infected EXE file is executed, the virus reroutes the operation to the original file. If some program tries to delete a companion file the virus has created, the virus causes the original file to be deleted instead.

Most viruses which hijack interrupt 13h are easily caught if the computer runs Windows 3.1 with 32-bit disk access enabled: Windows reports an error during startup if the disk interrupt vector has been changed. Goldbug sidesteps this by releasing interrupt 13h when Windows is started. The virus also restores the master boot record to its original state, and infects it again when Windows terminates.

Goldbug has extensive retrovirus capabilities. It is able to install itself despite the presence of programs like VSAFE.COM or DISKMON.EXE, by tunneling past them. When resident in memory, Goldbug prevents the execution of the most common anti-virus programs: if a file's name ends with the letters "AN" or "AV", the virus prevents it from being executed. Such files include SCAN, CLEAN, NAV, CPAV, MSAV, TBAV, TBSCAN, TNTAV etc. If the user tries to execute such a program, Goldbug causes an execution error and a checksum error in CMOS. When the virus spreads to a directory, it deletes any CHKLIST files the directory contains, thus bypassing CPAV's and MSAV's checksum protection.

Goldbug checks whether the system contains a modem. If the modem receives a call, the virus makes the modem wait for the seventh ring and then answer. This is the only activation routine the virus contains.

F-PROT Professional detects the Goldbug virus in memory, files and boot sectors.

_1099
-----

The _1099 virus was originally found in Hong Kong during the spring of 1994, and later also in China. The first discovery of _1099 in Europe happened near the end of August in Norway, where the virus was found on some VGA driver diskettes imported from Hong Kong. The virus is now believed to be in the wild in several European countries.

This virus does a thorough job of keeping itself encrypted at all times, even in memory. It has an armoured decryption routine, which it uses both at its own start-up and during interrupts when resident. The virus contains specific traps for debuggers. All this makes _1099 quite laborious to analyze.
In any case, it stays resident in memory, hooking interrupts 08h, 09h and 21h (system timer, keyboard and DOS services), and infects COM and EXE files.

F-PROT detects and removes the _1099 virus.

New Viruses in Belgium
----------------------

By Pierre Vandevenne, DataRescue S.P.R.L.

At the beginning of August, two new viruses were uploaded to several Belgian BBSes. As the infection spread, at least four of the sites were forced to shut down temporarily.

Sandrine
--------

Sandrine, a simple companion virus, spread through a file called 486up.com which was supposed to improve a 486's performance by 20 to 30%. Instead, it contained a simple 445-byte companion virus. Sandrine takes advantage of the fact that DOS executes a COM file in preference to a similarly named EXE file if both are found in the same directory. The virus has an activation routine during which it creates a file called SANDRINE.COM, containing the text "Sandrine Baillieux thoughts of you are in my mind (c) 1994 by BrokenHeart".

It seems that BrokenHeart was twice unlucky: Sandrine was detected by F-PROT in heuristic mode. The current version of F-PROT detects and disinfects Sandrine normally.

BombTrack
---------

BombTrack, a heavily armoured polymorphic virus, was distributed hidden within the player for an erotic animation. BombTrack is a memory-resident COM and EXE infector, about 2400 bytes long. It allocates 6 kB of DOS memory at runtime and infects executables when they are run. The virus achieves polymorphism by using variable decryptors buried in long runs of non-significant instructions, and uses a lot of anti-debugging tricks to hinder disassembly. Before infecting, the virus erases the MSAV and CPAV checksum files. It also carefully avoids infecting popular anti-virus scanners.

The virus contains several bugs. Some variants are not able to reproduce reliably and are, from a virocentric point of view, an evolutionary dead end.
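The COM-before-EXE precedence that Sandrine relies on, and the renamed-original trick Goldbug uses (described in the Goldbug section above), both leave traces in a plain directory listing. The following Python script is an added example by the editor, not code from F-PROT or from either virus author; it works over a constructed, in-memory DIR-style listing (name, size, timestamp, attribute letters), so no real files are involved. The 2048-byte limit for a "suspiciously small" COM file is an assumption chosen to fit Sandrine's 445 bytes, not a figure from the bulletin.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One line of a DOS directory listing (a constructed stand-in for DIR /A)."""
    name: str        # 8.3 name as DOS shows it, e.g. "PROGRAM.EXE"
    size: int        # size in bytes
    stamp: str       # date/time string from the listing
    attrs: str = ""  # attribute letters as ATTRIB prints them: R, H, S, A


def split_name(name):
    """Return (BASE, EXT) in upper case; an extensionless name gives ext ''."""
    base, dot, ext = name.upper().rpartition(".")
    return (base, ext) if dot else (name.upper(), "")


def index_by_base(entries):
    """Group entries by base name: {'PROGRAM': {'EXE': Entry, '': Entry, ...}}."""
    by_base = {}
    for entry in entries:
        base, ext = split_name(entry.name)
        by_base.setdefault(base, {})[ext] = entry
    return by_base


def find_com_companions(entries, max_com_size=2048):
    """Sandrine-style: NAME.COM beside NAME.EXE.

    DOS runs NAME.COM in preference to NAME.EXE, so a small COM file that
    appears next to an EXE is the classic companion.  The size limit is an
    assumption (Sandrine was 445 bytes); genuine loaders can also be small,
    so treat hits as leads to inspect, not verdicts.
    """
    hits = []
    for base, exts in index_by_base(entries).items():
        com, exe = exts.get("COM"), exts.get("EXE")
        if com and exe and com.size <= max_com_size:
            hits.append((com.name, exe.name, com.size))
    return hits


def find_renamed_originals(entries):
    """Goldbug-style: NAME (no extension, system attribute) beside NAME.EXE.

    Goldbug renames PROGRAM.EXE to PROGRAM, sets the system attribute so DIR
    hides it, and writes a companion PROGRAM.EXE with the same size and
    stamp.  A listing taken with hidden/system files shown exposes the pair.
    """
    hits = []
    for base, exts in index_by_base(entries).items():
        orig, exe = exts.get(""), exts.get("EXE")
        if not (orig and exe):
            continue
        if ("S" in orig.attrs.upper()
                and orig.size == exe.size
                and orig.stamp == exe.stamp):
            hits.append((orig.name, exe.name))
    return hits


# Constructed sample listing: one Sandrine-style pair, one Goldbug-style
# pair, and ordinary files that must not be flagged.
SAMPLE_LISTING = [
    Entry("COMMAND.COM", 54645, "03-10-94 06:00", "A"),
    Entry("PKUNZIP.EXE", 29378, "02-01-93 02:04", "A"),
    Entry("PKUNZIP.COM", 445, "08-02-94 11:17", "A"),       # dropper-sized COM
    Entry("PROGRAM.EXE", 51200, "05-05-94 10:30", "A"),     # Goldbug companion
    Entry("PROGRAM", 51200, "05-05-94 10:30", "SA"),        # hidden original
    Entry("README", 1804, "05-05-94 10:30", "A"),           # extensionless, benign
    Entry("EDIT.COM", 413, "03-10-94 06:00", "A"),          # tiny COM, no EDIT.EXE
]


def scan(entries=SAMPLE_LISTING):
    """Run both checks and return their findings."""
    return {
        "com_companions": find_com_companions(entries),
        "renamed_originals": find_renamed_originals(entries),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

On a real machine the listing would be taken from a clean boot with system and hidden files shown, since Goldbug hides the renamed original and, while resident, lies about directory contents; a hit on either check is a reason to pull the pair and scan it, not a diagnosis on its own.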
The activation routine is supposed to create a directory structure called "\BOMBTRA.CK\NEVERYne". However, this operation is rather poorly implemented and almost always causes severe file system corruption. The virus will sometimes infect an executable and fail to modify its entry point. Such files, at first sight similar to successfully infected ones, are not functional since the viral code never gets the chance to be executed. Finally, the virus does not take great care of the target's memory requirements: an infected COM file can grow to more than 64 KB, and an infected EXE can grow larger than the memory it allocates. Such files are unable to execute properly.

BombTrack is the first Belgian polymorphic virus. No scanner was able to detect it at the time of its discovery. It elicited a quick response from our technical support, and within 48 hours our customers afflicted with this virus had a reliable way to detect and eradicate it.

Hong Kong - A Crossroads for Viruses
------------------------------------

By Allan Dyer, Yui Kee Company

Hong Kong's position as the gateway to China and a major trading centre gives it some importance in the international spread of viruses. Our recent visit to China clearly showed that there are viruses there that have never been seen by Western virus researchers, and there is circumstantial evidence that some recent viruses first found in Hong Kong, and since seen internationally, originated in China. Additionally, there is a small group of local virus writers, who mainly seem to be writing variants of Jerusalem. But it is the international trade links that make Hong Kong a potential virus distribution source. Large numbers of pre-formatted diskettes are exported from China, together with motherboards, add-in cards and machines which are assembled or packaged (with driver diskettes) here.
Some examples will help to illustrate this:

The Nice virus, written in Hong Kong, was first found circulating on Hong Kong BBSs in January 1994. Two weeks later, a minor variant was found in Northern Scandinavia and traced to a set of video driver diskettes that had been copied from an infected master diskette in Hong Kong.

The _1099 virus was first found in January 1994 in a Hong Kong company which has a factory in China. Other samples of the virus were also found in Hong Kong, only in companies with Chinese connections, but the virus was clearly becoming common in the Territory. At the end of August 1994, the virus was detected in Norway on VGA display driver diskettes sent from Hong Kong. Looking at recent samples and anti-virus programs from China, it is clear that _1099 is well known there.

These viruses are not particularly virulent (the Nice virus overwrites its victim, so it is likely to be noticed fast), but they have achieved international distribution by infecting an exporter. It is necessary to hunt down new viruses actively in individual countries, for such viruses can quickly jump to international fame. Viruses are already using international communications; it is up to us to make effective use of them too to combat viruses.

Good viruses and bad viruses
----------------------------

In different forums there has lately been much talk about whether it is possible to make good and useful computer viruses. The discussion has often grown rather heated, and it seems that the question has no simple answer. The main reason for the dispute has been that different parties attach different meanings to the term 'virus'. Just about everybody agrees that the DOS utility program DISKCOPY.EXE is a useful program, or at least not particularly harmful or dangerous. If some people consider DISKCOPY to be a virus because it is capable of replicating itself, disagreements are bound to occur.
Arguments of this kind have often been the source of disputes over useful viruses. The following article by Vesselin Bontchev discusses the problems inherent in useful viruses exhaustively. Vesselin Bontchev is one of the world's most respected virus researchers. He works at the Virus Test Center of the University of Hamburg.

A dozen reasons why a "good" virus is a bad idea
------------------------------------------------

By Vesselin Bontchev

I. Technical points:
--------------------

1. Once released, one cannot control how the virus will spread; it may reach an unknown system (or one which did not even exist at the time the virus was created) in which it can cause unintentional damage. Any virus that claims to be beneficial must contain measures to prevent this. For instance, if it infects a particular object, it must at least keep a cryptographically strong checksum of this object, in order to make sure that it does not infect anything else by mistake. And this is only a simplistic example; in reality, the precautions must be much more elaborate.

A virus that claims to be beneficial should be controllable. It should be possible to easily prevent the infection even of a system that has never heard about the virus; it should be possible to remove the infection easily from any infected system, without causing any harm; and it should be possible to send a message to all instances of the virus to terminate themselves, restoring the infected systems to their uninfected state, or to update themselves. Such a message should propagate faster than the virus itself. In some sense, such messages would be "viruses" in the "computational environment" consisting of all existing copies of the virus, just as the virus is a virus in the "normal" computational environment (the one that the user uses).

If such a solution is implemented, there is still danger, although danger of a different kind. Suppose that a system uses the beneficial virus and relies on it. Then a malicious attacker can send a message to the virus to terminate itself, thus causing harm to the system (a denial of service attack). Therefore, the message should be cryptographically authenticated. In short, the virus should be able to authenticate itself to the system and the system should be able to authenticate itself to the virus.

The user of a beneficial virus should actively invite (e.g. install) the virus on his/her system. It is not enough that the virus asks for permission, because this forces users to take some measures in order to keep their systems virus-free. By default (i.e. if no measures are taken), the virus should not infect systems. The virus should infect a system only if it finds some kind of an "invitation". There must be a way to turn off the prompting: the user must be able both to set the default action to "no, don't infect" (by removing the invitation or not installing it in the first place) and to "yes, keep infecting without asking". And again, cryptographic means should be used to ensure that what the virus sees as an invitation is indeed one and not some kind of a mistake.

No uncontrollable mutations of the virus should happen, either of random (errors) or deterministic (intentional changes) nature.

2. Anti-virus programs would have to distinguish between "good" and "bad" viruses, which is essentially impossible. Also, the existence of useful programs which modify other programs at will would make integrity checkers essentially useless, because they are only able to detect the modifications, not to determine whether they have been caused by a "good" virus. Therefore, a virus that claims to be beneficial must not modify other programs.

3. A virus will eat up disk space and time resources unnecessarily while it spreads. A virus is a self-replicating resource eater. Therefore, a virus that claims to be beneficial should keep only one instance of itself per infected machine, and the costs of the time and other resources used by it must be negligible compared to the benefits it brings to the user.

4. A virus can contain bugs which may damage something or harm somebody. Any program can be buggy, but a buggy virus is a self-spreading buggy program which is out of control.

5. A virus will disable the few programs on the market which check themselves for modifications and halt themselves if they have been changed. It is important to repeat again that a virus which claims to be beneficial must not modify other programs.

Summary of technical points against "good" viruses:

- impossibility to control it, or possibility of losing control over it
- uncertainty in discerning "good" from "bad" viruses
- resource wasting
- bugs which are harder to detect and easier to spread around
- modification of programs

The above points apply to all practical systems in use today, i.e. all systems which are based on von Neumann's architecture.

II. Ethical/legal points:
-------------------------

6. It is unethical to modify somebody's data without his or her active authorization. In several countries this is also illegal. The user of a beneficial virus must actively invite the virus to infect his or her machine. The virus must wait for an invitation, not bother the user by asking for permission. It must not sneak in without one, either.

7. If the virus modifies a program, the program's owner may lose his or her rights to technical support, ownership, or copyright. A case reported recently to VTC Hamburg provides an example: a program's manufacturer refused technical support to somebody whose system was infected, insisting that their product be re-installed.

8. An attacker can use a "good" virus as a means of transportation to penetrate a system. That is why a "good" virus must be able to authenticate itself to the system, and the system must be able to verify that the virus is exactly what it claims to be. A person with malicious intent can, furthermore, get a copy of the "good" virus and modify it to include something malicious. Actually, an attacker can trojanize any program, but a "good" virus will provide the attacker with means to transport his malicious code to a virtually unlimited population of computer users. The possibility of transporting malicious code is one of the things that makes a virus "bad".

9. Declaring some viruses "good" will just give the crowd of virus writers an excuse to claim that they are actually doing "research". Work involving potentially dangerous things, whether poisonous substances or self-replicating programs, should be left to people who have (a) the moral and ethical stability and (b) the technical expertise to do it.

10. Anything useful that can be done with a virus can also be done with a normal, non-replicating program. Any virus that claims to be beneficial must do something that either cannot be done by a non-viral program, or is not done as effectively as with a viral one, to avoid the problems stated in the previous points.

Summary of ethical/legal points against "good" viruses:

- modification of data/programs without active authorization of the user
- possibility of losing ownership rights to infected programs
- possibility of modifying a "good" virus with malicious code to transport such code further
- the question of the responsibility of persons writing viruses
- the question of the suitability of "good" viruses to perform a certain task

III. Psychological points:
--------------------------

11. Virus activity ruins the trust that a user has in his or her machine. The impression that a virus steals the user's control of the machine can cause the user to lose his or her belief that she or he can control it. It may become a source of permanent frustration.

12. For most people, the label "computer virus" is already loaded with negative meaning. They will not accept a program called that, even if it claims to do something useful.

This article was originally published in the Alive magazine, Volume I, Issue 1. For more information about the Alive electronic magazine, e-mail Suzana Stojakovic-Celustka at celust@cslab.felk.cvut.cz. The author, Vesselin Bontchev, can be contacted at bontchev@fbihh.informatik.uni-hamburg.de.

False alarms of anti-virus products
-----------------------------------

Editor's note: The following article is a response to the article "False Alarms" in F-PROT Update Bulletin 2.13. The article is written by Mr. Guenter Musstopf from perComp-Verlag GmbH, Germany. perComp-Verlag develops the German version of F-PROT Professional and distributes it in Germany, Austria and Switzerland.

First of all, we must discuss the question "How to define a false alarm?":

A false alarm occurs when a program, such as a virus scanner, performs a test on objects and reports a feature which is not true or which is not present. Below are two typical examples of false alarms generated by scanners:

Example 1: A scanner reports a virus in a file, but the file is clean and does not contain the said virus.

Example 2: A scanner reports a resident virus in memory. The virus is not active, however: the computer's memory contains only an image of the virus's code (e.g. due to accessing an infected floppy), so the virus is not resident. This kind of false alarm is also called a "ghost positive".

Heuristic scanners produce similar false positives. For example, they may report something like "The file ... is possibly infected by a virus".

Let's move on to another question: Do integrity checkers, such as F-CHECK, generate false positives? Bearing in mind the above definition of a false positive, the answer is NO.
If an integrity checker reports changes in an object (file, boot sector or master boot record), the object has really changed. However, integrity checkers do not search for viruses per se, and they do not claim that detected changes are due to a virus infection. Nevertheless, some PC users misunderstand the reports given by integrity checkers, even if the reports do not mention the term "virus" or a specific virus name. If an integrity checker reports changes in one or more objects, it is up to the user to find out what has caused the changes. The changes may be due to one of the following reasons:

- A program has been updated without simultaneously updating the integrity checker's database.
- The boot sectors have changed because the user has installed a new version of DOS or a new or modified version of an anti-virus program. The integrity checker's database has to be updated after such installations.
- The system contains self-modifying programs made by someone with bad programming habits. These programs use their own executable files to store parameters which can be selected by the user. According to normal programming conventions, such parameters should be stored in an external, non-executable configuration file. SETVER from MS-DOS is an example of such a program.
- Finally, a virus may have infected the object. The object may also have been destroyed by an overwriting virus.

To sum up, an integrity checker may report modifications for one of the following three reasons:

- The user has forgotten to update the integrity checker's database.
- A programmer has done a bad job. In this case, the self-modifying program files should never be checked. This means that although the names of these files are stored in the integrity checker's database, the checker won't bother to check the files for modifications.
- The modifications have been caused by a virus.

What can be done to get rid of these warnings?
The first kind of warnings will not be encountered if the integrity checker's database is updated after each new program installation. Therefore, the integrity checker's maintenance facilities must be easy to use - even by end users who are only able to install or update an application package.

The second kind of warnings can be avoided by setting the status of self-modifying program files to "Never".

In the third case, the modified objects should be checked with a scanner. This will reveal whether the changes are caused by an already known virus. If the scanner does not find a known virus, the suspicious object(s) should be sent to the scanner's manufacturer. The manufacturer can examine the objects, and find out whether some unknown virus has caused the modifications. If necessary, the manufacturer can then update his product.

F-CHECK contains the following features for restoring infected files: If a scanner finds a known virus, F-CHECK can in many cases restore the infected object to its original state without any risk (this holds true even if the scanner itself cannot disinfect the virus). In most cases, the restoration can be effected even if the virus is a new one which the scanner cannot identify yet. Even if the virus has overwritten a part of the object (like some of the variants of the Vienna virus do), F-CHECK can restore the object by using additional information stored in its database.

As a general rule, a user has to be familiar with the basic functions of the anti-virus product he or she is using. These functions can be compared to the different programs of a washing machine, of which a user also needs a minimum of understanding. Integrity checkers do not report viruses, but changes in the objects they survey! If users update the integrity checker's database after each new program installation or update, they can avoid unnecessary warnings.
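The following minimal integrity checker is an example added by the bulletin's editor to illustrate the three causes of warnings described above; it is not F-CHECK's code nor Mr. Musstopf's. The object names, their contents and the "check"/"never" status values are constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Tuple

# Object status, as in the article: CHECK objects are verified on every run,
# NEVER objects (self-modifying programs such as SETVER) are listed but skipped.
CHECK, NEVER = "check", "never"


def fingerprint(data: bytes) -> str:
    """Hash of an object's contents (a file, boot sector or master boot record)."""
    return hashlib.sha256(data).hexdigest()


class IntegrityDatabase:
    """One stored fingerprint and one status per object name."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, str]] = {}

    def register(self, name: str, data: bytes, status: str = CHECK) -> None:
        """(Re)record an object: run this after every legitimate program update."""
        self.entries[name] = (fingerprint(data), status)

    def set_status(self, name: str, status: str) -> None:
        self.entries[name] = (self.entries[name][0], status)

    def check(self, objects: Dict[str, bytes]) -> List[Tuple[str, str]]:
        """Report objects whose contents differ from the database. The verdict is
        'modified' or 'missing', never 'infected': the cause is for the user to find."""
        reports = []
        for name, (stored, status) in self.entries.items():
            if status == NEVER:
                continue
            current = objects.get(name)
            if current is None:
                reports.append((name, "missing"))
            elif fingerprint(current) != stored:
                reports.append((name, "modified"))
        return reports


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Walk through the three causes of warnings given in the article."""
    # Constructed sample objects; a real checker would read them from disk.
    setver, command = b"MZ setver table=[]", b"MZ command.com"
    db = IntegrityDatabase()
    db.register("EDITOR.EXE", b"MZ editor v1.0")
    db.register("SETVER.EXE", setver)
    db.register("COMMAND.COM", command)
    disk = {"EDITOR.EXE": b"MZ editor v2.0",  # updated, database not refreshed
            "SETVER.EXE": setver, "COMMAND.COM": command}
    results = {}
    # 1. Stale database: the warning disappears once the entry is re-registered.
    results["stale_database"] = db.check(disk)
    db.register("EDITOR.EXE", disk["EDITOR.EXE"])
    results["after_update"] = db.check(disk)
    # 2. A self-modifying program rewrote its own file: silence it with NEVER.
    disk["SETVER.EXE"] = b"MZ setver table=[WIN.COM]"
    results["self_modifying"] = db.check(disk)
    db.set_status("SETVER.EXE", NEVER)
    results["setver_never"] = db.check(disk)
    # 3. An unexplained change to a checked object: hand this one to a scanner.
    disk["COMMAND.COM"] = command + b"\x90" * 16
    results["unexplained"] = db.check(disk)
    return results
```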
Guenter Musstopf
perComp-Verlag GmbH
percomp@infohh.rmi.de

F-PROT support informs: Common Questions and Answers
----------------------------------------------------

If you have questions about information security or virus prevention, contact your local F-PROT distributor. You can also contact Data Fellows directly at the number +358-0-692 3622. Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Wavulinintie 10
00210 HELSINKI
Finland

Questions can also be sent by electronic mail to:

Internet: f-prot@datafellows.fi
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

I have a Unix clone operating on my PC, Linux to be exact. Nevertheless, I would like to check my computer for DOS viruses every now and then. Can I run a check with F-PROT?

You can. Install Linux's DosEmu and run F-PROT with it. DosEmu is available on the Internet at the address sunsite.unc.edu, directory pub/Linux/Emulators/dosemu. With F-PROT, PCs running other Unix clones can also be checked for boot sector viruses, but in such cases the computer must first be booted from a DOS diskette. Boot sector viruses are practically the only viruses capable of infecting PCs that use a Unix-based operating system.

I have had some trouble installing F-PROT Professional for Windows on a network. How should I go about it to make sure that the workstations communicate with the server properly?

The installation of F-PROT Professional for Windows is different from most other Windows programs. This is because of the more advanced installation method: you can actually install pre-defined default settings to the workstations while doing the installation. We'll start by installing the administrator's copy of the program:

1. Start the process by copying the contents of the F-PROT for Windows installation diskette to a shared directory on the network server. In this example, we'll use the directory V:\FPWSETUP.
2. Execute the program V:\FPWSETUP\SETUP from Windows.
3. When the installation program starts, choose Complete installation as the installation option. Next, turn on the Administrator radio button and enter a suitable Admin password.
4. Make sure that you have checked the check-boxes Enable Network Usage and Load Task Agent at Startup.
5. Choose a suitable target directory from your local hard disk, for example C:\WINDOWS\F-PROTW.
6. Click Continue.
7. Choose a shared directory on the network server to be the Communication Directory. In this example, we'll use the directory V:\COMM-DIR. If you cannot find a suitable directory, check the Establish Shared Directory checkbox.
8. Enter a name for the Workgroup. This can be, for example, the name of the office where the installation is taking place. The application uses the workgroup's name for internal communication, to identify messages sent to a certain workgroup over the network. Click Continue.
9. Enter the Organization Name and User Name. Be sure to enter the correct Organization Name, for it will carry over to all further copies of the program installed after the administrator installation. Only the administrator can change the Organization Name. Click Install.
10. The installation program completes the installation. Icons for executing the program, as well as certain preconfigured scans, are added to Program Manager.
11. Start F-PROT by double-clicking the icon labeled F-PROT Professional for Windows.
12. You can now modify the program's default settings. You can, for example, change the Preferences settings (choose the command Preferences from the Edit menu), add or change Tasks, add buttons to the Button Bar, and modify the program's startup settings; for instance, you may wish to make F-PROT start up in the Button Bar mode by default. We suggest that you do not change the default task Scan hard drives when idle, however. This task causes a virus scan to be performed on the computer's hard disk when the machine has been left alone for a predetermined time. By default, the disk is scanned after 30 idle minutes.
13. When you are satisfied with the changes you have made to the program, you can transfer the modifications to the master installation directory on the network server. Choose the command Create Distribution Diskette from the Administration menu, and select V:\FPWSETUP as the destination directory.

Next, we'll do a complete workstation installation:

1. Install F-PROT Professional for Windows on a workstation by executing the program V:\FPWSETUP\SETUP from Windows. Choose the Complete installation option and enter the target directory on the local hard disk (we recommend using the directory C:\WINDOWS\F-PROTW). Enter the User Name. The installation program will install the program on the workstation. The modifications made during the administrator installation will be carried over to the program copy installed on the workstation.
2. You can modify the icons in Program Manager's F-PROT Group as you wish: for example, if you need only the icons for scanning the hard drive and drive A:, you can delete the others.

We have now performed a sample workstation installation of F-PROT Professional for Windows. Make sure that you have the necessary access rights to the directories V:\FPWSETUP and V:\COMM-DIR.

Suppose I want to install F-PROT for Windows on the network server and use this single copy from all the workstations. What do I do then?

Again, we'll start with the administrator installation:

1. Start the installation by copying the contents of the F-PROT for Windows installation diskette to a shared directory on the network server. In this example, we'll use the directory V:\FPWSETUP.
2. Execute the program V:\FPWSETUP\SETUP from Windows.
3. Choose the Complete installation option and turn on the Administrator radio button. Enter the Admin password.
4. Make sure that you have checked the checkboxes Enable Network Usage and Load Task Agent at Startup.
5. Choose a suitable target directory on the shared drive, in this example V:\F-PROTW.
6. Click Continue.
7. Choose a suitable directory on the shared drive to be the Communication directory. In this example, we'll use the directory V:\COMM-DIR. If you cannot locate a suitable directory, check the Establish Shared Directory checkbox.
8. Enter a name for the Workgroup. The workgroup's name can be, for example, the name of the office where the installation is taking place. The application uses the workgroup's name for internal communication, to identify messages sent to a certain workgroup over the network. Click Continue.
9. Enter the Organization Name and User Name. Make sure that the Organization Name is correct, for it will be shown to all users using F-PROT over the network. Only the administrator can change the Organization Name. Click Install.
10. The installation program completes the installation. Icons for executing the program, as well as certain preconfigured scans, are added to Program Manager.
11. Start F-PROT by double-clicking the icon labeled F-PROT Professional for Windows.
12. You can now modify the program's default settings. You can, for example, change the Preferences settings (choose the command Preferences from the Edit menu), add or change Tasks, add buttons to the Button Bar, and modify the program's startup settings; for instance, you may wish to make F-PROT start up in the Button Bar mode by default. We suggest that you do not change the default task Scan hard drives when idle, however. This task causes a virus scan to be performed on the computer's hard disk when the machine has been left alone for a predetermined time. By default, the disk is scanned after 30 idle minutes.
13. When you are satisfied with the changes you have made to the program, you can transfer the modifications to the master installation directory on the network server. Choose the command Create Distribution Diskette from the Administration menu, and select V:\FPWSETUP as the destination directory.

Next, we'll do a Remote workstation installation:

1. Install F-PROT Professional for Windows on a workstation by executing the program V:\FPWSETUP\SETUP from Windows. Choose the Remote installation option and enter the target directory on the local hard disk (we recommend using the directory C:\WINDOWS\F-PROTW). Click Continue.
2. Enter the path to the F-PROT copy stored in the shared directory (V:\F-PROTW) and click Continue.
3. Enter the User Name and click Install. The installation program will install the program on the workstation. The modifications made during the administrator installation will be carried over to the program installed on the workstation.
4. You can modify the icons in Program Manager's F-PROT Group as you wish: for example, if you need only the icons for scanning the hard drive and drive A:, you can delete the others.

We have now completed a Remote workstation installation of F-PROT Professional for Windows. Make sure that you have the necessary access rights to the directories V:\FPWSETUP, V:\F-PROTW and V:\COMM-DIR.

Changes in Version 2.14
-----------------------

Changes in F-PROT for Windows
-----------------------------

It is now possible to update VIRSTOP.EXE centrally from the network server to local workstations by using F-PROT for Windows. When F-PROT for Windows starts, it checks a file called FPW-PREF.INI. Copy this file to the same directory as F-PROTW.EXE. The file should contain lines like:

    [Update]
    Source=V:\MASTER\F-PROT
    Destination=C:\F-PROT

The FPW-PREF.INI file shown above causes F-PROT for Windows to update files from the server directory V:\MASTER\F-PROT to the local directory C:\F-PROT each time it starts up.
The administrator needs to update VIRSTOP only in the master directory on the server, and F-PROT for Windows will make sure that all workstations will soon be running an up-to-date copy of VIRSTOP.

The functioning of the General/Run Scheduled Tasks Minimized preference has been changed slightly. Scheduled tasks (both distributed and normal tasks) that are executed by starting F-PROT via F-Agent will always run minimized, regardless of the preference setting. Scheduled tasks that start executing while the main program is already running will run either minimized or not, depending on the preference setting.

A network connection is not attempted at startup if the workgroup name and the communication path are missing from the configuration file. Instead, the user is shown an informational message box. This situation arises if the user has made a Network/User installation from a diskette which the administrator has not created by using the Create Distribution Disk command.

The Help button now works also in the Bulletin Attributes dialog.

Changes in F-PROT for DOS
-------------------------

F-PROT for DOS 2.14 returns ERRORLEVEL 8 upon finding suspicious files. Such files are usually not virus-infected, but it may be a good idea to check them more closely anyway. Note that if you have been using a batch file to run F-PROT, you will need to update the batch file also in order to catch errorlevel 8. Otherwise, the batch file will see the return value as errorlevel 7, which is the 'out of memory' error (a DOS "IF ERRORLEVEL 7" test is true for any return value of 7 or higher). The FP.BAT file included on the F-PROT for DOS installation diskette has been updated accordingly.

The program did not display correctly file names which were longer than 78 bytes. Fixed.

Changes Common to DOS, Windows and OS/2 versions
------------------------------------------------

We have introduced a new scanning "engine" which does not use search strings like the earlier one. This engine has been added to F-PROT to function side by side with the old one.
Currently, the engine can detect only a small number of viruses, but all new viruses are added to it. We are also converting the detection of "old" viruses. When the conversion is finished, users of F-PROT can expect a significant speed increase, as well as a significant reduction in memory requirements.

The "Quick Scan" option has been removed, for it was not significantly faster than the regular scan. This has reduced the size of the program by 20 kB and reduced the memory requirements of F-PROT for DOS even more.

Some false MtE alarms on non-executable files have been fixed.

Some V2P6-infected files were incorrectly reported as having been infected by a "New or modified variant of Invisible_Man". This has been fixed, identification of Invisible_Man has been improved, and disinfection of both viruses has been added to the program.

Heuristic analysis will now also report "armored" programs - programs containing tricks that make heuristic analysis and analysis in general difficult, but which are not necessarily virus-infected. Programs protected with the Protect! utility are among such programs.

New Viruses Detected by F-PROT 2.14
-----------------------------------

The following 17 viruses are now identified, but cannot be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of...":

Burger.382.B Burger.382.C Burger.441.B Cop-Com.286 Doubleheart.452.A
HLLO.Black_Crypt Leprosy.Busted.572 Leprosy.D Lesson_1.305 Necropolis.B
Necropolis.C Rythem.827 Trivial.43.D Trivial.44.E VCL.Butthole
VCL.Mindless.423.B _81

F-PROT can detect and remove the following 149 new viruses. Earlier versions of F-PROT could detect many of these viruses, but now they are also identified accurately:
ARCV.Christmas.678 Aurea.768 Barrotes.849 Barrotes.1310.F Barrotes.1310.G
Buffeater Bupt.1220.C Cascade.1701.T Cascade.1701.U Cascade.1701.V
Chemist Civil_War.245 Cmagic.878 Cmagic.2015 Cmagic.2246
Crucifix.2914 Crucifix.2916 Cybertech.1066 Cybertech.1228 Damir
Danish_Tiny.310.B Delwin Demolition.B Dicker Ear.380
ECW-X Filehider.1057 Foetus Genesis.217 Genesis.226
Genesis.238 Genesis.295 Ginger.2691 Gippo.Epidemic.1249 Green_Caterpillar.1575.H
Helicopter Hello.A Hello.B HLLC.Christmas.15264 HLLC.Crawen.8306
HLLC.Crawen.8516 IMI.1538 IMI.1656 Iron Is_dead
IVP.260 IVP.April IVP.DNA IVP.Mandela.943 Jack
Jerusalem.1808.new8 Jerusalem.1808.Rambo Jerusalem.1801.SUmsDos.AD Jerusalem.5120 Jerusalem.Anticad.3012.F
Jerusalem.AntiCad.4096.E Jerusalem.AntiCad.4096.F Jerusalem.AntiCad.4096.G Jerusalem.AntiCad.4096.H Jerusalem.AntiCad.4096.I
Jerusalem.Sunday.L Jerusalem.Sunday.M Jerusalem.Tarapa.C Just.1056 Kali
Kaos.A Kaos.B Keeper.Lemming Kemerovo.404 Keypress.1232.M
Kaypress.1258 Kipa Klepavka Lastyear.743 LM.345
LM.354 LM.609 MadWill.A MadWill.B Malaria
Marauder.867 Mayberry.793 Miras Mordor.1104 Multiflu
Multiplex My_Child Natas.4746 Phalcon.Cool Platov
PS-MPC.339.F PS-MPC.347.K PS-MPC.574.E PS-MPC.578.H PS-MPC.Alien.733
PS-MPC.ARCV-4.742 PS-MPC.Asstral PS-MPC.G2.Mudshark.312 PS-MPC.Joshua.964 PS-MPC.Polder.J
PS-MPC.Shiny.934 PS-MPC.Sucker PS-MPC.Tester S_man Sandrine
SHHS.591 Shizu Skid_row.415 Skid_row.418 Skid_row.432
Specified Suriv-1.Cock Sybille.853 Sylwia Tai-Pan
Trakia.561 Trident.439 Trjp Troi.E VCL.609
VCL.Beepop VCL.Bigtime VCL.Black_Death VCL.Dumbco VCL.Genesis
VCL.Gif VCL.Westward Vienna.648.Oscar.A Vienna.648.Oscar.B Vienna.648.Oscar.C
Vienna.778 Vienna.Violator.707.B Vienna.Violator.5286.B Vivat Void
VS.1919 Wizard.312 XPH.1010 Yankee_Doodle.2167 YB.316
_172 _391 _521 _604 _632
_713 _736 _928 _934

The following 20 new viruses can now be detected but not yet removed:
_388 Astra.505 Astra.882 Astra.1556 Attitude.724
Attitude.825 Crazy_Priest Die_Hard Foetus.1510 Jerusalem.Vtech.2513
Jerusalem.Vtech.2880 Jerusalem.Vtech.2886 JH Jump Raptor.B
Switch Taz.987 Taz.995 Taz.1041 VCL.Renegade

The following 4 viruses which were detected by earlier versions can now also be removed:

Catbuncle Invisible_Man.2926 Invisible_Man.3223 Todor

The following virus has been renamed in order to make F-PROT follow the CARO naming standard as closely as possible:

604 -> Lastyear