BULL-214.TXT (text file, 1994-09-09)
F-PROT Professional 2.14 Update Bulletin
========================================
This material may be freely quoted as long as the source is mentioned.
F-PROT Professional version bulletin 2.14. Copyright (c) 1994 Data Fellows Ltd.
Contents
Virus Situation In Far East
F-PROT Remains At the Top
The Award Goes To Data Fellows Ltd's Vineyard Workgroup Software
World Wide Web
New Viruses In the Wild
Kaos-4
Tai-Pan
Parity_Boot.B
VLamiX
Goldbug
_1099
New Viruses in Belgium
Sandrine
BombTrack
Hong Kong - A Crossroads for Viruses
Good viruses and bad viruses
A dozen reasons why a "good" virus is a bad idea
False alarms of anti-virus products
F-PROT support informs: Common Questions and Answers
Changes in Version 2.14
New Viruses Detected by F-PROT 2.14
Virus Situation In Far East
---------------------------
In August, we and our local distributor arranged a joint
anti-virus seminar in Beijing, China. The seminar was held
along with the country's biggest information technology
fair, the China International Computer Exhibition `94.
We also exhibited the F-PROT Professional product family in
our own booth in the fair itself. We were the only company
to bring an anti-virus software to the fair.
During the seminar, we asked how many people in the audience
had discovered a virus in their computers. All hands rose.
We asked how many of them were using an anti-virus program.
Again, all hands rose. When we went on to enquire how many
had updated their anti-virus program during the last month,
nobody reacted. What about the last two months? Again, no
reaction. Finally, when we asked about the last four
months, somebody in the audience gathered his courage and
admitted that he usually updated his anti-virus program once
a year.
In China, the virus problem is as bad as in Russia. The
biggest reasons for this are:
· Many computers do not have hard disks -> programs are
stored on diskettes, and viruses find it easy to spread
around
· Networks are relatively rare -> files are transferred on
diskettes
· Most of the programs in China are pirated copies
China's government recognized the seriousness of the virus
threat as early as the late eighties. Legislation which
dealt with the issue was passed, and the government created
a separate department, operating under the state's Security
Ministry, to combat the problem. An anti-virus program
called Kill was also developed under the Security Ministry's
auspices. At first, the Kill program was distributed for
free to everybody who wanted it; nowadays, a small fee is
charged.
Surprisingly, China has proven quite aware of the virus
threat. The problem is taken seriously.
F-PROT Professional was also highly visible in Japan, where,
among other things, the PC Week magazine interviewed Data
Fellows Ltd's managing director, Risto Siilasmaa.
F-PROT Remains At the Top
-------------------------
In its latest issue, the Byte magazine published the results
of an NLM anti-virus product test. F-PROT was also included
in the test, and did excellently. The results are listed
below:
Rating   Product                Version
****     F-PROT                 1.24
****     CPAV                   2.0
****     NAV                    1.0
***      LANDesk                2.1
***      NetShield              1.6
**       InocuLAN               2.56
*        Dr. Solomon's AVT      1.03

****  = Excellent
***   = Average
**    = Below Average
*     = Poor
The Award Goes To Data Fellows Ltd's Vineyard Workgroup Software
----------------------------------------------------------------
Besides F-PROT, our other product, Vineyard, is also doing
well. Vineyard was awarded the title "Best of Show" in the
Groupware'94 fair in the USA. The contest was held by the
Computerworld magazine, and its purpose was to spread some
deserved acclaim among groupware manufacturers. Among
others, the jury included the representatives of Gartner
Group, Andersen Consulting and Infoworld.
Vineyard's award is especially noteworthy when one considers
the toughness of its competition. The products of all major
groupware manufacturers were represented in the show. Among
the competitors were Lotus Notes, Lotus VIP and all
groupware products by Microsoft and Novell.
World Wide Web
--------------
We're happy to announce that our World Wide Web server is
now operational. The service can be accessed with any WWW
browser by connecting to http://www.DataFellows.fi/. The
server enables Internet users to browse through various
information, including:
· product information: white papers and demos are available
for downloading
· virus information: an on-line database of F-PROT
Professional virus descriptions, virus news from Data
Fellows's F-PROT support, comp.virus Frequently Asked
Questions
· access to related information worldwide: Gopher servers,
FTP sites, newsgroups
· Data Fellows press releases
A text mode browser can also be used.
In order to be able to access our WWW site, you will need
the following:
1. Internet access. This can be a direct line or a SLIP
or PPP connection. Some Unix users can also use a
Term Connection.
2. A TCP/IP stack. PC users need a stack with Windows
Sockets compatibility. Suitable products are
Microsoft Wolverine, FTP Software's PC/TCP, PC-NFS,
SuperTCP, Trumpet Winsock etc.
3. A browser. This can be, for example, NCSA Mosaic,
Cello, WinWeb or Lynx. Most of these products are
available for a variety of platforms. If you don't
have a browser, but are able to telnet, you can use
one of the text-based WWW gateways.
Most or all of the needed programs can be obtained free of
charge from FTP sites.
The Data Fellows WWW site is a public site, and the service
is provided for free: no login is necessary.
New Viruses In the Wild
-----------------------
Kaos-4
------
Kaos4 spread from an infected file which was sent to the
usenet newsgroup alt.binaries.pictures.erotica on the 24th
of July, 1994.
In a couple of days, the virus spread all over the world. It
is reported to have been found at least in USA, Germany,
Norway and Finland.
Kaos4 is a simple virus: it spreads only when an infected
program is executed, and infects COM and EXE files in its
current directory and in the directories along the path.
Apart from spreading itself, the virus does not do anything.
Infected files grow by 697 bytes.
The virus contains the text "KAOS4 / Köhntark". Köhntark is
a well-known American virus writer.
F-PROT detects and disinfects the Kaos4 virus.
Tai-Pan
-------
Tai-Pan was first discovered in Sweden during the summer
1994. It has since spread in Europe, mainly in Scandinavia.
The virus was found at least in a file called PROLOGUE.ZIP,
a demonstration released by the demo group Legen Design.
Tai-Pan is quite a simple virus. It stays resident in memory
and infects nearly all executed EXE files. It will not
infect files that are larger than 64kB. Infected files grow
by 438 bytes. Tai-Pan does not do anything apart from
spreading itself.
Tai-Pan is also known as Whisper, after the text it
contains: "[Whisper presenterar Tai-Pan]".
F-PROT detects and disinfects the Tai-Pan virus.
Parity_Boot.B
-------------
Incidents involving the Parity_Boot.B virus have lately
popped up in several parts of the world. The virus seems to
be especially common in Germany.
Parity_Boot.B infects the boot records of diskettes and the
Master Boot Records of hard disks. As a typical boot sector
virus, Parity_Boot.B can infect hard disks only during a
diskette boot. The virus reserves one kilobyte of
conventional memory for itself and infects all
non-write-protected diskettes used in an infected computer.
Parity_Boot.B uses stealth techniques, so the changes the
virus has made cannot be detected while it is active in
memory. Parity_Boot.B activates at random times and prints
the message "PARITY CHECK" on the screen. After this, the
virus crashes the computer, simulating a genuine error
situation due to faulty memory circuits.
F-PROT detects and disinfects the Parity_Boot.B virus.
VLamiX
------
The VLamiX virus spread through BBS systems in an archive
called A30!PWA.ZIP. The archive was supposed to contain the
version 3.0 of the popular ARJ archiver. Robert Jung, the
author of ARJ, has confirmed that ARJ 3.0 has not been
released. The whole incident happened near the end of
August.
VLamiX is a simple resident file virus; it infects EXE files
when they are opened, and appends an encrypted copy of
itself. It uses a simple encryption routine with a 16-bit
decryption key which changes between infections. However,
the decryption routine does not change and it makes the
virus easy to spot.
The virus contains several bugs. It often manages to corrupt
a file irreparably instead of infecting it.
The name VLamiX is taken from a text string found beneath
the virus's encryption layer:
smartc*.cps
chklist.*
-=*@DIE_LAMER@*=-
CHKLIST ???
CHKLIST.CPS
VLamiX-1
VLamiX attacks CPAV and MSAV by deleting their checksum
files.
F-PROT detects and disinfects the VLamiX virus.
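The bulletin notes that VLamiX changes its 16-bit key between infections but keeps the decryption routine itself constant, which is exactly what a wildcard byte signature catches. The following is an added illustration, not F-PROT's code and not the real bytes of any virus above: the decryptor pattern and all sample buffers are constructed for the demonstration, and the Kaos4 and Tai-Pan entries use only the text strings the bulletin reports, with the code-page-dependent umlaut byte left as a wildcard.

```python
"""Wildcard byte-signature scanner (added example, not F-PROT code).

A signature is a list of byte values in which None means "any byte".
The decryptor pattern and all sample buffers below are constructed for
this demonstration; they are not the real bytes of VLamiX, Kaos4 or
Tai-Pan, only stand-ins with the same shape.
"""
from typing import Dict, List, Optional

Signature = List[Optional[int]]


def parse_signature(text: str) -> Signature:
    """Parse hex text such as 'BE ?? ?? 8B'; '??' is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def text_signature(prefix: bytes, wildcards: int, suffix: bytes) -> Signature:
    """Build a signature from a text string with a run of wildcard bytes."""
    return list(prefix) + [None] * wildcards + list(suffix)


def match_at(data: bytes, pos: int, sig: Signature) -> bool:
    """True if sig matches data at offset pos (wildcards match anything)."""
    if pos < 0 or pos + len(sig) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(sig))


def find_signature(data: bytes, sig: Signature) -> int:
    """Return the offset of the first match of sig in data, or -1.

    The first fixed byte of the signature is used as a fast pre-filter so
    the full comparison runs only at candidate offsets.
    """
    fixed = [i for i, b in enumerate(sig) if b is not None]
    if not fixed:
        return 0 if len(data) >= len(sig) else -1
    lead = fixed[0]
    anchor = bytes([sig[lead]])
    start = 0
    while True:
        idx = data.find(anchor, start)
        if idx == -1:
            return -1
        if match_at(data, idx - lead, sig):
            return idx - lead
        start = idx + 1


# Constructed signature table (any one signature per name is enough).
SIGNATURES: Dict[str, List[Signature]] = {
    # Kaos4 carries "KAOS4 / Köhntark"; the umlaut's byte value depends on
    # the code page, so that byte is a wildcard.
    "Kaos4 text": [text_signature(b"KAOS4 / K", 1, b"hntark")],
    # Tai-Pan is also called Whisper because of this string.
    "Tai-Pan text": [list(b"[Whisper presenterar Tai-Pan]")],
    # Hypothetical decryptor loop: start offset, length and the 16-bit key
    # change between infections, the instruction bytes do not.
    "VLamiX-like decryptor": [
        parse_signature("BE ?? ?? 8B 0E ?? ?? 81 34 ?? ?? 46 46 E2 F8")
    ],
}


def scan_buffer(data: bytes) -> Dict[str, int]:
    """Scan one buffer; return {signature name: offset} for every hit."""
    hits: Dict[str, int] = {}
    for name, sigs in SIGNATURES.items():
        for sig in sigs:
            off = find_signature(data, sig)
            if off != -1:
                hits[name] = off
                break
    return hits


# Constructed sample "files" (not real infected programs).
SAMPLES: Dict[str, bytes] = {
    "clean.exe": b"MZ" + bytes(range(32)),
    "kaos4_like.com": b"\xe9\x10\x00" + b"KAOS4 / K\x94hntark",  # 0x94 = ö in CP437
    "taipan_like.exe": b"MZ" + b"\x00" * 8 + b"[Whisper presenterar Tai-Pan]",
    # Two "infections" with different keys (3A5C and 771F) and loop counts.
    "vlamix_like_a.exe": b"MZ" + bytes.fromhex("BE10018B0E123481343A5C4646E2F8"),
    "vlamix_like_b.exe": b"MZ" + b"\x90" * 6
    + bytes.fromhex("BE20028B0E56788134771F4646E2F8"),
}


def scan_all() -> Dict[str, Dict[str, int]]:
    """Scan every sample; returns {file name: {signature name: offset}}."""
    return {name: scan_buffer(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for fname, hits in scan_all().items():
        print(fname, "->", hits or "no signature found")
```

Both VLamiX-like samples hit the same signature even though their keys and loop counts differ, which is the point the bulletin makes: a variable key alone does not hide a fixed decryptor.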
Goldbug
-------
Goldbug is a complex virus, made in the USA. It managed to slip
into international circulation in summer 1994. Goldbug was,
apparently on purpose, attached to a beta version of the
game DOOM. This archive was circulated in BBSs worldwide.
Goldbug infects the main boot records of hard disks and
diskette boot sectors. It also spreads by using the
companion virus technique and contains retrovirus features.
Goldbug uses an astonishing variety of tricks to make
detection and surveillance difficult.
When a file infected by Goldbug is executed, the virus
copies its own code to the hard disk's main boot record. If
the computer has available HMA memory, the virus goes
resident in memory. If the computer in question is not at
least a 286, the virus does not do anything. The same thing
happens if the system does not use HMA memory.
When the virus infects the hard disk, it overwrites the
partition information in the main boot record. Due to
Goldbug's stealth capabilities, this cannot be seen as long
as the virus is resident in memory. However, if the computer
is booted from a clean diskette, the system cannot find the
hard disk. The effect is similar to that caused by, for
example, the Monkey virus, and prevents the virus from being
removed with the FDISK/MBR command.
The virus goes resident to memory the next time the computer
is started, storing its own code in color video memory. At
this stage, Goldbug restores the original main boot record.
The virus cannot keep its code in color video memory
indefinitely, because that would prevent graphical programs
from functioning. However, at this stage it cannot move its
code to HMA memory either, since the system's memory
management programs have not been loaded from CONFIG.SYS
yet. The virus hooks the video interrupt 10h and waits for
HMA to become available.
If HMA memory is not installed, the virus removes itself
from memory once the computer switches to graphical mode.
Otherwise the virus copies its code on top of HMA memory as
soon as it gets the chance. Once in HMA, the virus writes
its own code back to the main boot record.
Goldbug infects the boot sectors of 1.2 MB diskettes like a
normal boot sector virus. All non-write-protected diskettes
used in a Goldbug-infected computer are infected. In
addition to the diskette boot sector, Goldbug uses two
sectors on the diskette to store its code; however, unlike
most other boot sector viruses, Goldbug checks that these
sectors are empty before infecting the diskette.
Goldbug uses quite an unusual method for infecting
diskettes. If a computer is booted from an infected
diskette, the virus stays resident in video memory until it
gains access to HMA memory. When HMA memory becomes
available, the virus infects the hard disk. At the same
time, it removes its own code from the diskette, and won't
infect it again while it stays in the drive. This makes it
difficult to trace an infection's source, because the
diskette the virus originally arrived on may not be infected
any longer.
When the virus is active, it infects executed EXE programs.
When such a program is executed, the virus creates a
companion file for it in the same directory and removes the
original file's file extension. For example, a file called
PROGRAM.EXE will be renamed PROGRAM. The companion file is
then given the name of the original file. The virus takes
care to create a companion file with the same size, creation
date and attributes as in the original file. The original
file is given the system attribute, so that it cannot be
seen in a directory listing.
The virus does not create companion files on diskettes.
However, it will infect files over a network, as long as the
user has the right to create and rename files in the
network.
Goldbug employs a variable encryption routine. The virus can
use 512 different decryption routines, each of which it can
modify in 128 different ways. Nevertheless, the virus's
encryption technique cannot be called truly polymorphic. The
virus's encryption routines are protected, which makes it
difficult to decrypt the virus for analysis.
Goldbug is a stealth virus. When the main boot record of an
infected hard disk or the boot sector of an infected
diskette is examined, the virus shows the user a copy of the
original object. When an infected EXE file is executed, the
virus reroutes the operation to the original file. If some
program tries to delete a companion file the virus has
created, the virus causes the original file to be deleted
instead.
Most viruses which hook interrupt 13h are easily caught if
the computer is running Windows 3.1 with 32-bit disk access
on: Windows reports an error during startup if the disk
interrupt address has been changed. Goldbug bypasses this
by releasing interrupt 13h when Windows is started. The
virus also restores the original main boot record. When
Windows terminates, the virus infects the main boot record
again.
Goldbug has extensive retrovirus capabilities. It is able to
install itself despite the presence of programs like
VSAFE.COM or DISKMON.EXE, by tunneling past them. If Goldbug
is resident in memory, it prevents the execution of the most
common anti-virus programs. If a file's name ends with the
letters "AN" or "AV", the virus prevents it from being
executed. Among such files are, for instance, SCAN, CLEAN,
NAV, CPAV, MSAV, TBAV, TBSCAN, TNTAV etc. If the user tries
to execute such a program, Goldbug causes an execution error
and a checksum error in CMOS. When the virus spreads to a
directory, it deletes all CHKLIST files the directory may
contain, thus bypassing CPAV's and MSAV's checksum
protection.
Goldbug checks whether the system contains a modem. If the
modem receives a call, the virus makes the modem wait for
the seventh ring and then answer. This is the only
activation routine the virus contains.
F-PROT Professional is able to detect the Goldbug virus in
memory, files and boot sectors.
_1099
-----
The _1099 virus was originally found in Hong Kong during the
spring of 1994. Later, this virus was also found in China.
The first discovery of the _1099 virus in Europe happened near the
end of August in Norway, where the _1099 virus was found on
some VGA driver diskettes. These diskettes had been imported
from Hong Kong. The virus is now believed to be in the wild
in several European countries.
This virus does a good job of keeping itself encrypted
constantly, even when in memory. It has an armoured
decryption routine, which it uses both at its own start-up
and during interrupts when resident in memory. The virus
contains specific traps for debuggers. All of this makes
_1099 quite laborious to analyze.
In any case, it stays resident in memory, hooking interrupts
08h, 09h and 21h (system timer, keyboard and DOS), and
infects COM and EXE files.
F-PROT is able to detect and remove the _1099 virus.
New Viruses in Belgium
----------------------
By Pierre Vandevenne,
DataRescue S.P.R.L.
At the beginning of August, two new viruses were uploaded on
several Belgian BBSes. As the infection spread, at least
four of the sites were forced to shut down temporarily.
Sandrine
--------
Sandrine, a simple companion virus, spread through a file
called 486up.com which was supposed to improve a 486's
performance by 20 to 30%. Instead, it contained a simple
445-byte companion virus.
Sandrine took advantage of the fact that the DOS EXEC loader
executes a COM file before executing a similarly named EXE
file if both files are found in the same directory.
The Sandrine virus has an activation routine, during which it
creates a file called SANDRINE.COM. This file contains the
text "Sandrine Baillieux thoughts of you are in my mind (c)
1994 by BrokenHeart".
It seems that BrokenHeart was twice unlucky: Sandrine was
detected by F-PROT in heuristic mode. The current version of
F-PROT detects and disinfects Sandrine normally.
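Two companion tricks are described on this page: Goldbug renames PROGRAM.EXE to a system-attribute file PROGRAM and gives its companion the original name, and Sandrine relies on DOS EXEC running a COM before an EXE of the same name. Both leave a trace in a plain directory listing taken after a clean boot. The audit below is an added example, not code from F-PROT or from either author; the listing is constructed and the function and pattern names are my own.

```python
"""Companion-virus audit of a DOS directory listing (added example).

Two patterns from this bulletin are checked:
  * "com-before-exe": a COM file sitting beside an EXE of the same base
    name, which DOS EXEC runs first (the Sandrine technique);
  * "extensionless-system-file": a file without an extension carrying the
    system attribute beside an EXE of the same base name, i.e. an original
    renamed out of the way while the companion took its name (Goldbug).

Both are leads for review, not verdicts: a program may legitimately ship
as both .COM and .EXE. The listing below is constructed, and the audit is
only meaningful after a boot from a clean diskette, since a resident
stealth virus would redirect access to the renamed originals.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (pattern, paired file, EXE it pairs with)


@dataclass
class DirEntry:
    name: str
    size: int
    attrs: Set[str] = field(default_factory=set)  # DOS attribute letters R,H,S,A


def split_name(name: str) -> Tuple[str, str]:
    """Split 'PROGRAM.EXE' into ('PROGRAM', 'EXE'); no dot -> empty extension."""
    upper = name.upper()
    base, dot, ext = upper.rpartition(".")
    return (base, ext) if dot else (upper, "")


def audit_directory(entries: List[DirEntry]) -> List[Finding]:
    """Return sorted findings for the two companion patterns."""
    by_base: Dict[str, Dict[str, DirEntry]] = {}
    for e in entries:
        base, ext = split_name(e.name)
        by_base.setdefault(base, {})[ext] = e

    findings: List[Finding] = []
    for base, variants in by_base.items():
        exe = variants.get("EXE")
        if exe is None:
            continue
        com = variants.get("COM")
        if com is not None:
            findings.append(("com-before-exe", com.name.upper(), exe.name.upper()))
        bare = variants.get("")
        if bare is not None and "S" in bare.attrs:
            findings.append(("extensionless-system-file",
                             bare.name.upper(), exe.name.upper()))
    return sorted(findings)


# Constructed listing of one directory, as seen after a clean boot.
SAMPLE_LISTING: List[DirEntry] = [
    DirEntry("PROGRAM.EXE", 40960, {"A"}),        # companion wearing the original's name
    DirEntry("PROGRAM", 40960, {"S", "A"}),       # original, renamed and made system
    DirEntry("SETUP.EXE", 120832, {"A"}),
    DirEntry("SETUP.COM", 445, {"A"}),            # tiny COM that DOS will run first
    DirEntry("EDIT.COM", 413, {"A"}),             # lone COM: nothing to shadow
    DirEntry("IO.SYS", 40470, {"R", "H", "S"}),   # system file with an extension: ignored
    DirEntry("README.TXT", 2048, {"A"}),
]


def describe(finding: Finding) -> str:
    pattern, suspect, exe = finding
    return f"{pattern}: {suspect} sits beside {exe}"


if __name__ == "__main__":
    for f in audit_directory(SAMPLE_LISTING):
        print(describe(f))
```

The Goldbug check deliberately requires the system attribute: a bare file that is merely lying next to an EXE is common (data files, scripts), whereas a system-attribute, extension-less twin of an executable is the specific leftover the text describes.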
BombTrack
---------
BombTrack, a heavily armoured polymorphic virus, was
distributed hidden within the player for an erotic
animation. Bombtrack is a memory-resident COM and EXE
infector, about 2400 bytes long. It allocates 6 kB of DOS
memory at runtime and infects executables when they are run.
The virus achieves polymorphism by using variable decryptors
buried in long runs of non-significant instructions. The
virus uses a lot of anti-debugging tricks to prevent
disassembly.
Before infection, the virus erases the MSAV and CPAV
checksum files. It also carefully avoids infecting popular
anti-virus scanners.
The virus contains several bugs. Some variants are not able
to reproduce reliably and are, from a virocentric point of
view, an evolutionary dead end. The activation routine is
supposed to create a directory structure called
"\BOMBTRA.CK\NEVERYne". However, this operation is rather
poorly implemented and almost always causes severe file
system corruption.
The virus will sometimes infect an executable and fail to
modify its entry point. Such files, at first sight similar
to successfully infected ones, are not functional since the
viral code never gets the chance to be executed. Finally,
the virus doesn't take great care of the target's memory
requirements: an infected COM file can grow to more than 64
KB and an infected EXE can grow larger than the memory it
allocates. Such files are unable to execute properly.
Bombtrack is the first Belgian polymorphic virus. No scanner
was able to detect it at the time of its discovery. It elicited
a quick response from our technical support and, within 48
hours, our customers afflicted with this virus had a
reliable way to detect and eradicate it.
Hong Kong - A Crossroads for Viruses
------------------------------------
By Allan Dyer, Yui Kee Company
Hong Kong's position as the gateway to China and a major
trading centre gives it some importance in the spread of
viruses internationally. Our recent visit to China clearly
showed that there are viruses there that have never been
seen by Western virus researchers, and there is
circumstantial evidence that some recent viruses that were
first found in Hong Kong and have since been seen
internationally originated in China. Additionally, there is
a small group of local virus writers, who mainly seem to be
writing variants of Jerusalem. But it is the international
trade links that make Hong Kong a potential virus
distribution source. Large numbers of pre-formatted
diskettes are exported from China, together with
motherboards, add-in cards and machines which are assembled
or packaged (with driver diskettes) here.
Some examples will help to illustrate this:
The Nice virus, written in Hong Kong, was first found
circulating in Hong Kong BBSs in January, 1994. Two weeks
later, a minor variant was found in Northern Scandinavia and
traced to a set of video driver diskettes that had been
copied from an infected master diskette in Hong Kong.
The _1099 virus was first found in a Hong Kong company which
has a factory in China in January, 1994. Other samples of
the virus were also found in Hong Kong, only in companies
with Chinese connections, but the virus was clearly becoming
common in the Territory. At the end of August, 1994, the
virus was detected on VGA display driver diskettes sent from
Hong Kong in Norway. By looking at recent samples and
anti-virus programs from China, it is clear that _1099 is
well-known there.
These viruses are not particularly virulent (the Nice virus
overwrites its victim, so it is likely to get noticed
fast), but they have achieved international distribution by
infecting an exporter. It is necessary to hunt down new
viruses in individual countries actively, for such viruses
can quickly jump to international fame. Viruses are already
using international communications; it is up to us to make
effective use of them too to combat viruses.
Good viruses and bad viruses
----------------------------
In different forums, there has lately been much talk about
whether it is possible to make good and useful computer
viruses. The discussion has often grown rather heated, and
it seems that the question does not have a simple answer.
The main reason for the dispute has been that different
parties attach different meanings to the term `virus'. Just
about everybody agrees that the DOS utility program
DISKCOPY.EXE is a useful program _ or at least not
particularly harmful or dangerous. If some people consider
DISKCOPY to be a virus because it is capable of
replicating itself, disagreements are bound to occur. This
kind of argument has often been the source of disputes
over useful viruses.
The following article by Vesselin Bontchev discusses the
problems inherent in useful viruses exhaustively. Vesselin
Bontchev is one of the world's most respected virus
researchers. He works in the Virus Test Center of the
University of Hamburg.
A dozen reasons why a "good" virus is a bad idea
------------------------------------------------
By Vesselin Bontchev
I. Technical points:
--------------------
1. Once released, one cannot control how the virus will
spread; it may reach an unknown system (or one which did not
even exist at the time the virus was created) in which it
can cause non-intentional damage. Any virus that claims to
be beneficial must contain measures to prevent this. For
instance, if it infects a particular object, it must at
least keep a cryptographically strong checksum of this
object, in order to make sure that it does not infect
anything else by mistake. And this is only a simplistic
example; in reality, the precautions must be much more
elaborated.
A virus that claims to be beneficial should be controllable.
It should be possible to easily prevent the infection even
of a system that has never heard about the virus; it should
be possible to remove the infection easily from any infected
system, without causing any harm; and it should be possible
to send a message to all instances of the virus to terminate
themselves, restoring the infected systems to their
uninfected state - or to update themselves. Such a message
should propagate faster than the virus itself. In some
sense, such messages would be "viruses" in the
"computational environment" consisting of all existing
copies of the virus, just like the virus is a virus in the
"normal" computational environment (the one that the user
uses). If such a solution is implemented, there's still
danger, although danger of a different kind. Suppose that a
system uses the beneficial virus and relies on it. Then a
malicious attacker can send a message to the virus to
terminate itself, thus causing harm to the system (a denial
of service attack). Therefore, the message should be
cryptographically authenticated. In short, the virus should
be able to authenticate itself to the system and the system
should be able to authenticate itself to the virus.
The user of a beneficial virus should actively invite (e.g.
install) the virus on his/her system. It is not enough that
the virus asks for a permission, because this forces users
to take some measures in order to keep their systems
virus-free. By default (i.e. if no measures are taken), the
virus should not infect systems. The virus should infect a
system only if it finds some kind of an "invitation". There
must be a way to turn off the prompting - the user must both be able
to set the default action to "no, don't infect" (by removing
the invitation or not installing it in the first place) and
to "yes, keep infecting without asking". And again,
cryptographic means should be used to ensure that what the
virus sees as invitation is indeed one and not some kind of
a mistake.
No uncontrollable mutations of the virus should happen,
either of random (errors) or deterministic (intentional
changes) nature.
2. Anti-virus programs would have to distinguish between
"good" and "bad" viruses, which is essentially impossible.
Also, the existence of useful programs which modify other
programs at will would make integrity checkers essentially
useless, because they are only able to detect the
modifications, not to determine whether they have been
caused by a "good" virus. Therefore, a virus that claims to
be beneficial must not modify other programs.
3. A virus will eat up disk space and time resources
unnecessarily while it spreads. A virus is a self-replicating
resource eater. Therefore, a virus that claims
to be beneficial should keep only one instance of itself per
infected machine, and the costs of the time and other
resources used by it must be negligible compared to the
benefits it brings to the user.
4. A virus can contain bugs which may damage something or
harm somebody. Any program can be buggy, but a buggy virus
is a self-spreading buggy program which is out of control.
5. A virus will disable the few programs on the market which
check themselves for modifications and halt themselves if
they have been changed. It is important to repeat again that
a virus which claims to be beneficial must not modify other
programs.
Summary of technical points against "good" viruses:
· impossibility to control it or possibility to lose control
over it
· uncertainty in discerning "good" from "bad" viruses
· resource wasting
· bugs which are harder to detect and easier to spread
around
· modification of programs
The above points apply to all practical systems in use
today, i.e. all systems which are based on von Neumann's
architecture.
II. Ethical/legal points:
-------------------------
6. It is unethical to modify somebody's data without his or
her active authorization. In several countries this is also
illegal. The user of a beneficial virus must actively invite
the virus to infect his or her machine. The virus must wait
for an invitation, not bother the user by asking for a
permission. It must not sneak in without one, either.
7. If the virus modifies a program, the program's owner may
lose his or her rights for technical support, ownership, or
copyright. A case reported recently to VTC-Hamburg
provides an example. In that case, a program's manufacturer
refused technical support to somebody whose system was
infected - they insisted that their product be re-installed.
8. An attacker can use a "good" virus as a means of
transportation to penetrate a system. That is why a "good"
virus must be able to authenticate itself to the system, and
the system must be able to verify that the virus is exactly
what it claims to be. A person with malicious intents can,
furthermore, get a copy of the "good" virus and modify it to
include something malicious. Actually, an attacker can
trojanize any program, but a "good" virus will provide the
attacker with means to transport his malicious code to a
virtually unlimited population of computer users. The
possibility to transport malicious code is one of the things
that makes a virus "bad".
9. Declaring some viruses "good" will just give the crowd of
virus writers an excuse to claim that they are actually
doing "research". Work involving potentially dangerous
things - either poisonous substances or self-replicating
programs - should be left to people who have (a) the moral
and ethical stability and (b) the technical expertise to do
it.
10. Anything useful that can be done with a virus can also
be done with a normal, non-replicating program. Any virus
that claims to be beneficial must do something that either
cannot be done by a non-viral program, or is not done as
effectively as with a viral one to avoid problems stated in
previous points.
Summary of ethical/legal points against "good" viruses:
· modification of data/programs without active authorization
of user
· possibility to lose ownership rights for infected programs
· possibility to modify a "good" virus with malicious code
to transport such a code further
· the question of responsibility of persons writing viruses
· the question of suitability of "good" viruses to perform a
certain task
III. Psychological points:
--------------------------
11. Virus activity ruins the trust that a user has in his or
her machine. The impression that a virus steals the user's
control of the machine can cause the user to lose his or her
belief that she or he can control it. It may become a source
of permanent frustrations.
12. For most people, the label "computer virus" is already
loaded with negative meaning. They will not accept a program
called that, even if it claims to do something useful.
This article was originally published in the Alive magazine,
Volume I, Issue 1. For more information about the Alive
electronic magazine, e-mail
Suzana Stojakovic-Celustka at celust@cslab.felk.cvut.cz.
The author, Vesselin Bontchev, can be contacted at
bontchev@fbihh.informatik.uni-hamburg.de.
False alarms of anti-virus products
-----------------------------------
Editor's note: The following article is a response to the
article "False Alarms" in F-PROT Update Bulletin 2.13. The
article is written by Mr. Guenter Musstopf from
perComp-Verlag GmbH, Germany. perComp-Verlag develops the
German version of F-PROT Professional and distributes it in
Germany, Austria and Switzerland.
First of all, we must discuss the question "How to define a
false alarm?":
A false alarm occurs when a program - such as a virus
scanner - performs a test on objects and reports a feature
which is not true or which is not present.
Below are two typical examples of false alarms generated by
scanners:
Example 1: A scanner reports a virus in a file, but the file
is clean and does not contain the said virus.
Example 2: A scanner reports a resident virus in memory. The
virus is not active, however. The computer's memory contains
only an image of the virus's code (e.g. due to accessing an
infected floppy). Therefore, the virus is not resident. This
kind of a false alarm is also called a "ghost positive".
Heuristic scanners produce similar false positives. For
example, they may report something like "The file ... is
possibly infected by a virus".
Let's move on to another question: Do integrity checkers -
such as F-CHECK - generate false positives? Bearing in mind
the above-mentioned definition for a false positive, the
answer is NO.
If an integrity checker reports changes in an object (file,
boot sector or master boot record), the object has really
changed. However, integrity checkers do not search for
viruses per se, and they do not claim that detected changes
are due to a virus infection. Nevertheless, some PC users
misunderstand the reports given by integrity checkers, even
if the reports do not mention the term "virus", or a
specific virus name. If an integrity checker reports changes
in one or more objects, it is up to the user to find out
what has caused the changes. The changes may be due to one
of the following reasons:
· A program has been updated without simultaneously updating
the integrity checker's database.
· The boot sectors have changed because the user has
installed a new version of DOS or a new or modified
version of an anti-virus program. The integrity checker's
database has to be updated after such installations.
· The system contains self-modifying programs made by
someone with bad programming habits. These programs use
their own executable files to store parameters which can
be selected by the user. According to normal programming
conventions, such parameters should be stored in an
external, non-executable configuration file. SETVER from
MS-DOS is an example of such a program.
· Finally a virus may have infected the object. The object
may also have been destroyed by an overwriting virus.
To sum it up, an integrity checker may report modifications
for one of the following three reasons:
· The user has forgotten to update the integrity checker's
database.
· A programmer has done a bad job. In this case, the self-
modifying program files should never be checked. This
means that although the names of these files are stored in
the integrity checker's database, the checker won't bother
to check the files for modifications.
· The modifications have been caused by a virus.
What can be done to get rid of these warnings?
The first kind of warnings will not be encountered if the
integrity checker's database is updated after each new
program installation. Therefore, the integrity checker's
maintenance facilities must be easy to use - even by end
users who are only able to install or update an application
package.
The second kind of warnings can be avoided by setting the
status of self-modifying program files to "Never".
In the third case, the modified objects should be checked
with a scanner. This will reveal whether the changes are
caused by an already known virus. If the scanner does not
find a known virus, the suspicious object(s) should be sent
to the scanner's manufacturer. The manufacturer can examine
the objects, and find out whether some unknown virus has
caused the modifications. If necessary, the manufacturer can
then update his product.
F-CHECK contains the following features for restoring
infected files:
If a scanner finds a known virus, F-CHECK can in many cases
restore the infected object to its original state without
any risk (this holds true even if the scanner itself cannot
disinfect the virus). In most cases, the restoration can be
effected even if the virus is a new one which the scanner
cannot identify yet.
Even if the virus has overwritten a part of the object (like
some of the variants of the Vienna virus do), F-CHECK can
restore the object by using additional information stored in
its database.
As a general rule, a user has to be familiar with the basic
functions of the anti-virus product he or she is using.
These functions can be compared to the different programs of
a washing machine, of which a user also needs a minimum of
understanding. Integrity checkers do not report viruses, but
changes in the objects they survey! If users update the
integrity checker's database after each new program
installation or update, they can avoid unnecessary warnings.
Guenter Musstopf
perComp-Verlag GmbH
percomp@infohh.rmi.de
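The checker described in the article above, as an added illustration (this is not F-CHECK and not Data Fellows' code): a baseline of size, SHA-256 and the first 64 bytes of each object, a "Never" status for self-modifying files, and a restore that succeeds only when an appending virus patched nothing beyond the stored header. The database layout, the 64-byte header size, the simulated infector and the file names TOOL.COM and OLD.COM are assumptions made for the example; SETVER is the article's own example of a self-modifying program.

```python
# Added illustration of the integrity-checker ideas in the article above.
# It is not F-CHECK and does not use F-CHECK's database format: the record
# layout, the "Never" status and the restore rule are assumptions of this example.
import hashlib
import os
import tempfile

HEADER_BYTES = 64   # bytes from each file's start kept in the baseline for restoration


def _read(path):
    with open(path, "rb") as f:
        return f.read()


class IntegrityDB:
    """Baseline of surveyed objects: size, SHA-256 and the first HEADER_BYTES."""
    def __init__(self):
        self.entries = {}    # path -> {"size", "sha256", "header"}
        self.never = set()   # status "Never": listed, but skipped by check()

    def record(self, path):
        """(Re)baseline one object; run after every legitimate install or update."""
        data = _read(path)
        self.entries[path] = {"size": len(data),
                              "sha256": hashlib.sha256(data).hexdigest(),
                              "header": data[:HEADER_BYTES]}

    def set_never(self, path):
        """Mark a self-modifying program (SETVER-style) so it never raises a warning."""
        self.never.add(path)

    def check(self):
        """Report changed objects as {path: reason}. A change is not a virus verdict."""
        changed = {}
        for path, rec in self.entries.items():
            if path in self.never:
                continue
            if not os.path.exists(path):
                changed[path] = "object missing"
                continue
            data = _read(path)
            if hashlib.sha256(data).hexdigest() == rec["sha256"]:
                continue
            if len(data) != rec["size"]:
                changed[path] = "size %d -> %d" % (rec["size"], len(data))
            else:
                changed[path] = "contents modified, size unchanged"
        return changed

    def restore(self, path):
        """Undo an appending infection that patched only the stored header: cut the
        file back to its original size, put the header back, and keep the result only
        if it hashes to the baseline. Returns False when the damage lies elsewhere."""
        rec = self.entries[path]
        data = _read(path)
        candidate = rec["header"] + data[len(rec["header"]):rec["size"]]
        if hashlib.sha256(candidate).hexdigest() != rec["sha256"]:
            return False
        with open(path, "wb") as f:
            f.write(candidate)
        return True


def simulate_appending_infection(path, body=b"<constructed virus body>" * 4):
    """Constructed stand-in for a COM appender: overwrite the entry point with a
    JMP to the appended body (x86 E9 rel16, counted from the byte after the JMP)."""
    data = _read(path)
    jmp = b"\xe9" + (len(data) - 3).to_bytes(2, "little")
    with open(path, "wb") as f:
        f.write(jmp + data[3:] + body)


def demo():
    """Play through the three cases from the article and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        tool, setver, old = (os.path.join(d, n) for n in ("TOOL.COM", "SETVER.EXE", "OLD.COM"))
        for p in (tool, old):
            with open(p, "wb") as f:
                f.write(b"\xb4\x4c\xcd\x21" + b"\x90" * 300)   # INT 21h/4Ch, then padding
        with open(setver, "wb") as f:
            f.write(b"MZ" + b"\x00" * 200)
        db = IntegrityDB()
        for p in (tool, setver, old):
            db.record(p)
        db.set_never(setver)
        # 1. A self-modifying program stores user parameters inside its own file.
        with open(setver, "r+b") as f:
            f.seek(120)
            f.write(b"USERPARAM")
        quiet = db.check()                       # {}: SETVER has status "Never"
        # 2. Appending infection of TOOL.COM, reported and then undone from the baseline.
        simulate_appending_infection(tool)
        report = {os.path.basename(k): v for k, v in db.check().items()}
        restored_tool = db.restore(tool)
        after_restore = db.check()               # {}: TOOL.COM hashes to the baseline again
        # 3. Overwriting damage beyond the stored header cannot be undone from this data.
        with open(old, "r+b") as f:
            f.seek(200)
            f.write(b"\x00" * 50)
        restored_old = db.restore(old)
        return {"quiet": quiet, "report": report, "restored_tool": restored_tool,
                "after_restore": after_restore, "restored_old": restored_old}
```

Running demo() plays through the three cases: the SETVER change stays silent because the file has status "Never", the appending infection of TOOL.COM is reported as a size change and undone, and restore() refuses OLD.COM because the overwritten bytes lie outside the data this baseline keeps. F-CHECK's database stores more than a 64-byte header, which is why it can also restore objects partially overwritten by Vienna variants.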
F-PROT support informs: Common Questions and Answers
----------------------------------------------------
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact Data Fellows directly at the number +358-0-692
3622.
Written questions can be mailed to:
Data Fellows Ltd
F-PROT Support
Wavulinintie 10
00210 HELSINKI
Finland
Questions can also be sent by electronic mail to:
Internet: f-prot@datafellows.fi
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
I have a Unix clone operating on my PC, Linux to be exact.
Nevertheless, I would like to check my computer for DOS
viruses every now and then. Can I run a check with F-PROT?
You can. Install DosEmu for Linux and run F-PROT under
it. DosEmu is available on the Internet from
sunsite.unc.edu, in the directory
pub/Linux/Emulators/dosemu. With F-PROT, PCs running
other Unix clones can also be checked for boot
sector viruses, but in that case the computer must
first be booted from a clean DOS diskette. Boot
sector viruses are practically the only viruses
capable of infecting PCs that run a Unix-based
operating system.
I have had some trouble installing F-PROT Professional for
Windows to network. How should I go about it to make sure
that the workstations communicate with the server properly?
The installation of F-PROT Professional for Windows
differs from that of most other Windows programs
because of its more advanced installation method:
pre-defined default settings can be installed on the
workstations as part of the installation. We'll
start by installing the administrator's copy of the
program:
1. Start the process by copying the contents of the F-
PROT for Windows installation diskette to a shared
directory on the network server. In this example,
we'll use the directory V:\FPWSETUP.
2. Execute the program V:\FPWSETUP\SETUP from Windows.
3. When the installation program starts, choose
Complete installation as the installation option.
Next, turn on the Administrator radio button and
enter a suitable Admin password.
4. Make sure that you have checked the check-boxes
Enable Network Usage and Load Task Agent at Startup.
5. Choose a suitable target directory from your local
hard disk, for example C:\WINDOWS\F-PROTW.
6. Click Continue.
7. Choose a shared directory on the network server to
be the Communication Directory. In this example,
we'll use the directory V:\COMM-DIR. If you cannot
find a suitable directory, check the Establish
Shared Directory checkbox.
8. Enter a name for the Workgroup. This can be, for
example, the name of the office where the
installation is taking place. The application uses
the workgroup's name for internal communication, to
identify messages sent to a certain workgroup over
the network. Click Continue.
9. Enter the Organization Name and User Name. Be sure
to enter the correct Organization Name, for it will
carry over to all further copies of the program
installed after the administrator installation. Only
the administrator can change the Organization Name.
Click Install.
10. The installation program completes the installation.
Icons for executing the program, as well as certain
preconfigured scans, are added to Program Manager.
11. Start F-PROT by double-clicking the icon labeled F-
PROT Professional for Windows.
12. You can now modify the program's default settings.
You can, for example, change the Preferences
settings (choose the command Preferences from the
Edit menu), add or change Tasks, add buttons to the
Button Bar, and modify the program's startup
settings; for instance, you may wish to make F-PROT
start up in the Button Bar mode by default. We
suggest that you do not change the default task Scan
hard drives when idle, however. This task causes a
virus scan to be performed on the computer's hard
disk when the machine has been left alone for a
predetermined time. By default, the disk is scanned
after 30 idle minutes.
13. When you are satisfied with the changes you have
made to the program, you can transfer the
modifications to the master installation directory
on the network server. Choose the command Create
Distribution Diskette from the Administration menu,
and select V:\FPWSETUP as the destination
directory.
Next, we'll do a complete workstation installation:
1. Install F-PROT Professional for Windows to a
workstation by executing the program
V:\FPWSETUP\SETUP from Windows. Choose the Complete
installation option and enter the target directory
on the local hard disk (we recommend using the
directory C:\WINDOWS\F-PROTW). Enter the User Name.
The installation program will install the program on
the workstation. The modifications made during
administrator installation will be carried over to
the program copy installed on the workstation.
2. You can modify the icons in Program Manager's F-PROT
Group as you wish: for example, if you need only the
icons for scanning the hard drive and drive A:, you
can delete the others.
We have now performed a sample workstation
installation of F-PROT Professional for Windows.
Make sure that you have the necessary access rights
to the directories V:\FPWSETUP and V:\COMM-DIR.
Suppose I want to install F-PROT for Windows on the network
server and use this single copy from all the workstations.
What do I do then?
Again, we'll start with the administrator
installation:
1. Start the installation by copying the contents of
the F-PROT for Windows installation diskette to a
shared directory on the network server. In this
example, we'll use the directory V:\FPWSETUP.
2. Execute the program V:\FPWSETUP\SETUP from Windows.
3. Choose the Complete installation option and turn on
the Administrator radio button. Enter the Admin
password.
4. Make sure that you have checked the checkboxes
Enable Network Usage and Load Task Agent at Startup.
5. Choose a suitable target directory on the shared
drive, in this example V:\F-PROTW.
6. Click Continue.
7. Choose a suitable directory on the shared drive to
be the Communication directory. In this example,
we'll use the directory V:\COMM-DIR. If you cannot
locate a suitable directory, check the Establish
Shared Directory checkbox.
8. Enter a name for the Workgroup. The workgroup's name
can be, for example, the name of the office where
the installation is taking place. The application
uses the workgroup's name for internal
communication, to identify messages sent to a
certain workgroup over the network. Click Continue.
9. Enter the Organization Name and User Name. Make sure
that the Organization Name is correct, for it will
be shown to all users using F-PROT over the network.
Only the administrator can change the Organization
Name. Click Install.
10. The installation program completes the installation.
Icons for executing the program, as well as certain
preconfigured scans, are added to Program Manager.
11. Start F-PROT by double-clicking the icon labeled F-
PROT Professional for Windows.
12. You can now modify the program's default settings.
You can, for example, change the Preferences
settings (choose the command Preferences from the
Edit menu), add or change Tasks, add buttons to the
Button Bar, and modify the program's startup
settings; for instance, you may wish to make F-PROT
start up in the Button Bar mode by default. We
suggest that you do not change the default task Scan
hard drives when idle, however. This task causes a
virus scan to be performed on the computer's hard
disk when the machine has been left alone for a
predetermined time. By default, the disk is scanned
after 30 idle minutes.
13. When you are satisfied with the changes you have
made to the program, you can transfer the
modifications to the master installation directory
on the network server. Choose the command Create
Distribution Diskette from the Administration menu,
and select V:\FPWSETUP as the destination
directory.
Next, we'll do a Remote workstation installation:
1. Install F-PROT Professional for Windows to a
workstation by executing the program
V:\FPWSETUP\SETUP from Windows. Choose the Remote
installation option and enter the target directory
on the local hard disk (we recommend using the
directory C:\WINDOWS\F-PROTW). Click Continue.
2. Enter the path to the F-PROT copy stored in the
shared directory (V:\F-PROTW) and click Continue.
3. Enter the User Name and click Install. The
installation program will install the program on the
workstation. The modifications made during
administrator installation will be carried over to
the program installed on the workstation.
4. You can modify the icons in Program Manager's F-PROT
Group as you wish: for example, if you need only the
icons for scanning the hard drive and drive A:, you
can delete the others.
We have now completed a Remote workstation
installation of F-PROT Professional for Windows.
Make sure that you have the necessary access rights
to the directories V:\FPWSETUP, V:\F-PROTW and
V:\COMM-DIR.
Changes in Version 2.14
-----------------------
Changes in F-PROT for Windows
-----------------------------
It is now possible to update VIRSTOP.EXE centrally from the
network server to local workstations by using F-PROT for
Windows. When F-PROT for Windows starts, it checks a file
called FPW-PREF.INI. Copy this file to the same directory
with F-PROTW.EXE.
The file should contain lines like:
[Update]
Source=V:\MASTER\F-PROT
Destination=C:\F-PROT
The FPW-PREF.INI file shown above makes F-PROT for Windows
copy files from the server directory V:\MASTER\F-PROT to the
local directory C:\F-PROT each time it starts. The
administrator needs to update VIRSTOP only in the master
directory on the server, and F-PROT for Windows makes sure
that every workstation will soon be running an up-to-date
copy of VIRSTOP. Because every workstation copies whatever it
finds in the Source directory, write access to that directory
should be limited to the administrator.
The functioning of the General/Run Scheduled Tasks Minimized
preference has been changed slightly. Scheduled tasks (both
distributed and normal tasks) that are executed by starting
F-PROT via F-Agent will always run minimized, regardless of
the preference setting. The scheduled tasks that get into
execution while the main program is already running will run
either minimized or not, depending on the preference
setting.
No network connection is attempted at startup if the
workgroup name and the communication path are missing from
the configuration file. Instead, the user is shown an
informational message box. This situation arises if the
user has made a Network/User installation from a diskette
which the administrator has not created with the Create
Distribution Disk command.
The Help button works now also in the Bulletin Attributes
dialog.
Changes in F-PROT for DOS
-------------------------
F-PROT for DOS 2.14 returns ERRORLEVEL 8 upon finding
suspicious files. Such files are usually not virus-infected,
but it may be a good idea to check them more closely anyway.
Note that if you have been using a batch file to run F-PROT,
you will need to update the batch file as well in order to
catch errorlevel 8. Because IF ERRORLEVEL n is true for any
return value of n or higher, an unchanged batch file will
see the return value as errorlevel 7, which is the `out of
memory' error. The FP.BAT file included on the F-PROT for
DOS installation diskette has been updated accordingly.
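An added model of the ERRORLEVEL pitfall, not Data Fellows' FP.BAT: DOS evaluates IF ERRORLEVEL n as "the return code is n or higher", so a chain written before level 8 existed sends 8 to the out-of-memory branch, and a chain written in ascending order sends every nonzero code to its first label. classify() applies that rule to a chain, and render_batch() emits a batch file in the correct descending order. Only levels 7 and 8 come from the page; the label OTHER for the remaining nonzero levels and the invocation F-PROT C: are assumptions for the example.

```python
# Added model of DOS "IF ERRORLEVEL n" dispatch; not Data Fellows' FP.BAT.
# Only levels 7 (out of memory) and 8 (suspicious files) are from the page;
# the OTHER label and the scan arguments are assumptions for this example.

# (threshold, label) pairs in the order the batch file tests them
OLD_CHAIN = [(7, "NOMEM"), (1, "OTHER")]                  # written before level 8 existed
NEW_CHAIN = [(8, "SUSPECT"), (7, "NOMEM"), (1, "OTHER")]  # updated for F-PROT 2.14
ASCENDING = [(1, "OTHER"), (7, "NOMEM"), (8, "SUSPECT")]  # wrong order: 1 catches everything


def classify(return_code, chain):
    """Return the label the batch file would GOTO for return_code under DOS
    semantics: the first 'IF ERRORLEVEL n' with n <= return_code wins."""
    for threshold, label in chain:
        if return_code >= threshold:
            return label
    return "CLEAN"


def render_batch(chain, scan_args="C:"):
    """Emit an FP.BAT that runs F-PROT.EXE (assumed on the PATH) and dispatches
    on its return code with the given chain; pass a descending chain."""
    lines = ["@ECHO OFF", "F-PROT %s" % scan_args]
    lines += ["IF ERRORLEVEL %d GOTO %s" % (n, label) for n, label in chain]
    lines.append("GOTO CLEAN")
    for _, label in chain:
        lines += [":%s" % label, "ECHO F-PROT returned %s" % label, "GOTO END"]
    lines += [":CLEAN", "ECHO No viruses found", ":END"]
    return "\r\n".join(lines) + "\r\n"
```

classify(8, OLD_CHAIN) lands on NOMEM and classify(8, ASCENDING) on OTHER; only NEW_CHAIN, tested from 8 downward, reaches SUSPECT. Any batch file that branches on F-PROT's return code needs the same ordering.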
File names longer than 78 bytes were not displayed correctly.
Fixed.
Changes Common to DOS, Windows and OS/2 versions
------------------------------------------------
We have introduced a new scanning "engine" which does not
use search strings like the earlier one. This engine has
been added to F-PROT to function side by side with the old
one. Currently, the engine can detect only a small number of
viruses, but all new viruses are added to it. We are also
converting the detection of "old" viruses. When the
conversion is finished, users of F-PROT can expect a
significant speed increase, as well as a significant
reduction in memory requirements.
The "Quick Scan" option has been removed, for it was not
significantly faster than the regular scan. This has
reduced the size of the program by 20 kB and reduced the
memory requirements of F-PROT for DOS even more.
Some false MtE alarms on non-executable files have been
fixed.
Some V2P6-infected files were incorrectly reported as having
been infected by a "New or modified variant of
Invisible_Man". This has been fixed, identification of the
Invisible_Man has been improved, and disinfection of both
viruses has been added to the program.
Heuristic analysis will now also report "armored" programs -
programs containing tricks that make heuristic analysis and
analysis in general difficult, but which are not necessarily
virus-infected. Programs protected with the Protect! utility
are among such programs.
New Viruses Detected by F-PROT 2.14
-----------------------------------
The following 17 viruses are now identified, but cannot be
removed as they overwrite or destroy infected files. Some
of them were detected by earlier versions of F-PROT, but
only reported as "New or modified variant of..."
Burger.382.B
Burger.382.C
Burger.441.B
Cop-Com.286
Doubleheart.452.A
HLLO.Black_Crypt
Leprosy.Busted.572
Leprosy.D
Lesson_1.305
Necropolis.B
Necropolis.C
Rythem.827
Trivial.43.D
Trivial.44.E
VCL.Butthole
VCL.Mindless.423.B
_81
F-PROT can detect and remove the following 149 new viruses.
Earlier versions of F-PROT could detect many of these
viruses, but now they are also identified accurately.
ARCV.Christmas.678
Aurea.768
Barrotes.849
Barrotes.1310.F
Barrotes.1310.G
Buffeater
Bupt.1220.C
Cascade.1701.T
Cascade.1701.U
Cascade.1701.V
Chemist
Civil_War.245
Cmagic.878
Cmagic.2015
Cmagic.2246
Crucifix.2914
Crucifix.2916
Cybertech.1066
Cybertech.1228
Damir
Danish_Tiny.310.B
Delwin
Demolition.B
Dicker
Ear.380
ECW-X
Filehider.1057
Foetus
Genesis.217
Genesis.226
Genesis.238
Genesis.295
Ginger.2691
Gippo.Epidemic.1249
Green_Caterpillar.1575.H
Helicopter
Hello.A
Hello.B
HLLC.Christmas.15264
HLLC.Crawen.8306
HLLC.Crawen.8516
IMI.1538
IMI.1656
Iron
Is_dead
IVP.260
IVP.April
IVP.DNA
IVP.Mandela.943
Jack
Jerusalem.1808.new8
Jerusalem.1808.Rambo
Jerusalem.1801.SUmsDos.AD
Jerusalem.5120
Jerusalem.Anticad.3012.F
Jerusalem.AntiCad.4096.E
Jerusalem.AntiCad.4096.F
Jerusalem.AntiCad.4096.G
Jerusalem.AntiCad.4096.H
Jerusalem.AntiCad.4096.I
Jerusalem.Sunday.L
Jerusalem.Sunday.M
Jerusalem.Tarapa.C
Just.1056
Kali
Kaos.A
Kaos.B
Keeper.Lemming
Kemerovo.404
Keypress.1232.M
Kaypress.1258
Kipa
Klepavka
Lastyear.743
LM.345
LM.354
LM.609
MadWill.A
MadWill.B
Malaria
Marauder.867
Mayberry.793
Miras
Mordor.1104
Multiflu
Multiplex
My_Child
Natas.4746
Phalcon.Cool
Platov
PS-MPC.339.F
PS-MPC.347.K
PS-MPC.574.E
PS-MPC.578.H
PS-MPC.Alien.733
PS-MPC.ARCV-4.742
PS-MPC.Asstral
PS-MPC.G2.Mudshark.312
PS-MPC.Joshua.964
PS-MPC.Polder.J
PS-MPC.Shiny.934
PS-MPC.Sucker
PS-MPC.Tester
S_man
Sandrine
SHHS.591
Shizu
Skid_row.415
Skid_row.418
Skid_row.432
Specified
Suriv-1.Cock
Sybille.853
Sylwia
Tai-Pan
Trakia.561
Trident.439
Trjp
Troi.E
VCL.609
VCL.Beepop
VCL.Bigtime
VCL.Black_Death
VCL.Dumbco
VCL.Genesis
VCL.Gif
VCL.Westward
Vienna.648.Oscar.A
Vienna.648.Oscar.B
Vienna.648.Oscar.C
Vienna.778
Vienna.Violator.707.B
Vienna.Violator.5286.B
Vivat
Void
VS.1919
Wizard.312
XPH.1010
Yankee_Doodle.2167
YB.316
_172
_391
_521
_604
_632
_713
_736
_928
_934
The following 20 new viruses can now be detected but not yet
removed.
_388
Astra.505
Astra.882
Astra.1556
Attitude.724
Attitude.825
Crazy_Priest
Die_Hard
Foetus.1510
Jerusalem.Vtech.2513
Jerusalem.Vtech.2880
Jerusalem.Vtech.2886
JH
Jump
Raptor.B
Switch
Taz.987
Taz.995
Taz.1041
VCL.Renegade
The following 4 viruses which were detected by earlier
versions can now also be removed.
Catbuncle
Invisible_Man.2926
Invisible_Man.3223
Todor
The following virus has been renamed in order to make F-PROT
follow the CARO naming standard as closely as possible.
604 -> Lastyear