Text File | 1995-10-17 | 36KB | 819 lines
F-PROT Professional 2.20 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com
This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.20 is mentioned. Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------
Contents 5/95
=============
Vesselin Bontchev to join F-PROT Development
Macro Viruses
The Global Virus Situation
Peter_II
Die_Hard
Finnish.378
Quicky
A New Macintosh Virus
News in Short
F-PROT Gatekeeper Praised by PC Plus
New Features in Data Fellows Ltd's Web Server
Questions and Answers
Changes in Version 2.20
Vesselin Bontchev to join F-PROT Development
---------------------------------------------
We're happy to tell you that one of the world's most respected virus
researchers, research associate Vesselin Bontchev from the Virus Test
Center in Hamburg, has started working full-time with F-PROT.
Vesselin has moved from Germany to Iceland, and started working at
Frisk Software International in September.
Vesselin Bontchev is originally a Bulgarian. He graduated from the
Sofia Technical University in 1985, with an MSc in Computer Science.
After graduating, he spent a year working at the university's
Laboratory for Microprocessors and Microcomputers. After that, he
worked for five years at the Institute of Industrial Cybernetics and
Robotics in the Bulgarian Academy of Science, building expert
systems.
Bontchev became interested in computer viruses in 1988. Two years
later, he became the Director of the Computer Virology Laboratory in
the Bulgarian Academy of Science. He has just finished his PhD thesis
(about viruses, what else) at the Virus Test Center (VTC) in Hamburg.
Vesselin is very well known for the excellent technical papers he has
written, as well as for the work he has done in testing different
anti-virus programs. VTC tests are among the most respected tests in
the industry.
We're especially happy to be working with Vesselin because he is
respected by all parties in the anti-virus industry - and because he
chose to start working with F-PROT.
Macro Viruses
-------------
Macro viruses are a new kind of threat to computer systems. This
newly emergent enemy attacks computer users from a blind side,
infecting document files instead of programs. Not to worry, though -
new features in F-PROT make it able to detect macro viruses as well
as ordinary ones.
Macro Viruses: a New Kind of Enemy
----------------------------------
Macro viruses are not a new concept - they were predicted as early as
the late eighties. At that time, the first studies about the
possibility of writing viruses with the macro languages of certain
applications were made.
However, macro viruses are not just a theory any more. Currently,
there are three known macro viruses. They have all been written with
WordBasic, the powerful macro language of Microsoft Word. These
viruses spread through Word documents - Word's advanced template
system makes it an opportune environment for viral mischief. This is
problematic, because people exchange documents a lot more than
executables or floppy disks. Macro viruses are also very easy to
create or modify.
Although other word processors like WordPerfect and Ami Pro do
support reading Word documents, they can not be infected by these
viruses. It is not impossible to write similar viruses for these
systems, however.
WordMacro.DMV
-------------
WordMacro.DMV is probably the first WinWord macro virus to have been
written. It is a test virus, written by a person called Joel McNamara
to study the behavior of macro viruses. As such, it is no threat - it
announces its presence in the system, and keeps the user informed of
its actions.
Mr. McNamara wrote WordMacro.DMV over a year ago, in fall 1994 -
at the same time, he published a detailed study about macro viruses.
He kept his test virus under wraps until a real macro virus,
WordMacro.Concept, was recently discovered. At that time, he decided
to make WordMacro.DMV known to the public. We oppose such
behaviour; although it can be argued that spreading such information
will educate the public, we can also expect to see new variants of
the DMV virus, as well as totally new viruses inspired by the
techniques used in this virus. McNamara also published a skeleton for
a virus to infect Microsoft Excel spreadsheet files.
F-PROT is able to detect the WordMacro.DMV macro virus.
WordMacro.Concept
-----------------
WordMacro.Concept - also known as Word Prank Macro or WW6Macro - is a
real macro virus which has been written with the Microsoft Word v6.x
macro language. It has been reported in several countries, and seems
to have no trouble propagating in the wild.
WordMacro.Concept consists of several Word macros. Since Word macros
are carried with Word documents themselves, the virus is able to
spread through document files. This is a quite ominous development -
so far, people have only had to worry about infections in their
program files. The situation is made worse by the fact that
WordMacro.Concept is also able to function with Microsoft Word for
Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95
and Windows NT environments. It is, truly, the first functional
multi-environment virus, although it can be argued that the effective
operating system of this virus is Microsoft Word, not Windows or
MacOS.
The virus gets executed every time an infected document is opened. It
tries to infect Word's global document template, NORMAL.DOT (which is
also capable of holding macros). If it finds either the macro
"PayLoad" or "FileSaveAs" already on the template, it assumes that
the template is already infected and ceases its functioning.
If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT,
it copies the viral macros to the template and displays a
small dialog box on the screen. The box contains the number "1" and
an "OK" button, and its title bar identifies it as a Word dialog box.
This effect seems to have been meant to act as a generation counter,
but it does not work as intended. This dialog is only shown during
the initial infection of NORMAL.DOT.
Picture of the dialog WordMacro.Concept displays during initial infection
After the virus has managed to infect the global template, it infects
all documents that are created with the "Save As" command. It is then
able to spread to other systems on these documents - when a user
opens an infected document on a clean system, the virus will infect
the global document template.
The virus consists of the following macros:
AAAZAO
AAAZFS
AutoOpen
FileSaveAs
PayLoad
Picture of the Tools/Macro menu in an infected copy of Word
Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and
some users may already have attached these macros to their documents
and templates. In this context, "PayLoad" sounds very ominous. It
contains the text:
    Sub MAIN
        REM That's enough to prove my point
    End Sub
However, the "PayLoad" macro is not executed at any time.
You can detect the presence of the WordMacro.Concept macro virus in
your system by simply selecting the command Macro from Word's Tools
menu. If the macro list contains a macro named "AAAZFS", your system
is infected.
You could prevent the virus from infecting your system by creating a
macro named "PayLoad" that doesn't have to do anything. The virus
will then consider your system already infected, and will not try to
infect the global template NORMAL.DOT. This is only a temporary
solution, though - somebody may modify the virus's "AutoOpen" macro
to infect the system regardless of whether NORMAL.DOT contains the
macros "FileSaveAs" or "PayLoad".
There is also an anti-macro-virus package called WVFIX available. This
package will detect if your copy of Word is infected, and will clean it
if needed. It can also modify your Word settings so that this specific
macro virus will be unable to infect it. WVFIX is available on the
F-PROT for DOS diskette.
Concept is quite widespread. It has been found on several CD-ROMs,
including one sent out by Microsoft.
F-PROT is able to detect the WordMacro.Concept macro virus.
WordMacro.Nuclear
-----------------
WordMacro.Nuclear is the latest discovered macro virus. Like
WordMacro.DMV and WordMacro.Concept, it spreads through Microsoft
Word documents. The new virus was first spotted on an FTP site on
the Internet, in a publicly accessible area which has in the past
been a notorious distribution site for viral code. Apparently, the
virus's distributor has some sense of irony; the virus was attached
to a document which described an earlier Word macro virus,
WordMacro.Concept.
Whereas WordMacro.DMV is a test virus and WordMacro.Concept is only
potentially harmful, WordMacro.Nuclear is destructive, harmful and
generally obnoxious. It consists of a number of Word macros attached
to documents. When an infected document is opened, the virus is
executed and tries to infect Word's global document template,
NORMAL.DOT.
Unlike WordMacro.Concept - which pops up a dialogue box when it
infects NORMAL.DOT - WordMacro.Nuclear does not announce its arrival
in the system. Instead, it lies low and infects every document
created with the "Save As" function by attaching its own macros to
it. The virus tries to hide its presence by switching off the "Prompt
to save NORMAL.DOT" option (in the Options dialogue, opened from
Tools menu) every time a document is closed. That way, the user is no
longer asked whether changes in NORMAL.DOT should be saved, and the
virus is that much more likely to go unnoticed. Many users relied on
this option to protect themselves against the WordMacro.Concept virus,
but it obviously no longer works against Nuclear.
WordMacro.Nuclear contains several potentially destructive and
irritating routines. The next time Word is started after initial
infection, one of its constituent macros, "DropSuriv", looks up the
time in the computer's clock. If the time is between 17.00 and 17.59,
the virus tries to inject a more traditional DOS/Windows file virus
called "Ph33r" into the system (as the virus's author has commented
in the virus's code: "5PM - approx time before work is finished").
"Suriv" is, of course, "Virus" spelled backwards. However, due to an
error, this routine does not work as intended in any of the popular
operating environments.
Another of the virus's macros, "PayLoad", tries to delete the
computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the
date is the fifth of April. And finally, the virus adds the following two
lines:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC
at the end of approximately every twelfth document printed or faxed
from Word. Since the text is added at print-time only, the user is
unlikely to notice this embarrassing change. This function is handled
by the viral macro "InsertPayload".
The virus can be detected by selecting the Macro command from the
Tools menu and checking whether the macro list contains any curiously
named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.
F-PROT is able to detect the WordMacro.Nuclear virus.
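The macro-list checks described above for WordMacro.Concept and WordMacro.Nuclear, written out as an added example (it is not F-PROT's or WVFIX's detection logic). It assumes the macro names were copied by hand from Word's Tools/Macro list and that names are compared case-insensitively; "PrintLetterhead" is a hypothetical user macro.

```python
"""Triage a Word macro list against the macro names given in this bulletin."""

# Macro names quoted in the bulletin, lower-cased for comparison.
CONCEPT_ONLY = {"aaazao", "aaazfs"}            # names only Concept brings
NUCLEAR_ONLY = {"dropsuriv", "insertpayload"}  # the "obvious giveaways"
# Names the viruses use that a clean installation may also contain:
# legitimate user macros, or a do-nothing "PayLoad" created as a vaccine.
SHARED_NAMES = {"autoopen", "filesaveas", "payload"}
# Concept leaves NORMAL.DOT alone if either of these is already present.
CONCEPT_SKIP_MARKERS = {"payload", "filesaveas"}


def triage(macro_names):
    """Classify a macro list copied from Word's Tools/Macro dialog.

    Returns a dict with:
      detected      - viruses whose distinctive macro names are present
      review        - shared names that need a look at the macro text
      concept_skips - True if an unmodified Concept would treat this
                      template as already infected and not copy itself
    """
    # Assumption: names are compared case-insensitively, ignoring padding.
    names = {n.strip().lower() for n in macro_names if n.strip()}

    detected = []
    if names & CONCEPT_ONLY:
        detected.append("WordMacro.Concept")
    if names & NUCLEAR_ONLY:
        detected.append("WordMacro.Nuclear")

    # Shared names prove nothing on their own; report them only when no
    # distinctive name already explains them.
    review = sorted(names & SHARED_NAMES) if not detected else []

    return {
        "detected": detected,
        "review": review,
        "concept_skips": bool(names & CONCEPT_SKIP_MARKERS),
    }


# Constructed macro lists (not taken from real templates).
SAMPLES = {
    "concept": ["AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"],
    "nuclear": ["DropSuriv", "InsertPayload", "PayLoad"],
    "vaccinated": ["PayLoad"],                     # the do-nothing macro
    "own_macros": ["AutoOpen", "PrintLetterhead"],  # hypothetical user macros
    "clean": ["AutoExec"],
}

if __name__ == "__main__":
    for label, macros in SAMPLES.items():
        print(label, triage(macros))
```

The "vaccinated" and "nuclear" lists both come back with concept_skips set, which is the bulletin's point about the "PayLoad" trick: it only holds while the virus's own check is left unmodified.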
Protecting yourself against macro viruses
-----------------------------------------
There is a generic way to protect your Word against currently known
macro viruses. Select the command Macro from the Tools menu and
create a new macro called "AutoExec". Write the following commands to
the macro and save it:
    Sub MAIN
        DisableAutoMacros
        MsgBox "AutoMacros are now turned off.", "Virus protection", 64
    End Sub
This macro will be executed automatically when Word starts. It will
disable the feature which Concept, DMV and Nuclear use to attack the
system. However, there are ways to create future macro viruses that
are able to bypass such protection.
Currently known Word macro viruses are not able to infect certain
nationalized versions of Word. In these programs, the macro language
commands have been translated to the national language, and therefore
macros created with the English version of Word will not work. Since
these viruses consist of macros, they will be unable to function.
Do note that although F-PROT for DOS and F-PROT for Windows do
detect the known macro viruses, VIRSTOP and F-PROT Gatekeeper
do not yet support the scanning of DOC files. This will be
implemented in a future version.
The Global Virus Situation
--------------------------
Peter_II
--------
Peter_II is a boot sector virus which infects diskette boot sectors
and hard disk Master Boot Records. As is normal for boot sector
viruses, Peter_II can infect a hard disk only if the computer is
booted from an infected diskette. After the initial Master Boot
Record infection, Peter_II will go resident in high DOS memory every
time the computer is booted from the hard disk.
Once Peter_II has managed to install itself into memory, it will
infect practically all non-write protected diskettes used in the
computer. Peter_II is also a stealth virus - if you try to examine
the boot record in an infected computer, the virus will show you the
original, clean record.
Peter_II activates every year on the 27th of February. When the
computer is booted, the virus displays the following message:
Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in
Hardisk!!!
WAIT for 1 MINUTES,please...
After this, the virus encrypts the whole hard disk by issuing XOR
7878h to every byte on each sector. Having done that, the virus
continues by displaying the following questionnaire:
Ok. If you give the right answer to the following questions, I will
save your HD:
A. Who has sung the song called "I`ll be there" ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all(1-4):
C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson 2.Phil Collins (featuring Genesis) 3.Madonna
4.Whitney Houston(1-4):
If the user gives correct answers to every question, the virus
decrypts the hard disk and displays the following message:
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
The user can then continue using the computer normally. However, if
incorrect answers are given, the virus will not decrypt the hard
disk. Instead, it will just display the following message:
Sorry!Go to Hell.Clousy man!
In case you do not find out about the infection until the virus
starts its mischief, the correct answers are 4, 4 and 2. Of course,
it is better to take care of the matter beforehand; F-PROT is able to
detect and disinfect the Peter_II virus.
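Because XOR with a fixed value undoes itself, a raw image of a disk in the state described above can be restored offline. The following added example (not code from the bulletin or from F-PROT) reads "XOR 7878h" as XOR 78h on each byte, assumes the image is a plain sector-by-sector copy, and uses the 55 AA boot record signature as the check; the sample image is constructed.

```python
"""Undo a whole-disk XOR with 78h on a disk image and confirm the result."""

SECTOR_SIZE = 512
XOR_KEY = 0x78                  # XOR 7878h on a word = XOR 78h on each byte
BOOT_SIG = b"\x55\xaa"          # last two bytes of a valid boot record
BOOT_SIG_XORED = bytes(b ^ XOR_KEY for b in BOOT_SIG)   # 2D D2


def xor78(data):
    """XOR every byte with 78h. Applying it twice returns the input."""
    return bytes(b ^ XOR_KEY for b in data)


def sector_state(sector):
    """Classify one sector by the two bytes where a boot signature sits."""
    tail = sector[-2:]
    if tail == BOOT_SIG:
        return "plain"
    if tail == BOOT_SIG_XORED:
        return "xored"
    return "unknown"


def survey(image):
    """Map sector index -> state for sectors that carry a boot signature."""
    states = {}
    for off in range(0, len(image), SECTOR_SIZE):
        state = sector_state(image[off:off + SECTOR_SIZE])
        if state != "unknown":
            states[off // SECTOR_SIZE] = state
    return states


def recover(image):
    """Return a decoded copy of the image.

    Refuses to run unless every boot record found is in the XOR-ed state:
    an image holding both states (for example after an interrupted run)
    would be damaged by a blanket XOR.
    """
    found = set(survey(image).values())
    if found != {"xored"}:
        raise ValueError("image is not uniformly XOR-ed: %s" % sorted(found))
    return xor78(image)


def constructed_image():
    """Four-sector sample: one boot-record-like sector, three data sectors."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xeb\x3c\x90"     # jump + NOP, as a DOS boot record starts
    boot[3:11] = b"MSDOS5.0"
    boot[-2:] = BOOT_SIG
    data = b"QUARTERLY REPORT ".ljust(SECTOR_SIZE, b".")
    return bytes(boot) + data * 3


if __name__ == "__main__":
    clean = constructed_image()
    scrambled = xor78(clean)        # stands in for the state after activation
    print(survey(scrambled))
    print(recover(scrambled) == clean)
```

Work on a copy of the image, never on the only one.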
Die_Hard
--------
Die_Hard is a resident fast infector which targets COM and EXE files.
It is known to be in the wild especially in India, where it was found
in September 1994. Die_Hard has also been sighted in Singapore,
Indonesia, USA and in many parts of Europe.
When the virus is executed, it goes resident in memory, decreasing
the available DOS memory by 9232 bytes. Die_Hard infects all executed
or opened COM and EXE files. The infected files grow by exactly 4000
bytes.
Die_Hard hides beneath several layers of encryption. When the virus
is decrypted, the following texts can be seen:
SW DIE HARD 2
SW Error
Since the virus does not utilize polymorphic encryption techniques,
it is quite easy to find.
Die_Hard activates on the 3rd, 11th, 15th, or 28th of any month,
provided the day is Tuesday and the virus has already infected at
least 13 files. The virus will then wait until some program changes
the screen to graphics mode. At this time the virus will display an
animation of large `S' and `W' characters on the screen. It will also
deny write access to files, displaying the text "SW Error".
Picture of the activation routine of the Die_Hard virus
Besides infecting COM and EXE files, Die_Hard trojanizes ASM and PAS
source files when they are accessed; in other words, the virus
inserts source code Trojan horses in these files.
F-PROT is able to detect the Die_Hard virus.
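The date conditions this bulletin gives for Die_Hard, Peter_II and the WordMacro.Nuclear "PayLoad" macro can be turned into a calendar of days to watch. This is an added example, not part of F-PROT; it goes slightly beyond Die_Hard by covering all three, and it models only the date conditions (plus Die_Hard's 13-file threshold), not the other conditions described in the text.

```python
"""Date conditions the bulletin gives for Peter_II, Nuclear and Die_Hard."""
from datetime import date, timedelta

DIE_HARD_DAYS = {3, 11, 15, 28}   # days of the month named in the bulletin
DIE_HARD_MIN_INFECTED = 13        # files infected before it activates
TUESDAY = 1                       # date.weekday(): Monday is 0


def date_triggers(day):
    """Return the viruses whose date condition holds on the given day."""
    hits = []
    if (day.month, day.day) == (2, 27):       # Peter_II: 27th of February
        hits.append("Peter_II")
    if (day.month, day.day) == (4, 5):        # Nuclear "PayLoad": 5th of April
        hits.append("WordMacro.Nuclear")
    if day.day in DIE_HARD_DAYS and day.weekday() == TUESDAY:
        hits.append("Die_Hard")
    return hits


def die_hard_armed(day, infected_files):
    """Date condition and infection count together, as the bulletin states."""
    return ("Die_Hard" in date_triggers(day)
            and infected_files >= DIE_HARD_MIN_INFECTED)


def trigger_calendar(year):
    """Map each date in the year with a trigger to the viruses involved."""
    calendar = {}
    day = date(year, 1, 1)
    while day.year == year:
        hits = date_triggers(day)
        if hits:
            calendar[day] = hits
        day += timedelta(days=1)
    return calendar


if __name__ == "__main__":
    for day, names in sorted(trigger_calendar(1995).items()):
        print(day.isoformat(), day.strftime("%a"), ", ".join(names))
```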
Finnish.378
-----------
A new variant of the Finnish virus was found in August 1995, about
four years after the first version of the virus was discovered. The
new variant was named Finnish.378, signifying the length of the virus
in bytes. The two previously known versions are, respectively, 709
and 357 bytes in length. They have been described in more detail in
previous Update Bulletins.
The new virus has clearly been derived from the 357 variant. In most
ways, it is functionally very similar to the earlier version. The
following changes have been made, however:
- The virus beeps every time it infects a file. The beep routine
  has increased the virus's size by 21 bytes.
- The new virus uses the code 90h instead of 93h to recognize the
  files it has already infected. The corresponding commands are NOP
  and XCHG. The recognition byte is placed so that it is the first
  command in infected files.
- The internal order of many commands has been changed: this has
  apparently been done in order to render the virus undetectable by
  some anti-virus scanners.
F-PROT is able to detect the Finnish.378 virus.
Quicky
------
Quicky is a badly programmed memory-resident virus which infects EXE
files. The infection takes place whenever a file is closed after an
operation, so files get infected when they are executed, copied, read
or otherwise accessed. However, if a file's read-only attribute is
on, the virus infects it only when it is executed.
The virus contains a routine which is supposed to slowly corrupt
information on the hard disk. Fortunately, the virus's code is so
bug-ridden that the routine does not function. Quicky also tries to
attack various integrity checkers by deleting their checksum
databases.
The Quicky virus has been found on some Prosonic/Micropilot depth-
finder machines' original utility diskettes.
F-PROT is able to detect the Quicky virus.
A New Macintosh Virus
---------------------
A new, relatively harmless Macintosh virus has been discovered. The
virus - known as HC-9507 - does not infect actual program files.
Instead, it spreads through applications created with the HyperCard
application generator. The virus's victim of choice is the so-called
homestack application, which can be found in all HyperCard
installations. HC-9507 is not picky, however - it also infects other
stacks when they are executed, and randomly selects and infects
stacks on the boot disk.
The virus spreads itself as source code, inserting its own code among
the program code in its victim stacks. HC-9507 may also give visible
indications of its presence in the system: depending on what day of
the week it is, it either blacks out the screen or adds the word
"pickle" among the text written on the keyboard.
The Disinfectant anti-virus program will not be updated to deal with
the HC-9507 virus. The threat posed by HC-9507 is considered
relatively small, and in any case, Disinfectant is designed to check
program files, not stacks. If you suspect an infection, you can
easily verify the matter by checking the scripts in the homestack.
There are also some products which can detect the virus, for instance
the Datawatch Virex software.
With the Disinfectant anti-virus software, you can protect the
Macintosh workstations in your organization against other Macintosh
viruses. We will supply our F-PROT customers with Disinfectant
without a separate charge. For more information, contact your local
F-PROT distributor or Data Fellows Ltd's F-PROT Support.
News in Short
-------------
F-PROT Gatekeeper Praised by PC Plus
------------------------------------
The British PC Plus magazine evaluated F-PROT Gatekeeper in its
October issue and gave it a very favorable rating. The evaluators
found Gatekeeper's speed, low memory consumption, effectiveness in
finding polymorphic viruses and ease of use especially noteworthy.
Gatekeeper was also praised for its ability to function seamlessly
between DOS and Windows.
Well, we agree on all points.
New Features in Data Fellows Ltd's Web Server
---------------------------------------------
We have overhauled our popular WWW service, and it is now even more
user-friendly than before. A number of new features have been added:
for instance, it is now possible to make free text searches among all
virus descriptions. One search takes about 15-25 seconds, depending
on the server's load.
Statistics about virus description accesses and visitors to the
service are also available (during August, the description about the
Monkey virus proved the most popular; over 400 accesses). It is
somewhat surprising that, although the server itself is located in
Finland, only 5% of our visitors hailed from Finland itself (and
there is no shortage of net surfers here). A mirroring service from
USA to our server is now under construction; we do not want European
users to be trampled underfoot by visitors from overseas. Currently,
our server receives about 100.000 document requests a month.
In its role as a distribution site for latest news, our WWW server
has fulfilled all expectations. For instance, we were able to tell
the public about the notorious Word macro viruses over a week before
the news was published in magazines or newspapers. It pays to stay in
touch with our WWW pages.
We have switched to a more uniform Internet address policy; all our
services have been gathered under the domain name datafellows.com.
However, the old datafellows.fi addresses can also be used.
You are welcome to visit our server at: http://www.datafellows.com/
The new graphics and layout of the system have been designed by Pixel
Vision Oy.
Common Questions and Answers
----------------------------
If you have questions about information security or virus prevention,
contact your local F-PROT distributor. You can also contact Data
Fellows directly at the number +358-0-478 444.
Written questions can be mailed to:
Data Fellows Ltd
F-PROT Support
Päiväntaite 8
FIN-02210 ESPOO
FINLAND
Questions can also be sent by electronic mail to:
Internet:F-PROT@DataFellows.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
I would like to see what happens when
F-PROT Gatekeeper really finds a virus. How can I arrange that?
The correct operation of F-PROT Gatekeeper and other F-PROT
products can be tested with a special test file. This is a dummy
file which F-PROT treats exactly as if it were a virus. The
file is known as the EICAR Standard Anti-virus Test file (EICAR is
the European Institute of Computer Anti-virus Research). With
this file, the operation of several other anti-virus products can
also be tested in a similar manner.
You can make the EICAR test file in the following manner: use a
text editor to create a new file, and write the text:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
to the file on a single line.
You can give the file any name you want, as long as you save it
with a COM extension. For example, EICAR.COM is a suitable name.
Make sure you save the file in standard MS-DOS ASCII format.
Now you can use this file to test what happens when F-PROT
encounters a "real" virus.
Naturally, the file is not a virus. When executed, EICAR.COM
will simply display the text
`EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' and exit.
F-PROT's DOS-, Windows- and OS/2-versions - including VIRSTOP
and Gatekeeper - support the EICAR test file.
I was installing Windows'95 from diskettes, but the setup failed at
the second diskette. No matter what I did, it failed again and again.
Finally, I began to suspect that the reason for the failure might be
in my computer instead of on the setup diskettes, and tried various
things to resolve the problem. Among other things, I ran an anti-
virus program, and it promptly reported that my computer was infected
with a virus! I immediately scanned recently used diskettes and found
the same virus on the Win95 setup floppies! Did Microsoft infect my
machine?
No, it's the other way around. The Win95 diskettes were clean,
but your hard drive wasn't.
This seems to be a very common problem among users who install
Windows 95 from diskettes. If the computer is infected with a
boot sector virus (almost any boot sector virus will do), the
installation will fail and the user is left with irreparable
setup diskettes.
The reason for this is the non-standard format of Win95 setup
diskettes. The diskettes contain almost 1.7MB of files instead
of the usual 1.44MB, so they have practically no free space left
at all. Since almost all boot sector viruses (Da'Boys is one
exception) use up additional sectors on the diskettes they
infect, they will permanently overwrite part of the data on
Win95 setup diskettes - there really is no free space left for
the virus to use.
Such infected setup diskettes can not be repaired, as
information is overwritten; they will have to be replaced.
Microsoft has confirmed that they are shipping thousands of
replacement diskettes daily for just this very reason.
The first Windows 95 setup diskette uses the normal 1.44MB
format. Therefore, it will usually not be corrupted by an active
virus, although it will be infected just like the others.
The setup diskettes are not usually write-protected by default.
In any case, the installation program writes registration
information on the second floppy during installation (user and
company name etc.). For this reason, most users with a boot
sector infection will run into the problem during the setup of
the second diskette.
Again, the problem is not caused by infected setup diskettes -
but by people who have a virus and don't bother to scan their
hard drives before starting the Win95 setup process.
I'm setting up VIRSTOP, and have been going through the different
parameters. Is it a good idea to use the /FREEZE parameter with
VIRSTOP?
In most cases, the /FREEZE option is not a good idea. For
example, imagine that you have been working on a document for an
hour. Finally you are satisfied, and try to save the document on
a diskette - which happens to be infected by a virus. Tough
luck; VIRSTOP will report the infection and freeze the computer
- you won't be able to save the text at all! On the other hand,
if you do not use /FREEZE, you'll just get the message; you can
then save the document on another diskette. The /FREEZE
parameter has its uses in environments such as schools where
the administration might not otherwise get the message about an
infection, but in normal use it is not recommended.
I missed one F-PROT update. Can I update version 2.18 directly to
2.20, or do I have to update it to version 2.19 first?
You can skip versions freely. Every F-PROT update diskette
contains all the parts necessary for F-PROT's operation.
Changes in F-PROT Professional 2.20
-----------------------------------
F-PROT 2.19 had a false alarm on some Japanese NEC computers: the
program gave an alarm about the Hallow virus during memory scan. This
has been corrected.
A New Installation Program
--------------------------
A new installation program, SETUP.EXE, is shipped with F-PROT for
Windows. The new program functions in the same way in all Windows
environments (3.1x, NT, 95) and in OS/2. The program's appearance is
also uniform in all environments. The F-PROT files on the
installation diskette have been packed in a new, more efficient way;
this has made it possible to put both F-PROT Professional for Windows
and F-PROT Gatekeeper on the same diskette. Only one file, SIGN.DEF,
did not fit in. This file is located on the F-PROT Professional for
DOS installation diskette. During installation, the installation
program will ask you to insert the F-PROT Professional for DOS
diskette in the computer.
Changes in F-PROT for DOS
-------------------------
F-PROT Professional for DOS now scans document files (DOC, DOT) by
default. This enables it to detect known macro viruses. The program
itself, however, is not yet able to disinfect such viruses; you can
use the WVFIX package provided on the F-PROT Professional for DOS
installation diskette for disinfection. If you are certain you do not
want to check document files, you can override this with the /NODOC
command line parameter or deselect the setting from the Scan menu.
Changes and Additions to AUTOINST
---------------------------------
If the "PreferencesFrom=" entry was missing, configuration files were
not copied from the directory specified in the "InstallRemote=" entry.
This has been corrected.
Program Manager group creation has been implemented for
Autoinst/Windows (Autow31). There is more information about new
settings in the file SETUP.TXT on the F-PROT Professional for DOS
diskette.
Autow31 will wait for the memory scan to terminate before copying
installed files: this makes it possible to put Autoinst in Program
Manager's Startup group with Gatekeeper.
Autoinst has been changed so that it recognizes different Windows
platforms (Windows 3.1x, Windows 95, Windows NT). The program can now
be configured to make installations on specific platforms only.
The DOS version of Autoinst now uses the WINDIR environment variable
(when available) for locating the Windows directory. If the WINDIR
variable has been set, this will make it easier to run Autoinst in a
DOS session under Windows.
Changes in F-PROT for Windows
-----------------------------
The program can now also detect macro viruses. A checkbox called
"Document Macro Viruses" has been added to the "Look for:" group in
the task settings dialog. When this option is turned on, F-PROT for
Windows will search for known macro viruses in files with DOC and
DOT extensions, even if the task is set to scan executables only. If
files with other extensions need to be scanned for macro viruses, the
appropriate extensions must be added to the extensions list in
Scanning preferences. Another way is to set a task to scan all files.
However, the "Document Macro Viruses" option must be turned on in
such cases also; otherwise F-PROT for Windows will not look for macro
viruses. The option is turned on by default; tasks created before the
2.20 update will have this setting turned on as well. Note that F-PROT
for Windows is as yet unable to disinfect macro viruses; the WVFIX
package on the F-PROT for DOS installation diskette can be used for
the purpose.
Boot sector (but not MBR) scanning has been implemented for Japanese
NEC PCs; disinfection is not available yet.
The "Create Distribution Diskette..." command has been replaced with
the command "Distribute F-PROT Installations...". The new command
makes it possible for the administrator to:
(a) Create modified copies of the installation diskette. This makes
installations with preset configurations possible (in this respect,
the new command acts like an enhanced version of the "Create
Distribution Diskette..." command). The "Distribute F-PROT
Installations..." command also supports the new installation
program.
(b) Copy the entire F-PROT for Windows setup to an installation
directory, from which users can install the program by using
Autoinst.
If an attempt to read an empty diskette drive was made, Gatekeeper
used to show a Retry/Cancel message box. This has been corrected.
Gatekeeper's memory usage mechanism has been changed to prevent
system crashes. The following DLLs are now memory-locked, so they
cannot be paged out to virtual memory: SSLDR.DLL, SCAN_S.DLL,
F-PROTWI.DLL and FPW386.DLL.
Gatekeeper (more precisely, the file A-PROT.EXE) will refuse to load
in Windows 95 and Windows NT environments. The program will also show
an appropriate error message.
Minor Improvements and Changes
------------------------------
If F-Agent fails to execute F-PROTW.EXE, the program will show an
error message that explains the cause of the problem (earlier
versions used to display only an error code).
When the program receives or sends an update, it displays a window
which shows the progress of copying files.
Occasionally, F-Agent left F-PROTW.CFG decrypted after reading it.
This has been corrected.
In Windows NT, the texts in reports and tasklist headers were too
small (a 6-pt font was used). The font has now been enlarged.
If Windows was set to use large fonts (in the display driver's
settings), the text on Gatekeeper's splash screen was too large to
fit into the window. This has been corrected.
Gatekeeper's memory scanner now shows an hourglass cursor while the
program executes the non-yielding part of the code.
F-PROTW.EXE displays a descriptive error message if it fails to
launch FPWM.DLL. The earlier versions of the program used to show
only an error code.
When the semaphore file (TMP.~NF) is created at the communications
directory, the user's and workstation's names (in that order) are
written to the file. If the semaphore file is not removed for some
reason, the administrator can obtain the information from the file
itself, and determine which workstation caused the problem.
New Viruses Detected by F-PROT
------------------------------
The following 17 new viruses can now be removed. Many of them were
detected by earlier versions, but are now identified accurately.
Ache
Barrotes.1176
Barrotes.840
Bit_Addict.512.B
Cascade.1701.AK
Danish_tiny.163.D
Faca
Finnish.378
Hates.166
HLL.Commo
IVP.Gwynned
Jackal.3120
Jerusalem.2224
Keypress.1280
Korea_Stranger
Major
Vivian
The following 10 new viruses are now detected and identified but can
not yet be removed.
Anston.1960
Apocalipse
Bit_Addict.512.A
KY
Newboot_1
RPS2
_1121
WordMacro.Concept
WordMacro.DMV
WordMacro.Nuclear
WordMacro viruses can be removed with the WVFIX package on the F-PROT
Professional for DOS diskette.