Text File | 1993-11-17 | 79KB | 1,654 lines
F-PROT Professional 2.10 Update Bulletin
========================================
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.10 Update Bulletin; Copyright (c) 1993 Data Fellows Ltd.
-------------------------------------------------------------------------------
CONTENTS 5/93
-------------
A Major update
Infected CD-ROM disks
To Be Fruitful and Multiply: The Butterfly family
Stoned.Empire.Monkey.A
A new variant of Cascade on the move in the Nordic countries
Made in Sweden: Moose
Sweden is going to make virus writing illegal
The globally most common viruses
Virus Bulletin's conference in Amsterdam
Phalcon/Skism strikes again
Rumours of Form
Case: The Crepate virus
Questions and Answers
Changes to F-PROT Professional in version 2.10
Appendix: Summary of antivirus tests during 1993
F-PROT Professional 2.10 - A Major update
-----------------------------------------
Never before have so many new viruses been added to F-PROT in a single
update. One reason for this is that the increase in the number of
viruses is accelerating steadily.
In version 2.10 we add a new component to our product package.
F-CHECK, which detects changes in program files, is a tool for the
administrator and the skilled user. To avoid bothering users with
needless alarms, F-CHECK deduces how probable it is that the changes
it detects have been caused by a virus.
Among other things, F-CHECK features an interesting way of
removing infections. The program stores the important parts of
executable files, and in many cases this data can be used to remove
infections caused by previously unknown or even overwriting viruses.
Both the Windows and OS/2 versions of F-PROT have moved to the
beta testing phase. The Windows version will be published along with
F-PROT Professional version 2.11, and the OS/2 version will be ready
at about the same time. If you are interested in beta testing the products
and have both time and a network available, contact us.
New virus sightings
-------------------
Infected CD-ROM Disks In Circulation
-------------------------------------
Two separate cases, in which a file originating from a CD-ROM disk
had caused a virus infection, were discovered in October and
November. In both cases, the involved disks were globally distributed
shareware collections.
PS-MPC.Math-test
----------------
The PS-MPC.Math-test virus was found on the CD-ROM disk
"Software Vault, Collection 2". The infection was discovered when a
private person from Helsinki, Finland, contacted Data Fellows Ltd at
the end of October. This person's computer was almost completely
infected by the virus.
PS-MPC.Math-test is one of the viruses created with the Phalcon/Skism
Mass Produced Code Generator. The virus stays resident in memory
and infects practically all executed COM and EXE programs. It
activates every day between 9 and 10 a.m., displays some simple
summing problems and demands that the user solve them. If the user
doesn't get the answer right, the virus won't execute the requested
program.
The Phalcon/Skism Mass Produced Code Generator has been described
in more detail in the F-PROT 2.07 Update Bulletin.
The infected file is located in directory 18 of the CD-ROM, and it is
contained inside the packet 64BLAZER.ZIP. The same directory
also contains a clean version of the program, by the name
64BLAZE.ZIP.
Lapse (366)
-----------
The Lapse (366) virus was discovered on the CD-ROM disk "Night
Owl 10".
Lapse (366) is a simple EXE infector, written in Canada. The virus
infects only EXE files in its current directory and does not stay in
memory. It increases the size of infected files by 366 bytes and contains
the text "Memory_Lapse.366.a". The text is quite probably intended to
be a mockery of CARO's virus naming standard.
Lapse (366) does not activate in any way.
The infected file is located inside the packet SF2_UP.ZIP, in the
CD-ROM's "Games" directory. According to the description, the file
contains an update to the game Street Fighter 2.
What makes an infected CD-ROM especially troublesome is the fact
that the infected files cannot be removed or deleted.
Data Fellows Ltd has contacted the publishers of these two CD-ROMs.
The manufacturers admit the infection, and they will probably withdraw
the disks from the market.
F-PROT 2.10 finds both PS-MPC.Math-test and Lapse (366).
To Be Fruitful and Multiply: The Butterfly Family
-------------------------------------------------
The F-PROT 2.09 Update Bulletin mentioned the Butterfly virus, which
spread all over the world with the shareware data communications
program Telemate 4.11. The Butterfly incident did not prove very
serious in itself, since only a few users executed the single video card
driver the virus had managed to infect.
Butterfly's extensive spreading created another kind of problem,
however: with it, many virus enthusiasts acquired a personal copy of a
simple, functional and easily modifiable virus. A flow of new Butterfly
variants followed soon after.
Butterfly-FJM
-------------
In the middle of July, a counterfeit copy of the popular LIST program
was released in the USA. The latest real version of LIST is v7.8, but the
fake claimed the version number 8.2. The program had been infected
with a slightly modified version of Butterfly - only the text the virus
contains had been changed. The original virus contains the text
"Goddamn Butterflies" at the end of its code. In its place, the new FJM
version has an obscene comment about John McAfee, the creator of the
SCAN antivirus application.
Although both versions of Butterfly use the same code, the FJM variant
may yet prove a more successful infector than the original. That is
because Butterfly only infects files in the current directory. Most users
install auxiliary programs such as LIST somewhere along the hard
disk's path to make them easily accessible. When the infected LIST is
executed from some other directory, the virus can jump the directory
boundary that normally limits its spreading.
Butterfly-Crusaders
-------------------
Another descendant of the Butterfly virus was found in the middle of
August. Yet again, the new variant had been disguised as a shareware
program and put into circulation via electronic bulletin boards. This
time, the virus was hidden in the packet SPORT21C.ZIP. According to
the packet's description, it contained a program for inspecting the
functioning of the computer's serial and parallel ports.
The program INSTALL.EXE included in the packet was infected.
Some changes had been made to the original virus - the most
significant difference is that the new variant is capable of infecting both
COM and EXE files, whereas the original virus infects only COMs. The
virus text was also changed to read "Hurray The Crusaders".
None of the Butterfly variants which have so far been discovered
activates in any way. F-PROT finds all known versions of Butterfly.
Stoned.Empire.Monkey.A
----------------------
The Monkey virus was first discovered in Edmonton, Canada, in 1991.
The virus quickly spread to the USA, Australia and the UK. Monkey is one of
the most common boot sector viruses.
As the name indicates, Monkey is a distant relative of Stoned. Its
technical properties make it quite a remarkable virus, however. Like
Stoned, the virus infects Master Boot Records on hard disks and DOS
boot records on diskettes. Monkey spreads only through diskettes.
The original Stoned leaves the partition table in its proper place in the
hard disk's zero track, but Monkey does not. Instead, it copies the
whole Master Boot Record to the hard disk's third sector to make room
for its own code. The hard disk is inaccessible if the computer is booted
from a diskette, since the operating system cannot find valid partition
data in the boot sector - attempts to use the hard disk result in the
DOS error message "Invalid drive specification".
When the computer is booted from the hard disk, the hard disk can be
used normally because the virus is executed first. The virus can,
therefore, escape notice, unless the computer is booted from a diskette.
As Monkey not only moves but also encrypts the Master Boot Record,
it is difficult to remove. The changes to the Master Boot Record cannot be
detected while the virus is active, since it reroutes the BIOS-level disk
calls through its own code. Upon inspection, the hard disk seems to be
in its original shape.
There are two often-used procedures, either of which can disinfect most
boot sector viruses. One of these is the MS-DOS command FDISK /MBR,
which rewrites the code in the Master Boot Record, and the
other is using a disk editor to restore the Master Boot Record back on
the zero track. In this case, the relocation and encryption of the
partition table render these methods unusable. Although both
procedures destroy the actual virus code, the computer cannot be
booted from the hard disk afterwards.
There are five viable ways to remove the Monkey virus:
o The original Master Boot Record and partition table can be
restored from a backup taken before the infection. Such a backup
can be made with the MIRROR /PARTN command of MS-DOS 5, for
example.
o The hard disk can be repartitioned by using the FDISK
program, after which the logical disks must be formatted. The
procedure will also destroy all data on the hard disk, however.
o The command FDISK /MBR can be used to overwrite the virus
code, after which the partition table can be restored manually. In this
case, the partition values of the hard disk must be calculated and
inserted in the partition table by using a disk editor. The method
requires expert knowledge of the disk structure.
o It is possible to exploit Monkey's stealth capabilities by taking a
copy of the zero track while the virus is active. Since the virus hides the
changes it has made, this copy will actually contain the original Master
Boot Record. This method is not recommended, because the diskettes
used in the copying may well get infected.
o The original zero track can be located, decrypted and moved
back to its proper place. As a result, the hard disk is restored to its
exact original state. F-PROT uses this method to disinfect the Monkey
virus.
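As an added illustration (not part of the bulletin and not F-PROT's code), the following Python checks a zero-track sector the way DOS must when the machine is booted from a diskette: is the 55AA signature present, and does the partition table hold usable entries? The disk geometry, the sample MBR and the filler pattern that stands in for a displaced table are all constructed; the 64-byte table slice is also what a MIRROR /PARTN-style backup needs to preserve.

```python
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries live here
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 0x1FE     # the 0x55 0xAA signature the BIOS requires to boot
BOOT_SIGNATURE = b"\x55\xAA"

# Constructed geometry for the example: a small disk of 409,600 sectors (~200 MB).
DISK_SECTORS = 409_600


@dataclass
class PartitionEntry:
    status: int      # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    type_id: int     # 0x00 = unused slot
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    """Decode the four partition entries from a 512-byte zero-track sector."""
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, offset)
        entries.append(PartitionEntry(status, type_id, lba_start, sectors))
    return entries


def check_mbr(mbr: bytes, disk_sectors: int = DISK_SECTORS) -> list[str]:
    """Return the reasons why DOS would not find a usable partition table.

    An empty list means the sector looks like a sane Master Boot Record.
    """
    problems = []
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    used = active = 0
    for i, e in enumerate(parse_partition_table(mbr)):
        if e.type_id == 0:
            if e.status or e.lba_start or e.sectors:
                problems.append(f"entry {i}: unused type but non-zero fields")
            continue
        used += 1
        if e.status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{e.status:02X}")
        elif e.status == 0x80:
            active += 1
        if e.lba_start == 0 or e.lba_start + e.sectors > disk_sectors:
            problems.append(f"entry {i}: partition lies outside the disk")
    if used == 0:
        problems.append("no partitions defined")
    if active > 1:
        problems.append("more than one active partition")
    return problems


def partition_table(mbr: bytes) -> bytes:
    """The 64 bytes a partition-table backup (MIRROR /PARTN style) must keep."""
    return mbr[PART_TABLE_OFFSET:BOOT_SIG_OFFSET]


def build_clean_mbr() -> bytes:
    """Constructed sample: one active FAT16 partition starting at sector 63."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x06, b"\x00\x00\x00", 63, 409_536)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(mbr)


def simulate_displaced_table(clean_mbr: bytes) -> tuple[bytes, bytes]:
    """Constructed illustration of the layout the text describes: the original
    MBR is kept in another sector while sector 0's table area is overwritten.
    The filler is an arbitrary byte pattern, not virus code; the 55AA signature
    is left intact because the machine still boots from such a sector."""
    sector0 = bytearray(clean_mbr)
    filler = bytes((i * 37 + 11) & 0xFF
                   for i in range(BOOT_SIG_OFFSET - PART_TABLE_OFFSET))
    sector0[PART_TABLE_OFFSET:BOOT_SIG_OFFSET] = filler
    return bytes(sector0), clean_mbr   # (what sector 0 now holds, what sector 3 holds)
```

Run against a real zero track, the check explains the "Invalid drive specification" symptom: the signature is fine, so the BIOS boots the sector, but none of the four entries describes a partition DOS can use.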
The Monkey virus is quite compatible with different kinds of diskettes.
It has a built-in table containing structural data for the most common
diskette types. Using this table, the virus is able to move a diskette's
original boot record and a part of its own code to a safe area on the
diskette. If Monkey does not recognize a diskette, it moves the boot
record to the diskette's third physical sector. This also happens to,
for instance, 2.88 megabyte ED diskettes, with the consequence that
Monkey partly overwrites their File Allocation Tables.
The virus is difficult to spot, since it does not activate in any way. A
one-kilobyte reduction in DOS memory is the only obvious sign of its
presence. The memory can be checked with, for instance, DOS's
CHKDSK or MEM programs. However, even if MEM reports that the
computer has 639 kilobytes of available memory instead of the more
common 640, that does not necessarily mean that the computer is
infected. In many computers, BIOS allocates one kilobyte of DOS
memory for its own use.
F-PROT recognizes and removes all known variants of the
Stoned.Empire.Monkey virus.
A New Variant of Cascade on the Move in the Nordic Countries
------------------------------------------------------------
Most new viruses are modifications of old, known viruses. The source
codes for many old viruses are easily available, and it seems that many
virus writers are only too glad to use them as groundwork for their own
creations.
At the end of August, yet another new variant of the old Cascade virus
was found in Oslo, Norway. This new variant was found in two
different companies at almost the same time.
All in all, the Cascade family has approximately forty known members.
The new virus infects COM files when they are executed. Since it
increases the size of infected files by 1701 bytes, it will probably be
named Cascade.1701.K. The virus is not markedly different from the
original Cascade.
Although the new variant bears a close resemblance to the original
virus, it is clearly different in one way: it never displays its activation
routine, the dropping of letters to the bottom of the screen. It is,
therefore, more difficult to notice. Other than that, the differences
between the original virus and the new variant are minuscule - the
creator of the new virus has probably used the original source code, but
a different assembler.
F-PROT recognizes all known variants of Cascade, and it is able to
remove the most common ones.
Several other new viruses have been found in Norway lately, including
a completely new encrypted boot sector virus called Ripper.
Made in Sweden: Moose
---------------------
In the beginning of September, a new series of viruses was found in
Göteborg, Sweden. The discovery was made at the local university - it
may be that the viruses were written by a student.
The viruses have very similar structures, and for the time being they are
all known as Moose. Four different variants have been discovered so
far, and they all contain the word "Moose" somewhere in their code.
The viruses also come equipped with version numbers, somewhat like
members of the Yankee Doodle virus family.
All members of the Moose family infect files and append their code to
the end of the victim file. Different variants infect different files: the
alternatives are COM, EXE and SYS. When the virus infects SYS files,
it overwrites their headers, the consequence being that the infected
device drivers crash the computer when they are executed.
The Moose viruses do not stay resident in the computer's memory.
They infect files only at the moment an infected program is executed.
When a Moose-infected program is executed, the virus looks for a
suitable victim in its current directory. If it doesn't find one, it moves
one directory upwards and tries again. If the virus doesn't find a
suitable file somewhere along the way, it goes up all the way to the root
directory.
When Moose finds its victim, it performs infection and may change one
byte somewhere in the infected file. The consequences of this kind of
corruption cannot be guessed - sometimes the alteration doesn't affect
the program's functioning at all, sometimes it causes the program to
crash upon execution, and in certain cases the program goes completely
haywire. The virus draws lots by using the Real Time Clock to decide
whether or not it should perform the corruption.
Sweden Is Going to Make Virus Writing Illegal
---------------------------------------------
Sweden's criminal legislation is being updated, and the changes will
also extend to laws concerning computer crimes. A six-hundred-page
report on the matter, which also includes views on computer viruses,
has been submitted to the Swedish Parliament for consideration. The report dwells
extensively on how to define computer viruses and on the legal aspects
of developing and spreading such viruses, and also studies cases where
a computer's functioning has been hindered, for instance by loading the
system with worms.
In the report, it is primarily the spreading of viruses or other malware that is
considered a crime. However, such activity qualifies as a crime
only if the perpetrator endangers public safety. If the perpetrator cannot
be proven to have intended potential damage to a certain set of data or a
computer system, the crime is likened to spreading poison or disease.
The report considers this to be the best way to avoid the legal
problems arising from the need to differentiate between perpetrating,
attempting and preparing for a crime.
For the instrument the crime is committed with, the report suggests the
definition "a computer program or program instructions developed in
such a way that they can affect an object without having authorization
to do so". The report emphasizes that the code must be objectively
functional to fulfil the definition. Dysfunctional code does not qualify as
an instrument of crime.
For viruses, the report suggests that the law should include the
following:
Whoever creates a computer program or program
instructions constructed in such a way that they are
capable of affecting data or the technical equipment used
to process data without having authorization to do so
or
spreads the aforementioned programs or instructions, and
thus causes a risk of data being destroyed or altered, or
causes damage to the aforementioned equipment or
disturbance in its functioning, shall be judged guilty of
manufacturing or spreading computer viruses, and
sentenced to pay fines or to no more than two years of
imprisonment.
If the law is approved, it is estimated to take force in the middle of
1994 at the earliest. If it is approved as it stands, it will be the world's first
piece of legislation to criminalize the writing of computer viruses in
itself.
Switzerland is also in the process of changing its legislation to cover
computer viruses specifically.
The Globally Most Common Viruses
--------------------------------
Joe Wells of Symantec Inc has compiled a list of globally common
viruses.
Practically all significant antivirus organizations have contributed
to the list. Among them are the University of Hamburg, IBM, S&S
International, KAMI, Datawatch, Symantec, CSIR Virus Lab, CYBEC,
Stiller Research, Frisk Software International and Data Fellows
Ltd.
According to the combined list, the following viruses are the most
common globally:
o Stoned.Michelangelo
o Maltese Amoeba
o Stoned.Standard.B
o Dark_Avenger.1800.A
o Form
o Yankee Doodle.TP-44.A
o Dir-II.A
o Vacsina.TP-05
o Stoned.NoINT
o V-Sign
o Stoned.Azusa
o Stoned.June_4th
o Joshi.A
o Stoned.Empire.Monkey
o Jerusalem.1808.Standard
o Keypress.1232.A
o Green Caterpillar
o Kampana.3700:Boot
o Chinese Fish
o Cascade.1704.A
o Tequila
Virus Bulletin Magazine's Annual Conference in Amsterdam
--------------------------------------------------------
Virus Bulletin magazine's annual conference was held in Amsterdam
from the 9th to the 10th of September. Approximately 200 data security
specialists from all over the world were present.
Among others, Jan Terpstra, Frans Veldman, Vesselin Bontchev,
Righard Zwienenberg, Roger Riordan and Dmitry Gryaznov gave
talks at the conference this year. The topics ranged from the virus
situation in the former U.S.S.R. to how to maintain a neat and ordered
virus collection, advice on how to compare antivirus programs, and
much else.
Still, to most participants the most rewarding thing about the
conference was the chance to chat with fellow experts outside the
official program. It was also noteworthy to see the high esteem in
which F-PROT Professional, distributed by Data Fellows Ltd., was held
around the world.
The Virus Bulletin conference will be held again next autumn. More
information about the matter can be had from Data Fellows Ltd's
F-PROT Support, or directly from the Virus Bulletin magazine, phone
number +44 235 555 139.
Phalcon/Skism Strikes Again
---------------------------
Phalcon/Skism is active again. The originally Canadian virus group,
which nowadays boasts an international membership, has once more
gained publicity with its stunts. The group is clearly competing with
NuKE for public notice.
A Printed Version of the 40Hex Magazine
---------------------------------------
Since 1991, Phalcon/Skism has been publishing an electronic magazine
called 40Hex. 40Hex deals with viruses in general and how to make
them in particular. 12 issues of the magazine have been published so
far.
In August, the magazine's editor-in-chief, "Leni Niles", announced that
40Hex will soon become available in printed form in addition to the
traditional electronic distribution. If the magazine actually reaches print,
it will be the second regularly published magazine to contain
instructions on how to design viruses. Mark Ludwig, who has also
written the Little Black Book of Computer Viruses, has been publishing
his own Computer Virus Developments Quarterly for a year.
From: fortyhex (geoff heap)
Subject: 40Hex is now a print magazine
Date: Mon, 16 Aug 93 17:19:02 EDT
40Hex, the world's most popular underground virus magazine is now
available in two versions -- the familiar online magazine and a new
printed magazine.
In the past two and a half years, 40Hex has become the most popular
virus magazine in the underground. The new printed magazine (dubbed
40Hex Hardcopy) is intended for anyone who wishes to learn as much
as they can about computer viruses -- from the source, the virus
writers.
Each issue will contain --
o A complete virus disassembly, fully commented in the 40Hex tradition,
o Detailed programming articles, intended for those fluent in assembly,
o Introductory articles intended to help those on all levels of ability
o Interviews with virus writers and virus researchers.
Also included is an editorial column, which will provide a forum for
discussions about any virus related issue. Submissions from both sides
of the argument are welcome, and will be given an equal voice.
Subscriptions --
The price for 40Hex Hardcopy is $35 per year for individuals, $50 per
year for corporations. The magazine is bimonthly (six issues per year).
The online magazine is available free of charge from many privately
operated BBSs. You may receive a disk with the latest issue from us for
$5. Please send a note specifying whether you would like a 5 1/4 or a 3
1/2 inch disk.
Correspondence --
Subscription requests should be addressed to
Subscriptions 40Hex Magazine PO Box xxx New City, NY, xxxxx
Article submissions should be addressed to
Articles 40Hex Magazine PO Box xxx New City, NY, xxxxx
Letters to the editors should be addressed to
The Editors 40Hex Magazine PO Box xxx New City, NY, xxxxx
If you have access to Internet e-mail, you can send a note to xxx@xxx.com
Note: manuscripts will not be returned to the sender unless they are
accompanied by postage. All submissions must be marked "manuscript
submitted for publication."
The online magazine will still be published, and will remain separate
from the new hardcopy magazine with no article overlap.
Leni Niles Co-Editor, 40Hex Hardcopy
New Virus Writing Competition
-----------------------------
A new virus writing competition was also announced in the latest issue
of 40Hex. The competition's purpose is to find new members for
Phalcon/Skism's Canadian Division:
----------------------------------------------------------------------------
Phalcon/Skism Internet Headquarters
Phalcon/Skism Canadian Division
-= Virus Writing Contest =-
September 1993 -> December 1st
----------------------------------------------------------------------------
Due to the new formation of the Canadian division of
Phalcon/Skism, there will be a virus writing contest that will
start as of this publication in every sub you see it. The
contest is mainly Canadian oriented but EVERYBODY is welcome to
participate. The new Canadian division needs fresh new blood to
start with. Already numerous excellent writers have joined our
ranks up north where we stand. Do expect new viruses soon. It's
just a matter as to who else will join. The award for this
contest will be either or both:
1. Publication of the virus and its author in 40HEX magazine.
2. If the person wishes to, a membership into Phalcon/Skism.
All submissions must be transmitted to this internet site at
"virus-contest@skism.xxxxx.xx.ca" with compiled executable code
AND commented source code to it. NO disassembly will be
accepted. If you wish to send your file encrypted, the public key
of PGP 2.3 is at the end of this file. Please send files
uuencoded. After evaluation by two different writers the winner
will be published in every sub this message was posted on and
also in the 40HEX magazine.
These are the criteria on which the viruses will be judged:
HANDLE: ______________ VIRUS NAME: ______________
FILES AFFECTED: [ ]COM [ ]EXE [ ]SYS [ ]OVR [ ]DOC [ ]OTHER
Brief Description: __________________________________________________
I. TYPE OF VIRUS
[ ]...Overwriting [ ]...Appending [ ]...Boot Sector
II. INFECTION METHOD
[ ]...Direct Action
[ ]...Memory Resident
[ ]...Uses stealth routines
      Brief Description: __________________________________________________
[ ]...Uses tunneling routines
      Brief Description: __________________________________________________
List interrupts that you hooked and how you achieved this.
      Brief Description: __________________________________________________
III. ENCRYPTION
[ ]...Virus is not encrypted
[ ]...Virus is encrypted
      [ ]...Uses external engine
      [ ]...Routines are internal
      Brief Description: __________________________________________________
[ ]...Virus is polymorphic
      Possibilities of reoccurrence: 1 to nTH _____________
      Brief Description: __________________________________________________
IV. PAYLOAD
[ ]...Virus is non-destructive
[ ]...Virus is destructive
code it before sending it over the internet:
If you don't have internet access, please forward your submission to
Memory Lapse on Total Mayhem.
Rumours of Form
---------------
Tenacious rumours about preformatted 3.5" HD diskettes infected by
Form are still in circulation. A certain diskette manufacturer has
been faced with several accusations, but the truth about the matter has
yet to surface. It is, therefore, probably a good idea to also check new,
unused diskettes for viruses. When VIRSTOP is run with the /BOOT
parameter on, it prevents infected diskettes from being used.
Case: The Crepate virus
-----------------------
Mikko Hypponen, Data Fellows Ltd's F-PROT Support.
An ordinary day at work; testing F-PROT's OS/2 version, answering
support calls and writing the upcoming Update Bulletin. It's past
five o'clock, time to get home - the fall is far advanced and
I'll have to get my lawn sown before winter sets in.
The phone rings and shatters these thoughts. The call comes from
Symbolic, our distributor in Italy. Jeremy Gumbley, who works in
Symbolic's technical support, is on the line.
Jeremy gives it to me in a nutshell: A person had just dropped by and
told him that a new, unknown virus had been found in one Italian
university. There are probably tens of infected computers - the exact
number is not known, because none of the antivirus programs that have
been tried has been able to identify the new virus. The situation is
serious and all the computers will remain on hold until the virus is under
control. The visitor brought along a disketteful of files suspected to be
infected.
Jeremy has already taken a look at the files and is quite certain that
they contain a new virus. I tell Jeremy that I'll start working on
the subject immediately. Via modem, Jeremy transfers a sample packet to
the Data Fellows BBS system, and the examination begins. I extract the
samples and put them through an automated examination system, which
checks the files with thirteen different antivirus programs and stores
the reports in an easily readable form. The system reports no alarms,
although some programs report that certain sample files have counterfeit
time stamps: in their creation date, the clock's seconds field shows an
impossible value, 62. Some viruses use this trick to mark files they
have already infected.
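The impossible timestamp mentioned above comes from the way DOS packs file times into a single 16-bit word. As an added example (not from the bulletin and not the Data Fellows examination system), this Python decodes that word and flags values a normal file write cannot produce; the directory listing it scans is constructed, and only the file name KEYB.COM is taken from the text.

```python
# DOS directory entries store the last-write time as one 16-bit word:
#   bits 15-11: hours (0-23), bits 10-5: minutes (0-59), bits 4-0: seconds/2 (0-29)
# Because the low field holds seconds divided by two, the raw value 31 decodes
# to 62 seconds, which no ordinary write produces. Some viruses set such a value
# to mark files they have already infected, so an anomalous time is worth a second
# look during triage (it is a hint, not proof: a disk editor or a buggy tool can
# leave the same trace).

from dataclasses import dataclass


@dataclass
class DosTime:
    hours: int
    minutes: int
    seconds: int

    def is_possible(self) -> bool:
        """True if the decoded time is one a normal file write can produce."""
        return self.hours < 24 and self.minutes < 60 and self.seconds < 60


def decode_dos_time(word: int) -> DosTime:
    """Split a 16-bit DOS time word into hours, minutes and seconds."""
    return DosTime(hours=(word >> 11) & 0x1F,
                   minutes=(word >> 5) & 0x3F,
                   seconds=(word & 0x1F) * 2)


def encode_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack a time into the DOS word; used here to build constructed samples.
    Odd seconds lose their low bit, exactly as DOS itself rounds them."""
    return ((hours & 0x1F) << 11) | ((minutes & 0x3F) << 5) | ((seconds // 2) & 0x1F)


def find_impossible_times(entries: list[tuple[str, int]]) -> list[tuple[str, DosTime]]:
    """Given (filename, raw time word) pairs from a directory listing, return the
    files whose timestamps cannot have been written by a normal DOS file write."""
    flagged = []
    for name, word in entries:
        t = decode_dos_time(word)
        if not t.is_possible():
            flagged.append((name, t))
    return flagged


# Constructed directory listing: the time words are invented. KEYB.COM carries the
# 62-second marker described above; MODE.COM shows that other fields can be
# out of range as well.
SAMPLE_LISTING = [
    ("KEYB.COM",    encode_dos_time(17, 19, 62)),   # raw seconds field = 31 -> 62 s
    ("COMMAND.COM", encode_dos_time(12, 30, 14)),   # ordinary timestamp
    ("MODE.COM",    (25 << 11) | (10 << 5) | 4),    # hours field 25 -> impossible
]
```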
I give the files a quick once-over with a hex editor, enough to conclude
that if they contain a virus, it is a brand-new one. Certain files have the
text "(c)Crepa" at their end. Via Internet, I transfer the files to Frisk
Software International's FTP server in Iceland. Just to be sure, I call
Iceland and recount the incident to Fridrik Skulason. He says that the
files will be taken under close inspection right away. We decide to
divide our forces: I and Jeremy will concentrate on examining how the
samples function, in other words find out what the virus really does.
The people in FSI will focus on building detection and disinfection
routines for the new virus. We'll keep contact by phone and E-mail. I
hang up and start the classification of samples. Seems like I won't get
any time off for my lawn today.
I find out quickly that there are three different kinds of samples. Some
of the files contain extraneous code at their end. This is not caused by a
virus but the "Immunize" function of the Central Point Antivirus
program. To be on the safe side, I remove the Immunization code and
check the original programs. The files are clean. Some of the other
programs contain code which seems to have been added to their
beginning. The remaining files have the text "(c)Crepa" at their end.
It seems that we need to divide the analysing task if we want to resolve
the problem as quickly as possible. I call back to Iceland, and we agree
that they will start working on incorporating the detection and
disinfection of the virus while I and Jeremy start to disassemble and
document the functioning of the little beast.
I give the Crepa files a closer look. There are four of them, all parts of
the Italian MS-DOS 6. I choose to probe KEYB.COM, since it is a
comfortably short program to examine and I know its structure of old.
First I take a hex dump of the program by using Borland's TDUMP
application. Then I proceed to run a debug listing of it with good old
DEBUG.
It proves extremely difficult to follow the program's execution with a
DEBUG listing: the virus completes only one or two instructions at a
time before jumping to somewhere else in the code. Therefore I turn to
Zanysoft Debugger, and use it to analyze the infected KEYB.COM.
Along with Borland's Turbo Debugger, I have found ZD to be a handy
tool to examine virus samples with.
The program's execution is easier to follow with ZD, and it soon
becomes clear that the author of the virus has wanted to make the
program difficult to examine by coding it full of jump instructions.
However, a careful inspection of the code reveals that the commands
executed between jumps form a complex routine that decrypts 3900
bytes at the end of the file. At this point it becomes obvious that this is
a self-encrypting virus.
I execute the virus one command at a time until it has decrypted itself.
Then I store the virus code back on the diskette. When I go over the
decrypted virus code, I notice that two new lines of readable text have
surfaced from beneath the encryption:
COMcomEXEexeOV?ov?
Crepate (c)1992/93-Italy-(Pisa)
The first line appears to indicate that the virus is capable of infecting
COM, EXE and Overlay files. The second line confirms the virus to be
of Italian origin.
I discover that the task of separating the virus code and the original
KEYB.COM code from each other is too arduous. Instead, I decide to
see whether I can get the virus to infect a bait file. As bait, I use a
collection of COM and EXE files which contain nothing more than a
termination instruction and a lot of zeros to pad the files to a certain
length. Such programs do nothing else than terminate their execution,
and since the file lengths are even numbers, a change in size caused by a
virus can be noticed at the first glance.
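As an added example (not the author's tooling), this Python builds bait files the way the paragraph describes and keeps an F-CHECK-style size-and-hash baseline for them, so that both a size change and a same-size corruption, such as the single-byte change the Moose viruses make, are reported. Everything runs in memory; the 3900 bytes appended in the demo are constructed zero padding standing in for the size change the text mentions, not virus code.

```python
import hashlib

# Constructed bait files, built as the text describes: a termination instruction
# followed by zero padding up to a round size, so that any growth caused by an
# appended or inserted virus body stands out at a glance.
COM_TERMINATE = b"\xCD\x20"     # INT 20h: return to DOS from a .COM program


def make_com_bait(size: int) -> bytes:
    """A .COM bait program of exactly `size` bytes that does nothing but exit."""
    if size < len(COM_TERMINATE) or size > 0xFF00:
        raise ValueError("bait size must fit a .COM program")
    return COM_TERMINATE + bytes(size - len(COM_TERMINATE))


def snapshot(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record size and SHA-256 for each file: the kind of baseline an integrity
    checker such as F-CHECK keeps for program files."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def compare(before: dict[str, tuple[int, str]],
            after: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Report every file whose size or contents changed since the baseline.
    A size change is the cheap signal the bait sizes are chosen to expose; the
    hash catches same-size corruption that no size check would ever see."""
    findings = {}
    for name, (size0, digest0) in before.items():
        if name not in after:
            findings[name] = "missing"
            continue
        size1, digest1 = after[name]
        if size1 != size0:
            findings[name] = f"size changed by {size1 - size0:+d} bytes"
        elif digest1 != digest0:
            findings[name] = "same size, contents changed"
    for name in after.keys() - before.keys():
        findings[name] = "new file"
    return findings


def demo() -> dict[str, str]:
    """Constructed run: three baits, one of which grows after the baseline."""
    baits = {f"BAIT{n}.COM": make_com_bait(1024 * n) for n in (1, 2, 4)}
    baseline = snapshot(baits)
    # Constructed change, not virus code: 3900 bytes of zero padding appended to
    # one bait, the length the text gives for the decrypted Crepate body.
    changed = dict(baits)
    changed["BAIT2.COM"] = baits["BAIT2.COM"] + bytes(3900)
    return compare(baseline, snapshot(changed))
```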
I transfer the virus to our much-abused test computer, and copy a sample
of clean baits into the same directory with the virus. When I run the
KEYB.COM, it gives an error message in Italian complaining about
incorrect parameters. I use a memory mapping program to check for
changes in memory allocation. No changes are evident, which means that
the virus is either not resident in memory or capable of bypassing
memory mapping applications. I check the bait files - no changes in
those either. I run the infected KEYB.COM a couple of times to be
certain, but the bait programs are simply ignored. Why? There are many
possible explanations. Maybe the virus is picky about the files it
infects. Maybe it won't infect anything on even days. Maybe it doesn't
infect files in its current directory, but somewhere else on the disk.
Maybe it is a stealth virus, in which case the changes cannot be seen
anyway, at least not while the virus is active.
Jeremy calls while I'm thinking about all this. We get into a discussion
of its peculiar jump structure. "I'm sure I have never seen so many jump
instructions." "For a moment I thought it was a new version of the
Commander Bomber virus, but no, at least not that." "I think that this
jump-spaghetti has been added just to confuse heuristic analysis."
Indeed - F-PROT's Heuristic Analysis failed to give warning of an
infected file even when the /GURU option was enabled. Goes to show that
any software-based protection can be overcome by software. Jeremy has
managed to examine the virus a bit further. I ask what the words "Crepa"
and "Crepate" mean, and he tells me that Crepa means death and Crepate
stands for "You will all die". We agree to name the virus Crepate for
the time being.
Jeremy says that, right after decrypting itself, the virus gets into the
business of doing some absolute disk writes. Immediately, I have a
brainstorm: it is a multipartite virus we are talking about here,
operating in the same way as, for instance, Tequila. When the virus is
executed in a clean computer, it infects the hard disk's Master Boot
Record but does nothing else. The next time the computer is turned on,
the virus stays active in memory and starts infecting other program
files. I test my theory - and yes! The F-CHECK checksum program reports
an altered Master Boot Record.
I use Norton's DISKEDIT to take a copy of the Master Boot Record's code
before restarting the computer. The boot-up seems to be completely
normal. I run MEM and find the familiar sign indicating the presence of
a boot sector virus: the amount of DOS memory has dropped from the 640
kilobytes normally available in this computer. There are only 636
kilobytes left, which means that the virus takes up four kilobytes.
I go back to the virus directory and run the bait files again. Strangely
enough, the baits are still not infected. The filesizes stay the same,
whatever I do. Without giving the matter further thought, I run DOS's
CHKDSK and attain instant enlightenment. CHKDSK reports "Allocation
error" for every COM and EXE file I have executed during this session.
The report includes all the files referred to in AUTOEXEC.BAT, all bait
files, and CHKDSK.EXE itself. This is a clear sign of an active stealth
virus operating in the computer and hiding the changes it has made to
files. However, the virus is not sophisticated enough to hide the
changes from CHKDSK, which reports errors caused by contradictions
between the directory information and the File Allocation Table.
The closer I look, the more advanced this virus is beginning to seem.
When I compare the infected bait files, I notice that the decryption
routine varies between different samples. In addition to everything
else, the virus has polymorphic characteristics mixed in.
The phone rings - Fridrik is calling from Iceland. His staff has gone
through the same sample files, concentrating first on the samples which
Jeremy and I had decided to leave alone for the time being. Some of the
samples had indeed been clean, though packed using CPAV. Some
other files had been found to contain a new virus, which was named
March 25th. In other words, two different viruses are on the loose in
the Italian university! Frisk hands me a short account of the
characteristics of the March 25th virus: a memory-resident COM and
EXE infector that structurally changes COM files into EXEs. The virus
activates on the 25th of March and overwrites most data on the hard
disk. The size of this virus is only 1024 bytes, and it is much simpler
than Crepate.
Frisk has also gone over the Crepate files, and he is already well
acquainted with the virus's functioning. For some reason, though, the
virus does not function in his test computers. Although it manages to
infect the hard disk's Master Boot Record, the computer won't boot
afterwards. Curious. Fridrik is ready to build a disinfection routine for
the virus, but he is hampered by the fact that he cannot get it to spread.
I promise to send him a program packet containing both clean and
infected versions of the same sample files.
After hanging up I take a closer look at the code the virus writes to
the Master Boot Record. Aha, it tries to make inspection more difficult
with instructions that modify the instructions next in line... I get
another brainstorm. Immediately, I call Frisk back and ask what kind of a
computer he used to test the virus. Frisk tells me he has used his newest
virus testing computer, a 33 MHz 386DX. "Does it have internal cache
memory", I ask. "Yes, 8 kilos", Frisk answers. The mystery unravels. I
had tested the virus in a 16 MHz 386SX computer with no cache
memory.
The cache memory of Fridrik's computer buffers commands that are to
be executed next, and makes it unnecessary to retrieve them all the way
from the main memory. Because of that, though, the changes the virus
tried to make in its own code never got through. The bytes it tried to
change had already been read into the cache memory where they could
not be altered. In other words, the Crepate virus cannot function in
computers with internal cache memory - it will only crash them during
boot-up.
I start to create a sample of demo files, beginning with a collection of
programs that are different from each other both structurally and in file
size. I pack the clean programs and transfer the packet into the infected
computer. There I execute, open and copy programs. Any of these
operations infects the program in question, but I notice that the virus
won't infect the smallest files. I boot the computer from a clean
diskette, pack the infected files and transfer them back to my own
computer. Again, I open a telnet session and send the sample packet to
Iceland via FTP.
I continue to examine the virus. It seems that Crepate uses a very
peculiar method to hook the DOS interrupt 21h. The virus would gain
nothing by hijacking the interrupt as the first thing it does after it
has been executed from the boot sector, because DOS takes the interrupt
into use only later on. Instead, at the very beginning the virus hijacks
the BIOS timer interrupt, which fires 18.2 times a second. The virus
uses this interrupt to check 18 times a second whether DOS has loaded
itself. When that happens, the virus hooks interrupt 21h to its own
code. That way it gets to be the first program to latch onto the
interrupt.
The phone rings again, this time it's Jeremy. We quickly exchange what
we have learned from the virus. He tells me he has found a date check
and destruction routine further along the code. The virus activates on
the 16th day of any month, and executes a remarkably thorough
destruction routine. It overwrites all the data on the first hard disk,
going through the disk from beginning to end. Since that kind of a
routine is quite difficult to code, most viruses use destruction routines
that overwrite only a part of the hard disk. For example, even the
notorious Michelangelo virus destroys only a certain amount of the
hard disk's data. After such partial destruction, it is usually possible to
salvage some data from the hard disk without turning to expensive data
recovery services. Crepate is a different breed of cat and goes through
the disk thoroughly, sector by sector.
The 16th day. That was a week ago -- maybe the virus was discovered a
week ago, when the first hard disks were wiped? No matter. It must be
stopped now, before it causes further damage.
I code a routine that checks files for Crepate infection. Using it, I
scan the test computer's hard disk. Practically all the programs I have
used during the evening have been infected. I wipe the hard disk and
restore a basic combination of clean software on it. I run the routine
also on diskettes I have used to carry files between the test computer
and my own. I'm surprised when I notice that the boot sectors on the
diskettes have also been infected. What on Earth - to the best of my
knowledge, the virus code contained no routines for infecting diskettes.
I go over the code more carefully, looking for something that hints at
diskettes. After a time it becomes clear that the virus uses the same
routine to infect both hard disks and diskettes. Crepate is a true
multipartite virus -- capable of infecting three different file types and
two kinds of boot sectors. Its maker must have spent a long time
finishing his creation.
Fridrik sends a completed search routine via FTP. Using it as the base,
I create F-PROT Professional 2.09e. After a quick check to make sure the
program recognizes both March 25th and Crepate faultlessly, I transfer
it to the file areas of Data Fellows BBS. I call Jeremy to tell him he
can pick it up with his modem. At the moment, he is putting together a
summary of the virus to be delivered to the client. He says he will take
F-PROT to the university in the morning.
Everything is just about finished for the evening. Frisk E-mails a
message saying that he'll send a sample of the virus to other antivirus
program developers so they can add the recognition of the new virus to
their own products. After that, Frisk says, he will go home. Jeremy
sounded tired too.
The time is 01.30 in Finland, 00.30 in Italy and 22.30 in Iceland. I'll
go and get some sleep, too - the fall is far advanced and I'll have to
get my lawn sown before winter sets in.
A Summary of the Virus
-------------------------------
Compiled by Jeremy Gumbley, Symbolic, Italy
The Name:
The final name has not been decided yet.
Suggestion: Crepate
Discovered In:
Pisa, Italy
When:
September the third, 1993
Virus type:
A multipartite stealth virus with some polymorphic abilities
Infects:
The Master Boot Records of hard disks
The DOS Boot Records of diskettes
COM files sized between 400 and 62000 bytes
EXE and OVL files regardless of size
Size:
About 2910 bytes in infected files
6 sectors (3072 bytes) in infected boot sectors
The virus also uses one extra sector to store the original boot
sector code in.
Interrupts:
The virus uses interrupts in the following manner:
INT 09h (Keyboard Interrupt)
Hooked while the virus executes the destruction routine.
Because of this, the routine cannot be interrupted with
Ctrl-Break or Ctrl-Alt-Del.
INT 13h (absolute disk reads and writes)
Hooked while the virus infects boot sectors
INT 1Ch (Clock Interrupt)
Hooked while the computer boots itself
INT 21h (A DOS Interrupt)
Gets hooked when the Command Interpreter is loaded
into memory
INT 24h (handling of critical errors)
Hooked while the virus infects files. Because of this,
the user does not receive an error message when the
virus tries to infect a file on a write-protected
diskette.
Memory Allocation:
The virus allocates four kilobytes at the top of DOS memory for
itself. The missing memory can be noticed with the commands
CHKDSK and MEM.
Side Effects:
CHKDSK reports allocation errors for all infected files while
the virus is active in memory
Destruction routines:
The virus uses random data to overwrite all sectors on the
system's first physical hard disk. The destruction routine is
executed on the 16th day of every month
Description:
The functioning of the Crepate virus is divided into several
distinct phases. When an infected file is first executed in a
clean system, the virus replaces the code in the primary hard
disk's boot sector with its own. The virus also overwrites seven
sectors at the end of the hard disk, using this area to store a
part of its own code and the original Master Boot Record. Since
it does not mark these sectors as having been allocated, some
other program may afterwards overwrite them as well.
Next, the virus checks the date from the computer's Real Time
Clock (INT 1Ah/4h). If the date happens to be the 16th of any
month, the virus overwrites all data on the primary hard disk.
The virus enters into its second phase when the computer is
rebooted. The virus code in the boot sector activates and loads
the main part of the viral code into memory. Crepate hooks the
Timer Interrupt INT 1Ch and uses it to check when the Command
Interpreter is loaded into memory. After the virus has hooked
the Timer Interrupt routine, it executes the original Master
Boot Record and allows the booting to continue normally.
When the Command Interpreter (usually COMMAND.COM) has been
loaded, the virus hooks the DOS interrupt INT 21h into its own
code. This way it can bypass most memory-resident antivirus
programs, since they are usually loaded later from AUTOEXEC.BAT.
After hijacking INT 21h, the virus begins to infect COM and EXE
files. The virus infects files whenever something is done to
them with the following INT 21h functions:
3Dh (Open)
3Eh (Close)
43h (Lseek)
41h (Delete)
4Bh (Load and execute program)
6C00h (Extended open/create)
The curious thing about the above listing is that the virus does
indeed infect also files that are being deleted.
In addition to this, the virus uses the following INT 21h
functions to hide the changes it has made to files:
11h (Find first/FCB)
12h (Find next/FCB)
Because of this, the file sizes seem unchanged when the
directory listing is browsed with, for example, the DIR command.
Other Observations:
The virus marks the files it has infected by inserting the bytes
6373h ("cs") at the end of the file. It also changes the seconds
field in the file's time stamp to show an impossible value, 62.
The stealth routines of the virus use the seconds field value
for recognizing an already infected file.
When the virus infects a file, it links a varying code part to
the beginning of the actual viral code. This code strip is
different in every infected file, and its purpose is to make
finding the virus by either signatures or heuristic methods more
difficult.
When the virus activates its destruction routine, it is able to
bypass most of the protection applications which monitor the
absolute disk write interrupt INT 13h. No wonder, since the virus
records the BIOS entry address for INT 13h when the computer is
booted, and calls that address directly when it overwrites the
hard disk.
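The two detection cues in the account above, as an added Python example that is not code from the bulletin or from F-PROT: CHKDSK's allocation cross-check (the size a directory entry reports against the FAT cluster chain, which a stealth hook on the FCB find functions cannot shrink) and the static infection marks the summary lists (the trailing "cs" bytes and a seconds value of 62). The FAT12 layout, cluster size, directory entries and bait-file contents are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed layout for the constructed FAT12 volume used below.
CLUSTER_BYTES = 2048            # bytes per cluster (assumption)
FAT_EOC = 0xFFF                 # FAT12 end-of-chain value
MARKER = b"cs"                  # 63h 73h that Crepate appends to infected files
CREPATE_GROWTH = 2910           # size increase the summary gives for files


@dataclass
class DirEntry:
    name: str
    size: int            # file size as the directory entry reports it
    first_cluster: int   # start of the file's cluster chain in the FAT
    dos_time: int        # packed DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2


def dos_seconds(dos_time: int) -> int:
    """Seconds field of a packed DOS time. Legal values are 0..58; the 5-bit
    field can hold 31, which decodes to the impossible 62 the summary mentions."""
    return (dos_time & 0x1F) * 2


def chain_length(fat: dict, first: int) -> int:
    """Count the clusters in a FAT chain, refusing cycles and dangling links."""
    seen = set()
    cur = first
    while cur != FAT_EOC:
        if cur in seen or cur not in fat:
            raise ValueError("broken or cyclic FAT chain at cluster %d" % cur)
        seen.add(cur)
        cur = fat[cur]
    return len(seen)


def clusters_needed(size: int) -> int:
    """Clusters a file of the given size must occupy (at least one)."""
    return max(1, -(-size // CLUSTER_BYTES))


def allocation_error(entry: DirEntry, fat: dict) -> bool:
    """CHKDSK-style cross-check: the chain read from the FAT should match the
    size the directory reports. A stealth virus that hides its growth in the
    directory listing cannot shrink the chain, so the two disagree."""
    return chain_length(fat, entry.first_cluster) != clusters_needed(entry.size)


def crepate_marks(entry: DirEntry, data: bytes) -> list:
    """Static infection marks from the summary, checked on the real file bytes
    (read with the virus inactive, e.g. after booting from a clean diskette)."""
    marks = []
    if data.endswith(MARKER):
        marks.append("trailing cs marker")
    if dos_seconds(entry.dos_time) == 62:
        marks.append("seconds field 62")
    return marks


def assess(entry: DirEntry, fat: dict, data: bytes) -> list:
    """All findings for one file: static marks first, then the FAT cross-check."""
    findings = crepate_marks(entry, data)
    if allocation_error(entry, fat):
        findings.append("allocation error: directory size hides %d bytes"
                        % (len(data) - entry.size))
    return findings


def make_time(hour: int, minute: int, two_seconds: int) -> int:
    """Pack a DOS time word from its three fields."""
    return (hour << 11) | (minute << 5) | two_seconds


# Constructed sample. BAIT1.COM is a 2000-byte bait (a RET followed by zero
# padding) that Crepate has grown by 2910 bytes; the stealthed directory still
# says 2000 bytes, but the FAT chain holds all 4910 bytes (three clusters).
# BAIT2.COM is an untouched bait of the same size.
SAMPLE_FAT = {2: 3, 3: 4, 4: FAT_EOC,   # BAIT1.COM: clusters 2 -> 3 -> 4
              5: FAT_EOC}               # BAIT2.COM: cluster 5 only
BAIT = b"\xC3" + b"\x00" * 1999
INFECTED = DirEntry("BAIT1.COM", len(BAIT), 2, make_time(23, 15, 31))
INFECTED_DATA = BAIT + b"\x90" * (CREPATE_GROWTH - len(MARKER)) + MARKER
CLEAN = DirEntry("BAIT2.COM", len(BAIT), 5, make_time(23, 15, 10))
CLEAN_DATA = BAIT

if __name__ == "__main__":
    for entry, data in ((INFECTED, INFECTED_DATA), (CLEAN, CLEAN_DATA)):
        print(entry.name, assess(entry, SAMPLE_FAT, data) or ["clean"])
```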
F-PROT Support Informs: Common Questions and Answers
----------------------------------------------------
Your local F-PROT Professional support is ready to help you on
questions concerning information security and the prevention of viruses.
You can also contact Data Fellows directly; our phone number is
+358-0-692 3622, fax +358-0-670 156. You can also write to us at:
Data Fellows Ltd, F-PROT Support, Wavulinintie 10, SF-00210 HELSINKI,
FINLAND. By electronic mail, you can reach us at f-prot@df.elma.fi or
via X.400 at S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.
I installed the new Windows-capable VIRSTOP that was included in F-PROT
2.09. When I tried to run Windows, I received the following message:
Cannot find a device file that may be needed to run Windows in
386 enhanced mode;
C:\F-PROT\VIRSTOP.EXE
Run Setup again.
Windows did start, but the Windows elements of VIRSTOP were not
activated. Why not? I use the Stacker disk compression.
The VIRSTOP for Windows documentation describes that the DOS-
and Windows elements of VIRSTOP are both stored in the same
file, the VIRSTOP.EXE. This file must be available during the
startup of Windows, because the Windows elements of VIRSTOP are
loaded into memory only when Windows starts, and not earlier.
When VIRSTOP is run for the first time, it marks up its own
location on the hard disk. If this location changes, or if
VIRSTOP is removed from the disk before Windows is started,
Windows displays an error message.
In this case, VIRSTOP is loaded from an unpacked disk section
before Stacker is executed. Upon execution, Stacker's program
SSWAP changes the order of logical disks. In other words,
VIRSTOP is loaded from disk C, but afterwards the logical disks
C and D swap disk letters with each other. When Windows starts,
the path for VIRSTOP is no longer C:\F-PROT\VIRSTOP.EXE,
but D:\F-PROT\VIRSTOP.EXE.
You can solve the problem by either storing VIRSTOP on a packed
disk section, or by executing it from an unpacked disk section
after the SSWAP command has been given.
Windows reports a similar message if VIRSTOP is loaded from a
diskette and the diskette is thereafter removed from the drive,
or if VIRSTOP is loaded from a server and the network connection
is terminated before Windows is run. The message does not mean
that Windows won't start, but VIRSTOP will function as if it had
been given the /NOWIN parameter.
I started using F-SCHEDULER, and configured it to run automatically
every time I start a Windows session. I also use F-SCHEDULER's Screen
Saver, which allows me to leave my computer logged on for the night
without having to worry about unauthorized use. The Screen Saver
functions otherwise normally, but for some reason it switches on every
time I am in a DOS session under Windows. It doesn't seem to matter how
much or how little I use the computer at the time, the Screen Saver may
activate even while I am just typing on the keyboard.
F-SCHEDULER's Screen Saver is switched on when the keyboard and
the mouse have been left untouched for a certain time.
F-SCHEDULER cannot see whether they are used inside a DOS
window, however, since such information is not relayed to
Windows. One way to solve the problem would be by configuring
the Screen Saver not to activate if a DOS window is active at
the same time. There's a snag, though, because the computer
would remain unprotected at night if a DOS program was left
running after hours.
A better way to deal with the problem is to raise the Screen
Saver's activation time to 15 or 30 minutes. It usually does not
take longer to handle typical DOS window operations, but the
Screen Saver will be switched on if the computer has been left
alone for long enough.
I tried to run F-PROT check by using F-SCHEDULER's default settings and
pressing the "Execute" button. F-PROT did not start. Instead, Windows
reported an error message claiming insufficient memory. Program
Manager, on the other hand, reports several megabytes of available
memory.
In this case, it's not a question of available Windows memory.
The problem is caused by the amount of available DOS memory.
When F-PROT is executed under F-SCHEDULER, it requires 400
kilobytes of available DOS memory. In most configurations, this
can be easily achieved through memory optimization.
If the amount of available memory is only slightly below 400
kilobytes, you can probably run F-PROT by using the F-SCHEDULER
function Execute File instead of Execute F-PROT.
If F-PROT is run from F-SCHEDULER, the check continues only until
my Screen Saver activates. When I press a key, the check picks up
again.
You have used the Windows Control Panel to prevent programs from
being executed in the background. There is a setting called
"Exclusive in Foreground" in Control Panel's "386 Enhanced"
section. If it is switched on, Windows stops the execution of
all but the foremost program. Therefore, the F-PROT check
proceeds only until the Screen Saver activates, and while the
Screen Saver is active, all other programs are on hold. You can
remedy the situation by switching off the setting.
I have switched F-SCHEDULER's Screen Saver off, since I am using another
Screen Saver product to protect my computer from unauthorized use. For
some reason, F-SCHEDULER's saver is switched back on every time I start
Windows. How can I get the Screen Saver to stay switched off?
In this respect, the Screen Saver does not function correctly. We have
fixed the problem, and will deliver the new version to all who
want it. Raising the Screen Saver's activation time to 30
minutes or above will probably suffice for most users.
When VIRSTOP is started, does it check the computer's memory for all
known viruses?
When started, VIRSTOP uses generic methods to ensure that the
computer's memory does not contain an active boot sector virus.
VIRSTOP also checks itself against a file virus infection. If
you want your computer's memory checked for all known viruses
during every boot-up, you must add the command
F-PROT . /NOFILE /NOBOOT
to the file AUTOEXEC.BAT. Verify the result by checking the
errorlevel return code. It can be done as follows, for example:
IF NOT ERRORLEVEL 4 GOTO END
ECHO There is an active virus in memory. Contact Bob at ext. 517.
ECHO Machine is halted.
CTTY NUL
:END
Network drivers take up a large part of my computer's DOS memory,
so that I have only 350 kilos of available memory left. Will F-PROT
function in a computer that has so little memory available?
It depends on the scanning method, but generally speaking the
answer is yes. F-PROT is designed to function in almost any
computer environment. Even the original IBM 8086, equipped with
a green-black monochrome monitor, a 360 kb diskette drive, 512
kb of memory and PC-DOS 2.0, can run F-PROT.
At minimum, F-PROT requires about 300 kilos of available memory.
The memory requirement depends on the mode the program is
executed in. The following table gives an indication of how much
available DOS memory F-PROT needs in order to function. The
numbers presented in the table are valid for F-PROT 2.10, but
the memory requirements of future versions may vary.
Command Line Mode:
    Secure Scan              303 kb
    Heuristic Analysis       376 kb
Interactive Mode:
    Secure Scan              311 kb
    Heuristic Analysis       412 kb
I checked my hard disk with the latest F-PROT. It gave the following
message of several files:
Note: C:\XCOPY.EXE has been inoculated by Central Point Anti-Virus.
What has CPAV done to my files?
This message is not alarming; it only informs the user that
Central Point Anti-Virus has been executed in the computer with
the "Inoculate" option on. When the option is on, CPAV modifies
all scanned programs by adding code to their ends. This code
checks the program's length as well as its first few bytes. In
fact, the functioning of this code strip greatly resembles the
functioning of certain viruses.
If the file size of a CPAV-protected program changes, the
Inoculate code displays the following message when the program
is next executed:
Central Point Anti-Virus (c) 1991 CPS
Self Integrity Check warning - File was changed !
Choose an option:
[R] Self Reconstruction.
[C] Continue execution.
[E] Exit to DOS.
Press R,C or E:
Then why does F-PROT remark on the modified files? Simply
because many programs do not function after they have been
"inoculated". Some programs (like, for instance, F-PROT and
VIRSTOP) refuse to start at all, while others only crash after
the modification. Besides which, some programs modify their own
file, causing the CPAV warning to be displayed time and again.
CPAV's Inoculate function is especially hazardous if it is used
to protect files that have already been infected with a virus.
CPAV's code blankets the viruses very efficiently, preventing
most antivirus programs from noticing them. Notwithstanding
that, the virus is in most such cases able to continue
functioning quite normally.
Many heuristic antivirus programs give warning of the inoculated
files as well, because the code added by CPAV is very suspicious
in nature. The reason why this particular message was added to
F-PROT was to help a user to find and recognize the inoculated
files. While the change in programs may be easy to notice, it is
not necessarily obvious what has happened to them. The modified
files can be returned back to normal by using CPAV.
Changes to F-PROT in version 2.10
---------------------------------
The command line switch /TROJAN is no longer needed. The corresponding
menu item has also been removed from the Scan menu. Nowadays, when
F-PROT scans for viruses, it also looks for known Trojan Horses.
Although the switch /TROJAN does still exist, it is only a convenience
whose purpose is to keep old batch files functioning without
modifications. The switch no longer affects the functioning of scans in
any way.
F-PROT notifies the user of files that have been modified by the
"Immunize" function of Turbo Antivirus or Central Point Antivirus.
Two new command line parameters have been added to F-PROT. The parameter
/640 prevents F-PROT from checking the memory above 640 kilobytes - the
switch may be needed in computers having a nonstandard motherboard and
only 640 kilobytes of memory. The parameter /MONO starts F-PROT in
monochrome mode, and it can prove useful when the program is run on a
laptop, for instance.
Results of memory scan are now written to a report file if a virus is
found and the /REPORT= switch is used - previously only an errorlevel
value was returned.
The method F-PROT uses to deal with new variants of known viruses has
been redesigned. Previously F-PROT would always refuse to disinfect a
new variant of some known virus, even if it was only slightly different
from a variant it recognized. Now it will attempt to determine if the
new variant is sufficiently similar to a known variant for the same
disinfection procedure to be attempted. Still, we would like to ask
F-PROT users to continue sending us samples of all viruses that are
reported as new, modified or unknown variants.
F-PROT 2.09 occasionally missed samples of the Tremor and Phoenix.2000
viruses. This is fixed now.
When disinfecting certain viruses, such as Jerusalem from COM files,
F-PROT would not retain the date/time of the file, but instead set it to
the current date/time. This has been fixed.
If F-PROT was run twice in a row in interactive mode, and found some
viruses on the first pass, on the second run it would occasionally claim
that the MBR was infected. This has been fixed.
F-PROT would search boot sectors for user-defined signatures only with
"Quick Scan", not "Secure Scan" - it should have been the other way
around. This has been fixed.
We have significantly increased the use of "exact" identification of
viruses, where F-PROT uses a 32-bit checksum to distinguish between very
similar variants. This is one of the explanations for the large number
of new variants listed below.
New Viruses Recognized by F-PROT:
---------------------------------
The following 58 viruses are now identified, but can not be removed
because they overwrite or destroy infected files. Some of them were
detected by earlier versions of F-PROT, but were only reported to be
new or modified variants:
Abraxas (1171) SillyOR (69) Trivial (27)
Abraxas (1200) SillyOR (74) Trivial (28)
Atomic.480 SillyOR (76) Trivial (29)
Burger (405.B) SillyOR (77) Trivial (30.D)
Burger (560), 8 variants SillyOR (88) Trivial (30.E)
Civil War.444 SillyOR (94) Trivial (40.D)
Knight SillyOR (97) Trivial (40.E)
Leprosy (350) SillyOR (98) Trivial (40.F)
Leprosy (647) SillyOR (99) Trivial (42.C)
Leprosy (Clinton) SillyOR (101) Trivial (42.D)
Milan.WWT.67.C SillyOR (102) Trivial (43)
Naught (712) SillyOR (107) Trivial (44.D)
Naught (865) SillyOR (109) Trivial (45.D)
Proto-T.Flagyll.371 SillyOR (112) Trivial (102)
SillyOR (60) Tack (411) VCL.527
SillyOR (66) Tack (477) Viruz
SillyOR (68) Trivial (26.B) ZigZag
The following 448 new viruses can now be detected and removed.
Some of these viruses were detected by earlier versions, but are now
identified accurately:
3y Mgtu (269)
4-days Mgtu (273.B)
4res Mgtu (273.C)
_127 Minimite
_130 Mirror.B
_132 MPS-OPC II.754
_205 Mr. G.314
_330 Mshark.378
_409 Multi.B
_524 Murphy (1277.B)
_584 Murphy (Woodstock)
_593 Mutator (307)
_655 Mutator (459)
_1417 Never Mind
_1536 Nina (B)
_2878 Nina (C)
Abbas No Bock.B
Alabama.C No Frills.835
Ambulance.E November 17th (690)
Andro November 17th (800.A)
Andromeda November 17th (800.B)
Arcv.companion Npox (955)
Armagedon.1079.D Npox (1482)
Atomic (Toxic) Npox (1722)
Atomic (166) Npox (1723)
Atomic (350) Nygus (163)
Atomic (831) Nygus (227)
Attention.C Nygus (295)
Aurea Nympho
Australian Parasite.272 OK
BadSector Oropax (B)
Best Wishes (1024.C) Oropax (C)
Best Wishes (1024.D) Osiris
Black Jec (284) Override
Black Jec (323) Parity.B
Black Jec (235) Particle Man
Black Monday (1055.E) PC-Flu
Black Monday (1055.F) Phx
Black Monday (1055.G) Pit
Black Monday (1055.H) Pixel (277.B)
BloodRage Pixel (300)
Bootexe Pixel (343)
Bubonic Pixel (846)
Bupt.1279 Pixel (847.Advert.B)
Cascade (691) Pixel (847.Advert.C)
Cascade (1701.G) Pixel (847.Near_End.B)
Cascade (1701.H) Pojer.1935
Cascade (1701.J) PS-MPC (331)
Cascade (1701.K) PS-MPC (349)
Cascade (1701.L) PS-MPC (420)
Cascade (1704.L) PS-MPC (438)
Cascade (1704.N) PS-MPC (478)
Cascade (1704.O) PS-MPC (481)
Cascade (1704.P) PS-MPC (513)
Checksum.1253 PS-MPC (547)
Chris PS-MPC (564)
Civil War III PS-MPC (574)
Clonewar (238) PS-MPC (578)
Clonewar (546) PS-MPC (597)
Clonewar (923.A) PS-MPC (615)
Clonewar (923.B) PS-MPC (616)
Cobra PS-MPC (1341)
Coib PS-MPC (2010)
Comasp.633 PS-MPC (Alien.571)
Coffeshop.1568 PS-MPC (Alien.625)
Cybercide.2299 PS-MPC (Arcv-9.745)
Cybertech (501) PS-MPC (Arcv-10)
Cybertech (503) PS-MPC (Deranged)
Danish Tiny (163) PS-MPC (Dos3)
Danish Tiny (Kennedy.B) PS-MPC (Ecu)
Dark Apocalypse PS-MPC (Flex)
Dark Avenger (1800.F) PS-MPC (Geschenk)
Dark Avenger (1800.G) PS-MPC (Grease)
Dark Avenger (1800.H) PS-MPC (Iron Hoof.459)
Dark Avenger (1800.I) PS-MPC (Iron Hoof.462)
Dark Avenger (1800.Rabid.B) PS-MPC (Napolean)
Dark Avenger (2000.Copy.C) PS-MPC (Nirvana)
Dark Avenger (2000.DieYoung.B) PS-MPC (Nuke5)
Dark Avenger (2100.DI.B) PS-MPC (Page)
Dark Avenger (Jericho) PS-MPC (Shiny)
Dark Avenger (Uriel) PS-MPC (Skeleton)
Dashel PS-MPC (Soolution)
DataCrime (1168.B) PS-MPC (Sorlec4)
DataCrime (1280.B) PS-MPC (Sorlec5)
DataLock (920.K1150) PS-MPC (Soup)
DataLock (1740) PS-MPC (T-rex)
Dbase.E PS-MPC (Toast)
Dejmi PS-MPC (Toys)
Destructor.B PS-MPC (McWhale.1022)
Devil's Dance (C) Quadratic.1283
Devil's Dance (D) Radyum (698)
Digger.600 Radyum (707)
Dos 7 (342) Rape (2777.A)
Dos 7 (376) Rape (2877.B)
Dos 7 (419) Rasek (1489)
Dosver Rasek (1490)
Doteater (C) Rasek (1492)
Doteater (D) Red Diavolyata (830.B)
Doteater (E) Red Diavolyata (830.C)
Dracula Retribution
Du Ripper
Dy Russian_Mirror.B
Dzino Sata.612
Finnish.709.C Saturday 14th.B
Friday the 13th (540.C) Satyricon
Friday the 13th (540.D) Screaming Fist.I.683
Frodo (F) Shake.B
Frodo (G) Shanghai
Frodo (H) SI-492.C
Fumble.E SillyC (208)
Gemand SillyC (215)
Genc (502) Sistor (1149)
Genc (1000) Sistor (3009)
Goga Skew.445
Golgi (465) Slub
Golgi (820) Smoka
Granada Sofia-Term (837)
Grog (Lor) Sofia-Term (887)
Grog (990) Stardot.789.C
Grog (1641) Sterculius
Guppy.D Spring
Halloechen (B) Stimp
Halloechen (C) Storm (1172)
Hates Storm (1218)
Headcrash.B Stupid.Sadam.Queit.B
Helloween (1227) Sundevil
Helloween (1384) Svc (1689.B)
Helloween (1447) Svc (1689.C)
Helloween (1839) Svc (3103.D)
Helloween (1888) Sybille
Helloween (2470) Sylvia (1321)
Hi.895 Sylvia (1332.E)
Hidenowt Syslock (Syslock.C)
HLLC (Even Beeper.C) Syslock (Syslock.D)
HLLC (Even Beeper.D) Taiwan (708.B)
Infector (759) Taiwan (743.B)
Infector (822.B) Taiwan (752.B)
Intruder.1317 Testvirus-B (B)
Italian Boy Testvirus-B (C)
IVP (540) Thirty-three
IVP (Bubbles) Tic.97
IVP (Math) Timid.302
IVP (Silo) Tomato
IVP (Wild Thing) Totoro
Jackal Traveler Jack (854)
Japanese_Christmas.600.E Traveler Jack (979)
Jerusalem (664) Traveler Jack (980)
Jerusalem (1960) Traveler Jack (982)
Jerusalem (1829.Anarkia) Unexe
Jerusalem (2223) Uruk Hai.427
Jerusalem (Anticad.2900.Plastique.B) Ussr-707.B
Jerusalem (Anticad.2900.Plastique.C) Vacsina (634,TP.5.B)
Jerusalem (Anticad.2900.Plastique.D) Vacsina (TP.16.B)
Jerusalem (AntiCad.3012.C) Vbasic.D
Jerusalem (AntiCad.3012.D) VCL (506)
Jerusalem (Fu Manchu.D) VCL (507)
Jerusalem (Sunday.G) VCL (604)
Jerusalem (Sunday.H) VCL (951)
Jerusalem (Sunday.I) VCL (Anti-Gif)
Jerusalem (Sunday.J) VCL (ByeBye)
Jerusalem (1765) VCL (Earthquake)
Jerusalem (Groen Links.D) VCL (Paranoramia)
Jerusalem (PSQR.B) VCL (Poisoning)
Jerusalem (Solano.Syslexia.B) VCL (VF93)
Jerusalem (Solano.Subliminal.B) VCL (VPT)
Jerusalem (Westwood.B) VCL (Ziploc)
Jest VFSI.B
K-4 (687) Vienna (566)
K-4 (737) Vienna (623.B)
Kemerovo.257.E Vienna (627.B)
Keypress (1215) Vienna (644.C)
Keypress (1232.D) Vienna (648.J)
Keypress (1232.E) Vienna (648.K)
Keypress (1232.G) Vienna (648.O)
Keypress (1232.H) Vienna (648.Reboot.B)
Keypress (1232.I) Vienna (648.Reboot.C)
Keypress (2728) Vienna (648.Reboot.D)
Kernel Vienna (648.Q)
Lapse (323) Vienna (648.R)
Lapse (366) Vienna (648.S)
Lapse (375) Vienna (648.X)
Leningrad II Vienna (758)
Literak Vienna (Choinka.B)
Little Girl.985 Vienna (Choinka.C)
Lockjaw (808) Vienna (W-13.534.H)
Lockjaw (Black Knight) Vienna (W-13.534.I)
Lock-up Vienna (W-13.534.J)
Loki.1234 Vienna (648.Abacus)
Lyceum.930 Vienna (Bush)
M_jmp (122) Vienna (IWG)
M_jmp (126) Virdem (1336.Bustard.A)
M_jmp (128) Virdem (1336.Bustard.B)
Magician Virdem (1336.Cheater)
Manuel (777) Wilbur (B)
Manuel (814) Wilbur (D)
Manuel (840) Wildy
Manuel (858) Willow.2013
Manuel (876) Wisconsin.B
Manuel (937) Wolfman.B
Manuel (995) Wvar
Manuel (1155) Xph (1029)
Manuel (1388) Xph (1100)
Matura.1626 Xtac
Mel Yankee Doodle.Login.2967
Merry Christmas Year 1992.B
MG (2.D) Youth.640.B
MG (3.C)
The following 71 new viruses can now be detected but not yet removed:
_1403                                   Mutator.780
_1798                                   Mystic
Arcv (916)                              Necro-fear
Arcv (Friends.839)                      November 17th.1007
Arcv (Jo.911)                           Number of the Beast (B.2)
Arcv (Scroll)                           Number of the Beast (E.2)
Arcv (Slime)                            Phalcon.Emo
Arusiek.817.B                           Predator (1072)
Atas II.1268                            Predator (1137)
Barrotes.1303                           Predator (1148)
Bobo                                    Predator (1195)
Calc                                    Predator (2448)
Civil War.552                           Proto-T.1053
Close                                   Rape.1885
Darkray                                 S-bug.Fruit-Fly
Digger (1000)                           Sarov
Digger (1512)                           Screaming Fist (II.650)
Dir-II (G)                              Screaming Fist (II.652)
Dir-II (J)                              Screaming Fist (II.724)
Dir-II (L)                              Screen+1.1654
Du                                      Seat
Dwi                                     Serene
Error Inc                               Shoo (2803)
Fairz                                   Shoo (2824)
Honey                                   Skater (699)
Inoc                                    Skater (977)
IVP (Mandela)                           Skater (1021)
IVP (Swank)                             Soupy (1001)
Jerusalem.Zerotime.Australian.B         Soupy (1072)
Little Red                              Student
Malmsey.806                             Suriv 1.Xuxa.1405
Marzia                                  SVC.2936
Mayak                                   Svm
Mr D (A)                                Velvet
Mr D (B)                                Yankee Doodle.2189
Multichild.110                          Zherkov.2435
The following 3 viruses can now be disinfected. The earlier versions of
F-PROT could only destroy the infected files.
HLL (3680)
HLL (Antiline)
Loren
Appendix: Combined antivirus reviews 1993
------------------------------------------
During 1993, F-PROT has dominated antivirus reviews throughout the
world. Here is a reference table of the results of some of the most
important tests (entries without a number were listed by the reviewer
without a ranking):
PC Magazine, Germany, January 1993:
1. F-PROT 2.05a
2. Antivir IV 4.04
3. AntiVirus Toolkit 5.61
Virus Bulletin, Great Britain, January 1993:
1. F-PROT 2.06b
2. AntiVirus Toolkit 6.02
3. AVScan 0.98H
Software Digest, USA, May 1993:
1. F-PROT 2.07
1. CPAV 2.0
2. AntiVirus Toolkit 6.02
VSUM 307, USA, July 1993:
1. F-PROT 2.09
2. ViruScan V106
3. AntiVirus Toolkit 6.53
PC Magazine, Italy, August 1993:
F-PROT 2.06a
AntiVirus Toolkit 6.5
Norton Antivirus 2.1
VSUM 308, USA, August 1993:
1. F-PROT 2.09
2. ViruScan V106
3. AntiVirus Toolkit 6.53
Computer Sweden, Sweden, August 1993:
F-PROT 2.09
AntiVirus Toolkit 6.30
ViruScan V106
TBScan 6.03
CM-Corporate, Belgium, September 1993:
1. F-PROT 2.09
2. AntiVirus Toolkit 6.53
3. TBAV 6.03
Personal Computer Magazine, The Netherlands, November 1993:
F-PROT 2.09
ThunderByte Antivirus 6.05
Sweep 2.53