
F-PROT Professional 2.10 Update Bulletin
========================================

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.10 Update Bulletin; Copyright (c) 1993 Data Fellows Ltd.

-------------------------------------------------------------------------------

CONTENTS 5/93
-------------
 A Major update
 Infected CD-ROM disks
 To Be Fruitful and Multiply: The Butterfly family
 Stoned.Empire.Monkey.A
 A new variant of Cascade on the move in the Nordic countries
 Made in Sweden: Moose
 Sweden is going to make virus writing illegal
 The globally most known viruses
 Virus Bulletins Conference in Amsterdam
 Phalcon/Skism strikes again
 Rumours of Form
 Case: The Crepate virus
 Questions and Answers
 Changes to F-PROT Professional in version 2.10
 Appendix: Summary of antivirus tests during 1993


F-PROT Professional 2.10 - A Major update
-----------------------------------------

Never before have so many new viruses been added to F-PROT in a single
update. One reason for this is that the increase in the number of
viruses is accelerating steadily.

In version 2.10 we add a new component to our product package. 
F-CHECK, which detects changes in program files, is a tool for the 
administrator and the skilled user. To avoid bothering users with 
needless alarms, F-CHECK deduces how probable it is that the changes 
it detects have been caused by a virus.

Among other things, F-CHECK features an interesting way of 
removing infections. The program stores the important parts of 
executable files, and in many cases this data can be used to remove 
infections caused by previously unknown or even overwriting viruses.
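An added illustration of the idea behind F-CHECK (this is example code written for this bulletin's readers, not F-CHECK's own code or Data Fellows' tooling): a baseline of each program file's size, hash and leading bytes is stored, later changes are reported and rated for how virus-like they look, and the stored leading bytes can be written back when the rest of the program is still intact. HEADER_BYTES, the scoring rules and the DEMO.COM scenario are assumptions made for illustration.

```python
"""Added example, not F-CHECK's own code: a minimal change detector for
program files in the spirit of the description above. It stores a baseline
(size, SHA-256 and the first HEADER_BYTES of each file), reports changes,
rates how virus-like each change looks and can put a stored header back.
HEADER_BYTES and the scoring rules are assumptions made for illustration."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

HEADER_BYTES = 64  # assumed "important part": covers a COM entry point or an MZ header


@dataclass
class Baseline:
    size: int
    digest: str
    header: bytes


def snapshot(path):
    """Record size, content hash and the leading bytes of one program file."""
    with open(path, "rb") as f:
        data = f.read()
    return Baseline(len(data), hashlib.sha256(data).hexdigest(), data[:HEADER_BYTES])


def build_baseline(paths):
    return {path: snapshot(path) for path in paths}


def assess_change(old, new):
    """Return (score, reasons); a higher score means the change looks more like
    a virus and less like a legitimate update. The rules are an assumption."""
    if new.digest == old.digest:
        return 0, ["unchanged"]
    score, reasons = 0, []
    if new.size > old.size:
        score += 2
        reasons.append(f"grew by {new.size - old.size} bytes (typical of an appending infector)")
    elif new.size == old.size:
        score += 1
        reasons.append("same size, different contents (overwriting infector or a patch)")
    else:
        reasons.append("shrank (unusual for a virus)")
    if new.header != old.header:
        score += 2
        reasons.append("leading bytes changed (entry point redirected?)")
    return score, reasons


def check(baseline):
    """Compare every baselined file with its current state; return only the changed ones."""
    findings = {}
    for path, old in baseline.items():
        new = snapshot(path)
        if new.digest != old.digest:
            findings[path] = assess_change(old, new)
    return findings


def restore_header(path, old):
    """Write the baseline's leading bytes back. This helps only when the virus
    left the rest of the original program in place, as appending infectors do."""
    with open(path, "r+b") as f:
        f.write(old.header)


def demo(directory=None):
    """Constructed scenario: baseline a tiny COM-style file, simulate an
    appending infection (entry patched to a JMP, filler added at the end),
    detect it and repair the entry bytes."""
    directory = directory or tempfile.mkdtemp()
    prog = os.path.join(directory, "DEMO.COM")
    original = b"\xCD\x20" + b"\x00" * 254          # INT 20h (terminate) plus padding
    with open(prog, "wb") as f:
        f.write(original)
    base = build_baseline([prog])
    with open(prog, "r+b") as f:
        f.write(b"\xE9\xFD\x00")                     # JMP rel16 to offset 256, where the added bytes sit
        f.seek(0, os.SEEK_END)
        f.write(b"\x90" * 300)                       # constructed stand-in for a virus body
    score, reasons = check(base)[prog]
    restore_header(prog, base[prog])
    with open(prog, "rb") as f:
        repaired = f.read()
    return score, reasons, repaired[:256] == original


if __name__ == "__main__":
    print(demo())
```

The scoring is deliberately coarse: a file that grew and whose first bytes changed scores highest, while a same-size content change scores lower because a legitimate patch looks the same. The repair step only puts the stored leading bytes back, so the appended body is still on disk afterwards and the size check will keep flagging the file until it is truncated or replaced from a clean copy.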

Both the Windows and OS/2 versions of F-PROT have moved to the 
Beta testing phase. The Windows version will be published along with 
F-PROT Professional version 2.11, and the OS/2 version will be ready 
at about the same time. If you are interested in beta testing the products 
and have both time and a network available, contact us.


New virus sightings
-------------------

Infected CD-ROM Disks In Circulation
-------------------------------------

Two separate cases, in which a file originating from a CD-ROM disk 
had caused a virus infection, were discovered in October and 
November. In both cases, the involved disks were globally distributed 
shareware collections.

PS-MPC.Math-test
----------------
The PS-MPC.Math-test virus was found on the CD-ROM disk 
"Software Vault, Collection 2". The infection was discovered when a 
private person from Helsinki, Finland, contacted Data Fellows Ltd at 
the end of October. This person's computer was almost completely 
infected by the virus.

PS-MPC.Math-test is one of the viruses created with Phalcon/Skism 
Mass Produced Code Generator. The virus stays resident in memory 
and infects practically all executed COM and EXE programs. It 
activates every day between 9 and 10 a.m., displays some simple 
summing problems and demands that the user solve them. If the user 
doesn't get the answer right, the virus won't execute the requested 
program.

The Phalcon/Skism Mass Produced Code Generator has been described 
in more detail in F-PROT 2.07 Update Bulletin.

The infected file is located in directory 18 of the CD-ROM, inside the 
packet 64BLAZER.ZIP. The same directory also contains a clean version 
of the program, named 64BLAZE.ZIP.

Lapse (366)
-----------
The Lapse (366) virus was discovered on the CD-ROM disk "Night 
Owl 10".

Lapse (366) is a simple EXE infector, written in Canada. The virus 
infects only EXE files in its current directory and does not stay in 
memory. It increases the size of infected files by 366 bytes and contains 
the text "Memory_Lapse.366.a". The text is quite probably intended to 
be a mockery of CARO's virus naming standard.

Lapse (366) does not activate in any way.

The infected file is located inside the packet SF2_UP.ZIP, in the 
CD-ROM's "Games" directory. According to the description, the file 
contains an update to the game Street Fighter 2.

What makes an infected CD-ROM especially troublesome is the fact 
that the infected files cannot be removed or deleted.

Data Fellows Ltd has contacted the publishers of these two CD-ROMs. 
The manufacturers admit the infection, and they will probably withdraw 
the disks from the market.

F-PROT 2.10 finds both PS-MPC.Math-test and Lapse (366).

To Be Fruitful and Multiply: The Butterfly Family
-------------------------------------------------

The F-PROT 2.09 Update Bulletin mentioned the Butterfly virus, which 
spread all over the world with the shareware data communications 
program Telemate 4.11. The Butterfly incident did not prove very 
serious in itself, since only few users executed the single video card 
driver the virus had managed to infect.  

Butterfly's extensive spreading created another kind of a problem, 
however: with it, many virus enthusiasts acquired a personal copy of a 
simple, functional and easily modifiable virus. A flow of new Butterfly 
variants followed soon after.  

Butterfly-FJM
-------------
In the middle of July, a counterfeit copy of the popular LIST program 
was released in USA. The latest real version of LIST is v7.8, but the 
fake claimed the version number 8.2. The program had been infected 
with a slightly modified version of Butterfly - only the text the virus 
contains had been changed. The original virus contains the text 
"Goddamn Butterflies" at the end of its code. In its place, the new FJM 
version has an obscene comment about John McAfee, the creator of the 
SCAN antivirus application. 

Although both versions of Butterfly use the same code, the FJM variant 
may yet prove a more successful infector than the original. That is 
because Butterfly only infects files in the current directory. Most users 
install auxiliary programs such as LIST somewhere along the hard 
disk's path to make them easily accessible. When the infected LIST is 
executed from some other directory, the virus can jump the directory 
boundary that normally limits its spreading.    

Butterfly-Crusaders
-------------------
Another descendant of the Butterfly virus was found in the middle of 
August. Yet again, the new variant had been disguised as a shareware 
program and put into circulation via electronic bulletin boards. This 
time, the virus was hidden in the packet SPORT21C.ZIP. According to 
the packet's description it contained a program for inspecting the 
functioning of the computer's serial and parallel ports. 
The program INSTALL.EXE included in the packet was infected. 

Some changes had been made to the original virus - the most 
significant difference is that the new variant is capable of infecting both 
COM and EXE files, whereas the original virus infects only COMs. The 
virus text was also changed to read "Hurray The Crusaders". 

None of the Butterfly variants which have so far been discovered 
activates in any way. F-PROT finds all known versions of Butterfly. 

Stoned.Empire.Monkey.A
----------------------

The Monkey virus was first discovered in Edmonton, Canada, in 1991. 
The virus quickly spread to USA, Australia and UK. Monkey is one of 
the most common boot sector viruses.

As the name indicates, Monkey is a distant relative of Stoned. Its 
technical properties make it quite a remarkable virus, however. Like 
Stoned, the virus infects Master Boot Records on hard disks and DOS 
boot records on diskettes. Monkey spreads only through diskettes. 

The original Stoned leaves the partition table in its proper place in the 
hard disk's zero track, but Monkey does not. Instead, it copies the 
whole Master Boot Record to the hard disk's third sector to make room 
for its own code. The hard disk is inaccessible if the computer is booted 
from a diskette, since the operating system cannot find valid partition 
data in the boot sector - attempts to use the hard disk result in the 
DOS error message "Invalid drive specification".

When the computer is booted from the hard disk, the hard disk can be 
used normally because the virus is executed first. The virus can, 
therefore, escape notice, unless the computer is booted from a diskette. 

As Monkey not only moves but also encrypts the Master Boot Record, 
it is difficult to remove. The changes to the Master Boot Record cannot be 
detected while the virus is active, since it reroutes the BIOS-level disk 
calls through its own code. Upon inspection, the hard disk seems to be 
in its original shape.  

There are two often-used procedures, either of which can disinfect most 
boot sector viruses. One of these is the MS-DOS command FDISK /MBR,
which rewrites the code in the Master Boot Record, and the 
other is using a disk editor to restore the Master Boot Record back on 
the zero track. In this case, the relocation and encryption of the 
partition table render these methods unusable. Although both 
procedures destroy the actual virus code, the computer cannot be 
booted from the hard disk afterwards.

There are five viable ways to remove the Monkey virus:

o       The original Master Boot Record and partition table can be 
        restored from a backup taken before the infection. Such a backup
        can be made with the MIRROR /PARTN command of MS-DOS 5, for 
        example.
        
o       The hard disk can be repartitioned by using the FDISK 
        program, after which the logical disks must be formatted. The 
        procedure will also destroy all data on the hard disk, however.

o       The command FDISK /MBR can be used to overwrite the virus 
        code, after which the partition table can be restored manually. In this 
        case, the partition values of the hard disk must be calculated and 
        inserted in the partition table by using a disk editor. The method 
        requires expert knowledge of the disk structure. 

o       It is possible to exploit Monkey's stealth capabilities by taking a 
        copy of the zero track while the virus is active. Since the virus hides the 
        changes it has made, this copy will actually contain the original Master 
        Boot Record. This method is not recommendable, because the diskettes 
        used in the copying may well get infected.    

o       The original zero track can be located, decrypted and moved 
        back to its proper place. As a result, the hard disk is restored to its 
        exact original state. F-PROT uses this method to disinfect the Monkey 
        virus.
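An added example of what the paragraphs above describe from the defender's side (example code written for this bulletin, not F-PROT's or Data Fellows' own tooling): it reads a 512-byte Master Boot Record image the way a clean diskette boot sees it, explains why DOS would reject a sector whose partition table has been moved away, and compares the sector with a backup of the zero track, the role that MIRROR /PARTN fills in the first removal method. Both sample sectors, the partition values and the foreign boot code are constructed; the second sector is a stand-in for a sector left behind by a stealth boot virus, not Monkey's actual layout.

```python
"""Added example, not F-PROT's or Data Fellows' code: inspect a 512-byte
Master Boot Record image as a clean diskette boot sees it, report why DOS
could not use it, and compare it with a backup of the zero track (the job
MIRROR /PARTN does in the list above). Both sample sectors are constructed."""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
TABLE_OFFSET = 0x1BE          # four 16-byte partition entries, then the signature
ENTRY = "<B3xB3xII"           # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector):
    if len(sector) != SECTOR:
        raise ValueError("an MBR image is exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        flag, ptype, start, count = struct.unpack(ENTRY, raw)
        entries.append({"flag": flag, "type": ptype, "start": start, "sectors": count})
    return entries


def diagnose(sector):
    """Return the reasons DOS could not use this sector as a partition table;
    an empty list means it looks valid."""
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    entries = parse_partition_table(sector)
    if not any(e["type"] and e["sectors"] for e in entries):
        problems.append("no entry with a partition type and a size ('Invalid drive specification')")
    for i, e in enumerate(entries):
        if e["flag"] not in (0x00, 0x80):
            problems.append(f"entry {i}: illegal boot indicator {e['flag']:#04x}")
    if sum(e["flag"] == 0x80 for e in entries) > 1:
        problems.append("more than one active partition")
    return problems


def compare_with_backup(current, backup):
    """Does the sector still match a copy taken before the infection? Code and
    table are checked separately: FDISK /MBR rewrites only the code, which is
    why it cannot undo the relocation of the table on its own."""
    return {
        "code_intact": current[:TABLE_OFFSET] == backup[:TABLE_OFFSET],
        "table_intact": current[TABLE_OFFSET:510] == backup[TABLE_OFFSET:510],
    }


def make_mbr(code, entries):
    """Build a constructed MBR image from boot code bytes and (flag, type, start, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, entry in enumerate(entries):
        sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)] = struct.pack(ENTRY, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed clean sector: stub boot code and one active 100 MB FAT16 partition.
CLEAN_MBR = make_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 20, [(0x80, 0x06, 63, 204737)])
# Constructed stand-in for what a stealth boot virus leaves behind: foreign code,
# the partition area overwritten with bytes that are not a table, signature kept.
HIJACKED_MBR = make_mbr(b"\xEB\x1E" + b"\x90" * 30, [(0x4D, 0x00, 0x4F4E4B45, 0x59212121)])

if __name__ == "__main__":
    print("clean:", diagnose(CLEAN_MBR))
    print("hijacked:", diagnose(HIJACKED_MBR))
    print(compare_with_backup(HIJACKED_MBR, CLEAN_MBR))
```

The point of checking code and table separately is the one the text makes about FDISK /MBR: after it runs, "code_intact" would become true again while "table_intact" stays false, which is exactly the state in which the disk cannot be booted. The sector passed in must come from a clean diskette boot; read while the virus is resident, the stealth routine hands back the original and everything reports as intact.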
        
The Monkey virus is quite compatible with different kinds of diskettes. 
It has a built-in table containing structural data for the most common 
diskette types. Using this table, the virus is able to move a diskette's 
original boot record and a part of its own code to a safe area on the 
diskette. If Monkey does not recognize a diskette, it moves the boot 
record to the diskette's third physical sector. This is what happens also 
to, for instance, 2.88 megabyte ED diskettes, with the consequence that 
Monkey partly overwrites their File Allocation Tables.

The virus is difficult to spot, since it does not activate in any way.  A 
one-kilobyte reduction in DOS memory is the only obvious sign of its 
presence. The memory can be checked with, for instance, DOS's 
CHKDSK or MEM programs. However, even if MEM reports that the 
computer has 639 kilobytes of available memory instead of the more 
common 640, that does not necessarily mean that the computer is 
infected. In many computers, BIOS allocates one kilobyte of DOS 
memory for its own use.

F-PROT recognizes and removes all known variants of the 
Stoned.Empire.Monkey virus.


A New Variant of Cascade on the Move in the Nordic Countries
------------------------------------------------------------

Most new viruses are modifications of old, known viruses. The source 
codes for many old viruses are easily available, and it seems that many 
virus writers are only too glad to use them as groundwork for their own 
creations.

At the end of August, yet another new variant of the old Cascade virus 
was found in Oslo, Norway. This new variant was found in two 
different companies at almost the same time.

All in all, the Cascade family has approximately forty known members. 
The new virus infects COM files when they are executed. Since it 
increases the size of infected files by 1701 bytes, it will probably be 
named Cascade.1701.K. The virus is not markedly different from the 
original Cascade.

Although the new variant bears a close resemblance to the original 
virus, it is clearly different in one way: it never displays its activation 
routine, the dropping of letters to the bottom of the screen. It is, 
therefore, more difficult to notice. Other than that, the differences 
between the original virus and the new variant are minuscule - the 
creator of the new virus has probably used the original source code, but 
a different assembler compiler.

F-PROT recognizes all known variants of Cascade, and it is able to 
remove the most common ones.

Several other new viruses have been found in Norway lately, including 
a completely new encrypted boot sector virus called Ripper.


Made in Sweden: Moose
---------------------

In the beginning of September, a new series of viruses was found in 
Göteborg, Sweden. The discovery was made in the local university - it 
may be that the viruses were written by some student.

The viruses have very similar structures, and for the time being they are 
all known as Moose. Four different variants have been discovered so 
far, and they all contain the word "Moose" somewhere in their code. 
The viruses also come equipped with version numbers, somewhat like 
members of the Yankee Doodle virus family.

All members of the Moose family infect files and append their code to 
the end of the victim file. Different variants infect different files: the 
alternatives are COM, EXE and SYS. When the virus infects SYS files, 
it overwrites their headers, the consequence being that the infected 
device drivers crash the computer when they are executed.

The Moose viruses do not stay resident in the computer's memory. 
They infect files only when they are executed along with an infected 
file.

When a Moose-infected program is executed, the virus looks for a 
suitable victim in its current directory. If it doesn't find one, it moves 
one directory upwards and tries again. If the virus doesn't find a 
suitable file somewhere along the way, it goes up all the way to the root 
directory.

When Moose finds its victim, it performs infection and may change one 
byte somewhere in the infected file. The consequences of this kind of 
corruption cannot be guessed - sometimes the alteration doesn't affect 
the program's functioning at all, sometimes it causes the program to 
crash upon execution, and in certain cases the program goes completely 
haywire. The virus draws lots by using the Real Time Clock to decide 
whether or not it should perform the corruption.


Sweden Is Going to Make Virus Writing Illegal
---------------------------------------------

Sweden's criminal legislation is being updated, and the changes will 
also extend to laws concerning computer crimes. A six-hundred-page 
report of the matter, which also includes views on computer viruses, 
has been left for the Swedish Parliament to consider. The report dwells 
extensively on how to define computer viruses and on the juridic points 
of developing and spreading such viruses, and studies also cases where 
a computer's functioning has been hindered, by loading the system with 
worms for instance.

In the report, primarily the spreading of viruses or other malware is 
considered to be a crime. However, such activity qualifies as a crime 
only if the perpetrator endangers public safety. If the perpetrator cannot 
be proven to have intended potential damage to certain data or 
computer system, the crime is likened to spreading poison or disease. 
The report considers this to be the best way to avoid the juridic 
problems arising from the need to differentiate between perpetrating, 
attempting and preparing for a crime.

For the instrument the crime is committed with, the report suggests the 
definition "a computer program or program instructions developed in 
such a way that they can affect an object without having authorization 
to do so". The report emphasizes that the code must be objectively 
functional to fulfil the definition. Dysfunctional code does not qualify as 
an instrument of crime.

For viruses, the report suggests that the law should include the 
following:

        Whoever creates a computer program or program 
        instructions constructed in such a way that they are 
        capable of affecting data or the technical equipment used 
        to process data without having authorization to do so
        
        or
        
        spreads the aforementioned programs or instructions, and 
        thus causes a risk of data being destroyed or altered, or 
        causes damage to the aforementioned equipment or 
        disturbance in its functioning, shall be judged guilty of 
        manufacturing or spreading computer viruses, and 
        sentenced to pay fines or to no more than two years of 
        imprisonment.

If the law is approved, it is estimated to take effect in the middle of 
1994 at the earliest. If it is approved as it stands, it will be the world's 
first piece of legislation to criminalize the writing of computer viruses 
in itself.

Switzerland is also in the process of changing their legislation to cover 
computer viruses specifically.


The Globally Most Common Viruses
--------------------------------

Joe Wells of Symantec Inc has compiled a list of globally common 
viruses.

Practically all significant antivirus organizations have contributed 
to the list. Among them are the University of Hamburg, IBM, S&S 
International, KAMI, Datawatch, Symantec, CSIR Virus Lab, CYBEC, 
Stiller Research, Frisk Software International and Data Fellows 
Ltd.

According to the combined list, the following viruses are globally most 
common.

Stoned.Michelangelo             Maltese Amoeba       
Stoned.Standard.B               Dark_Avenger.1800.A  
Form                            Yankee Doodle.TP-44.A
Dir-II.A                        Vacsina.TP-05        
Stoned.NoINT                    V-Sign               
Stoned.Azusa                    Stoned.June_4th      
Joshi.A                         Stoned.Empire.Monkey 
Jerusalem.1808.Standard         Keypress.1232.A      
Green Caterpillar               Kampana.3700:Boot    
Chinese Fish                    Cascade.1704.A       
Tequila                                             



Virus Bulletin Magazine's Annual Conference in Amsterdam
--------------------------------------------------------

Virus Bulletin magazine's annual conference was held in Amsterdam, 
from 9th to 10th of September. Approximately 200 data security 
specialists from all over the world were present.
Among others, Jan Terpstra, Frans Veldman, Vesselin Bontchev, 
Righard Zwienenberg, Roger Riordan and Dmitry Gryaznov gave 
speeches in the conference this year. The topics ran from the virus 
situation in the former U.S.S.R. to how to keep up a neat and ordered 
virus collection, advice on how to compare antivirus programs, and a 
lot of else.

Still, to most participants the most rewarding thing about the 
conference was the chance to chat with fellow experts outside the 
official program. It was also noteworthy to see the high esteem in 
which F-PROT Professional, distributed by Data Fellows Ltd., was held 
around the world.

The Virus Bulletin conference will be held again next autumn. More 
information about the matter can be had from Data Fellows Ltd's 
F-PROT Support, or directly from the Virus Bulletin magazine, phone 
number +44 235 555 139.


Phalcon/Skism Strikes Again
---------------------------

Phalcon/Skism is active again. The originally Canadian virus group, 
which nowadays boasts an international membership, has once more 
gained publicity with its stunts. The group is clearly competing with 
NuKE for public notice.

A Printed Version of the 40Hex Magazine
---------------------------------------
Since 1991, Phalcon/Skism has been publishing an electronic magazine 
called 40Hex. 40Hex deals with viruses in general and how to make 
them in particular. 12 issues of the magazine have been published so 
far.

In August, the magazine's editor-in-chief, "Leni Niles", announced  that 
40Hex will soon become available in printed form in addition to the 
traditional electronic distribution. If the magazine actually reaches print, 
it will be the second regularly published magazine to contain 
instructions on how to design viruses. Mark Ludwig, who has also 
written the Little Black Book of Computer Viruses, has been publishing 
his own Computer Virus Developments Quarterly for a year.

 From: fortyhex (geoff heap) 
 Subject: 40Hex is now a print magazine 
 Date: Mon, 16 Aug 93 17:19:02 EDT 

 40Hex, the world's most popular underground virus magazine is now 
 available in two versions -- the familiar online magazine and a new 
 printed magazine.

 In the past two and a half years, 40Hex has become the most popular 
 virus magazine in the underground. The new printed magazine (dubbed 
 40Hex Hardcopy) is intended for anyone who wishes to learn as much 
 as they can about computer viruses -- from the source, the virus 
 writers.

 Each issue will contain -- 

 o  A complete virus disassembly, fully commented in the 40Hex tradition, 
 o  Detailed programming articles, intended for those fluent in assembly, 
 o  Introductory articles intended to help those on all levels of ability
 o  Interviews with virus writers and virus researchers.

 Also included is an editorial column, which will provide a forum for 
 discussions about any virus related issue. Submissions from both sides 
 of the argument are welcome, and will be given an equal voice. 
 
 Subscriptions -- 

 The price for 40Hex Hardcopy is $35 per year for individuals, $50 per 
 year for corporations. The magazine is bimonthly (six issues per year). 

 The online magazine is available free of charge from many privately 
 operated BBSs. You may receive a disk with the latest issue from us for 
 $5. Please send a note specifying whether you would like a 5 1/4 or a 3 
 1/2 inch disk. 

 Correspondence -- 
 Subscription requests should be addressed to 
 Subscriptions 40Hex Magazine PO Box xxx New City, NY, xxxxx 

 Article submissions should be addressed to 
 Articles 40Hex Magazine PO Box xxx New City, NY, xxxxx 

 Letters to the editors should be addressed to 
 The Editors 40Hex Magazine PO Box xxx New City, NY, xxxxx 

 if you have access to internet E-Mail, you can send a note to xxx@xxx.com 

 note: manuscripts will not be returned to the sender unless they are 
 accompanied by postage. All submissions must be marked "manuscript 
 submitted for publication." 

 The online magazine will still be published, and will remain separate 
 from the new hardcopy magazine with no article overlap. 

 Leni Niles Co-Editor, 40Hex Hardcopy 
 
New Virus Writing Competition
-----------------------------
A new virus writing competition was also announced in the latest issue 
of 40Hex. The competition's purpose is to find new members for  
Phalcon/Skism's Canadian Division: 

---------------------------------------------------------------------------- 

           *****       Phalcon/Skism Internet Headquarters      *****
            ***           Phalcon/Skism Canadian Divison         ***
             *                                                    *
        ***** *****        -= Virus Writing Contest =-       ***** *****
         ***   ***                                            ***   ***
          *     *         September 1993 -> December 1st       *     *
---------------------------------------------------------------------------- 

   Due to the new formation of the canadian division of 
Phalcon/Skism, there will be a virus writing contest that will 
start as of this publication in every sub you see it.  The 
contest is mainly Canadian oriented but EVERYBODY is welcome to 
participate.  The new canadian division needs fresh new blood to 
start with.  Already numerous excellent writers have joined our 
ranks up north where we stand.  Do expect new viruses soon.  It's 
just a matter as to who else will join.  The award for this 
contest will be either or both:

       1.  Publications of the virus and its author in 40HEX magazine.
       2.  If the person wishes to, a membership into Phalcon/Skism.

   All submissions must be transmitted to this internet site at 
"virus-contest@skism.xxxxx.xx.ca" with compiled executable code 
AND commented source codes to it NO Disassembly will be 
accepted. If you wish to send your file encrypted the public key 
of PGP 2.3 is at the end of this file. Please send files 
uuencoded. After evaluation by two different writers the winner 
will be published in every sub this message was posted on and 
also in the 40HEX magazine.

These are the following criteria that the viruses will be judged on:

HANDLE          : VIRUS NAME      :

FILES AFFECTED:   [ ]COM   [ ]EXE   [ ]SYS   [ ]OVR   [ ]DOC   [ ]OTHER

Brief 
Description:__________________________________________________
        
Description:

I.   TYPE OF VIRUS

        [ ]...Overwriting   [ ]...Appending   [ ]...Boot Sector

II.  INFECTION METHOD

        [ ]...Direct Action
        [ ]...Memory Resident

                [ ]...Uses stealth routines

Brief 
Description:__________________________________________________

                [ ]...Uses tunneling routines

Brief 
Description:__________________________________________________

                List interrupts that you hooked and how you achieved this.

Brief 
Description:__________________________________________________

III. ENCRYPTION

        [ ]...Virus is not encrypted

        [ ]...Virus is encrypted

                [ ]...Uses external engine

                [ ]...Routines are internal

Brief 
Description:__________________________________________________

        [ ]...Virus is polymorphic

               Possibilities of reoccurrence: 1 to nTH _____________

Brief 
Description:__________________________________________________


IV.  PAYLOAD

        [ ]...Virus is non-destructive

        [ ]...Virus is destructive

  code it before sending it over the internet:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3

mCAx1kAEELuP08IHVbh+P6agKQGXMR9HjXz1q
2G8KWNE0GA3kA0G1zwbcKMio1P2r2AUR
ApWlA==6q---EDPPPBI KYB****oe:

  If you don't have internet access, please forward your submission to 
Memory Lapse on Total Mayhem.



Rumours of Form
---------------

Tenacious rumours about preformatted 3.5" HD diskettes infected by 
Form are still in circulation. A certain diskette manufacturer has 
been faced with several accusations, but the truth about the matter has 
yet to surface. It is, therefore, probably a good idea to also check new, 
unused diskettes for viruses. When VIRSTOP is run with the /BOOT 
parameter on, it prevents infected diskettes from being used. 



Case: The Crepate virus
-----------------------
Mikko Hypponen, Data Fellows Ltd's F-PROT Support.

An ordinary day at work; testing F-PROT's OS/2 version, answering 
support calls and writing the upcoming Update Bulletin. It's over 
five o'clock, time to get home - the fall is far advanced and 
I'll have to get my lawn sown before winter sets in.

The phone rings and shatters these thoughts. The call comes from 
Symbolic, our distributor in Italy. Jeremy Gumbley, who works in 
Symbolic's technical support, is on the line.

Jeremy gives it to me in a nutshell: A person had just dropped by and 
told him that a new, unknown virus had been found in one Italian 
university. There are probably tens of infected computers - the exact 
number is not known, because none of the antivirus programs that have 
been tried has been able to identify the new virus. The situation is 
serious and all the computers will remain on hold until the virus is under 
control. The visitor brought along a disketteful of files suspected to be 
infected.

Jeremy has already taken a look at the files and is quite certain that
they contain a new virus. I tell Jeremy that I'll start working on
the subject immediately. Via modem, Jeremy transfers a sample packet to
the Data Fellows BBS system, and the examination begins. I extract the
samples and put them through an automated examination system, which
checks the files with thirteen different antivirus programs and stores
the reports in an easily readable form. The system reports no alarms,
although some programs report that certain sample files have counterfeit
time stamps: in their creation date, the clock's seconds field shows an
impossible value, 62. Some viruses use this trick to mark files they
have already infected.
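The impossible seconds value mentioned above comes from the way DOS packs file times: the seconds field is 5 bits wide and counts in 2-second steps, so a field value of 30 or 31 decodes to 60 or 62 seconds, which no ordinary write produces. As an added example (written for this bulletin, not the author's automated examination system), here is a decoder for the packed date and time fields of FAT directory entries together with a check that flags such stamps. The 32-byte directory entries, the file names, sizes and the date are constructed.

```python
"""Added example, not part of the bulletin's own tooling: decode the packed
date and time fields of FAT directory entries and flag the impossible
seconds value (62) that the automated scan above reported. The 32-byte
directory entries below are constructed."""
import struct

DIR_ENTRY = "<11sB10xHH2xI"   # name+ext, attributes, reserved, time, date, cluster skipped, size


def decode_dos_time(t):
    """Packed DOS time: hhhhh mmmmmm sssss, seconds stored in 2-second units."""
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2


def decode_dos_date(d):
    """Packed DOS date: yyyyyyy mmmm ddddd, year counted from 1980."""
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F


def encode_dos_time(hours, minutes, seconds):
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def encode_dos_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def timestamp_anomalies(t, d):
    """List every field that cannot come from a real clock. A seconds field
    of 30 or 31 decodes to 60 or 62; some viruses set it to mark files they
    have already infected, so it deserves a closer look."""
    problems = []
    h, m, s = decode_dos_time(t)
    if h > 23:
        problems.append(f"hour {h} out of range")
    if m > 59:
        problems.append(f"minute {m} out of range")
    if s > 58:
        problems.append(f"seconds {s} impossible (valid: 0-58)")
    _, mo, day = decode_dos_date(d)
    if not 1 <= mo <= 12:
        problems.append(f"month {mo} out of range")
    if not 1 <= day <= 31:
        problems.append(f"day {day} out of range")
    return problems


def parse_dir_entry(raw):
    name, attr, t, d, size = struct.unpack(DIR_ENTRY, raw)
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {"name": f"{base}.{ext}" if ext else base, "attr": attr, "time": t, "date": d, "size": size}


def scan_directory(entries):
    """Return {filename: problems} for every entry whose stamp is impossible."""
    findings = {}
    for raw in entries:
        e = parse_dir_entry(raw)
        problems = timestamp_anomalies(e["time"], e["date"])
        if problems:
            findings[e["name"]] = problems
    return findings


def make_entry(name, ext, t, d, size):
    """Constructed directory entry; name and extension are space-padded as on disk."""
    return struct.pack(DIR_ENTRY, f"{name:<8}{ext:<3}".encode("ascii"), 0x20, t, d, size)


# Constructed sample directory: a normal file, and one whose seconds field is 31 (= 62 s).
NORMAL_TIME = encode_dos_time(17, 19, 2)
MARKED_TIME = encode_dos_time(17, 19, 0) | 31
SAMPLE_DATE = encode_dos_date(1993, 10, 26)
SAMPLE_ENTRIES = [
    make_entry("COMMAND", "COM", NORMAL_TIME, SAMPLE_DATE, 52925),
    make_entry("KEYB", "COM", MARKED_TIME, SAMPLE_DATE, 18000),
]

if __name__ == "__main__":
    print(scan_directory(SAMPLE_ENTRIES))
```

A 62-second stamp is a hint, not proof: some archivers and copying tools write raw field values too, which is why the narrative treats it as a reason to look closer rather than as an alarm. Tools such as DIR round the value away, so the only way to see it is to read the directory entry itself.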

I give the files a quick once-over with a hex editor, enough to conclude 
that if they contain a virus, it is a brand-new one. Certain files have the 
text "(c)Crepa" at their end. Via Internet, I transfer the files to Frisk 
Software International's FTP server in Iceland. Just to be sure, I call 
Iceland and recount the incident to Fridrik Skulason. He says that the 
files will be taken under close inspection right away. We decide to 
divide our forces: I and Jeremy will concentrate on examining how the 
samples function, in other words find out what the virus really does. 

The people in FSI will focus on building detection and disinfection 
routines for the new virus. We'll keep contact by phone and E-mail. I 
hang up and start the classification of samples. Seems like I won't get 
any time off for my lawn today.

I find out quickly that there are three different kinds of samples. Some 
of the files contain extraneous code at their end. This is not caused by a 
virus but the "Immunize" function of the Central Point Antivirus 
program. To be on the safe side, I remove the Immunization code and 
check the original programs. The files are clean. Some of the other 
programs contain code which seems to have been added to their 
beginning. The remaining files have the text "(c)Crepa" at their end. 

It seems that we need to divide the analysing task if we want to resolve 
the problem as quickly as possible. I call back to Iceland, and we agree 
that they will start working on incorporating the detection and 
disinfection of the virus while I and Jeremy start to disassemble and 
document the functioning of the little beast.

I give the Crepa files a closer look. There are four of them, all parts of 
the Italian MS-DOS 6. I choose to probe KEYB.COM, since it is a 
comfortably short program to examine and I know its structure of old. 
First I take a hex dump of the program by using Borland's TDUMP 
application. Then I proceed to run a debug listing of it with good old 
DEBUG. 

It proves extremely difficult to follow the program's execution with a 
DEBUG listing: the virus completes only one or two instructions at a 
time before jumping to somewhere else in the code. Therefore I turn to 
Zanysoft Debugger, and use it to analyze the infected KEYB.COM. 
Along with Borland's Turbo Debugger, I have found ZD to be a handy 
tool to examine virus samples with. 

The program's execution is easier to follow with ZD, and it soon 
becomes clear that the author of the virus has wanted to make the 
program difficult to examine by coding it full of jump instructions. 
However, a careful inspection of the code reveals that the commands 
executed between jumps form a complex routine that decrypts 3900 
bytes at the end of the file. At this point it becomes obvious that this is 
a self-encrypting virus.

I execute the virus one command at a time until it has decrypted itself. 
Then I store the virus code back on the diskette. When I go over the 
decrypted virus code, I notice that two new lines of readable text have 
surfaced from beneath the encryption:

        COMcomEXEexeOV?ov? 
        Crepate  (c)1992/93-Italy-(Pisa)

The first line appears to indicate that the virus is capable of infecting 
COM, EXE and Overlay files. The second line confirms the virus to be 
of Italian origin.

I discover that the task of separating the virus code and the original 
KEYB.COM code from each other is too arduous. Instead, I decide to 
see whether I can get the virus to infect a bait file. As bait, I use a 
collection of COM and EXE files which contain nothing more than a 
termination instruction and a lot of zeros to pad the files to a certain 
length. Such programs do nothing else than terminate their execution, 
and since the file lengths are even numbers, a change in size caused by a 
virus can be noticed at the first glance.
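As an added example, not part of the bulletin, here is how the bait files described above can be produced and checked in Python: a COM bait is an INT 20h followed by zero padding, an EXE bait is a minimal MZ header plus a DOS exit call, and the checker reports any bait whose size or hash has changed since it was written. The file names, the sizes and the simulated appending infector in demo() are constructed for the example; no real virus code is involved.

```python
"""Bait (goat) files, as an added example: not code from the bulletin.

A bait COM file is a terminate instruction followed by zero padding; a
bait EXE is a minimal MZ header, `mov ax,4C00h / int 21h`, and padding.
Both are padded to a round, even size so that a length change caused by
an infector stands out at a glance. The snapshot/check pair records each
bait's size and SHA-256 right after creation and reports what changed;
the file names, sizes and the simulated infection below are constructed.
"""
from __future__ import annotations

import hashlib
import struct

INT20_TERMINATE = b"\xCD\x20"            # INT 20h: terminate a .COM program
EXE_EXIT_CODE = b"\xB8\x00\x4C\xCD\x21"  # mov ax,4C00h ; int 21h (exit code 0)
EXE_HEADER_PARAS = 2                     # 32-byte MZ header


def make_com_bait(size: int) -> bytes:
    """Return a .COM image of exactly `size` bytes that does nothing but exit."""
    if size < len(INT20_TERMINATE) or size > 0xFF00 or size % 2:
        raise ValueError("COM bait must be an even size between 2 and 65280")
    return INT20_TERMINATE + b"\x00" * (size - len(INT20_TERMINATE))


def make_exe_bait(size: int) -> bytes:
    """Return a minimal MZ executable of exactly `size` bytes that only exits."""
    code_offset = EXE_HEADER_PARAS * 16
    if size < code_offset + len(EXE_EXIT_CODE) or size % 2:
        raise ValueError("EXE bait too small or not even-sized")
    pages, last_page = divmod(size, 512)
    if last_page:
        pages += 1                       # count the partial final page
    header = struct.pack(
        "<2s13H",
        b"MZ",
        last_page,          # e_cblp: bytes used in the last 512-byte page
        pages,              # e_cp: 512-byte pages in the file
        0,                  # e_crlc: no relocation entries
        EXE_HEADER_PARAS,   # e_cparhdr: header size in paragraphs
        0x20,               # e_minalloc: extra paragraphs, gives the stack room
        0xFFFF,             # e_maxalloc: take whatever is free
        0,                  # e_ss (relative to the load segment)
        0x0200,             # e_sp: stack pointer inside the minalloc area
        0,                  # e_csum: unused
        0,                  # e_ip: entry point at the start of the load module
        0,                  # e_cs (relative)
        0x1C,               # e_lfarlc: (empty) relocation table after the header
        0,                  # e_ovno: main program, not an overlay
    )
    header = header.ljust(code_offset, b"\x00")
    image = header + EXE_EXIT_CODE
    return image.ljust(size, b"\x00")


def snapshot_baits(baits: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record (size, sha256) for every bait right after it is written."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in baits.items()}


def check_baits(snapshot: dict[str, tuple[int, str]],
                current: dict[str, bytes]) -> list[str]:
    """List every bait whose size or contents differ from the snapshot.

    The size change is the first-glance signal the text relies on; the
    hash also catches an infector that overwrites in place without growing
    the file. Run this from a clean boot: an active stealth virus can hide
    both size and contents from programs that read through DOS.
    """
    findings = []
    for name, (size, digest) in snapshot.items():
        data = current.get(name)
        if data is None:
            findings.append(f"{name}: missing")
        elif len(data) != size:
            findings.append(f"{name}: size {size} -> {len(data)}")
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append(f"{name}: contents changed, size unchanged")
    return findings


def demo() -> list[str]:
    """Build a bait set, simulate an appending infector, and report."""
    baits = {
        "B1000.COM": make_com_bait(1000),
        "B4000.COM": make_com_bait(4000),
        "B2000.EXE": make_exe_bait(2000),
        "B8192.EXE": make_exe_bait(8192),
    }
    before = snapshot_baits(baits)
    after = dict(baits)
    # Constructed stand-in for an appending infector: NOP bytes, not virus code.
    after["B4000.COM"] = baits["B4000.COM"] + b"\x90" * 2910
    after["B8192.EXE"] = baits["B8192.EXE"] + b"\x90" * 2910
    return check_baits(before, after)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The EXE header values are the minimum DOS needs: no relocations, the entry point at the start of the load module, and a small minalloc so the stack at SS:0200h always lands in memory the loader has reserved.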

I transfer the virus to our much-abused test computer, and copy a sample
of clean baits into the same directory with the virus. When I run the
KEYB.COM, it gives an error message in Italian complaining about
incorrect parameters. I use a memory mapping program to check for
changes in memory allocation. No changes are evident, which means that
the virus is either not resident in memory or capable of bypassing
memory mapping applications. I check the bait files - no changes in
those either. I run the infected KEYB.COM a couple of times to be
certain, but the bait programs are simply ignored. Why? There are many
possible explanations. Maybe the virus is picky about the files it
infects. Maybe it won't infect anything on even days. Maybe it doesn't
infect files in its current directory, but somewhere else on the disk.
Maybe it is a stealth virus, in which case the changes cannot be seen
anyway, at least not while the virus is active.

Jeremy calls while I'm thinking about all this. We get to a discussion
on its peculiar jump structure. "I'm sure I have never seen so many jump
instructions", "For a moment I thought it was a new version of the
Commander Bomber virus, but no, at least not that", "I think that this
jump-spaghetti has been added just to confuse heuristic analysis".
Indeed - F-PROT's Heuristic Analysis failed to give warning of an
infected file even when the /GURU option was enabled. Goes to show that
any software-based protection can be overcome by software. Jeremy has
managed to examine the virus a bit further. I ask what the words "Crepa"
and "Crepate" mean, and he tells me that Crepa means death and Crepate
stands for "You will all die". We agree to name the virus Crepate for
the time being.

Jeremy says that, right after decrypting itself, the virus gets into the
business of doing some absolute disk writes. Immediately, I get a
brainstorm. - It is a multipartite virus we are talking about here,
operating in the same way as, for instance, Tequila. When the virus is
executed in a clean computer, it infects the hard disk's Master Boot
Record but does nothing else. The next time the computer is turned on,
the virus stays active in memory and starts infecting other program
files. I test my theory - and yes! The F-CHECK checksum program reports
an altered Master Boot Record.

I use Norton's DISKEDIT to take a copy of the Master Boot Record's code
before restarting the computer. The boot-up seems to be completely
normal. I run MEM and find the familiar sign indicating the presence of
a boot sector virus: the amount of DOS memory has dropped from the 640
kilobytes normally available in this computer. There are only 636
kilobytes left, which means that the virus takes up four kilobytes.

I go back to the virus directory and run the bait files again. Strangely
enough, the baits are still not infected. The filesizes stay the same,
whatever I do. Without giving the matter further thought, I run DOS's
CHKDSK and attain instant enlightenment. CHKDSK reports "Allocation
error" for every COM and EXE file I have executed during this session.
The report includes all the files referred to in AUTOEXEC.BAT, all bait
files, and CHKDSK.EXE itself. This is a clear sign of an active stealth
virus that is operating in the computer and hiding the changes it has
made to files. However, the virus is not sophisticated enough to hide
the changes from the CHKDSK program, which is reporting errors caused by
contradictions between directory information and File Allocation Table.
The closer I look, the more advanced this virus is beginning to seem.
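The CHKDSK finding above rests on a simple cross-check that can be reproduced directly. The following Python is an added example, not CHKDSK's or F-PROT's code: it rebuilds a FAT12 table and a root directory in memory (names, sizes and cluster numbers are constructed, and the volume is assumed to use one 512-byte sector per cluster) and reports every file whose directory size does not match the number of clusters chained for it in the FAT. That mismatch is exactly what a stealth virus creates when it hides a file's new size from DOS while still occupying the clusters it grew into.

```python
"""FAT allocation check, as an added example (not CHKDSK or F-PROT code).

CHKDSK's "Allocation error" is a disagreement between two records of the
same file: the size in its directory entry and the number of clusters
chained for it in the FAT. A stealth virus that hooks DOS can lie about
the directory entry, but the clusters it really occupies are still
chained in the FAT, so the two no longer match. This rebuilds that check
over a constructed FAT12 table and root directory; the names, sizes and
cluster numbers are invented for the example, and the volume uses one
512-byte sector per cluster.
"""
from __future__ import annotations

import struct

CLUSTER_BYTES = 512
BAD_CLUSTER = 0xFF7                         # 0xFF8-0xFFF mark end of chain
DIR_ENTRY = struct.Struct("<11sB10sHHHI")   # name, attr, reserved, time, date, cluster, size


def fat12_get(fat: bytearray, n: int) -> int:
    """Read the 12-bit entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write the 12-bit entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        word = (word & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def chain_length(fat: bytearray, first: int) -> int:
    """Count clusters from `first` to end-of-chain; refuse loops (cross-links)."""
    seen: set[int] = set()
    n = first
    while 2 <= n < BAD_CLUSTER:
        if n in seen:
            raise ValueError(f"cluster chain loops at {n}")
        seen.add(n)
        n = fat12_get(fat, n)
    return len(seen)


def allocate_chain(fat: bytearray, clusters: list[int]) -> None:
    """Link the given clusters in order and terminate the chain."""
    for a, b in zip(clusters, clusters[1:]):
        fat12_set(fat, a, b)
    fat12_set(fat, clusters[-1], 0xFFF)


def dir_entry(name: str, ext: str, first: int, size: int) -> bytes:
    """Build a 32-byte 8.3 directory entry for a plain archive file."""
    raw = f"{name:<8}{ext:<3}".encode("ascii")
    return DIR_ENTRY.pack(raw, 0x20, b"\x00" * 10, 0, 0, first, size)


def allocation_errors(fat: bytearray, directory: bytes) -> list[tuple[str, int, int, int]]:
    """Return (name, size, clusters_per_dir, clusters_per_fat) for each mismatch."""
    errors = []
    for off in range(0, len(directory), DIR_ENTRY.size):
        raw, attr, _, _, _, first, size = DIR_ENTRY.unpack_from(directory, off)
        if raw[0] in (0x00, 0xE5) or attr & 0x18:   # unused/deleted, dir, label
            continue
        name = raw[:8].decode().rstrip() + "." + raw[8:].decode().rstrip()
        expected = -(-size // CLUSTER_BYTES)          # ceil(size / cluster)
        actual = chain_length(fat, first) if first else 0
        if expected != actual:
            errors.append((name, size, expected, actual))
    return errors


def build_sample() -> tuple[bytearray, bytes]:
    """Constructed volume: one honest file and one whose entry is stealthed."""
    fat = bytearray(32 * 3 // 2)        # room for 32 FAT12 entries
    fat12_set(fat, 0, 0xFF0)            # media descriptor
    fat12_set(fat, 1, 0xFFF)
    # CLEAN.COM: 1000 bytes really occupy 2 clusters; the entry says 1000.
    allocate_chain(fat, [2, 3])
    # BAIT1000.COM grew to 3910 bytes (8 clusters), but the stealthed
    # directory entry still reports the original 1000 bytes.
    allocate_chain(fat, [4, 5, 6, 7, 8, 9, 10, 11])
    directory = dir_entry("CLEAN", "COM", 2, 1000) + dir_entry("BAIT1000", "COM", 4, 1000)
    return fat, directory


def run_check() -> list[tuple[str, int, int, int]]:
    return allocation_errors(*build_sample())


if __name__ == "__main__":
    for name, size, want, have in run_check():
        print(f"{name}: Allocation error, size {size} needs {want} clusters, FAT chains {have}")
```

The check reads the FAT and directory as raw data, so it is only as honest as the sector reads it is given; on a machine with the virus resident, those reads go through the hooked interrupts, which is why the narrative above boots from a clean diskette before trusting anything on disk.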

When I compare the infected bait files, I notice that the decryption
routine varies between different samples. In addition to everything
else, the virus has polymorphic characteristics mixed in.

The phone rings - Fridrik is calling from Iceland. His staff has gone 
through the same sample files, concentrating first on the samples which 
I and Jeremy had decided to leave alone for the time being. Some of the 
samples had indeed been clean, though packed by using CPAV. Some 
other files had been found to contain a new virus, which was named 
March 25th. In other words, two different viruses are on the loose in 
the Italian university! Frisk hands me a short account on the 
characteristics of the March 25th virus: a memory-resident COM and 
EXE infector that structurally changes COM files into EXEs. The virus 
activates on the 25th of March and overwrites most data on the hard 
disk. The size of this virus is only 1024 bytes, and it is much simpler 
than Crepate.

Frisk has also gone over the Crepate files, and he is already well 
acquainted with the virus's functioning. For some reason, though, the 
virus does not function in his test computers. Although it manages to 
infect the hard disk's Master Boot Record, the computer won't boot 
afterwards. Curious. Fridrik is ready to build a disinfection routine for 
the virus, but he is hampered by the fact that he cannot get it to spread. 
I promise to send him a program packet containing both clean and 
infected versions of the same sample files.

After hanging up I take a closer look on the code the virus writes on 
the Master Boot Record. Aha, it tries to make inspection more difficult 
with commands that modify the commands next in line...I get another 
brainstorm. Immediately, I call back to Frisk and ask what kind of a 
computer he used to test the virus. Frisk tells me he has used his newest 
virus testing computer, a 33 MHz 386DX. "Does it have internal cache 
memory", I ask. "Yes, 8 kilos", Frisk answers. The mystery unravels. I 
had tested the virus in a 16 MHz 386SX computer with no cache 
memory. 

The cache memory of Fridrik's computer buffers commands that are to 
be executed next, and makes it unnecessary to retrieve them all the way 
from the main memory. Because of that, though, the changes the virus 
tried to make in its own code never got through. The bytes it tried to 
change had already been read into the cache memory where they could 
not be altered. In other words, the Crepate virus cannot function in 
computers with internal cache memory - it will only crash them during 
boot-up.

I start to create a sample of demo files, beginning with a collection of 
programs that are different from each other both structurally and in file 
size. I pack the clean programs and transfer the packet into the infected 
computer. There I execute, open and copy programs. Any of these 
operations infects the program in question, but I notice that the virus 
won't infect the smallest files. I boot the computer from a clean 
diskette, pack the infected files and transfer them back to my own 
computer. Again, I open a telnet session and send the sample packet to 
Iceland via FTP.

I continue to examine the virus. It seems that Crepate uses a very
peculiar method to hook the DOS interrupt 21h. The virus would gain
nothing by jumping to hijack the interrupt for the first thing it does
after it has been executed from the boot sector, because DOS takes the
interrupt into use only later on. Instead, at the very beginning the
virus hijacks BIOS's timer interrupt, activating 18.2 times in a second.
The virus uses this interrupt to check 18 times in a second whether DOS
has loaded itself. When that happens, the virus hooks the interrupt 21h
to its own code. That way it gets to be the first program to latch onto
the interrupt.

The phone rings again, this time it's Jeremy. We quickly exchange what 
we have learned from the virus. He tells me he has found a date check 
and destruction routine further along the code. The virus activates on 
the 16th day of any month, and executes a remarkably thorough 
destruction routine. It overwrites all the data on the first hard disk, 
going through the disk from beginning to end. Since that kind of a 
routine is quite difficult to code, most viruses use destruction routines 
that overwrite only a part of the hard disk. For example, even the 
notorious Michelangelo virus destroys only a certain amount of the 
hard disk's data. After such partial destruction, it is usually possible to 
salvage some data from the hard disk without turning to expensive data 
recovery services. Crepate is a different breed of cat and goes through 
the disk thoroughly, sector by sector.

The 16th day. That was a week ago -- maybe the virus was discovered a
week ago, when the first hard disks were wiped? No matter. It must be
stopped now, before it causes further damage.

I code a routine that checks files for Crepate infection. Using it, I
scan the test computer's hard disk. Practically all the programs I have
used during the evening have been infected. I wipe the hard disk and
restore a basic combination of clean software on it. I run the routine
also on diskettes I have used to carry files between the test computer
and my own. I'm surprised when I notice that the boot sectors on the
diskettes have also been infected. What on Earth - to the best of my
knowledge, the virus code contained no routines for infecting diskettes.

I go over the code more carefully, looking for something that hints at
diskettes. After a time it becomes clear that the virus uses the same
routine to infect both hard disks and diskettes. Crepate is a true
multipartite virus -- capable of infecting three different file types and
two kinds of boot sectors. Its maker must have spent a long time
finishing his creation.

Fridrik sends a completed search routine via FTP. Using it as the base,
I create F-PROT Professional 2.09e. After a quick check to make sure the
program recognizes both March 25th and Crepate faultlessly, I transfer
it to the file areas of Data Fellows BBS. I call Jeremy to tell him he
can pick it up with his modem. At the moment, he is putting together a
summary of the virus to be delivered to the client. He says he will take
F-PROT to the university in the morning.

Everything is just about finished for the evening. Frisk E-mails a
message saying that he'll send a sample of the virus to other antivirus
program developers so they can add the recognition of the new virus to
their own products. After that, Frisk says, he will go home. Jeremy
sounded tired too.

The time is 01.30 in Finland, 00.30 in Italy and 22.30 in Iceland. I'll
go and get some sleep, too - the fall is far advanced and I'll have to
get my lawn sown before winter sets on.

A Summary of the Virus
----------------------
Compiled by Jeremy Gumbley, Symbolic, Italy

The Name:
        The final name has not been decided yet.
        Suggestion: Crepate
Discovered In:
        Pisa, Italy
When:
        September the third, 1993
Virus type:
        A multipartite stealth virus with some polymorphic abilities
Infects:
        The Master Boot Records of hard disks
        The DOS Boot Records of diskettes
        COM files sized between 400 and 62000 bytes
        EXE- and OVL files regardless of size
Size:
        About 2910 bytes in infected files
        6 sectors (3072 bytes) in infected boot sectors
        The virus also uses one extra sector to store the original boot
        sector code in.
Interrupts:
        The virus uses interrupts in the following manner:
        INT 09h (Keyboard Interrupt)
                Hooked while the virus executes the destruction routine.
                Because of this, the routine cannot be interrupted with
                Ctrl-Break or Ctrl-Alt-Del.
        INT 13h (absolute disk reads and writes)
                Hooked while the virus infects boot sectors
        INT 1Ch (Clock Interrupt)
                Hooked while the computer boots itself
        INT 21h (A DOS Interrupt)
                Gets hooked when the Command Interpreter is loaded
                into memory
        INT 24h (handling of critical errors)
                Hooked while the virus infects files. Because of this,
                the user does not receive an error message when the
                virus tries to infect a file on a write-protected
                diskette.
Memory Allocation:
        The virus allocates four kilos at the top of DOS memory for
        itself. The missing memory can be noticed with the commands
        CHKDSK and MEM.
Side Effects:
        CHKDSK reports allocation errors for all infected files while
        the virus is active in memory
Destruction routines:
        The virus uses random data to overwrite all sectors on the
        system's first physical hard disk. The destruction routine is
        executed on the 16th day of every month
Description:
        The functioning of the Crepate virus is divided into several
        distinct phases. When an infected file is first executed in a
        clean system, the virus replaces the code in the primary hard
        disk's boot sector with its own. The virus also overwrites seven
        sectors at the end of the hard disk, using this area to store a
        part of its own code and the original Master Boot Record. Since
        it does not mark these sectors as having been allocated, some
        other program may afterwards overwrite them as well.

        Next, the virus checks the date from the computer's Real Time
        Clock (INT 1Ah/4h). If the date happens to be the 16th of any
        month, the virus overwrites all data on the primary hard disk.

        The virus enters into its second phase when the computer is
        rebooted. The virus code in the boot sector activates and loads
        the main part of the viral code into memory. Crepate hooks the
        Timer Interrupt INT 1Ch and uses it to check when the Command
        Interpreter is loaded into memory. After the virus has hooked
        the Timer Interrupt routine, it executes the original Master
        Boot Record and allows the booting to continue normally.
  
        When the Command Interpreter (usually COMMAND.COM) has been
        loaded, the virus hooks the DOS interrupt INT 21h into its own
        code. This way it can bypass most memory-resident antivirus
        programs, since they are usually loaded later from AUTOEXEC.BAT.
 
        After hijacking INT 21h, the virus begins to infect COM and EXE
        files. The virus infects files whenever something is done to
        them with the following INT 21h functions:

                3Dh     (Open)
                3Eh     (Close)
                43h     (Lseek)
                41h     (Delete)
                4Bh     (Load and execute program)
                6C00h   (Extended open/create)

        The curious thing about the list above is that the virus also
        infects files that are about to be deleted.

        In addition to this, the virus uses the following INT 21h
        functions to hide the changes it has made to files:

                11h     (Find first/FCB)
                12h     (Find next/FCB)

        Because of this, the file sizes seem unchanged when the
        directory listing is browsed with, for example, the Dir command.

Other Observations:

        The virus marks the files it has infected by inserting the bytes
        6373h ("cs") at the end of the file. It also changes the seconds
        field in the file's time stamp to show an impossible value, 62.
        The stealth routines of the virus use the seconds field value
        for recognizing an already infected file.
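The two markers just listed are enough for a first-pass check of a file. The following is an added example in Python, not F-PROT's own search routine: it decodes the DOS time word to show why 62 seconds is impossible (the field counts 2-second steps, 0 to 29), rewrites a stamp the way the virus does, and combines the seconds check with the trailing "cs" bytes into a verdict. The sample files and time stamps are constructed, and a trailing "cs" on its own is a weak signal, since any file may happen to end with those two bytes.

```python
"""Infection-marker check for the two Crepate markers listed above, as an
added example (not F-PROT's own search routine).

DOS packs a file's time stamp as hhhhh mmmmmm sssss, with the seconds
field counted in 2-second steps, so legal values run 0-29 (0-58 s); a
field of 31 reads as 62 seconds, which is what the virus leaves behind
and what its stealth routine looks for. The trailing bytes 63h 73h
("cs") are the second marker. Either marker alone can occur innocently,
so the verdicts below separate "both present" from "one present". The
sample files and time stamps are constructed; run anything like this
from a clean boot, because the active virus hides file changes from DOS.
"""
from __future__ import annotations

CREPATE_TRAILER = b"cs"            # 63h 73h at the end of an infected file
INFECTED_SECONDS_FIELD = 31        # shows as 62 seconds in a listing


def dos_time_unpack(word: int) -> tuple[int, int, int]:
    """Split a DOS time word into (hour, minute, seconds); seconds are doubled."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def dos_time_pack(hour: int, minute: int, second: int) -> int:
    """Inverse of dos_time_unpack; seconds are stored as second // 2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def mark_like_crepate(word: int) -> int:
    """Return the time word as the virus rewrites it (seconds field = 31)."""
    return (word & ~0x1F) | INFECTED_SECONDS_FIELD


def has_impossible_seconds(word: int) -> bool:
    """True for a seconds field no real clock can produce (60 or 62 s)."""
    return (word & 0x1F) > 29


def has_trailer(data: bytes) -> bool:
    """True when the file ends with the "cs" marker bytes."""
    return data.endswith(CREPATE_TRAILER)


def classify(data: bytes, time_word: int) -> str:
    """Combine the two markers into a verdict for one file."""
    seconds = has_impossible_seconds(time_word)
    trailer = has_trailer(data)
    if seconds and trailer:
        return "suspect: 62-second stamp and 'cs' trailer"
    if seconds:
        return "check: impossible seconds field only"
    if trailer:
        return "note: 'cs' trailer only"
    return "clean"


def scan(files: dict[str, tuple[bytes, int]]) -> dict[str, str]:
    """Classify a mapping of name -> (contents, DOS time word)."""
    return {name: classify(data, t) for name, (data, t) in files.items()}


# Constructed samples; the byte strings stand in for real programs.
SAMPLE_FILES = {
    "KEYB.COM": (b"\xE9\x00\x00" + b"\x00" * 40 + b"cs",
                 mark_like_crepate(dos_time_pack(9, 45, 10))),
    "CHKDSK.EXE": (b"MZ" + b"\x00" * 60, dos_time_pack(9, 45, 10)),
    "DOCS.COM": (b"\xC3" + b"\x00" * 10 + b"cs", dos_time_pack(17, 0, 58)),
    "ODD.EXE": (b"MZ" + b"\x00" * 30, dos_time_pack(17, 0, 0) | 30),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:<12} {verdict}")
```

A seconds field of 30 (60 seconds) is just as impossible as 31 and is flagged too; the point is that the virus needs a value a normal file never carries in order to recognize its own work, and that same property makes the value a cheap first filter for a scanner.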

        When the virus infects a file, it links a varying code part to
        the beginning of the actual viral code. This code strip is
        different in every infected file, and its purpose is to make
        finding the virus by either signatures or heuristic methods more
        difficult.

        When the virus activates its destruction routine, it is able to
        bypass most of the protection programs that monitor the absolute
        disk write interrupt INT 13h. No wonder: the virus records the
        BIOS entry address of INT 13h when the computer boots, and calls
        that address directly when it overwrites the hard disk, so a
        monitor that hooks the INT 13h vector never sees the writes.


F-PROT Support Informs: Common Questions and Answers
----------------------------------------------------

Your local F-PROT Professional support is ready to help you on
questions concerning information security and the prevention of viruses.
You can also contact Data Fellows directly; our phone number is
+358-0-692 3622, fax +358-0-670 156. You can also write to us at:
Data Fellows Ltd, F-PROT Support, Wavulinintie 10, SF-00210 HELSINKI,
FINLAND. By electronic mail, you can reach us at  f-prot@df.elma.fi or
via X.400 at S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.


I installed the new Windows-capable VIRSTOP that was included in F-PROT
2.09. When I tried to run Windows, I received the following message:

    Cannot find a device file that may be needed to run Windows in
    386 enhanced mode;
    C:\F-PROT\VIRSTOP.EXE
    Run Setup again.

Windows did start, but the Windows elements of VIRSTOP were not 
activated. Why not? I use the Stacker disk compression.

        The VIRSTOP for Windows documentation explains that the DOS and
        Windows parts of VIRSTOP are stored in the same file,
        VIRSTOP.EXE. This file must be accessible when Windows starts,
        because the Windows part of VIRSTOP is loaded into memory only at
        that point and not earlier. When VIRSTOP is first run, it records
        its own location on the hard disk. If that location changes, or
        if VIRSTOP is removed from the disk before Windows is started,
        Windows displays the error message.

        In this case, VIRSTOP is loaded from an uncompressed drive before
        Stacker is started. When Stacker's SSWAP program runs, it swaps
        the order of the logical drives: VIRSTOP was loaded from drive C,
        but afterwards the logical drives C and D exchange drive letters.
        By the time Windows starts, VIRSTOP is no longer at
        C:\F-PROT\VIRSTOP.EXE but at D:\F-PROT\VIRSTOP.EXE.

        You can solve the problem either by storing VIRSTOP on the
        compressed drive, or by running it from the uncompressed drive
        only after the SSWAP command has been executed.

        Windows reports a similar message if VIRSTOP is loaded from a
        diskette that is then removed from the drive, or from a server
        whose network connection is dropped before Windows is run. The
        message does not mean that Windows won't start; it means that
        VIRSTOP will function as if it had been given the /NOWIN
        parameter.

I started using F-SCHEDULER, and configured it to run automatically
every time I start a Windows session. I also use F-SCHEDULER's Screen
Saver, which allows me to leave my computer logged on for the night
without having to worry about unauthorized use. The Screen Saver
functions otherwise normally, but for some reason it switches on every
time I am in a DOS session under Windows. It doesn't seem to matter how
much or how little I use the computer at the time, the Screen Saver may
activate even while I am just typing on the keyboard.

        F-SCHEDULER's Screen Saver is switched on when the keyboard and
        the mouse have been left untouched for a certain time.
        F-SCHEDULER cannot see whether they are used inside a DOS
        window, however, since such information is not relayed to
        Windows. One way to solve the problem would be by configuring
        the Screen Saver not to activate if a DOS window is active at
        the same time. There's a snag, though, because the computer
        would remain unprotected at night if a DOS program was left
        running after hours.

        A better way to deal with the problem is to raise the Screen
        Saver's activation time to 15 or 30 minutes. It usually does not
        take longer to handle typical DOS window operations, but the
        Screen Saver will be switched on if the computer has been left
        alone for long enough.

I tried to run F-PROT check by using F-SCHEDULER's default settings and
pressing the "Execute" button. F-PROT did not start. Instead, Windows
reported an error message claiming insufficient memory. Program
Manager, on the other hand, reports several megabytes of available
memory.

        In this case, the limiting factor is not the available Windows
        memory but the amount of free DOS memory. When F-PROT is executed
        under F-SCHEDULER, it requires 400 kilobytes of free DOS memory.
        In most configurations this is easily achieved through memory
        optimization.

        If the amount of free memory is only slightly below 400
        kilobytes, you can probably run F-PROT by using F-SCHEDULER's
        Execute File function instead of Execute F-PROT.
 
If F-PROT is run from F-SCHEDULER, the check continues only until 
my Screen Saver activates. When I press a key, the check picks up
again.

        You have used the Windows Control Panel to prevent programs from
        being executed in the background. There is a setting called
        "Exclusive in Foreground" in Control Panel's 386 enhanced
        -section. If it is switched on, Windows stops the execution of
        all but the foremost program. Therefore, the F-PROT check
        proceeds only until the Screen Saver activates, and while the
        Screen Saver is active, all other programs are on hold. You can
        remedy the situation by switching off the setting.

I have switched F-SCHEDULER's Screen Saver off, since I am using another
Screen Saver product to protect my computer from unauthorized use. For
some reason, F-SCHEDULER's saver is switched back on every time I start
Windows. How can I get the Screen Saver to stay switched off?

        In this respect the Screen Saver does not function correctly. We
        have fixed the problem and will deliver the new version to
        everyone who wants it. Until then, raising the Screen Saver's
        activation time to 30 minutes or more will probably be an
        adequate workaround for most users.

When VIRSTOP is started, does it check the computer's memory for all 
known viruses?

        When started, VIRSTOP uses generic methods to ensure that the
        computer's memory does not contain an active boot sector virus.
        VIRSTOP also checks itself against a file virus infection. If
        you want your computer's memory checked for all known viruses
        during every boot-up, you must add the command

        F-PROT . /NOFILE /NOBOOT

        to the file AUTOEXEC.BAT. Verify the result by checking the
        ERRORLEVEL return code, for example as follows:

        REM The check below treats a return code of 4 or higher as an
        REM active virus in memory; IF NOT ERRORLEVEL 4 is true for
        REM every return code below 4, so a clean machine skips to END.
        IF NOT ERRORLEVEL 4 GOTO END
        ECHO There is an active virus in memory. Contact Bob at ext. 517.
        ECHO Machine is halted.
        REM Detach the console so the machine cannot be used any further.
        CTTY NUL
        :END

Network drivers take up a large part of my computer's DOS memory, 
so that I have only 350 kilos of available memory left. Will F-PROT 
function in a computer that has so little memory available?

        It depends on the scanning method, but generally speaking the
        answer is yes. F-PROT is designed to function in almost any
        computer environment. Even the original IBM 8086, equipped with
        a green-black monochrome monitor, a 360 kb diskette drive, 512
        kb of memory and PC-DOS 2.0, can run F-PROT.

        At minimum, F-PROT requires about 300 kilos of available memory.
        The memory requirement depends on the mode the program is
        executed in. The following table gives an indication of how much
        available DOS memory F-PROT needs in order to function. The
        numbers presented in the table are valid for F-PROT 2.10, but
        the memory requirements of future versions may vary.

        Command Line Mode:
                Secure Scan             303 kb
                Heuristic Analysis      376 kb
        Interactive Mode:
                Secure Scan             311 kb
                Heuristic Analysis      412 kb

I checked my hard disk with the latest F-PROT. It gave the following 
message of several files:

  Note: C:\XCOPY.EXE has been inoculated by Central Point Anti-Virus.

What has CPAV done to my files?

        This message is not alarming; it only tells you that Central
        Point Anti-Virus has been run on the computer with its
        "Inoculate" option on. With the option on, CPAV modifies every
        scanned program by appending code to its end. This code checks
        the program's length as well as its first few bytes. In fact,
        the way this code strip works closely resembles the way certain
        viruses work.

        If the file size of a CPAV-protected program changes, the
        Inoculate code displays the following message when the program
        is next executed:

                Central Point Anti-Virus (c) 1991 CPS
                Self Integrity Check warning - File was changed !
                Choose an option:
                [R] Self Reconstruction.
                [C] Continue execution.
                [E] Exit to DOS.
                Press R,C or E:

        Then why does F-PROT remark on the modified files? Simply
        because many programs do not function after they have been
        "inoculated". Some programs (like, for instance, F-PROT and
        VIRSTOP) refuse to start at all, while others only crash after
        the modification. Besides which, some programs modify their own
        file, causing the CPAV warning to be displayed time and again.

        CPAV's Inoculate function is especially hazardous if it is used
        on files that are already infected with a virus. The CPAV code
        masks the virus very effectively, preventing most antivirus
        programs from noticing it, yet in most such cases the virus is
        still able to function quite normally.

        Many heuristic antivirus programs give warning of the inoculated
        files as well, because the code added by CPAV is very suspicious
        in nature. The reason why this particular message was added to
        F-PROT was to help a user to find and recognize the inoculated
        files. While the change in programs may be easy to notice, it is
        not necessarily obvious what has happened to them. The modified
        files can be returned back to normal by using CPAV.


Changes to F-PROT in version 2.10
---------------------------------

The command line switch /TROJAN is no longer needed. The corresponding
menu item has also been removed from the Scan menu. Nowadays, when
F-PROT scans for viruses, it also looks for known Trojan Horses.
Although the switch /TROJAN does still exist, it is only a convenience
whose purpose is to keep old batch files functioning without
modifications. The switch no longer affects the functioning of scans in
any way.

F-PROT notifies the user of files that have been modified by the
"Immunize" function of Turbo Antivirus or Central Point Antivirus.

Two new command line parameters have been added to F-PROT. The parameter
/640 prevents F-PROT from checking the memory above 640 kilos - the
switch may be needed in computers having a nonstandard motherboard and
only 640 kilos of memory. The parameter /MONO starts F-PROT in
monochrome mode, and it can prove useful when the program is run on a
laptop, for instance.

Results of memory scan are now written to a report file if a virus is
found and the /REPORT= switch is used - previously only an errorlevel
value was returned.

The method F-PROT uses to deal with new variants of known viruses has
been redesigned. Previously F-PROT would always refuse to disinfect a
new variant of some known virus, even if it was only slightly different
from a variant it recognized.  Now it will attempt to determine if the
new variant is sufficiently similar to a known variant for the same
disinfection procedure to be attempted. Still, we would like to ask
F-PROT users to continue sending us samples of all viruses that are
reported as new, modified or unknown variants.

F-PROT 2.09 occasionally missed samples of the Tremor and Phoenix.2000
viruses. This is fixed now.

When disinfecting certain viruses, such as Jerusalem from COM files,
F-PROT would not retain the date/time of the file, but instead set it to
the current date/time. This has been fixed.

If F-PROT was run twice in a row in interactive mode, and found some
viruses on the first pass, on the second run it would occasionally claim
that the MBR was infected. This has been fixed.

F-PROT would search boot sectors for user-defined signatures only with
"Quick Scan", not "Secure Scan" - it should have been the other way
around. This has been fixed.

We have significantly increased the use of "exact" identification of
viruses, where F-PROT uses a 32-bit checksum to distinguish between very
similar variants. This is one of the explanations for the large number
of new variants listed below.

New Viruses Recognized by F-PROT:
---------------------------------
The following 58 viruses are now identified, but can not be removed 
because they overwrite or destroy infected files. Some of them were 
detected by earlier versions of F-PROT, but were only reported to be 
new or modified variants:

Abraxas (1171)              SillyOR (69)           Trivial (27)
Abraxas (1200)              SillyOR (74)           Trivial (28)
Atomic.480                  SillyOR (76)           Trivial (29)
Burger (405.B)              SillyOR (77)           Trivial (30.D)
Burger (560), 8 variants    SillyOR (88)           Trivial (30.E)
Civil War.444               SillyOR (94)           Trivial (40.D)
Knight                      SillyOR (97)           Trivial (40.E)
Leprosy (350)               SillyOR (98)           Trivial (40.F)
Leprosy (647)               SillyOR (99)           Trivial (42.C)
Leprosy (Clinton)           SillyOR (101)          Trivial (42.D)
Milan.WWT.67.C              SillyOR (102)          Trivial (43)
Naught (712)                SillyOR (107)          Trivial (44.D)
Naught (865)                SillyOR (109)          Trivial (45.D)
Proto-T.Flagyll.371         SillyOR (112)          Trivial (102)
SillyOR (60)                Tack (411)             VCL.527
SillyOR (66)                Tack (477)             Viruz
SillyOR (68)                Trivial (26.B)         ZigZag

The following 448 new viruses can now be detected and removed. 
Some of these viruses were detected by earlier versions, but are now 
identified accurately:

3y                                     Mgtu (269)
4-days                                 Mgtu (273.B)
4res                                   Mgtu (273.C)
_127                                   Minimite
_130                                   Mirror.B
_132                                   MPS-OPC II.754
_205                                   Mr. G.314
_330                                   Mshark.378
_409                                   Multi.B
_524                                   Murphy (1277.B)
_584                                   Murphy (Woodstock)
_593                                   Mutator (307)
_655                                   Mutator (459)
_1417                                  Never Mind
_1536                                  Nina (B)
_2878                                  Nina (C)
Abbas                                  No Bock.B
Alabama.C                              No Frills.835
Ambulance.E                            November 17th (690)
Andro                                  November 17th (800.A)
Andromeda                              November 17th (800.B)
Arcv.companion                         Npox (955)
Armagedon.1079.D                       Npox (1482)
Atomic (Toxic)                         Npox (1722)
Atomic (166)                           Npox (1723)
Atomic (350)                           Nygus (163)
Atomic (831)                           Nygus (227)
Attention.C                            Nygus (295)
Aurea                                  Nympho
Australian Parasite.272                OK
BadSector                              Oropax (B)
Best Wishes (1024.C)                   Oropax (C)
Best Wishes (1024.D)                   Osiris
Black Jec (284)                        Override
Black Jec (323)                        Parity.B
Black Jec (235)                        Particle Man
Black Monday (1055.E)                  PC-Flu
Black Monday (1055.F)                  Phx
Black Monday (1055.G)                  Pit
Black Monday (1055.H)                  Pixel (277.B)
BloodRage                              Pixel (300)
Bootexe                                Pixel (343)
Bubonic                                Pixel (846)
Bupt.1279                              Pixel (847.Advert.B)
Cascade (691)                          Pixel (847.Advert.C)
Cascade (1701.G)                       Pixel (847.Near_End.B)
Cascade (1701.H)                       Pojer.1935
Cascade (1701.J)                       PS-MPC (331)
Cascade (1701.K)                       PS-MPC (349)
Cascade (1701.L)                       PS-MPC (420)
Cascade (1704.L)                       PS-MPC (438)
Cascade (1704.N)                       PS-MPC (478)
Cascade (1704.O)                       PS-MPC (481)
Cascade (1704.P)                       PS-MPC (513)
Checksum.1253                          PS-MPC (547)
Chris                                  PS-MPC (564)
Civil War III                          PS-MPC (574)
Clonewar (238)                         PS-MPC (578)
Clonewar (546)                         PS-MPC (597)
Clonewar (923.A)                       PS-MPC (615)
Clonewar (923.B)                       PS-MPC (616)
Cobra                                  PS-MPC (1341)
Coib                                   PS-MPC (2010)
Comasp.633                             PS-MPC (Alien.571)
Coffeshop.1568                         PS-MPC (Alien.625)
Cybercide.2299                         PS-MPC (Arcv-9.745)
Cybertech (501)                        PS-MPC (Arcv-10)
Cybertech (503)                        PS-MPC (Deranged)
Danish Tiny (163)                      PS-MPC (Dos3)
Danish Tiny (Kennedy.B)                PS-MPC (Ecu)
Dark Apocalypse                        PS-MPC (Flex)
Dark Avenger (1800.F)                  PS-MPC (Geschenk)
Dark Avenger (1800.G)                  PS-MPC (Grease)
Dark Avenger (1800.H)                  PS-MPC (Iron Hoof.459)
Dark Avenger (1800.I)                  PS-MPC (Iron Hoof.462)
Dark Avenger (1800.Rabid.B)            PS-MPC (Napolean)
Dark Avenger (2000.Copy.C)             PS-MPC (Nirvana)
Dark Avenger (2000.DieYoung.B)         PS-MPC (Nuke5)
Dark Avenger (2100.DI.B)               PS-MPC (Page)
Dark Avenger (Jericho)                 PS-MPC (Shiny)
Dark Avenger (Uriel)                   PS-MPC (Skeleton)
Dashel                                 PS-MPC (Soolution)
DataCrime (1168.B)                     PS-MPC (Sorlec4)
DataCrime (1280.B)                     PS-MPC (Sorlec5)
DataLock (920.K1150)                   PS-MPC (Soup)
DataLock (1740)                        PS-MPC (T-rex)
Dbase.E                                PS-MPC (Toast)
Dejmi                                  PS-MPC (Toys)
Destructor.B                           PS-MPC (McWhale.1022)
Devil's Dance (C)                      Quadratic.1283
Devil's Dance (D)                      Radyum (698)
Digger.600                             Radyum (707)
Dos 7 (342)                            Rape (2777.A)
Dos 7 (376)                            Rape (2877.B)
Dos 7 (419)                            Rasek (1489)
Dosver                                 Rasek (1490)
Doteater (C)                           Rasek (1492)
Doteater (D)                           Red Diavolyata (830.B)
Doteater (E)                           Red Diavolyata (830.C)
Dracula                                Retribution
Du                                     Ripper
Dy                                     Russian_Mirror.B
Dzino                                  Sata.612
Finnish.709.C                          Saturday 14th.B
Friday the 13th (540.C)                Satyricon
Friday the 13th (540.D)                Screaming Fist.I.683
Frodo (F)                              Shake.B
Frodo (G)                              Shanghai
Frodo (H)                              SI-492.C
Fumble.E                               SillyC (208)
Gemand                                 SillyC (215)
Genc (502)                             Sistor (1149)
Genc (1000)                            Sistor (3009)
Goga                                   Skew.445
Golgi (465)                            Slub
Golgi (820)                            Smoka
Granada                                Sofia-Term (837)
Grog (Lor)                             Sofia-Term (887)
Grog (990)                             Stardot.789.C
Grog (1641)                            Sterculius
Guppy.D                                Spring
Halloechen (B)                         Stimp
Halloechen (C)                         Storm (1172)
Hates                                  Storm (1218)
Headcrash.B                            Stupid.Sadam.Queit.B
Helloween (1227)                       Sundevil
Helloween (1384)                       Svc (1689.B)
Helloween (1447)                       Svc (1689.C)
Helloween (1839)                       Svc (3103.D)
Helloween (1888)                       Sybille
Helloween (2470)                       Sylvia (1321)
Hi.895                                 Sylvia (1332.E)
Hidenowt                               Syslock (Syslock.C)
HLLC (Even Beeper.C)                   Syslock (Syslock.D)
HLLC (Even Beeper.D)                   Taiwan (708.B)
Infector (759)                         Taiwan (743.B)
Infector (822.B)                       Taiwan (752.B)
Intruder.1317                          Testvirus-B (B)
Italian Boy                            Testvirus-B (C)
IVP (540)                              Thirty-three
IVP (Bubbles)                          Tic.97
IVP (Math)                             Timid.302
IVP (Silo)                             Tomato
IVP (Wild Thing)                       Totoro
Jackal                                 Traveler Jack (854)
Japanese_Christmas.600.E               Traveler Jack (979)
Jerusalem (664)                        Traveler Jack (980)
Jerusalem (1960)                       Traveler Jack (982)
Jerusalem (1829.Anarkia)               Unexe
Jerusalem (2223)                       Uruk Hai.427
Jerusalem (Anticad.2900.Plastique.B)   Ussr-707.B
Jerusalem (Anticad.2900.Plastique.C)   Vacsina (634,TP.5.B)
Jerusalem (Anticad.2900.Plastique.D)   Vacsina (TP.16.B)
Jerusalem (AntiCad.3012.C)             Vbasic.D
Jerusalem (AntiCad.3012.D)             VCL (506)
Jerusalem (Fu Manchu.D)                VCL (507)
Jerusalem (Sunday.G)                   VCL (604)
Jerusalem (Sunday.H)                   VCL (951)
Jerusalem (Sunday.I)                   VCL (Anti-Gif)
Jerusalem (Sunday.J)                   VCL (ByeBye)
Jerusalem (1765)                       VCL (Earthquake)
Jerusalem (Groen Links.D)              VCL (Paranoramia)
Jerusalem (PSQR.B)                     VCL (Poisoning)
Jerusalem (Solano.Syslexia.B)          VCL (VF93)
Jerusalem (Solano.Subliminal.B)        VCL (VPT)
Jerusalem (Westwood.B)                 VCL (Ziploc)
Jest                                   VFSI.B
K-4 (687)                              Vienna (566)
K-4 (737)                              Vienna (623.B)
Kemerovo.257.E                         Vienna (627.B)
Keypress (1215)                        Vienna (644.C)
Keypress (1232.D)                      Vienna (648.J)
Keypress (1232.E)                      Vienna (648.K)
Keypress (1232.G)                      Vienna (648.O)
Keypress (1232.H)                      Vienna (648.Reboot.B)
Keypress (1232.I)                      Vienna (648.Reboot.C)
Keypress (2728)                        Vienna (648.Reboot.D)
Kernel                                 Vienna (648.Q)
Lapse (323)                            Vienna (648.R)
Lapse (366)                            Vienna (648.S)
Lapse (375)                            Vienna (648.X)
Leningrad II                           Vienna (758)
Literak                                Vienna (Choinka.B)
Little Girl.985                        Vienna (Choinka.C)
Lockjaw (808)                          Vienna (W-13.534.H)
Lockjaw (Black Knight)                 Vienna (W-13.534.I)
Lock-up                                Vienna (W-13.534.J)
Loki.1234                              Vienna (648.Abacus)
Lyceum.930                             Vienna (Bush)
M_jmp (122)                            Vienna (IWG)
M_jmp (126)                            Virdem (1336.Bustard.A)
M_jmp (128)                            Virdem (1336.Bustard.B)
Magician                               Virdem (1336.Cheater)
Manuel (777)                           Wilbur (B)
Manuel (814)                           Wilbur (D)
Manuel (840)                           Wildy
Manuel (858)                           Willow.2013
Manuel (876)                           Wisconsin.B
Manuel (937)                           Wolfman.B
Manuel (995)                           Wvar
Manuel (1155)                          Xph (1029)
Manuel (1388)                          Xph (1100)
Matura.1626                            Xtac
Mel                                    Yankee Doodle.Login.2967
Merry Christmas                        Year 1992.B
MG (2.D)                               Youth.640.B
MG (3.C)

The following 71 new viruses can now be detected but not yet removed:

_1403                                  Mutator.780
_1798                                  Mystic
Arcv (916)                             Necro-fear
Arcv (Friends.839)                     November 17th.1007
Arcv (Jo.911)                          Number of the Beast (B.2)
Arcv (Scroll)                          Number of the Beast (E.2)
Arcv (Slime)                           Phalcon.Emo
Arusiek.817.B                          Predator (1072)
Atas II.1268                           Predator (1137)
Barrotes.1303                          Predator (1148)
Bobo                                   Predator (1195)
Calc                                   Predator (2448)
Civil War.552                          Proto-T.1053
Close                                  Rape.1885
Darkray                                S-bug.Fruit-Fly
Digger (1000)                          Sarov
Digger (1512)                          Screaming Fist (II.650)
Dir-II (G)                             Screaming Fist (II.652)
Dir-II (J)                             Screaming Fist (II.724)
Dir-II (L)                             Screen+1.1654
Du                                     Seat
Dwi                                    Serene
Error Inc                              Shoo (2803)
Fairz                                  Shoo (2824)
Honey                                  Skater (699)
Inoc                                   Skater (977)
IVP (Mandela)                          Skater (1021)
IVP (Swank)                            Soupy (1001)
Jerusalem.Zerotime.Australian.B        Soupy (1072)
Little Red                             Student
Malmsey.806                            Suriv 1.Xuxa.1405
Marzia                                 SVC.2936
Mayak                                  Svm
Mr D (A)                               Velvet
Mr D (B)                               Yankee Doodle.2189
Multichild.110                         Zherkov.2435

The following 3 viruses can now be disinfected. Earlier versions of
F-PROT could only delete the infected files.

HLL (3680)
HLL (Antiline)
Loren

Appendix: Combined antivirus reviews 1993
------------------------------------------

During 1993, F-PROT has dominated antivirus reviews throughout the
world. Here's a reference table of the results of some of the most
important tests:

PC Magazine, Germany, January 1993:
 1. F-PROT 2.05a
 2. Antivir IV 4.04
 3. AntiVirus Toolkit 5.61

Virus Bulletin, Great Britain, January 1993:
 1. F-PROT 2.06b
 2. AntiVirus Toolkit 6.02
 3. AVScan 0.98H

Software Digest, USA, May 1993:
 1. F-PROT 2.07
 1. CPAV 2.0
 2. AntiVirus Toolkit 6.02

VSUM 307, USA, July 1993:
 1. F-PROT 2.09
 2. ViruScan V106
 3. AntiVirus Toolkit 6.53

PC Magazine, Italy, August 1993:
 F-PROT 2.06a
 AntiVirus Toolkit 6.5
 Norton Antivirus 2.1

VSUM 308, USA, August 1993:
 1. F-PROT 2.09
 2. ViruScan V106
 3. AntiVirus Toolkit 6.53

Computer Sweden, Sweden, August 1993:
 F-PROT 2.09
 AntiVirus Toolkit 6.30
 ViruScan V106
 TBScan 6.03

CM-Corporate, Belgium, September 1993:
 1. F-PROT 2.09
 2. AntiVirus Toolkit 6.53
 3. TBAV 6.03

Personal Computer Magazine, The Netherlands, November 1993:
 F-PROT 2.09
 ThunderByte Antivirus 6.05
 Sweep 2.53
