F-PROT Professional 2.18 Update Bulletin
========================================

Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This material can be freely quoted in Europe, Africa and Asia when the
source, F-PROT Professional Update Bulletin 2.18, is mentioned.
Copyright (c) 1995 Data Fellows Ltd.

------------------------------------------------------------------------------

Contents 3/95
=============

1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
The Global Virus Situation
  A Packet of 2800 Viruses in the Internet
  Let the Good Times Roll
  Dual_GTM in France
  A New Version of Disinfectant Now Available
  Viruses in the Wild
News in Short
  Data Fellows Ltd's Popular WWW Service
  F-PROT Professional Praised by Monitor Magazine Slovenia
  Hong Kong's First Hacker Case
Common Questions and Answers
Changes in F-PROT Professional version 2.18


1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
---------------------------------------

F-PROT Professional has been quite a success. To illustrate the
development: F-PROT sales in Finland increased by 144% during 1994 from
the previous year. Exports increased by 147%. During the first three
months of 1995 our F-PROT sales outside Finland have grown by more than
250%. The growth rate in sales in Finland is somewhat smaller than last
year but remains considerable.

Many large international companies have chosen F-PROT. Our release of
the first device driver-based full scanner has made a considerable
impact on the market. Our forthcoming Windows NT version will be one of
the first, as well.

Data Fellows has been a profitable, debt-free company from the first
fiscal year 1989 onwards. We have never been in as good a shape as now
to take on the challenge in the evolving anti-virus market.
The Global Virus Situation
--------------------------

A Packet of 2800 Viruses in the Internet
----------------------------------------

In the middle of April, a private user in Canada made a contribution to
a Usenet newsgroup dedicated to computer viruses by sending there a ZIP
file which contained over 2800 computer viruses. The newsgroup was
accessible on hundreds of thousands of computers all over the world.
However, the packet did not present an immediate threat, since users had
to decode and extract it first in order to run the viruses, and this
doesn't happen automatically.

The packet raised a lively discussion about freedom of speech and its
limits. There was also contention about whether the spreading of such
packets serves any purpose. F-PROT is able to detect the 2806 viruses
included in the packet.

Let the Good Times Roll
-----------------------

In this year's first Update Bulletin, we published an article about the
"Good Times" virus hoax which was going around the Internet. The Good
Times rumor was thought to be well on its way to extinction, but it
seems to have gained new strength recently.

The Good Times hoax is based on warning messages which carry the subject
"Good Times". These messages warn about other messages titled "Good
Times", claiming that they contain a dangerous virus which activates
when the message is read. Finally, the messages exhort users to spread
the warning message as widely as possible.

Despite extensive efforts to put a stop to Good Times, the messages have
continued to spread and multiply in numerous e-mail systems worldwide.
On some occasions, Good Times warnings have even been published in
newspapers and broadcast on radio.

As was to be expected, it did not take too long for virus writers to
realize how they could take advantage of the Good Times rumor. In
April, an Australian virus group known as VLAD published a real PC virus
called 'Good Times'.
This version of 'Good Times' is an ordinary file virus which infects COM
and EXE files. To further confuse the issue, the following message is
included in the virus's source code:

    ; The act of loading the file
    ; into a mail server's ASCII
    ; buffer causes the "Good
    ; Times" mainline program to
    ; initialize and execute.
    ; Remember to email all your
    ; friends, warning them about
    ; Good Times!

For obvious reasons, anti-virus programs will not recognize this virus
by the name 'Good Times'. Instead, it has been named 'GT-Spoof'.

A similar incident took place in the beginning of 1993. It involved a
rumor about a fictional virus called 'Proto-T', which was soon followed
by the real thing. This incident was discussed in the F-PROT 2.07 Update
Bulletin.

Dual_GTM in France
------------------

Reported by Pierre Vandevenne, DataRescue, Belgium

The Dual_GTM virus is in the wild and has been reported in France during
May 95. It is a memory-resident COM and EXE file infector. Programs are
infected when they are executed. Dual_GTM avoids infecting EXE files
whose names begin with SCAN, CLEA and QBAS. Its COM infection routine is
buggy, and multiple infections of the same COM file are possible.

The code of the virus presents some irritating characteristics: the
virus tries to avoid heuristic scanners by doing its things in a
non-obvious way. For example, when it wants to move the value 4200 to a
register, it will first move 4201 and then decrease the value of the
register by one.

The virus activates on the 20th of March if the year is greater than
1993. At this time the virus beeps and slowly displays the text: "Beware
of the BUG !!!". After this the virus hangs the machine. Otherwise the
activation routine is harmless; Dual_GTM's main danger lies in its buggy
infection routine, which can corrupt the files it infects.
A New Version of Disinfectant Now Available
-------------------------------------------

Things have been slow in the world of Macintosh viruses for a long time,
but the pace seems to be picking up again. In April, a new variant of
the old nVIR B virus was discovered and dubbed CLAP. The capability to
detect this virus has been added to most Macintosh anti-virus programs.

If there are Macintosh workstations in your organization, you can order
an updated version of the Disinfectant anti-virus program from your
F-PROT distributor or directly from our F-PROT Support without a
separate charge.

Viruses in the Wild
-------------------

According to the latest "Wildlist" statistics, the world's most common
viruses at the moment are AntiEXE.A, Cascade.1701.A, Form.A,
Green_Caterpillar.1575, Jerusalem.1808.Standard.A, Joshi.A, Kampana.A,
Parity_Boot.B, Ripper, Stoned.Azusa.A, Stoned.Empire.Monkey.B,
Stoned.Michelangelo.A, Stoned.Standard.A, Tequila.A and V-Sign. The
list of common viruses published in May contained altogether 222
different viruses.

Wildlist is compiled and maintained by IBM employee Joe Wells
(jwells@watson.ibm.com). In this, he is assisted by 30 anti-virus
parties from all over the world, including Data Fellows Ltd. Wildlist
is available from your local F-PROT distributor or directly from Data
Fellows Ltd's F-PROT Support.

News in Short
-------------

Data Fellows Ltd's Popular WWW Service
--------------------------------------

Data Fellows Ltd's WWW service has proved very popular. Our host server
went on-line a year ago, and so far it has served over 25000 visitors.
We continue to welcome you at:

    http://www.datafellows.fi/

F-PROT Professional Praised by Monitor Magazine Slovenia
--------------------------------------------------------

The Slovenian Monitor Magazine published a comprehensive test of
anti-virus products in its April issue. F-PROT Professional was
proclaimed the editors' choice as a hands-down winner over the other
contestants.
The technology used by F-PROT Gatekeeper was especially praised. During
1995, F-PROT has also prospered in tests published by the Virus Bulletin
and SECURE Computing magazines, among others.

Hong Kong's First Hacker Case
-----------------------------

Reported by Allan Dyer (adyer@yuikee.com.hk) of Yui Kee Co. Ltd, Hong
Kong:

Raymond Chen, son of a Hong Kong University lecturer, has become Hong
Kong's first convicted Internet hacker. He was convicted on three counts
under the Telecommunications Ordinance and ordered to pay fines and
costs totaling HK$45,000. The magistrate indicated his wish to deter
others, saying, "Although a deterrent sentence is not usually imposed
upon a first offender, there is no absolute bar".

The offenses took place between August and October 1994, and involved
access to computers operated by Hong Kong Polytechnic and Hong Kong
University of Science and Technology. After a monitoring operation, the
Commercial Crimes Bureau officers gained access to Mr. Chen's home posing
as neighbors concerned about a water leak, and seized the computing
equipment.

Raymond Chen is considering an appeal and claims he may have been framed
by the gay community: "I didn't do anything except harass the fags and
of course I harass them mercilessly", referring to his activities on
IRC. Chen claimed he had been given the passwords to various friends'
accounts as "payment" for technical assistance. Police and local
Internet experts dismissed his claims of being framed. Chen was not
convicted under the Computer Crimes Ordinance, as there was no evidence
that he had any criminal or dishonest intent in his unauthorized access.

Common Questions and Answers
----------------------------

If you have questions about information security or virus prevention,
contact your local F-PROT distributor. You can also contact Data Fellows
directly at the number +350-0-478 444. Written questions can be mailed
to: Data Fellows Ltd, F-PROT Support, Päiväntaite 8, 02210 ESPOO,
FINLAND.
Questions can also be sent by electronic mail to:

    Internet: f-prot@datafellows.fi
    X.400:    S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

Should DLL files be checked for viruses? I compared different anti-virus
programs and noticed that, in addition to the normal COM, EXE and
overlay files, some of them also scan files with the DLL extension by
default.

Under normal conditions, it is not worth the effort to check DLL files.
Including them in the virus check only slows down scanning but does not
really provide any additional security.

DLL files are structurally similar to Windows EXE files. They are
divided into two separate parts: a basic DOS stub and the actual Windows
code section. The only purpose of the DOS section is to print "This
program requires Windows" or something similar on the screen. Many DOS
viruses distinguish between COM and EXE files by checking whether the
file begins with the signature 'MZ'. DLL files contain the MZ marker.

So far, no viruses which try to spread by infecting DLL files have been
found. However, DLL files may occasionally contain viruses. This may be
due to the following reasons:

1) The virus infects all files. For example, viruses which belong to the
   Trivial family write their code to all files located in the same
   directory.

2) The virus is meant to infect only normal program files, but, due to a
   programming error, it also infects other files, including DLLs.

3) The virus infects all executed files which contain the EXE header.
   Since DLL files are never executed in the traditional sense of the
   word, the only way to get a virus to infect them is to change their
   file extension to EXE and run them under DOS.

4) Some multipartite viruses monitor disk writes. Whenever a sector
   beginning with an EXE header or the 'MZ' marker is written to the
   disk, these viruses add their own code to it. BootExe is one of these
   viruses. It may also infect DLL files.
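To make the header test above concrete, here is an added Python example (not code from the bulletin or from F-PROT): it parses the 'MZ' stub of constructed sample files, follows the pointer at offset 0x3C to the Windows 'NE' header that a DLL, DRV or VBX shares with a Windows EXE, and compares a content-based check with an extension-based one. It assumes the standard DOS EXE header layout (relocation-table offset at 0x18, new-header offset at 0x3C), uses constructed minimal headers rather than real programs, and goes slightly beyond the 1995 text by also recognizing the 32-bit 'PE' signature.

```python
import struct


def mz_header_fields(data):
    """Return (e_lfarlc, e_lfanew) from a DOS 'MZ' header, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]  # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the Windows header
    return e_lfarlc, e_lfanew


def classify(data):
    """Classify a file by its header, the way a scanner sees it (not by extension)."""
    fields = mz_header_fields(data)
    if fields is None:
        return "COM/other"        # no MZ marker: raw code if run as a .COM
    e_lfarlc, e_lfanew = fields
    # A relocation table at 0x40 or later means the MZ part is only a DOS stub
    # and the real (Windows) header lives at e_lfanew.
    if e_lfarlc >= 0x40 and e_lfanew + 4 <= len(data):
        sig = data[e_lfanew:e_lfanew + 2]
        if sig == b"NE":          # 16-bit Windows EXE, DLL, DRV, 386, FON, VBX ...
            return "Windows NE"
        if sig == b"PE" and data[e_lfanew + 2:e_lfanew + 4] == b"\0\0":
            return "Windows PE"   # 32-bit Windows executable (beyond the 1995 text)
    return "DOS EXE"


def seen_as_exe_by_dos_virus(data):
    """The bulletin's point: a DOS file virus usually tests only for 'MZ'."""
    return data[:2] == b"MZ"


def make_mz(e_lfarlc, new_header=b""):
    """Build a minimal MZ header (constructed sample bytes, not a real program)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    if new_header:                # Windows header placed right after the stub
        struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + new_header


NE_STUB = b"NE" + bytes(62)       # constructed 64-byte NE header, signature only

# Constructed directory listing: file name -> contents
SAMPLES = {
    "HELLO.COM":   b"\xb4\x09\xcd\x21\xc3",   # raw code, no header at all
    "DOSPROG.EXE": make_mz(0x1C),             # plain DOS EXE, relocations at 0x1C
    "WINAPP.EXE":  make_mz(0x40, NE_STUB),
    "LIBRARY.DLL": make_mz(0x40, NE_STUB),    # DOS stub + Windows code section
    "VIDEO.DRV":   make_mz(0x40, NE_STUB),    # same layout as a DLL
    "CTRL.VBX":    make_mz(0x40, NE_STUB),
    "NOTES.TXT":   b"quarterly report\r\n",
}


def files_with_exe_header(samples):
    """What a content-based scan (or an MZ-testing virus) treats as EXE files."""
    return sorted(n for n, d in samples.items() if seen_as_exe_by_dos_virus(d))


def files_by_extension(samples, exts=("COM", "EXE")):
    """What a default scan limited to program extensions would look at."""
    return sorted(n for n in samples if n.rsplit(".", 1)[-1].upper() in exts)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(data)}")
    print("MZ header :", files_with_exe_header(SAMPLES))
    print("by ext    :", files_by_extension(SAMPLES))
```

The two listings differ exactly in the files the text is concerned with: the DLL, DRV and VBX carry the same stub as WINAPP.EXE and pass the MZ test, yet an extension-based default scan never opens them.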
Cases 1) and 2) are not valid reasons for including DLL files in
particular in the virus scan. Such viruses will also infect, for
instance, TXT and XLS files, corrupting them in the process. To find all
copies of such viruses, it is necessary to scan all files, including
data files. The entries describing these viruses in F-PROT's virus
database contain reminders about the necessity of a comprehensive data
file scan.

Cases 3) and 4) can be used as arguments for a DLL scan. However, in
such cases the virus will also infect all other Windows files containing
an EXE header. This means, for example, all files with the extensions
386, CPL, DRV, FON, FOT and VBX. These files are as likely to get
infected as DLL files, but there are no anti-virus programs which
include them in the scan by default.

The general rules about virus infections also apply to cases involving
DLL files. Normally, only program files should be scanned. However, if a
virus is found, ALL files should be checked, including DLLs and data
files, just to be on the safe side.

What happens to a DLL file if it is infected by a virus?

That depends on the structure of the original file. Since viruses do not
target DLL files in particular, the infection usually damages the file
so badly that an attempt to use it leads to an error message. Even if
the file remains functional, the virus cannot spread from it under
normal conditions; the only way to get a virus to spread from such a
file is to change its extension to EXE and execute it under DOS.

So far, no viruses which infect exclusively DLL files have been found.
There haven't even been cases where a virus could spread from a DLL file
without considerable help from the user. Therefore, it is not necessary
to include DLL files in the virus scan.

Are there any viruses which can spread through GIF or JPG files?

No. Next question, please.

Can viruses hide themselves in the video RAM or CMOS memory?
What about the memory of peripherals, such as printers or modems?

Video RAM is structurally similar to normal PC memory, so it is possible
to execute programs in it. There are known viruses that install
themselves in video RAM. However, this doesn't pose any special
challenge to anti-virus programs, as these viruses can readily be
detected there.

CMOS memory is backed up by a battery, so it doesn't disappear when you
turn off the computer. However, CMOS is very small and its contents
never get executed. Thus, you can't run any programs in it. There are
viruses that do corrupt the information in CMOS, but they can't hide in
it.

Some printers and modems have non-volatile memory, but it is not
technically possible to write a program that would "infect" that memory.
Besides, such a program could not spread from the peripheral back to the
main PC.

Changes in F-PROT Professional version 2.18
-------------------------------------------

Changes in F-PROT for DOS

The following problem has been corrected:

The virus No_of_the_Beast was not disinfected correctly.

The following false alarm has been fixed:

The latest version of McAfee's CLEAN.DAT file contains some unencrypted
code taken from the November_17th virus, and this caused F-PROT to give
a false alarm. McAfee is expected to correct this, but in the meantime
F-PROT has also been provided with the means to avoid giving a false
alarm on this file.

Minor changes:

Files infected by the Cybercide.1307 virus are usually unable to start
afterwards. F-PROT can now disinfect these files as well.

Changes in F-PROT for Windows

The default font size used by DFWIN has been changed. The program now
uses a font which has readable proportions. This was a problem in some
environments.

Installation support for TSR programs has been added to Autoinst. For
example, VIRSTOP.EXE can now be defined to be installed from
AUTOEXEC.BAT.

We have created a Windows version of the Autoinst program.
The program uses the same INI files as the DOS version. The name of the
program file is AUTOW31.EXE.

Autoinst supports the installation of F-PROT Gatekeeper's F-PROTW.386
file from the local directory: the setting "f-protw.386=" can be used
for defining the F-PROTW.386 device driver's path in SYSTEM.INI. When
this setting is used, the defined path, instead of the installation's
destination directory, will be added to SYSTEM.INI. This makes it
possible to load the device driver from a different location than
F-PROT Gatekeeper's other files. For example:

    [Gatekeeper]
    f-protw.386=c:\f-protw.386

Autoinst will also write a corresponding setting to the F-PROTW.INI
file. Thus, the setting in SYSTEM.INI will remain correct even when
F-PROT Gatekeeper is activated from F-Agent with a menu command. The
setting is needed in environments where network disks become accessible
only after Windows is started.

New Viruses Detected by F-PROT 2.18
-----------------------------------

The following 31 viruses are now identified, but cannot be removed as
they overwrite or corrupt infected files. Some of them were detected by
earlier versions of F-PROT, but not identified accurately.

    Explorer.3063  Fkiller  HLLO.3853  HLLO.4870.C  HLLO.8000  HLLO.14186
    Itti.99.B  Leprosy.551  Leprosy.666.J  Leprosy.666.N  Leprosy.666.O
    Leprosy.666.P  Leprosy.666.Q  Leprosy.999  Leprosy.BadCommand
    Leprosy.Merci  Leprosy.YH.880  Quasar.523  Raving  Rush_Hour.A
    Rush_Hour.B  Rush_Hour.C  Rush_Hour.D  Rush_Hour.E  Suriv-1.Lunch
    Trivial.B&B  Trivial.Diddle  Trivial.FTW.101  Trivial.FTW.192
    Trivial.Lame.98  Trivial.Lame.173

The following 258 new viruses can now be removed. Many of them were
detected by earlier versions, but are now identified accurately.
The following 84 new viruses are now detected and identified but cannot
yet be removed.
The following 9 new viruses are now detected, but not identified. F-PROT
will just report the virus family name with a (?), or report the virus
as "New or modified variant", as it is not yet able to determine which
variant it is dealing with. Disinfection of these viruses is not yet
possible.

    DR&ET  Dream  GT-spoof  K-hate  Rajaat.871  Maverick.A  Maverick.B
    Maverick.C  Unfo

The following 6 viruses which were identified by earlier versions can
now be removed.

    Clone  McGyver.2803.A  McGyver.2803.B  Necropolis.A  Necropolis.B
    Necropolis.C

The following viruses have been renamed:

    Pollution.*  ->> Riot.Pollution.*
    Carpe_Diem.* ->> Riot.Carpe_Diem.*

------------------------------------------------------------------------------