
F-PROT Professional 2.13 Update Bulletin
========================================
Data Fellows Ltd, Wavulinintie 10, 00210 Helsinki, Finland
Tel. +358-0-692 3622, Fax +358-0-670 156, E-mail: f-prot@datafellows.fi

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.13 Update Bulletin; Copyright (c) 1994 Data Fellows Ltd.

-------------------------------------------------------------------------------

CONTENTS 3/94
=============
 Microsoft chooses F-PROT Professional
 News in Short
 - Electronic Support Services
 - A Virus Instruction Guide Published in France
 - Onwards the Evolution
 New Viruses In the Wild
 - Jumper
 - Junkie
 - SMEG
 - J&M
 A Closer Look at the Global Virus Situation
 - Virus Situation in South Africa
 - Virus situation in Japan
 Creating a Virus Prevention Strategy with F-PROT Professional
 Feature: False Alarms
 Dark Side of the Moon: What Motivates Virus Writers
 F-PROT support informs: Common Questions and Answers
 Changes in Version 2.13


Microsoft chooses F-PROT Professional
-------------------------------------

F-PROT Professional's fast progress continues on all fronts. New 
technical features are continuously being added to the product 
family, the program keeps proving its mettle by winning tests 
all over the world, and our clientele has been joined by such 
interesting companies as, for example, Microsoft Corporation.

In keeping with our traditions, the current version of F-PROT 
Professional can find several hundreds of viruses more than the 
previous full update which was distributed to all our customers 
two months ago. The Heuristic Analysis has been redesigned as 
well. It can now find new, previously unknown viruses even 
better than before. A detection mechanism for the new, highly 
advanced polymorphic generator, SMEG, has also been added to 
F-PROT.

F-PROT has again won several tests. Let us take two examples.

In a test arranged by the Swedish Windows World magazine, F-PROT 
was the only product to be "Recommended by the Editorial Staff". 
Software Digest in USA named F-PROT's NLM-version the Editor's 
Choice.

Many well-known international companies have switched to F-PROT 
Professional products. The most famous of these is probably 
Microsoft Corporation, which has acquired a world-wide internal 
license for F-PROT Professional and F-PROT NLM products.
Other new F-PROT users include such distinguished companies and 
organizations as Goodyear and Hong Kong University of 
Technology. 


News in Short
-------------

Electronic Support Services
---------------------------
Data Fellows Ltd's Internet domain name has been changed to 
datafellows.fi. Our support service can now be contacted at the 
address f-prot@datafellows.fi. Our X.400 address remains the 
same, namely X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet 
C=fi.

A Virus Instruction Guide Published in France
---------------------------------------------
A French version of Mark Ludwig's notorious virus instruction 
book, "The Little Black Book of Computer Viruses", has been 
published after a trial. The book's publisher, Addison & Wesley 
France, was sued at the end of last year to prevent the book 
from reaching print. The court, however, judged the book to be 
suitable for publication.

The court ordered the claimant to pay Addison & Wesley 20.000 
francs for damages to reputation caused by the trial.
Some time ago, Mark Ludwig published a sequel to his Little 
Black Book, called "Computer Viruses, Artificial Life and 
Evolution". The book contains examples of virus code and four 
functional viruses. The book's viruses could also be ordered on 
diskette for additional payment.

Ludwig's latest questionable stunt has been the publication of a 
CD-ROM virus disk. Ludwig's own publishing company, American 
Eagle, published a CD-ROM disk which contained a great number of 
different viruses, virus creation programs and other malicious 
software. The disk's price was one hundred dollars.

Onwards the Evolution
---------------------
A new virus, known as Evolution 2001, is on the move in Eastern 
Europe. The virus was spread through BBSs in files BREAKARJ.ZIP 
and ZIPCRACK.ZIP. Evolution 2001 has many exceptional 
characteristics: it uses 386 instructions, loads itself into 
upper memory and employs polymorphic encryption. In fact, 
Evolution 2001 bears a strong resemblance to the Tremor virus, 
which is still quite common in Germany.


New Viruses In the Wild
-----------------------

Jumper
------
The Jumper virus is known by many different names: its aliases 
include French Boot, Sillybob, Neuville, Touche, EE and _2kb. 
The variety of names is caused by the fact that, despite being 
widely spread, the virus is quite new. It was given a different 
name in each location where it was found, and no common name has 
yet established itself. The official CARO name, however, is 
Jumper.

Jumper was first found in France at the end of 1993, and it was 
spotted in Denmark in the beginning of 1994.

Functionally, Jumper is not especially noteworthy. Being a boot 
sector virus, it spreads only on infected diskettes. It infects 
diskette boot sectors and hard disk MBRs. The virus infects 
computers only when somebody tries to boot them from infected 
diskettes. Jumper can infect the hard disk even if the boot 
attempt is unsuccessful. Once the virus has infected the hard 
disk, it spreads to virtually all diskettes used in the 
computer.

Junkie
------
The Junkie virus was circulated through European BBSs at the end 
of May. It travelled in a file called HV-PSPTC.ZIP. According to 
the description, the file was supposed to contain a program 
which would make it possible to install illegal copies of the 
Pacific Strike game directly from the hard disk instead of from 
diskettes. The packet's content, PSPATCH.COM, contained only the 
Junkie virus, however.

Junkie is a Swedish multipartite virus. It infects hard disk 
MBRs and COM files. When an infected file is executed in a 
computer for the first time, the virus overwrites the hard 
disk's MBR with its own code but does nothing else. During its 
next execution, the virus goes resident in memory and infects 
all executed COM files.

Infected COM files grow by approximately 1035 bytes. Since the 
virus infects all executed COM files, it corrupts files which 
are structurally EXEs but happen to have the extension COM.

The virus code is doubly encrypted. The following message is 
hidden under the second encryption layer:

        Dr White - Sweden 1994
        Junkie Virus - Written in Malmo...M01D
        
The Junkie virus can be noticed by the decrease of available 
memory in the system. Some programs also display the message 
"Program too big to fit in memory" when they are executed.
F-PROT is able to detect and disinfect the Junkie virus in both 
files and boot sectors.

SMEG
----
Two new viruses, Pathogen and Queeg, have been found in England. 
They have been produced with a utility which the author, who is 
known as The Black Baron, calls Simulated Metamorphic Encryption 
Generator (SMEG).

The viruses are highly polymorphic, which means that every new 
infection looks completely different from previous ones. 
Pathogen and Queeg are memory-resident file viruses. They infect 
COM and EXE files.

Pathogen activates on Mondays between 5 and 6 p.m. It overwrites 
part of the hard disk and displays the message shown below.

During May, the SMEG viruses gained a lot of publicity in 
England. In practice, however, they have not been able to spread 
very far.

F-PROT finds all known viruses using the SMEG encryption 
utility. F-PROT performs an accurate identification, reports the 
exact variant in question, and is also able to remove SMEG 
viruses reliably.

J&M
---
A new boot sector virus called J&M has been reported to be in 
the wild in the Czech Republic, Hungary and Poland. This virus 
infects diskette boot sectors and hard disk MBRs in the usual 
manner.

J&M is a destructive virus, activating on the 15th of November. 
Upon activation, it enters an infinite loop and formats the 
first tracks of the first hard drive.

There has also been a large-scale outbreak of J&M in Iceland. 
This is quite remarkable in itself, since before this incident 
no new viruses had been detected in Iceland for over two years. 
The virus was probably brought into Iceland in a portable PC 
which had been infected while its owner was traveling in Eastern 
Europe.

F-PROT is able to detect and disinfect the J&M virus.


A Closer Look at the Global Virus Situation
-------------------------------------------

Virus Situation in South Africa
-------------------------------
The latest overseas virus to show up in South Africa is Azusa. 
Azusa, which was probably written in Hong Kong, made its arrival 
in March. Azusa is a memory-resident boot sector virus. It 
infects diskette boot sectors and hard disk MBRs. After 32 
boots, the virus activates and disables the system's COM1 and 
LPT1 ports.

F-PROT is able to detect and disinfect the Azusa virus.

A couple of South African "natives", namely the original Bunny 
virus and three of its variants, have also been doing their 
rounds. These viruses are memory-resident boot sector infectors. 
They infect diskette boot sectors and hard disk MBRs. Bunny and 
its variants employ advanced stealth techniques and may damage 
the data on the hard disk to some degree.

F-PROT is able to detect and disinfect the Bunny virus and its 
variants.

Virus situation in Japan
------------------------
There are three groups of anti-virus products in Japan: 
 - Software supposedly used as stand-alone products
 - Software supposedly used on networks
 - Hardware products

Among these, stand-alone software is the most widely used. This 
is clear from the recovery measures section of the IPA Virus 
Incidents Report. That section describes the discovery and 
repair methods used and the time they took; only 10% of it 
deals with means other than vaccines.

The IPA Virus Figures in Japan are: 
 - 1991 - 57 cases
 - 1992 - 253 cases
 - 1993 - 897 cases
 - 1994 - 527 cases so far


Creating a Virus Prevention Strategy with F-PROT Professional
-------------------------------------------------------------

Installing virus protection software in a corporate 
environment needs to be planned. Functional virus protection 
must cover all workstations and networks. Different kinds of 
workstations require different prevention policies, though.

Workstations and VIRSTOP
------------------------

All workstations should be protected with the memory-resident 
virus prevention program, VIRSTOP. VIRSTOP checks all programs 
before they are executed, and automatically scans the boot 
sectors of diskettes that are used in the computer. If VIRSTOP 
finds a virus, it prevents the infected file or diskette from 
being used, and informs the user about the infection.

VIRSTOP can be loaded from either CONFIG.SYS or AUTOEXEC.BAT. 
This can be done with the simple command:

C:\F-PROT\VIRSTOP.EXE /DISK

If VIRSTOP is started with the DISK parameter, its memory 
requirements decrease significantly. The program also recognizes 
other command line parameters. If you cannot prevent diskette 
boots directly in the BIOS Setup, use the parameter WARM. As a 
consequence, VIRSTOP will scan the boot sector of the diskette 
in drive A: every time Ctrl-Alt-Del is pressed.

The COPY parameter provides some extra security. It instructs 
VIRSTOP to scan every program file as it is copied. The use of 
this parameter slows the computer down slightly.

The command VIRSTOP /? gives you a list of all available command 
line parameters.

If VIRSTOP is loaded into the computer's memory before the 
workstation is logged into the network, and you want to protect 
the network from being infected by unprotected workstations, you 
can add a command suitable for the purpose to the batch or 
script file which is used for logging into the network. The file 
IS_VS.BAT on the F-PROT distribution diskette provides an 
example of such a command.

If a user removes the VIRSTOP command, he or she is prevented 
from logging into the network. Another option is to load VIRSTOP 
during login. Normal users should not be allowed to modify the 
login batch or script.

Scheduled F-PROT Scans In Workstations
--------------------------------------
VIRSTOP is a good tool for preventing all typical infections, 
but you won't get perfect protection by using it alone. VIRSTOP 
scans only programs and diskettes that are actually used. If a 
virus is hiding in a file that is seldom or never used, the user 
won't know it. VIRSTOP doesn't detect as many viruses as 
F-PROT's Secure Scan does, either - TSR programs must sacrifice 
some abilities in order to keep memory requirements down and 
execution speed up.

The workstations' hard disks should therefore be periodically 
scanned with F-PROT itself. The scans should happen 
automatically so that users do not need to worry about them.
The scans are easy to schedule with F-PROT Professional for 
Windows. The program contains a special option, `Schedule', 
which is designed for just this purpose. F-PROT for DOS can be 
scheduled to perform scans by using F-AUTO. A line which runs 
F-AUTO should be added to AUTOEXEC.BAT or to the login batch. As 
for the scan interval, seven days is usually sufficient, if 
VIRSTOP is in use. If machines are not running VIRSTOP for some 
reason, set the scan interval to 0, which means that machines 
are scanned once a day. The F-PROT distribution diskette 
contains examples of using F-AUTO and FP.BAT.

Utilizing the Network
---------------------
You can update and maintain F-PROT centrally if you have a 
functional network. F-PROT can also be updated to every 
workstation separately, but it is far easier to build an 
automatic installation and updating system by using shared 
disks.

Instead of scanning servers with F-PROT Professional for DOS or 
F-PROT Professional for Windows, you can use the program's OS/2 
or Novell Netware version to do that. You can use the F-CHECK 
integrity checker to attain further protection. To automate 
scanning or integrity checking, use F-AUTO. Some alternatives 
are listed below.

Alternative 1
-------------
Install F-PROT Professional for DOS on the file server's shared 
disk. The workstations can access the program through the 
network. The administrator can use the same program to scan the 
server's files. The program should be located in a read-only 
directory.

Install VIRSTOP on every workstation and construct an automatic 
updating system. VIRSTOP will protect the workstations even if 
the network is down for some reason. When a user logs into the 
file server, he or she can run F-PROT itself. After the initial 
installation, the administrator needs only to update the copy on 
the server. You can automate scanning with F-AUTO.

Alternative 2
-------------
This solution is otherwise similar to the one described above, 
but the automatic updating system is configured to install and 
update the whole F-PROT Professional for DOS into individual 
workstations. Use F-CHECK if you think extra protection is in 
order.

Once the system is installed, only the copy on the server needs 
to be updated manually. After that, F-PROT is automatically 
updated to individual workstations. You can automate scans and 
checks with F-AUTO. 

Look for examples of how to do this on the F-PROT distribution 
diskette.

Alternative 3
-------------
Install F-PROT for Windows on all workstations, and install 
VIRSTOP on the workstations as well. The Windows version 
includes an automatic updating system and a scheduler. With 
F-PROT for Windows, it is also possible to send scanning tasks 
and reports over the network.

If you want extra protection, use the F-CHECK integrity checker.

Alternative 4
-------------
Construct the system according to one of the above-mentioned 
alternatives. To protect the servers, use F-PROT Professional 
for OS/2 on Lan Manager servers, and F-PROT Professional for 
Novell Netware on Novell Netware servers. These programs include 
tools for automating scanning tasks.

Automatic updating of F-PROT via a network
------------------------------------------
F-PROT, F-CHECK and VIRSTOP are compatible with practically all 
LANs. F-PROT can be used with a network in two different ways: 
 - Use programs from a shared disk.
 - Use programs from a local disk.

If you choose to use only shared disks, users must log in to the 
network regularly. VIRSTOP can usually be loaded only after the 
shared disks are available.

Check VIRSTOP's functionality by executing the command F-TEST. 
If the network connection disturbs VIRSTOP's link to DOS, F-TEST 
will report it. If this is the case, you must either load 
VIRSTOP after network drivers, or run VIRSTOP a second time with 
the parameter REHOOK after the network connection has been 
established. The REHOOK parameter does not change VIRSTOP's 
memory requirements.

If you choose to use local disks, users can run F-PROT even if 
the network is down. Automatic updating to workstations can be 
handled in two ways:
        Use the REPLACE command under DOS. This causes F-PROT to 
        be copied to workstations every time the users log into 
        the network. If the workstations connect to the network 
        during every boot-up, add the necessary commands to the 
        login batch or to AUTOEXEC.BAT .
        
        Use the FPUPDATE.BAT batch file. It uses a special 
        version file to check whether a new version of the 
        program has been copied to the server. Updating occurs 
        every time the server version has been updated and the 
        user logs in to the network. Call FPUPDATE from the login 
        batch or script or from AUTOEXEC.BAT.

In both cases, the new F-PROT version can be used immediately 
after logging into the network. VIRSTOP can be used after the 
next boot-up.

For more information on how to construct an automatic updating 
system, read the files NETWORK.TXT and FPUPDATE.BAT on the 
F-PROT update diskette. Both files can be found in the MATERIAL 
subdirectory.
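The two login-time tasks described in this section and in "Scheduled F-PROT Scans In Workstations", the version-file check that FPUPDATE.BAT performs and the interval-based scan that F-AUTO triggers, as an added example written in Python. This is not FPUPDATE.BAT, F-AUTO or any other F-PROT code: the file names VERSION.TXT and LASTSCAN.TXT, the version stamps and the directories are assumptions constructed for the example, and the scan itself is a callable stand-in so that the script runs offline.

```python
"""Added example (not FPUPDATE.BAT, F-AUTO or any other F-PROT code):
a workstation maintenance routine driven by a version file on a shared
disk and a last-scan date file, as a login batch would run it.
File names VERSION.TXT and LASTSCAN.TXT are assumed, and all directories
below are constructed in a temporary folder so the script runs offline."""
import os
import shutil
import tempfile
from datetime import date, timedelta

VERSION_FILE = "VERSION.TXT"   # assumed: version stamp kept beside the program
STAMP_FILE = "LASTSCAN.TXT"    # assumed: date of the last completed scan


def read_version(directory):
    """Version string from VERSION.TXT, or '' when the file is absent."""
    path = os.path.join(directory, VERSION_FILE)
    if not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read().strip()


def update_from_server(server_dir, local_dir):
    """Copy the program files only when the server's version stamp differs
    from the local one; returns True when an update was performed."""
    if read_version(server_dir) == read_version(local_dir):
        return False
    os.makedirs(local_dir, exist_ok=True)
    for name in os.listdir(server_dir):
        src = os.path.join(server_dir, name)
        if os.path.isfile(src) and name != VERSION_FILE:
            shutil.copy2(src, os.path.join(local_dir, name))
    # The stamp is written last: an interrupted copy is simply retried
    # at the next login because the versions still differ.
    shutil.copy2(os.path.join(server_dir, VERSION_FILE),
                 os.path.join(local_dir, VERSION_FILE))
    return True


def scan_is_due(local_dir, interval_days, today):
    """True when the last recorded scan is at least interval_days old.
    An interval of 0 is treated as 'once a day', as the bulletin describes."""
    path = os.path.join(local_dir, STAMP_FILE)
    if not os.path.isfile(path):
        return True
    with open(path) as fh:
        last = date.fromisoformat(fh.read().strip())
    return (today - last).days >= max(interval_days, 1)


def record_scan(local_dir, today):
    """Remember the date of a completed scan."""
    with open(os.path.join(local_dir, STAMP_FILE), "w") as fh:
        fh.write(today.isoformat())


def login_maintenance(server_dir, local_dir, interval_days, today, run_scan):
    """Update if the server copy is newer, then scan if the interval has
    elapsed. run_scan is a callable so the example does not depend on
    the scanner binary itself. Returns (updated, scanned)."""
    updated = update_from_server(server_dir, local_dir)
    scanned = False
    if scan_is_due(local_dir, interval_days, today):
        run_scan(local_dir)
        record_scan(local_dir, today)
        scanned = True
    return updated, scanned


def demo():
    """Constructed scenario: first login on a fresh workstation, a second
    login the same day, then a login eight days later after the server
    copy was replaced. Returns the three (updated, scanned) results and
    the number of scans that ran."""
    root = tempfile.mkdtemp()
    server = os.path.join(root, "server")
    local = os.path.join(root, "local")
    os.makedirs(server)
    with open(os.path.join(server, "F-PROT.EXE"), "wb") as fh:
        fh.write(b"constructed stand-in for the program image")
    with open(os.path.join(server, VERSION_FILE), "w") as fh:
        fh.write("stamp-1\n")           # constructed version stamps
    scans = []
    day1 = date(1994, 6, 20)
    first = login_maintenance(server, local, 7, day1, scans.append)
    second = login_maintenance(server, local, 7, day1, scans.append)
    with open(os.path.join(server, VERSION_FILE), "w") as fh:
        fh.write("stamp-2\n")
    third = login_maintenance(server, local, 7, day1 + timedelta(days=8),
                              scans.append)
    shutil.rmtree(root)
    return first, second, third, len(scans)


if __name__ == "__main__":
    print(demo())
```

Run the script directly to see the three (updated, scanned) results. Writing the version stamp only after the program files have been copied keeps an interrupted update harmless: the stamps still differ at the next login, so the copy is simply repeated.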

Scanning File Servers
---------------------
There are several ways to scan file servers: 
        The administrator scans the file server while logged in 
        with a special user name. This name should have read 
        rights to the whole server, but no write rights at all. 
        The user rights attributes should be chosen very 
        carefully. Although it is possible to choose a 
        combination of attributes that makes it impossible for 
        viruses to spread, it is very difficult to do (especially 
        when operating with a Novell network).
        
        Scanning should be scheduled to happen at night, when the 
        network load is lightest. Such scheduling is easiest to do 
        with F-PROT's Windows or OS/2 versions.
        
        The administrator scans the file server by using a batch 
        file located on a special, bootable diskette. This batch 
        file should contain all the commands needed for logging 
        into the network and for scanning the file server. The 
        report can be directed to a file. A special diskette is 
        needed because the administrator may need to log in with 
        a high access level to be able to scan all disks.

        The diskette must include all the programs needed for booting 
        and for establishing the network connection. For safety 
        reasons, the scanning should be performed after a clean boot. 
        If the computer that is used for scanning harbors an active 
        stealth virus using fast infection techniques, the virus may 
        manage to infect every file in the file server during the 
        virus scan. This risk can be avoided by booting from a clean 
        diskette.
        
        The server can be scanned directly by using either F-PROT 
        Professional for OS/2 or F-PROT Professional for Novell 
        Netware, depending on which network operating system is 
        used.

Updating workstations without a network
---------------------------------------

On workstations that are not connected to a network, F-PROT can 
be updated by using a specially prepared boot diskette. Commands 
for scanning the hard disk and for copying the new version of 
F-PROT to the hard disk can be added to the diskette's 
AUTOEXEC.BAT. Distribute such diskettes to the users. All they 
need to do is boot their workstations from the diskette.

Additional notes
----------------
Certain programs grab DOS interrupts to themselves, ousting 
other TSRs that are using them - this means that VIRSTOP will 
either have to be loaded after these programs or rehooked 
afterwards with the command VIRSTOP /REHOOK. Some of these 
situations are listed below:
 	NETX (Novell)
 	Stacker 4
 	DOS window under DESQview
 	logging in to a TOP-VIEW network

IBM AS/400 PC Support
---------------------
Since the AS/400 device drivers modify the data areas of other 
TSR programs, the loading order of TSRs must be changed. Load 
VIRSTOP from CONFIG.SYS with a DEVICE or DEVICEHIGH command, and 
change the loading order. The correct loading order of drivers 
is: 

1.      DEVICE=DXMA0MOD.SYS, DXME0MOD.SYS, DXMT0MOD.SYS and other 
        DXMA-drivers (which are generally needed for e-mail purposes)
2.      DEVICE=VIRSTOP
3.      DEVICE=EIMPCS.SYS and also ECYDDX.SYS, if it is needed 

Remember to test the functionality of VIRSTOP by running F-TEST.
More information on using F-PROT in a network environment can be 
had from your local F-PROT distributor, or from Data Fellows 
Ltd's F-PROT Support.



Feature: False Alarms
=====================

Every now and then, anti-virus programs produce false alarms. 
False alarms are virus alerts given of clean files. In fact, any 
situation in which a user suspects a clean computer to be 
infected can be construed as a false alarm, even if the alarm is 
not given by some anti-virus program.

Polymorphic Viruses and False Alarms
------------------------------------
In many cases, a false alarm occurs when an anti-virus program 
thinks it has found a polymorphic virus. Data files are often 
the source of such alarms.

Anti-virus programs tend to give false alarms of polymorphic 
viruses because they have to search for such viruses by using 
various algorithms. Every now and then, these algorithms produce 
false alarms, because a data file containing random data may 
sometimes look very similar to a file infected by polymorphic 
virus.

Conventional viruses which do not modify themselves can be 
detected by using one or more search strings. These strings are 
code strips taken from the viruses themselves. A string's 
purpose is to accurately identify the virus it is taken from, 
which is why each string must be carefully selected from the 
viral code.

Boot Sector Viruses
-------------------
False boot sector virus alarms are rare. Since there is only a 
limited number of legitimate boot sectors, it is simple enough 
to test an anti-virus program with all of them and so make sure 
that no false alarms are possible.

A boot sector is 512 bytes long. It is well within the 
capabilities of anti-virus programs to analyze such a small 
amount of code in its entirety. This also reduces the 
probability of false alarms.

Heuristics
----------
The number of false alarms may increase if files are scanned 
with heuristics. When heuristic analysis is used, anti-virus 
programs check the code inside files for suspicious routines 
which can often be found in viruses.

If heuristics reports a possible virus infection, it is not a 
case of a "normal" false alarm. The flagged file may be clean, 
but it contains code typical of viruses. Since heuristic 
analysis has been developed for the express purpose of detecting 
this kind of code, such alarms cannot be considered false in the 
way erroneous alarms given by a normal scan are.

If heuristic analysis reports that a formatting program contains 
code which performs direct disk writes, it is by no means a 
mistake - on the contrary, the antivirus program has obviously 
reached the correct conclusion.

Heuristics is, therefore, a tool which cannot be recommended for 
end users. The analysis of heuristic reports often requires some 
sort of expertise. When wielded by an expert, heuristic methods 
provide additional security against viruses. However, a user who 
is not acquainted with such matters may only be needlessly 
alarmed by the warnings given by heuristics.

Integrity Checkers
------------------
False alarms are quite common when integrity checkers, a.k.a. 
checksummers, are used. Integrity checkers usually give warnings 
of all changes that have happened to files. Since integrity 
checkers do not search for viruses per se, they do not give 
alarms which announce clean files to have been infected by 
viruses, either. An integrity checker only reports the changes 
it has detected in the contents of a file or a boot sector.

Files may change for other reasons than virus infections, 
however. This happens when a program is updated, for instance. 
Some programs also alter their own code - the most famous 
example is MS-DOS's SETVER.EXE. In such cases the user must be 
able to distinguish false alarms from real ones.

An integrity checker's tendency to give false alarms can be 
limited by adding a heuristic faculty to the program. The 
checker itself can then make a rudimentary distinction between 
legitimate and virus-induced changes, and give a report of its 
observations. The user can then make a final judgment of the 
results.
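An integrity checker with the rudimentary "heuristic faculty" just described, as an added example written in Python; it is not F-CHECK or any other F-PROT code. The baseline format, the classification rules and the files in the temporary directory are constructed for the example. SETVER.EXE is on the known self-modifying list because the bulletin names it, and the 1035-byte growth given to the "infected" file is the figure the bulletin reports for Junkie.

```python
"""Added example (not F-CHECK or any other F-PROT code): a small integrity
checker that records a baseline of file sizes and hashes, reports every
change, and applies a rudimentary heuristic to say which changes look
legitimate. All files are constructed in a temporary folder."""
import hashlib
import os
import shutil
import tempfile

# Programs known to rewrite their own code; SETVER.EXE is the bulletin's example.
KNOWN_SELF_MODIFYING = {"SETVER.EXE"}


def fingerprint(path):
    """(size, SHA-256 hex digest) of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        digest.update(fh.read())
    return os.path.getsize(path), digest.hexdigest()


def baseline(directory):
    """Fingerprint every regular file in the directory (not recursive)."""
    return {name: fingerprint(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def classify(name, old, new):
    """Rudimentary triage of a detected change, a toy form of the
    'heuristic faculty': growth is what an appending file infector
    produces, so it is flagged; a known self-modifying program is
    reported as expected. The final judgement stays with the user."""
    old_size, _ = old
    new_size, _ = new
    if name.upper() in KNOWN_SELF_MODIFYING:
        return "expected: known self-modifying program"
    if new_size > old_size:
        return ("suspicious: file grew by %d bytes, as an appending file "
                "infector would cause" % (new_size - old_size))
    if new_size == old_size:
        return ("changed in place: same size, possibly a patch or an "
                "overwriting infector")
    return ("shrank by %d bytes: unusual, compare with the original "
            "distribution" % (old_size - new_size))


def check(directory, base):
    """Compare the directory against a baseline; unchanged files are omitted."""
    current = baseline(directory)
    report = {}
    for name in sorted(set(base) | set(current)):
        if name not in current:
            report[name] = "missing"
        elif name not in base:
            report[name] = "new file (not in baseline)"
        elif base[name] != current[name]:
            report[name] = classify(name, base[name], current[name])
    return report


def demo():
    """Constructed scenario: take a baseline, then apply one change of
    each kind and return the report."""
    root = tempfile.mkdtemp()

    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    write("EDIT.COM", b"constructed program, left untouched")
    write("SETVER.EXE", b"constructed table: DOS 5.00")
    write("GAME.COM", b"constructed program that will be 'infected'")
    write("OLD.COM", b"constructed program that will be deleted")
    base = baseline(root)

    # Same size, new contents: the kind of change SETVER.EXE makes to itself.
    write("SETVER.EXE", b"constructed table: DOS 6.22")
    # Grows by 1035 bytes, the growth the bulletin reports for Junkie.
    write("GAME.COM", b"constructed program that will be 'infected'" + b"X" * 1035)
    os.remove(os.path.join(root, "OLD.COM"))
    write("NEW.COM", b"constructed program added after the baseline")
    report = check(root, base)

    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "-", verdict)
```

The classification is deliberately simple; its purpose is to label the change so the user can decide, not to replace the scan that the bulletin recommends running when a change looks like an infection.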

How to Recognize a False Alarm
------------------------------
False alarms can usually be spotted fairly easily. Some advice 
on how to recognize a false alarm can be found below.

False alarms occur most often in situations where a virus's code 
is read into the computer's memory, but the virus is not 
executed.

This kind of a situation occurs when, for example, the contents 
of a boot sector-infected diskette are listed with the DIR 
command. DOS reads the boot record into memory, but does not 
execute it. As a consequence, the computer's memory will contain 
an image of the boot sector virus. This image will be detected 
by anti-virus programs during memory scan. A similar situation 
may occur when infected files are copied. These alerts, caused 
by virus images, are known as ghost alarms.

In other words, if an anti-virus program finds a virus in the 
computer's memory, but the virus cannot be found from the hard 
disk after a clean diskette boot, it is probable that an 
infected diskette has recently been used in the computer. Check 
all diskettes to find the culprit.

Some skepticism is in order if an anti-virus program reports 
only one, regularly used program to be infected. It may be a 
false alarm - otherwise many other files would also be infected. 
This kind of false alarm usually occurs immediately after 
anti-virus programs have been updated.

Alarms given of pure data files are almost always false ones. 
Since viruses cannot spread from data files, they avoid 
infecting them. An alarm given of a data file usually specifies 
some polymorphic virus.

Normally, only executable program files should be checked for 
viruses; even though there are some viruses which infect data 
files, they infect normal program files also. There's no reason 
to check all files unless an infection is actually found. 
Besides, a scan goes much faster if you check only executable 
files.

If an old version of some anti-virus program finds a virus which 
newer versions of the same program do not seem to be able to 
detect, the alarm is probably due to a bug which has been 
noticed and corrected in the new versions. Since the makers of 
anti-virus programs usually correct the false alarms given by 
their products as soon as they are noticed, it pays to use the 
latest versions of such programs.

If you use two different anti-virus programs, they may cause 
false alarms in each other. Since some anti-virus programs keep 
their search strings unencrypted in memory or in a file, other 
such programs may mistake these strings for real viruses. False 
alarms of this kind are quite common. The problem can be avoided 
by removing the program that uses unencrypted strings.
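A toy search-string scanner, as an added example written in Python (not F-PROT code), illustrating two of the points made above and in "Polymorphic Viruses and False Alarms": scanning only executable files, so a data file that happens to contain a string is not reported, and keeping the search strings encoded in memory and on disk, so that a second scanner does not mistake the string database for an infection. The search strings, the XOR key, the "infected" file and the other files are all constructed; nothing in them corresponds to a real virus.

```python
"""Added example (not F-PROT code): a minimal search-string scanner that
checks only executable file types and keeps its search strings encoded,
so that a second scanner reading the same machine does not mistake the
string database for an infection. The search strings and the 'infected'
file are constructed markers, not real virus code."""
import os
import shutil
import tempfile

EXECUTABLE_EXTENSIONS = {".com", ".exe", ".sys", ".ovl"}
KEY = 0x5A  # constructed one-byte XOR key: obscuring, not secrecy

# Constructed search strings; nothing here matches any real virus.
SEARCH_STRINGS = {
    "Constructed.A": b"CONSTRUCTED-SAMPLE-MARKER-A",
    "Constructed.B": b"CONSTRUCTED-SAMPLE-MARKER-B",
}


def encode(data):
    """XOR with a fixed key; applying it twice restores the input."""
    return bytes(b ^ KEY for b in data)


class Scanner:
    def __init__(self, strings, scan_all_files=False):
        # Only encoded copies live in memory; each is decoded per comparison,
        # so no plaintext search string sits in the scanner's own image.
        self.encoded = {name: encode(s) for name, s in strings.items()}
        self.scan_all_files = scan_all_files

    def is_candidate(self, path):
        ext = os.path.splitext(path)[1].lower()
        return self.scan_all_files or ext in EXECUTABLE_EXTENSIONS

    def scan_file(self, path):
        """Name of the first matching search string, or None."""
        if not self.is_candidate(path):
            return None
        with open(path, "rb") as fh:
            data = fh.read()
        for name, enc in self.encoded.items():
            if encode(enc) in data:
                return name
        return None

    def scan_dir(self, directory):
        """Map of file name -> matched string name for every hit."""
        hits = {}
        for name in sorted(os.listdir(directory)):
            found = self.scan_file(os.path.join(directory, name))
            if found:
                hits[name] = found
        return hits


def write_database(path, strings, encoded):
    """Write the string database either as plaintext (the practice that
    trips other scanners) or encoded."""
    with open(path, "wb") as fh:
        for s in strings.values():
            fh.write((encode(s) if encoded else s) + b"\n")


def demo():
    """Constructed directory: one 'infected' program, one text file that
    happens to contain a marker, and the string database in both forms.
    Returns the hits of an executables-only scan and of an all-files scan."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "GAME.COM"), "wb") as fh:
        fh.write(b"constructed program" + SEARCH_STRINGS["Constructed.A"] + b"tail")
    with open(os.path.join(root, "NOTES.TXT"), "wb") as fh:
        fh.write(b"report text quoting the string CONSTRUCTED-SAMPLE-MARKER-B")
    write_database(os.path.join(root, "SIGS-PLAIN.DAT"), SEARCH_STRINGS, encoded=False)
    write_database(os.path.join(root, "SIGS-ENC.DAT"), SEARCH_STRINGS, encoded=True)

    executables_only = Scanner(SEARCH_STRINGS).scan_dir(root)
    all_files = Scanner(SEARCH_STRINGS, scan_all_files=True).scan_dir(root)
    shutil.rmtree(root)
    return executables_only, all_files


if __name__ == "__main__":
    print(demo())
```

The executables-only scan reports just GAME.COM. The all-files scan additionally reports NOTES.TXT and the plaintext database SIGS-PLAIN.DAT, both of them false alarms of the kinds described above, while the encoded database SIGS-ENC.DAT stays quiet.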

Future
------
The continuing increase in the number of viruses will be 
reflected in the number of false alarms. Polymorphic viruses in 
particular will cause problems.

Many anti-virus programs strive to detect new, unknown versions 
of known viruses. In such cases, it is practically impossible to 
totally prevent false alarms.

False negatives, on the other hand, are much more dangerous than 
false alarms. A false negative means a situation where a virus 
goes unnoticed. Traditional anti-virus programs based only on 
search strings are virtually useless against completely new 
viruses, but programs incorporating integrity checking and 
heuristics can detect them with great accuracy.

Self-modifying viruses pose a special problem to anti-virus 
programs. If such a virus cannot be recognized in all its 
different forms, a supposedly disinfected computer may retain 
unnoticed copies of the virus in some of its files. The 
remaining viruses will continue to spread further.

False alarms should always be reported to the representatives or 
makers of anti-virus products so that the bugs causing them can 
be fixed. It is also a good way to make sure that the alarm in 
question is really a false one.



Dark Side of the Moon: What Motivates Virus Writers
===================================================
by Markus Salo, freelance writer

 The views expressed in this story may not necessarily reflect
 the views of Data Fellows Ltd.

Many of us may have wondered what motivates some people to 
create viruses. At first glance, the act seems completely 
irrational: there is no money to be gained, and virus writers 
run the risk of being held liable for the destruction caused by 
their pets.

Virus writers have their reasons, of course. Few people do 
anything without a good reason, even less so these sometimes 
highly intelligent programmers. A good reason need not be a 
rational one, however. It need not even be conscious. We all do 
some things just because - let's face it - we feel like it.

Revenge and misanthropy aside, why do some of us feel like 
churning out malicious programs?

In the Interests of Research
----------------------------
Some people, particularly the top-class virus writers, maintain 
that their interest in viruses is purely scientific. They wish 
to find out everything there is to know about viruses and their 
uses. Well and good. The question is, why have they picked 
viruses as the search subject?

Limited Forums
--------------
For somebody interested in programming per se, but without a 
formal degree and/or inclination to direct his or her talents 
into some specific field, the world offers lean pickings. 
Software companies are relatively insular organizations which 
have trade secrets to protect. Theoretical research into 
computing usually requires a university degree and a post in 
some research team. What's left?

Virus groups are virtually the only organized programming forums 
open to anybody interested. They offer support, programming 
tips, camaraderie and few limitations. Group members can count 
on advice from other members, and they are free to pursue any 
subject that catches their fancy. Since the groups are more or 
less hobby organizations, members need not fear that somebody 
will cut off their funding or publishing avenues.

Army of Darkness
----------------
Why must such groups be especially virus groups? We haven't seen 
much in the way of games, utility programs or word processor 
groups. Even if such groups have been formed, they haven't 
survived, whereas virus groups have. Virus groups have drive.

Virus writing is in itself a powerful cohesive force. It places 
the programmer outside conventional rules of acceptable 
behavior. In return for relinquishing a place in ordered 
society, a virus writer gains the membership of a shadow 
society, a virus group. That the transition is largely imaginary 
is not important. It's the image that counts.

The image must, of course, be upheld. Look at all the 
paraphernalia associated with virus groups and writers. Handles 
with Dark this and Dark that. Fire and brimstone. Heavy metal 
citations. Weird bits.

The more sophisticated virus writers will no doubt argue that 
such things are pure self-irony. After all, no one could take 
such adolescent foolishness seriously. Indeed? The one thing 
that tends to characterize virus publications is a dreadful lack 
of humor. Most of these guys are dead set on their chosen roles. 
Got you, lamer! Ha-ha.

It must be noted, though, that most secretive societies display 
similar characteristics. The idea of freemasonry does not strike 
me as particularly mature, either.

Legalize Pot!
-------------
Somewhat out of keeping with their secret-society image, virus 
groups are trying to gain legitimacy for their activities. This 
can be partly seen as a response to toughening legislation. 
These groups definitely do not want to be shut down by 
governmental agencies. Official harassment might scare away 
prospective members, too.

The groups have been cleaning up their act by limiting public 
access to the viruses, polymorphic generators etc. they create. 
Moreover, many group members almost routinely equip their 
creations with notes which forbid them to be used for 
destructive purposes. This, they feel, gives them moral 
superiority. Legislative anti-virus measures must be seen as 
censorship. Freedom of expression must be protected at any cost.
These claims may have some validity. However, as long as 
the groups keep turning out software which is either potentially 
or actually harmful, such arguments are either outright 
hypocritical or at least morally one-sided.

More interesting, though, is what legitimacy would mean to the 
groups themselves. Virus groups exist to create and distribute 
viruses and other malicious software. If they stop doing that, 
or are brought under official control, they lose their reason 
for existence. A legitimate, official virus group would have 
very little cohesive force. Who would wish to join?
Do these guys know what they are doing to themselves?

Get the Lamers!
---------------
There are some talented virus writers outside the established 
virus groups. It is often among them that the most widely spread 
and destructive viruses originate.

These people are not in viruses for anything like research. They 
are out to catch lamers. In this context, a lamer is anybody who 
hasn't protected his or her system well enough. And why should 
lamers be caught? Well...why rip wings off a fly...stomp 
faggots...climb a mountain (because it's there, and you can).

Off the Beaten Path
-------------------
These people seem to want two things: thrills and reputation. 
They are not necessarily nerds, as has often been conjectured, 
but they are obviously not satisfied with their occupation 
and/or social life. Most of them also seem to be adolescent and 
male.

It is from this group that terrorists most often recruit, also.
Make no mistake: virus writers of this kind can often be very 
intelligent. They do not create destructive viruses because they 
lack appreciation of the consequences, but to satisfy emotional 
needs. The viruses themselves do not really matter. They are 
just a vehicle for negative self-expression. A means to 
establish a place in the world. Something to brag about (or 
something to drop hints of: Data Fellows has received letters in 
which virus writers deliberately gave clues about their 
identity).

Fortunately, few of these virus writers persist long in the 
adolescent stage. Usually they either get seriously interested 
in viruses and join an established virus group, or find 
something more profitable to occupy their time.

Romancing the Code
------------------
Finally, there are people who do not necessarily know the first 
thing about assembly language or virus programming. They are 
into viruses because it's cool. Viruses, polymorphic generators 
and trojan horses have a certain somber lustre about them. Who 
knows, maybe some of it will rub off if one hangs around them 
long enough.

...Just Add Some Water...
-------------------------
This is the target group for virus creation kits, polymorphic 
generators, documented source code and other goodies that virus 
groups keep churning out. It does not take very much programming 
experience to operate a menu-based virus generator, for example. 
Virus writers of this kind tend to be more interested in 
claiming the title than in actually writing viruses. However, 
after practicing long enough some of them do graduate into more 
rarefied spheres.

For writers of this kind, the most fundamental reasons for 
creating viruses may be the sense of belonging, and of 
accomplishment. Viruses have also an attractive, outlaw air 
about them. So does scrawling tags on buildings, for that 
matter. However, the additional sense of intellectual 
accomplishment may well give viruses an edge over graffiti.

Stamp Collectors
----------------
Some people collect viruses like others do stamps or coins. They 
are not usually particularly interested in using these viruses 
for anything. They do not necessarily even understand how their 
collection items work. Well, how many collectors do?
But hey, it's great to have a big collection! 

Benefits of Virus Writing
-------------------------
Virus writers often rationalize their work. Some arguments claim 
that certain viruses can be beneficial, some defend the freedom 
of expression, still others emphasize new programming techniques 
to be learned...what nonsense. Viruses, be they of the computer 
persuasion or otherwise, are basically parasites. About the only 
thing to be learned from them is how to make better parasites. 
Useless creatures, really, unless you are working for the 
military...which is a thing that should not be forgotten, 
either.

However, computer viruses have had one beneficial side effect: 
they have made people more security conscious. Viruses are a 
highly visible threat, but by no means the only one. If the 
virus threat persuades users and administrators to improve the 
security of their systems, there may be some justification for 
the existence of viruses after all. Sort of.


F-PROT Support informs: Common Questions and Answers
----------------------------------------------------
If you have questions about data security or antivirus issues, please 
contact your local F-PROT distributor. You can also contact Data 
Fellows Ltd directly by telephone at +358-0-692 3622. Written questions 
can be mailed to: Data Fellows Ltd, F-PROT Support, Wavulinintie 10, 
00210 HELSINKI, Finland. If you prefer e-mail, the Internet address 
is f-prot@datafellows.fi, and the X.400 address is S=F-PROT, OU1=DF, 
O=elma, P=inet, A=mailnet, C=fi.


Our company has some old PCs which can only read 5.25" 360 kB 
diskettes. I would like to scan these computers after a clean 
diskette boot, but the F-PROT files do not fit on one 
diskette.

        F-PROT for DOS does fit on a 360 kB diskette in 
        stripped form, that is, with only the absolutely 
        necessary files. Copy the files F-PROT.EXE, SIGN.DEF and 
        ENGLISH.TX0 onto a diskette and write-protect it. Boot 
        the computer from a clean, write-protected DOS diskette, 
        insert the F-PROT diskette and run the scan.

I use PC Tools for Windows 2.0. When I try to run scans by 
dragging folders from the PC Tools File Manager and dropping them 
on top of F-Agent's icon, I receive an error message.

        The PC Tools File Manager is not wholly compatible with the 
        Windows File Manager. It is possible to drag files from 
        the PC Tools File Manager, but only from the right-hand 
        window. Do so.

MS-DOS 6 multiconfig commands and VIRSTOP.

        With MS-DOS 6, it is possible to define several different 
        configurations in one set of startup files. This is done 
        with the menuitem command in CONFIG.SYS and the 
        goto %config% command in AUTOEXEC.BAT. If the multiconfig 
        option is used, VIRSTOP's loading command must be added 
        either to each configuration block separately, or to the 
        common section which is processed for every menu choice. 
        This way, VIRSTOP is loaded regardless of the 
        configuration option.
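As an added illustration, not taken from the bulletin or from the
F-PROT documentation, here is what such a multiconfig setup can look
like. The block names NETWORK and LOCAL, the driver lines inside the
configuration blocks and the install directory C:\F-PROT are
assumptions; check the VIRSTOP documentation for the exact loading
command and switches on your own installation.

```batch
REM ===== CONFIG.SYS (MS-DOS 6 multiconfig) =====
[menu]
menuitem=NETWORK, Workstation with network drivers
menuitem=LOCAL, Stand-alone session (no network)
menudefault=NETWORK, 15

[common]
REM Lines in [common] are processed for every menu choice.
REM If VIRSTOP is loaded from CONFIG.SYS on your installation,
REM its line belongs here, not in one of the blocks below.
DEVICE=C:\DOS\HIMEM.SYS
DOS=HIGH
FILES=40

[NETWORK]
REM Placeholder network driver line (assumption).
DEVICE=C:\NET\NETDRV.SYS
LASTDRIVE=Z

[LOCAL]
LASTDRIVE=E

REM ===== AUTOEXEC.BAT =====
@ECHO OFF
PATH C:\DOS;C:\F-PROT
REM %CONFIG% holds the name of the block chosen from the menu.
REM Load VIRSTOP before GOTO %CONFIG%, so it is resident
REM whichever choice was made. Putting it only under :NETWORK
REM (a common mistake) leaves every LOCAL session unprotected.
C:\F-PROT\VIRSTOP.EXE
GOTO %CONFIG%

:NETWORK
REM Placeholder network start command (assumption).
C:\NET\NET START
GOTO END

:LOCAL
ECHO Running without network drivers.
GOTO END

:END
```

The point to check after editing is simply that VIRSTOP appears in
memory (for example by running the MEM command with the /C switch)
after booting with each menu choice, not just the default one.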



Changes in F-PROT Professional 2.13
-----------------------------------

Heuristic Analysis
------------------
F-PROT's Heuristic Analysis has changed significantly. To sum it up:
  - The detection of new viruses has been greatly improved
  - Known false alarms have been eliminated.
  - When the /GURU option is used, the report is significantly
    more comprehensive than before.

In version 2.13, the heuristics alarm threshold has been lowered 
considerably. This means that F-PROT will detect a greater 
proportion of new viruses than before. However, it also means that 
the heuristics will occasionally warn about files which are not 
infected.

F-PROT 2.13 heuristics may warn about files which, though 
clean, contain nonstandard or suspicious routines. 
Don't be unduly alarmed if you receive warnings about files which 
previous F-PROT versions did not consider suspicious. 
If you want a comprehensive report on what has caused an 
alarm, use the command F-PROT C:\DIR /ANALYZE /GURU. You can 
also send the file to us for closer analysis. 
The changes in heuristics do not affect Secure Scan.

Automatic Update
----------------
Two new files, NETWORK.TXT and FPUPDATE.BAT, have been added to 
the MATERIAL directory of the F-PROT update diskette. NETWORK.TXT 
gives detailed instructions on the network usage of F-PROT for 
DOS. FPUPDATE.BAT is an example of a batch file which 
automatically updates new versions of the program on 
workstations connected to a network. 
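The bulletin does not reproduce FPUPDATE.BAT itself. The batch file
below is an added example of the same idea, written for this edition
rather than taken from the update diskette. It assumes that the server
copy of F-PROT is reachable as F:\F-PROT, that each release is
accompanied by a marker file named after its version (213.VER, an
invented convention), and that the workstation keeps F-PROT in
C:\F-PROT. Run it from the login script or AUTOEXEC.BAT of each
workstation.

```batch
@ECHO OFF
REM Illustrative network update script for F-PROT for DOS.
REM Not the FPUPDATE.BAT shipped on the update diskette.
REM Assumed layout: master copy in F:\F-PROT (read-only to
REM users), local copy in C:\F-PROT, and a marker file
REM F:\F-PROT\213.VER that identifies the release.

IF NOT EXIST F:\F-PROT\F-PROT.EXE GOTO NOSERVER
IF EXIST C:\F-PROT\213.VER GOTO UPTODATE

ECHO Installing F-PROT 2.13 on this workstation...
IF NOT EXIST C:\F-PROT\NUL MD C:\F-PROT
REM XCOPY sets ERRORLEVEL on failure; COPY does not, which is
REM why XCOPY is used here. The trailing backslash tells XCOPY
REM that the target is a directory, so it does not ask.
XCOPY F:\F-PROT\*.* C:\F-PROT\ > NUL
IF ERRORLEVEL 1 GOTO FAILED
GOTO UPTODATE

:FAILED
REM Remove the marker so that the next run retries the copy
REM instead of treating a half-copied update as complete.
IF EXIST C:\F-PROT\213.VER DEL C:\F-PROT\213.VER
ECHO F-PROT update failed; the previous version remains in use.
GOTO END

:NOSERVER
ECHO Server copy of F-PROT not found; update skipped.
GOTO END

:UPTODATE
ECHO F-PROT 2.13 is installed on this workstation.
GOTO END

:END
```

Keep the server directory read-only for ordinary users: every
workstation trusts it, so a writable master copy is the one place
where a single infected machine could replace the scanner for the
whole network. The marker file is only a convenience for the batch
file; NETWORK.TXT on the update diskette describes the supported
network usage of F-PROT for DOS.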

Other Changes
-------------
Boot sector virus disinfection has been improved. Viruses that 
do not preserve the original boot record can now be removed by 
overwriting the boot sector with a generic boot record 
substitute.  The same method can also be used to remove boot 
sector viruses for which virus-specific disinfection has not 
been implemented yet.

The French Boot virus has been renamed Jumper. 
F-PROT can now also remove the LZR virus. 
Many viruses created with the VCL code generator have been 
renamed. 

The following false alarms have been eliminated:
        "Possibly a new variant of Civil_Defense" given for the 
        file CSP.SYS, which was included on Sound Blaster AWE32 
        driver diskettes 
        
        "Possibly a new variant of AntiCMOS" given for hard disks 
        which were partitioned by using MITAC's utility program 
        published in 1987 
        
        A Jerusalem warning given for the file WIN31.EXE, which is 
        part of the MS Chicago beta version (only when scanned with 
        Quick Scan or VIRSTOP) 
        
        "Possibly a new variant of Wisconsin" given for the file 
        SURPRISE.COM
        
        "Possibly a new variant of Pit" given for the file 
        BLOCKCUR.COM
        
        "Possibly a new variant of Civil_Defense" given for the 
        file PALETTE.COM

The Cossiga virus has been renamed Grazie so that F-PROT follows 
the CARO naming standard as closely as possible.

New Viruses Detected by F-PROT 2.13
-----------------------------------
The following 44 viruses are now identified, but cannot be 
removed as they overwrite or destroy infected files. Some of 
them were detected by earlier versions of F-PROT, but only 
reported as "New or modified variant of...".

Bad_Brains.554.A             HLLO.3816
Bad_Brains.554.B             HLLO.Gov
Bad_Brains.570               HLLO.Orion
Budo.B                       HLLO.Shadowgard
Burger.505.K                 Jasmine
Burger.505.L                 Leprosy.Sandra
Burger.505.M                 Leprosy.Seneca.381
Burger.505.N                 Leprosy.Seneca.483
Burger.512.B                 Lockjaw.Flagyll.316
Burger.560.AO                Lockjaw.Flagyll.369
Burger.560.AP                Mayhem
Burger.560.AQ                Morrison
Burger.560.AR                Orchid.120
Burger.560.AS                Taiwan.752.C
Fasolo.176                   Trivial.Infernal
Faulkner                     VCL.356
Grog.Aver_Torto              VCL.418
Grog.Bruchetto               VCL.509
Grog.Delirious               VCL.541
Grog.Hop                     VCL.Cockroach
Grog.Il_Mostro               VCL.Jam
                             Vienna.526
                             Vienna.561.B

F-PROT can detect and remove the following 225 new viruses. 
Earlier versions of F-PROT could detect many of these viruses. 
Now they are also identified accurately.

AntiCMOS.B                        Mayberry.402
Arale                             Mayberry.409
Ash.449                           Mayberry.475
Australian_Parasite.1024          Mayberry.496
Australian_Parasite.1050          Mayberry.502
Australian_Parasite.1179          Mayberry.609
Australian_Parasite.118.A         Mayberry.687
Australian_Parasite.118.B         Mayberry.732
Australian_Parasite.122.A         Mayberry.747
Australian_Parasite.122.B         Mayberry.758
Australian_Parasite.213           Mayberry.799
Australian_Parasite.217           Mayberry.828
Australian_Parasite.221           Morrison
Australian_Parasite.229           MP1024
Australian_Parasite.440           No_of_the_Beast.BG
Australian_Parasite.482           Nympho.230
Australian_Parasite.588           Old_Yankee.1961.A
Australian_Parasite.591           Old_Yankee.1961.B
Australian_Parasite.726           Old_Yankee.1961.C
Australian_Parasite.784           Phalcon.Cloud.1110
Australian_Parasite.784           Phalcon.Cloud.1117
Australian_Parasite.AMSV          PHB.4461
Australian_Parasite.Gotter        Phunnie
Australian_Parasite.Lipo          Pixel.1268
Better_World.E                    Pixel.739
Budo.B                            Pixel.846.B
Burger.505.K                      Pixel.851
Burger.505.L                      Polifemo
Burger.505.M                      PS-MPC.G2.573.C
Burger.505.N                      PS-MPC.Page.780
Burger.512.B                      PS-MPC.Pikninny
Burger.560.AO                     PS-MPC.Powermen
Burger.560.AP                     PS-MPC.Small_ARCV.B
Burger.560.AQ                     PS-MPV.212
Burger.560.AR                     PS-MPV.606.D
Cascade.1701.Q                    PS-MPV.Arcv-1.731
Cascade.1701.R                    PS-MPV.G2.573.C
Cascade.1704.T                    PS-MPV.Pikninny
Cascade.1704.U                    PS-MPV.Powermen.717
Chaos.H                           PS-MPV.Powermen.718
Chaos_Year.2005                   PS-MPV.Small_ARCV.B
Creeper.472                       PS-MPV.Tim.405
Curse_IV                          PS-MPV.Tim.500
Dark_Avenger.1800.Satan           Quadratic.986
Diamond.1050                      Rape.1882
Doom_II.1249                      Rape.2887
Ear.Ear.B                         RedStar
Ear.Ear.C                         Screaming_Fist.927
Espacio.8444                      Screen+1.1624
Espacio.8458                      Screen+1.919
Espacio.8486                      SillyCR.397
Espacio.8491                      Skater.1021
Espacio.8498                      Skater.699
Fasolo.176                        Skater.977
Faulkner                          SMEG.Pathogen
Fax_Free.1024.Abstract            SMEG.Queeg
Fax_Free.1024.F                   Stoned.Standard.Null.C
Fax_Free.1024.G                   Storm.1219
Fax_Free.1024.H                   Storyteller
Fax_Free.1536.Darkover.A          Suriv_2.I
Fax_Free.1536.Darkover.B          SVC.3241
Fax_Free.1536.Darkover.C          SysLock.Syslock.G
Fax_Free.1536.Mecojoni.A          Taiwan.752.C
Fax_Free.1536.Mecojoni.B          Taiwan_Over.2770
Fax_Free.1536.Mecojoni.C          Tankard.542
Fax_Free.1536.Pinniz.E            The MzBoot family
Fax_Free.2766                     The _484 family
Fax_Free.Mecojoni                 Totoro.B
Freddy_Soft                       Totoro.C
Frodo.Fish_6.E                    Traveling_Jack.1008
Fumble.867.F                      Trident.914
Genesis                           Taiwan_Over.2944
Genvir.1440                       VCL.2750
Grog.Danzerino                    VCL.3243
Grog.Enmity_2_0                   VCL.514
Grog.Enmity_2_1                   VCL.534
Grog.Joemetafora                  VCL.604
Grog.Joe_Anthro                   VCL.660
HLL.7940                          VCL.Dial.671
HLLO.3816                         VCL.Diarrhea.1221
IMI.A                             VCL.Heevahava.516
IMI.B                             VCL.Mimic.4863
IMI.C                             VCL.Pro-Choice
IMI.D                             VCL.Reptoid
IMI.E                             VCS.Standard.Bad_Poem
IMI.F                             VCS.Standard.Bad_Poem
Infector.847.A                    Vic.399
Infector.847.B                    Vienna.526
Ionkin.212                        Vienna.561.A
Ionkin.2372                       Vienna.561.B
Jerusalem.1506                    Vienna.608.B
Jerusalem.1808.Execute            Vienna.Violator.707
Jerusalem.1808.Frere.I            Vienna.Violator.779
Jerusalem.1808.Standard.AO        Virdem.1336.Killer.C
Jerusalem.AntiCad.2454            VS.2790
Jerusalem.AntiCad.26256           Wave.454
Jerusalem.AntiCad.2646            Wildfire
Jerusalem.Pipi.1536               Xak
Jerusalem.Pipi.1552               _339
Jerusalem.PSQR.Satan              _641
Jerusalem.Smile 
Jerusalem.Solano.Dyslexia.Satan 
Jerusalem.Sunday.Nai-Tai 
Jerusalem.Sunday.Satan 
Jerusalem.Sunday_II.B 
Jerusalem.Tarapa.B 
Jihuu.686 
Julia.1027 
Junkie 
Keeper.Lemming 
Leprosy.Sandra 
Leprosy.Seneca.381 
Leprosy.Seneca.483 
Lesson_I.306 
Lockjaw.894 
Lockjaw.Flagyll.316 
Lockjaw.Flagyll.369 
Lyceum.1950 
Maaike.164 
Maaike.250 
Maaike.757 
Marked-X 
Marzia.L 
Marzia.M 
Max 


The following 24 new viruses can now be detected but not yet 
removed.

_484
Alien
ARCV.255
Australian_Parasite.440
Mike
Moonlite
MzBoot
Number_of_the_Beast.BG
PS-MPC.Page.780
Rape.1182 
Rape.2887
Rubbit.681
Rubbit.1018
Rubbit.2060.A
Rubbit.2060.B
Rubbit.3811
Rubbit.3839.A 
Rubbit.3839.B
Screen+1.919
Screen+1.1624
Skater.664
Skynet
Svc.3241
Variable_Worm.C

Earlier versions of F-PROT could detect the following 7 viruses. 
Now they can also be removed.

Bravo 
Gippo.Bumpy
Gippo.Epidemic
Gippo.Stunning
LZR
Reverse A 
Reverse B

------------------------------------------------------------------------------
      This text may be freely used as long as the source is mentioned
               F-PROT Professional 2.13 Update Bulletin
                                   -
                 Copyright (c) 1994 Data Fellows Ltd
------------------------------------------------------------------------------
  This file may not be placed to be available for download in a system which
  allows users to access live computer viruses, source codes for viruses, or
  instructions for generating a new virus. Thank you.
