
F-PROT 2.08 Update Bulletin Copyright (c) 1993 Data Fellows Ltd

This text may be freely used as long as the source is mentioned as
'Source: F-PROT 2.08 Update Bulletin Copyright (c) 1993 Data Fellows Ltd.'

===============================================================================

F-PROT 2.08 Update Bulletin
---------------------------

The International Distribution Network for F-PROT becomes more effective
------------------------------------------------------------------------

The international distribution of F-PROT is becoming more and more
effective as new agreements are signed between Data Fellows Ltd. and
distributors in various countries. The latest distribution agreement
has been signed with Symbolic, Inc. of Parma, Italy. The localization
of F-PROT for the Italian market has already been successfully
completed.

A topic very close to the hearts of anti-virus professionals is the
success of Microsoft Anti-Virus (MSAV), which is included as part of
DOS 6.0. Tests are beginning to appear in the computer magazines. We
will report on the effectiveness of MSAV in an upcoming issue as well.


New Viruses and Their Descriptions
----------------------------------

Trivial
-------
At the beginning of April a new member of the Trivial virus family was 
found in Rovaniemi, Finland. 

Trivial is a peculiar one as virus families go, because, aside from
their extremely small size, its members have no common factor. Most of
these viruses take up less than one hundred bytes - it seems that virus
writers have competed over who can write the smallest functional
virus. All viruses of the Trivial family infect a single COM file at a
time, and they spread by overwriting the beginning of their victim.

The smallest known DOS virus that still retains its functionality 
(Trivial.25) is only 25 bytes long. In other words, it takes up about 
as much space as the first four words of this paragraph. 

The variant of Trivial discovered in Rovaniemi has a size of 45 bytes. 
The actual virus code is only 29 bytes long, the rest of the virus 
consisting of the message "Krtsy Rules!". From this message one can 
deduce that the virus is of Finnish make.

The way the virus functions is extremely simple. It checks the
directory for files whose extension starts with the letter C. If such a
file is found, the virus replaces the beginning of the victim file with
its own code. Having done this, it terminates.

The Trivial viruses do not present a threat that should be taken
seriously. They infect only COM files residing in the same directory,
and their infection method damages the victim file, which makes the
infection easy to recognize.

Hitchcock.b
-----------
An initial finding of a new variant of the Hitchcock virus was made in
Joensuu, Finland. The virus was, in fact, discovered in the middle of
1992, but it took until March 1993 for a sample of it to be submitted
for examination.

The new variant has been named Hitchcock.1238. The name refers to its 
size. The original Hitchcock virus is 1247 bytes long. 

No previous variants of the virus have been discovered anywhere in the 
world. The native country of the original Hitchcock virus is not 
known, but the freshly discovered variant may have been made in 
Finland.

Hitchcock.1238 is a virus which spreads quite efficiently. The code of
the original Hitchcock virus has been modified a little - the main
purpose seems to have been to change the code to a degree where
scanner-type anti-virus programs could no longer recognize it. In any
case, F-PROT 2.02, which is already over a year old, finds the virus
with all of its search methods. The only significant changes in the new
variant have been made to the activation routines.

The most important alterations separating the new variant from the
original Hitchcock are the decrease in size and a change in the "Are
you there?" call the virus uses. The original virus checks whether it
has already been installed in memory by issuing a call through an
interrupt it hooks, INT 21h with AX=4BFEh. If the virus is already
resident in memory, it recognizes the call and answers by returning the
value 1234h in the AX register. The new variant functions identically,
but the call it uses has been changed to INT 21h with AX=4BFFh. Neither
of these calls is normally used.

Examination of the virus code leads one to the conclusion that the 
author of this new variant has probably had the source code of the 
original virus available to him or her.

The virus stays resident in memory, of which it reserves about 3.5
kilobytes for itself. The reduction in memory can be observed with the
MEM command, although this does not show the name of the program that
causes it. Besides interrupt 21h, the virus also hooks interrupt 1Ch
for its own use.

Hitchcock.1238 checks that the version number of the computer's DOS is 
at least 2.0. Otherwise it will not spread.

The virus infects every COM file that is executed, provided its size
falls between 1288 and 64000 bytes. It does not trust the file-name
extension, but checks the program type by examining the first two
characters in the file. The virus is able to bypass read-only
protection set with the ATTRIB command, but, since it does not install
a critical-error handler, the execution of a COM file from a
write-protected diskette produces the error message "Write protect
error".

The virus does not alter the time stamp of an infected program, apart
from the 'seconds' field, which it sets to the value 20 after
completing the infection. The virus uses this marker to indicate a file
which has already been infected, and, consequently, it does not infect
files whose 'seconds' field in the original creation date contains the
value 20. A directory listing produced with DOS's DIR command does not
show seconds at all.

The virus increases the size of infected files by 1238 bytes. This 
change is visible in the directory listing - the virus does not 
contain stealth routines. The viral code is placed in the beginning of 
an infected file, whose first 1238 bytes are moved to the end of the 
file.

The Hitchcock virus activates after having been resident in memory for
4 minutes and 7 seconds. After this it begins to play the theme from
the Hitchcock television series. The tune is quite easily recognizable
and lasts about thirty seconds. The music continues endlessly, with a
pause of a couple of seconds between the end and the restart of the
theme.

In the original version of the virus, the music routine was activated 
only if the virus was executed during August. This check has been 
removed from the new version. As a result, Hitchcock.1238 is quite 
obvious and very easy to spot. Because of this it is never likely to 
become very common.

The music routine runs as part of the System Timer Tick interrupt
[1Ch], which gets a slice of processor time 18.2 times a second.
Because of this, the music is played entirely in the background,
without disturbing the execution of other applications in any way. The
music routine works even in the background under Windows.

The virus code contains no text strings, nor has it been encrypted in
any way. From a technical point of view, the code has been written
quite well, if somewhat wastefully.

F-PROT 2.08 is able to recognize and remove the Hitchcock.1238 virus.

Cinderella.c
------------
The first finding of a new variant of the Cinderella virus was made in 
March, in Rovaniemi, Finland.

The new variant is likely to be named Cinderella.c. Three previous 
versions of the Cinderella virus are known, all of which have probably 
been made in Scandinavia.

The Cinderella.c virus is functionally based on the first known
version of the Cinderella virus, Cinderella.a. The virus stays
resident in memory and infects COM files. The virus does not contain
actual stealth features, but it does not update the time stamp of the
infected files. In addition to this, the Cinderella viruses are able to
bypass the DOS read-only attribute.

The virus keeps a counter which is incremented with each keystroke.
This counter triggers the activation routine, which creates one
zero-length file on the hard disk and reboots the computer. In the
original version of the virus the file in question was named
cInDeReL.la, but in the new variant it has been changed to
CindyRul.es!. When the directory listing is examined under MS-DOS, the
names of the files are shown in capital letters.

The designer of the Cinderella.c virus intended to change the original
viral code to the point where scanner-type anti-virus programs can no
longer recognize it. This has been done by changing the internal order
of instructions. Shown in pseudo code, the principle is as follows:

The original code:                  The altered code:
...                                 ...
move the value in variable a to b   add to counter d
move value 5 to variable c          move value 5 to variable c
add to counter d                    move the value in variable a to b
add c to d                          add c to d
if value > 10 perform routine       if value > 10 perform routine
...                                 ...

Thus altered, the functioning of the program does not change at all,
but the appearance of the virus differs almost completely from the
original. The author of the Cinderella.c virus may not even have known
the assembly language of Intel processors anywhere near perfectly.
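As an added illustration (not code from the bulletin or from F-PROT), the following Python models the pseudo-code above as instructions with read and write sets. An exact signature fails on the reordered block, while a comparison based on a dependency-aware canonical ordering still matches it, and a constructed block in which an instruction was moved across a dependency (a genuinely different program) does not. The instruction names, the read/write sets and the canonical-ordering rule are assumptions made for this example.

```python
"""Why reordering independent instructions defeats an exact signature,
and how an order-insensitive comparison still recognizes the block.
Added example modelling the Cinderella.c pseudo-code; not F-PROT's code."""


def insn(text, writes=(), reads=()):
    """One instruction: its text, the locations it writes, the locations it reads."""
    return (text, frozenset(writes), frozenset(reads))


# The bulletin's "original code" as read/write sets (names are assumed).
ORIGINAL = [
    insn("mov b, a", writes={"b"}, reads={"a"}),
    insn("mov c, 5", writes={"c"}),
    insn("inc d", writes={"d"}, reads={"d"}),
    insn("add d, c", writes={"d"}, reads={"d", "c"}),
    insn("jg d, 10, routine", reads={"d"}),
]

# The bulletin's "altered code": the three independent instructions swapped.
ALTERED = [ORIGINAL[2], ORIGINAL[1], ORIGINAL[0], ORIGINAL[3], ORIGINAL[4]]

# A constructed counter-example: "mov c, 5" moved below "add d, c", which
# reads c, so this is a different program, not a harmless reordering.
BROKEN = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[3], ORIGINAL[1], ORIGINAL[4]]

# A scanner signature: the original instruction texts in their original order.
SIGNATURE = tuple(text for text, _, _ in ORIGINAL)


def exact_signature_match(block, signature):
    """Model of a byte-signature scanner: the signature must appear
    contiguously and in the original order."""
    texts = [text for text, _, _ in block]
    n = len(signature)
    return any(tuple(texts[i:i + n]) == tuple(signature)
               for i in range(len(texts) - n + 1))


def dependency_edges(block):
    """Pairs (i, j), i < j, where j must stay after i: j reads what i writes,
    j writes what i reads, or both write the same location."""
    edges = set()
    for j, (_, w_j, r_j) in enumerate(block):
        for i in range(j):
            _, w_i, r_i = block[i]
            if (w_i & r_j) or (r_i & w_j) or (w_i & w_j):
                edges.add((i, j))
    return edges


def canonical_order(block):
    """Topological sort that always emits the lexicographically smallest
    instruction whose predecessors are already emitted. Every legal
    reordering of the same block yields the same result."""
    edges = dependency_edges(block)
    preds = {j: {i for i, k in edges if k == j} for j in range(len(block))}
    emitted, out = set(), []
    while len(out) < len(block):
        ready = [j for j in range(len(block))
                 if j not in emitted and preds[j] <= emitted]
        nxt = min(ready, key=lambda j: block[j][0])
        emitted.add(nxt)
        out.append(block[nxt][0])
    return tuple(out)


def canonical_match(block, reference):
    """Order-insensitive comparison: equal canonical forms mean the same program."""
    return canonical_order(block) == canonical_order(reference)


if __name__ == "__main__":
    print("exact signature, original:", exact_signature_match(ORIGINAL, SIGNATURE))
    print("exact signature, altered: ", exact_signature_match(ALTERED, SIGNATURE))
    print("canonical match, altered: ", canonical_match(ALTERED, ORIGINAL))
    print("canonical match, broken:  ", canonical_match(BROKEN, ORIGINAL))
```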

In any case, even F-PROT 2.02, which is more than a year old, finds
the new variant with all of its search methods. F-PROT recognizes the
virus as "Probably a new variant of Cinderella".

The presence of a Cinderella virus in a system can be detected by such 
clues as reduction in the amount of available memory and a growth in 
the size of COM files. 

Hamster
-------
The Hamster virus was discovered in Norway in the middle of April. The
virus seems to have spread widely in southern Norway and has probably
already spread to other countries as well.

Hamster has quite simple functions. It infects COM files which reside 
in the same directory with itself. The virus adds its own code to the 
end of the host program and alters the beginning of programs so that 
the virus code is executed first.

The virus infects only one file at a time, and it does not change the
time stamp of its victims. Hamster places no limiting conditions on
its potential victims, but infects all COM files it finds that are not
already infected. The virus examines the program type by checking for
the characters "MZ", which indicate that the program is structurally
an EXE file.

The virus stores the names of the current host program and the 
previous one inside its code. This makes it possible to trace the 
route it has spread along. The virus code also includes one message: 
"Turbo Hamster Virus!".

F-PROT 2.08 is able to find and remove the Hamster virus.

Strike Commander Trojan on the move
-----------------------------------
Near the end of April, a file called SCTRNUNT.ZIP was circulating on
BBSs all over the world. This program was supposed to grant endless
lives to the player of the popular game Strike Commander. It was,
however, really a wicked Trojan Horse. When the program is started,
the following message appears on screen:


By: Wayward

Welp, here it is.  Strike Commander Trainer. It was relatively easy
since most of the sub-routines were in the file. Also I also found a
nasty during take-offs. It's a randomly copy protection. It was a
bitch to find it since Origin has a weird way of encrypting their
files.  Just run SCTRNUNT.EXE and have approx. 2+ megs free since I
have to uncompress a couple of files. We' re sorry we didn't release
the speech pack, but get them anyways!  It's worth the FP's. See you
in the next release!

Have Fun!
This will take awhile.  Approx. 2 and a half mins.  Go grab your 
helmet!


The purpose of this text is to allay the user's suspicions, for after
the text has been shown, the hard disk begins to work furiously. The
program does not, in fact, extract packed files, but destroys
information on the disk.

This Trojan has been written in Borland Turbo Pascal, and it contains
a destruction routine which overwrites the first 255 sectors on the
first six logical disks. After such destruction practically all the
information in the computer is lost. The damage is done using an
absolute disk write - the information on the disk is overwritten with
random data found in memory. The program begins its sabotage at drive
H and advances from there to drive C.

The program contains a character string which cannot be seen directly, 
because the Trojan has been packed with PKLITE:


HI--TC!.!!! Keith Reid, This is a trojan. Have fun taking it apart.
Later Titus Crow of Gallows Howe. I love you too!


Those who use the file services of BBSs might do well to remember an
old and tried rule: it is not worthwhile to be the first to test an
unknown program. By waiting a couple of days before transferring a
program to one's own computer, one can be sure it won't contain any
unwelcome side effects - others will have had time to test it before
that.


F-PROT Support Advises: Common Questions and Answers
----------------------------------------------------

If you have questions about information security or virus prevention,
you can contact F-PROT support at +358-0-692 3622. You can also
address your written questions to: Data Fellows Ltd., F-PROT Support,
Wavulinintie 10, SF 00210 HELSINKI, FINLAND. Questions sent by
electronic mail can be addressed directly to Mikko Hyppönen, who
handles technical support; his Internet address is
mikko.hypponen@compart.fi.


I have started using DoubleSpace, the disk-doubling feature of MS-DOS 
6. When using other disk packers, I have been advised to make a tool 
diskette that contains the drivers the packers use, because otherwise 
anti-virus programs and other tools cannot read the packed data after 
I have booted the computer from a diskette. Is this also the case with
DoubleSpace?

        DoubleSpace is a built-in part of the MS-DOS operating system.
        Because of this, it does not need a separate driver. You can
        access the data on the packed disk directly after booting your
        computer from a diskette, as long as the diskette was made with
        MS-DOS 6.

        A new hidden system file, DBLSPACE.BIN, which has appeared
        alongside the familiar IO.SYS and MSDOS.SYS, makes this
        possible. DBLSPACE.BIN is loaded automatically during boot-up
        whether or not the diskette contains a CONFIG.SYS file.


I was testing out the new Microsoft DOS 6.0. After having tried the
MSAV anti-virus program, I also executed F-PROT. F-PROT reported a
Stoned virus in memory. I booted the computer from a clean diskette,
but the virus was nowhere to be found. What's up?

        You have run into a false alarm caused by the Microsoft
        Anti-Virus program. Unlike practically all other anti-virus
        programs, MSAV does not clean up memory after having completed
        its check. This means that MSAV leaves a trail of virus
        signatures in its wake in memory. Most anti-virus programs
        produce false alarms of an active virus in memory if they are
        executed after MSAV.

        MSAV is, in fact, a reduced version of CPAV, marketed by
        Central Point. CPAV, too, has this same problem. For nearly two
        years, people have been complaining about this to Central
        Point, but the problem has not been corrected. In fact, in
        their documentation Central Point states in no uncertain terms
        that their product is not compatible with any other anti-virus
        software. The suggested remedy in the CPAV manual is to refrain
        from using any product other than CPAV on the same computer.

        The TSR programs that come with MSAV and CPAV, VSAFE and
        VWATCH, also cause similar false alarms. The most common false
        alarms caused by MSAV and CPAV concern the viruses Flip,
        Filler, Stoned and Telecom.

        According to tests, the MSAV that comes with MS-DOS finds about
        70% of known viruses.


We use the F-AUTO program to automate virus checks. For some reason 
the system does not act like it is supposed to; the check is only made 
on the hard disk of the user who first logs into our local network. 
The check is configured to happen every day. 

        You have installed the F-AUTO program on a network. Whenever
        F-AUTO is executed, it creates a file called F-AUTO.CFG in which
        the last execution date is stored. If F-AUTO is located on a
        shared disk area, the first user updates this file, and,
        consequently, other users no longer trigger the check. If you
        move the F-AUTO program to the local hard disks of the
        workstations, the checks will function correctly.


I updated F-PROT to its latest version, but at the same time VIRSTOP 
destroyed a customized message I had installed, the purpose of which 
was to guide users in the case a virus infection was found. Is there a 
way to preserve the VIRSTOP message over version updates?

        Unfortunately there is not. The F-PROT function Install/Install
        stores the customized VIRSTOP message in the program file
        VIRSTOP.EXE itself, and it is consequently lost when the program
        is replaced by a newer version. Because of this, a manager has
        to re-enter the message during each update. A manager can
        minimize the work this requires by altering VIRSTOP before the
        new version is circulated in the organization. An automatic
        network update will also ease the trouble this problem causes.


How does the F-PROT automatic network updating work?

        Automatic network updating means a system in which local area
        networks are used for the version management of the F-PROT
        program. When a new version comes out, the system manager copies
        it onto the hard disk of a file server. During login to the
        network, the workstations automatically check whether the server
        holds a newer version of the program than the local hard disk.
        If so, the local version is automatically replaced by the latest
        one.

        Data Fellows Ltd. has developed an automatic network updating
        system which functions in LAN Manager and Novell networks as
        well as in almost all other network operating systems. The
        largest companies using the F-PROT update system manage updates
        to over a thousand PCs at a time by using just such a system -
        in such cases, manual updating would be an overwhelming task.

        For more information about the F-PROT automatic network update
        system, contact F-PROT Support at Data Fellows Ltd.


While I was checking a diskette with F-PROT, all of a sudden I
received the message "An active Stealth virus was found in memory".
I couldn't find this virus, however, not even after a clean boot.
What is happening here?

        Cold-start the computer from a clean diskette and run the check
        again. If the virus cannot be found on the hard disk or
        diskettes, the message was caused by something other than a
        stealth virus.

        While checking files, F-PROT also continually monitors the state
        of the operating system. When F-PROT begins to examine a file,
        it notes the file's expected size, and, after the file has been
        searched, compares it to the actual file size. If there is a
        discrepancy, it can be assumed that something is feeding the
        operating system counterfeit information - something that active
        stealth viruses are known to do.

        A similar situation may also arise if the disk's directory
        structure contains corrupted data. If the disk contains two
        files with the same name in a single directory, the second one
        cannot be handled by any of the DOS functions. F-PROT opens
        files one by one with no regard to names, but it compares the
        file length to the value DOS announces for it. When the two
        values do not match, F-PROT reports this. Because DOS does not
        allow the creation of two files with the same name in a single
        directory, such a situation can only result from an error or a
        deliberate alteration.

        The same message also results if the disk contains a file that
        has been named after a device driver. Such names are, for
        example, COM1, PRN, LPT1, XMS000, CON and CLOCK$, and they are
        reserved exclusively for DOS's use. Through these virtual names,
        data can be sent directly to devices. DOS does not allow files
        to be named after device drivers, but such a file may result
        from an error, or if a diskette has been used in some other
        computer environment.

        In this case, F-PROT tries to compare information from a real
        file and a virtual device driver. Naturally enough, the two do
        not match.

        Logical disk errors such as the ones described above can be
        corrected with the Norton Utilities or a similar tool program.
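The consistency checks described in the answer above, as an added Python example (not F-PROT's own code): a directory entry whose announced size differs from what can actually be read, two entries with the same name, and a name that collides with a DOS device are each reported. The sample directory and listing are constructed inline, and the device-name set extends the names the answer lists with the other standard DOS device names.

```python
"""Directory consistency checks of the kind the answer describes.
Added example, not F-PROT's code: flags size discrepancies, duplicate
names and files named after DOS devices."""
import os
import tempfile

# The answer lists COM1, PRN, LPT1, XMS000, CON and CLOCK$; AUX, NUL and the
# remaining COM/LPT ports are the other standard DOS device names.
DOS_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$", "XMS000"}
    | {f"COM{n}" for n in range(1, 5)}
    | {f"LPT{n}" for n in range(1, 4)}
)


def is_dos_device_name(filename):
    """DOS matches device names on the base name alone, so PRN.TXT is still PRN."""
    base = os.path.basename(filename).split(".")[0].upper()
    return base in DOS_DEVICE_NAMES


def readable_size(path):
    """Count the bytes that can actually be read, ignoring what the directory says."""
    total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(4096)
            if not chunk:
                return total
            total += len(chunk)


def check_entry(path, announced_size):
    """Return a finding for one directory entry, or None when it is consistent."""
    if is_dos_device_name(path):
        return "name is reserved for a DOS device"
    actual = readable_size(path)
    if actual != announced_size:
        return f"directory announces {announced_size} bytes, but {actual} were read"
    return None


def duplicate_names(listing):
    """Names (upper-cased) that occur more than once in one directory listing."""
    seen, dupes = set(), set()
    for name, _ in listing:
        key = name.upper()
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return dupes


def audit_listing(directory, listing):
    """listing: (name, announced_size) pairs as a DOS directory would report them.
    Returns {NAME: finding} for every entry that is not consistent."""
    findings = {name: "two entries with the same name in one directory"
                for name in duplicate_names(listing)}
    for name, announced in listing:
        if name.upper() in findings:
            continue
        reason = check_entry(os.path.join(directory, name), announced)
        if reason:
            findings[name.upper()] = reason
    return findings


def demo():
    """Constructed sample: an honest file, a file whose announced size hides
    part of its real length (what a stealth virus or a damaged directory
    would produce), a duplicated entry, and an entry named after a device
    (no file is needed for it: the name alone is the problem)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "GAME.COM"), "wb") as fh:
            fh.write(b"\x90" * 1000)
        with open(os.path.join(d, "TOOL.COM"), "wb") as fh:
            fh.write(b"\xcd\x20" * 919)          # 1838 bytes on disk
        listing = [
            ("GAME.COM", 1000),
            ("GAME.COM", 1000),                 # duplicate name
            ("TOOL.COM", 600),                  # announced size is a lie
            ("PRN.TXT", 12),                    # device name
        ]
        return audit_listing(d, listing)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name:12} {reason}")
```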


In Short
--------

Michelangelo'93
---------------
This year, the damage caused by Michelangelo seems to have stayed in
check fairly well. There have, however, been some serious individual
cases.

In Australia, the headquarters of an international company were found 
to be infected a couple of days before the time of activation, the 6th 
of March. Specialists who had been on site reported that they had 
cleaned thousands of diskettes.

On the 7th of March, a medium-sized company in Iceland announced it had
suffered serious damage because of Michelangelo. According to the
company representative, Michelangelo had erased the contents of three
Novell-based servers. The monetary value of the damage was not
commented upon.

A Finnish company employee found out on the morning of the 6th of
March that his gigabyte-size hard disk had been completely erased.
This was first thought to be a hardware problem, but further
examination revealed Michelangelo as the culprit. The virus was also
found on the company's other computers, and its source was ultimately
traced to an original diskette containing special software that had
come directly from the USA.

Irresponsible activities continue: Mark Ludwig organizes a virus competition
----------------------------------------------------------------------------
Mark Ludwig, the US author of The Little Black Book of Computer
Viruses, a book that deals with designing computer viruses, continues
to stir up controversy. After writing the book he has begun to publish
the Computer Virus Developments Quarterly, a magazine that contains
advice on designing viruses.

In the latest issue Ludwig announced a virus writing competition, the 
purpose of which is to find the smallest functional computer virus. 
This virus has to meet certain conditions. It is not allowed to spread 
by overwriting its host, and it must function in a normal computer 
environment under DOS. The virus must also have been completely 
written by the competitor. Ludwig promises full immunity to all 
competitors.

The prizes will consist of diplomas and annual volumes of the Computer 
Virus Developments Quarterly.  

PC Magazine's test astonishes
-----------------------------
In the March issue of the international PC Magazine's US version there 
was an extensive test of anti-virus programs. The magazine announced 
Symantec Norton Antivirus and Central Point Antivirus to be winners. 
24 products were included in the test. The test methods and results 
gave rise to astonishment among information security professionals.

PC Magazine was criticized for giving the programs' user interfaces
excessive weight compared to, for example, their speed, hit rate, or
the level of technical support available from the program's
representative. What also caused amazement was the small number of
viruses included in the test - only 12 viruses, two to three years
old, were included in the test set. The test did not measure the
programs' ability to find new viruses, nor their efficiency against
collections of polymorphic viruses.

The most surprising item was the discrepancy in results with the same 
magazine's German version. In its January issue, the magazine PC 
Professionell published its own extensive virus test made in co-
operation with the professionals of the Hamburg University Virus Test 
Center. In this test, the winners of US PC Magazine took 20th and 11th 
places. 23 products were included in the German test.

The 40-Hex magazine in international circulation
------------------------------------------------
A so far unknown French organization apparently considers the
world-wide distribution of virus code its duty, and to this end it has
included the 40-Hex magazine in its ftp server's file collection.

Via the ftp service, anyone connected to the world-spanning Internet
can log into a file server that may physically be located on the other
side of the planet, and within a couple of seconds transfer files to
his own computer. Many ftp servers allow users to log in as anonymous.

The French ftp server in question allows anyone to transfer issues of
the 40-Hex magazine to himself. 40-Hex is an electronic newsletter
published by the international virus group Phalcon/Skism.

Issues of 40-Hex are usually quite extensive. They discuss topics 
connected to virus writing, such as the structures of different file 
types, the loopholes of DOS and the ways to bypass anti-virus 
programs. In addition to this, a typical issue of 40-Hex includes hex-
dumps or documented source codes of several different viruses. The 
publication is thought to have taken its name from the DOS interrupt 
service 21h's subfunction number 64, which enables the writing of data 
or code into an existing file. Given in a hexadecimal form, the number 
64 is 40.

The ARCV virus group arrested
-----------------------------
The January update bulletin told of a new English virus group called
ARCV. The arrogance of this group proved short-lived when a unit of
the English police that specializes in computer crime, New Scotland
Yard's Computer Crime Unit, raided the homes of the group members at
the beginning of February. Altogether three of the group's nine
members were arrested, and the case is still being processed. The
group, whose name comes from the words Association of Really Cruel
Viruses, managed to write over 30 viruses before being caught. The
group gained notoriety by, among other things, addressing a letter
describing its activities to the editor of the biggest computer
magazine in England.

The English police are still processing the case, and they hope that 
any person whose computer has been infected by an ARCV-made virus 
would contact them on the matter. ARCV has written at least the 
following viruses:

159                         Dennis 1
199                         ECU
224                         Friends
240                         Jo V1.01
330                         Joanna Exersiser
334 (Made)                  Joanna V1.11
334-2                       McWhale
Alpha                       More
Anna                        Nichols
ARCV '93 (ICE-9)            Reaper Man
ARCV 1                      Scroll
ARCV 2                      Scythe
ARCV 3                      Small ARVC
ARCV 4                      Small EXE
ARCV 5                      Solomon
ARCV 6                      Spawn 1
ARCV 7                      Toxic
ARCV 8                      Toxic 2
ARCV 9                      Toxic 3
ARCV 10                     Toxic C
ARCV Sandwich               Two Minutes to Midnight
ARCV Xmas                   X-1
Benoit                      X-2
Chad                        Zaphod
Coolboot

At Scotland Yard, inspector constable Noel Bonczoszek works on the
case. He can be contacted by phone at 990 44 71 230 1177. Reports on
incidents involving ARCV will be treated confidentially.

The Nabob Trojan Horse on CD-ROM
--------------------------------
A rare discovery was made at the beginning of March: a Trojan Horse
was found on a CD-ROM that was marketed internationally. The disc in
question is called Libris Britannica and it contains all kinds of
freeware and shareware programs. The Trojan on the disc is called
Nabob. Nabob can, however, be called more of a joke program than an
actual Trojan Horse - it claims to be the most efficient packing
program in the world, and when it is used, it does indeed pack great
volumes of data into a single one-byte file. It is indeed a pity that
Nabob cannot extract the packed files it creates...

NuKE publishes its own mutation generator
-----------------------------------------
In April, a member of the international virus group NuKE informed the
public that NuKE has developed its own mutation generator. The group
member, who is known by the pseudonym T*L*N, announced that the
generator will be published soon. This product of NuKE is known by the
working name NME, or NuKE Mutation Generator.

The NuKE members do not intend to make their generator into an object
module, like MtE or TPE, but will publish the source code of their
program in its entirety. That way virus writers can familiarize
themselves with the functioning of polymorphic viruses on a basic
level. According to the technical information T*L*N has given out, NME
can be compared to MtE in its complexity.


New Macintosh Viruses Discovered
--------------------------------

Viruses are a problem for companies using Apple Computer's Macintosh 
systems also. There have been quite few different viruses for the 
Macintosh - 16 in all - but some of them have caused large epidemics 
and continue to spread rapidly.

Two new Macintosh viruses appeared in April, 1993.

INIT-M
------
The INIT-M virus affects Macintosh computers running System 7. The
virus infects all kinds of files, including extensions, applications,
preference files and document files, and may severely damage the file
system on infected Macintoshes.

The virus was discovered at Dartmouth College, in a file downloaded 
off the Internet. It was found to rapidly spread to applications and 
other files under System 7. It did not spread or activate on System 6 
systems.

The virus spreads as the application files are run, and is likely to 
spread extensively on an infected machine.  The infection is 
accomplished by altering existing program code.

The virus does extensive damage to systems running on any Friday the 
13th. Files and folders are renamed to random strings, creation and 
modification dates are changed to Jan. 1, 1904, and file creator and 
type information is scrambled.  This changes the icons associated with 
the files and destroys the relationship between programs and their 
documents.

In some cases, one file or folder on a disk may be renamed "Virus 
MindCrime". In some very rare circumstances, the virus may also 
delete a file or files. The virus, when present on an infected system, 
may interfere with the proper display of some application window 
operations.  It will also create a file named "FSV Prefs" in the 
Preferences folder.

Recovery from this damage will be very difficult or impossible.

The damage caused by the INIT-M virus is very similar to that caused 
by the INIT 1984 virus. Despite this similarity, the two viruses are 
very different in other respects, and should not be confused.

The INIT 17 Virus
-----------------
The INIT 17 virus infects both the System file and application files. 
It does not infect document files. It was discovered in New Brunswick, 
Canada.

The virus displays the message "From the depths of Cyberspace" the 
first time an infected Macintosh is restarted after 6:06:06 A.M. on 
October 31, 1993. After this message has been displayed once, it is 
not displayed again.

The virus contains many errors which can cause crashes and other 
problems. In particular, it causes crashes on Macintoshes with the 
68000 processor like the Macintosh Plus, SE, and Classic.

For technical reasons, the virus does not infect some applications, 
and on some systems, it does not spread at all. It does, however, 
spread under both System 6 and System 7. 

Sources: Usenet newsgroup comp.virus; spaf@cs.purdue.edu; John 
Norstad, Northwestern University, USA.


Disinfectant Version 3.2 Protects Macintoshes
---------------------------------------------
Disinfectant, the leading anti-virus tool for the Macintosh, has been 
upgraded to version 3.2 to recognize the new Macintosh viruses that 
appeared in April 1993. Disinfectant 3.2 finds and disinfects all 
Macintosh viruses known to date. It can also protect a system actively, 
so that no known virus can get into it.

Disinfectant 3.2 is compatible with Macintoshes running System 6.0 or 
newer, including System 7. Data Fellows Ltd. is an authorized 
distributor of the Disinfectant anti-virus toolkit. The Disinfectant 
package is delivered free of charge to our registered F-PROT 
customers. Contact your local F-PROT dealer for more information.


Changes in F-PROT Version 2.08
------------------------------

More functionality in the VIRSTOP program

The VIRSTOP program includes many new features. They are:

o	automatic checking of the boot sectors on disks and diskettes

o	the checking of program files when they are copied or when 
        other operations are performed on them

o	checking the boot sector of the diskette in drive A when the 
        user presses Ctrl-Alt-Del

These functions are off by default: they are not performed when VIRSTOP 
is loaded without parameters. VIRSTOP now recognizes the following 
parameters:

/DISK
        VIRSTOP keeps the virus signatures on disk instead of in memory,
        reducing the program's resident memory requirement from 15
        kilobytes to 3 kilobytes. The /DISK parameter should not be used
        with the DEVICEHIGH clause; DEVICE and LOADHIGH, on the other
        hand, work normally.

/FREEZE
        If the /FREEZE parameter is used, VIRSTOP halts the computer when
        it finds a virus. Before halting, VIRSTOP displays the name of the
        virus and a customized message on the screen. With /FREEZE the
        risk of a virus succeeding in spreading is minimized: the user
        cannot ignore a virus infection even if he wants to.

/BOOT
        This parameter tells VIRSTOP to check the boot sectors of all
        disks and diskettes when they are used. The check is made as soon
        as any operation, such as a directory listing, is performed on the
        disk. The function can be turned off with the parameter /NOBOOT.

        When somebody attempts to use an infected diskette, VIRSTOP
        brings the following message on the screen:

VIRSTOP alert! - virus on diskette
Press [ENTER] to continue.

/COPY
        If the /COPY parameter is used, VIRSTOP checks program files when
        they are read, so that programs are checked when they are copied
        or edited, not only when they are run. This function can be turned
        off with the parameter /NOCOPY.

        When a virus is found, the /COPY function announces it in the
        same way as when it notices an attempt to execute an infected
        file:

C:\TEST.EXE is infected with the Cascade virus.

        and prevents access to the file, whereupon DOS reports one of the
        following, depending on its version:

Cannot execute: TEST.EXE

Access denied: "test.exe"

Bad function


/WARM
        If VIRSTOP is started with the /WARM parameter, it checks whether
        drive A contains a diskette when the user presses Ctrl-Alt-Del. If
        it does, the diskette's boot sector is checked for viruses. If the
        diskette is clean, the computer is rebooted; if it contains a
        virus, the user is informed and advised to remove the diskette
        before rebooting:

VIRSTOP: Virus-checking A:
VIRSTOP alert! - virus on diskette
Press [ENTER] to continue.
Remove diskette and reboot again.

        The /WARM parameter does not give foolproof protection against
        boot sector viruses: it cannot prevent booting from an infected
        diskette if the computer is reset with the reset switch or by
        turning the power off and on, because VIRSTOP is no longer
        resident at that point. In addition, some badly designed TSR
        programs hijack Ctrl-Alt-Del for their own use, in which case
        VIRSTOP cannot perform the check. The check cannot be made under
        Windows, either.

        When VIRSTOP is started without any parameters, it reports its
        status. For example:

C:\F-PROT\VIRSTOP

VIRSTOP is already installed.
VIRSTOP will scan programs when they are run.
VIRSTOP will scan programs when they are run or copied.
Diskette boot sectors are scanned when the diskette is accessed.
The A: boot sector is scanned when Ctrl-Alt-Del is pressed.

        The check on executed files is always performed regardless of the
        other parameters. VIRSTOP slows the computer down a little,
        because it is a resident program that intercepts program loads
        and, depending on the parameters, file reads and disk accesses.
        In most cases, however, the slowdown is not even noticeable. The
        following test gives some idea of VIRSTOP's speed:

        A group of programs was executed. Among them were normal MS-DOS
        auxiliary programs, ARJ, Image Alchemy, MODE, MEM and most of
        the programs of Norton Utilities. Altogether 200 programs were
        executed. Their execution time was measured with the TIMER
        command of 4DOS v4.02. The tests were run as batch jobs without
        human intervention.

        Without anti-virus programs the batch run took 2 minutes 19
        seconds. With VIRSTOP loaded, it was slowed down by three
        seconds. With VIRSTOP loaded with the /DISK parameter, the
        slowdown was more noticeable: one minute and two seconds, because
        the signatures are then read from disk rather than from memory.

        The test was performed on a 20 MHz 386 computer with no disk
        cache.

The functioning of Heuristic Analysis has changed
-------------------------------------------------
The Heuristic Analysis of F-PROT has been undergoing revisions for 
almost two years. Its hit rate has improved constantly while the 
number of false alarms has gone down. From version 2.08 onwards, the 
structure of the reports produced by the Heuristic Analysis is 
simpler.

When a heuristic scan is requested, F-PROT first checks the files with 
Secure Scan, using its normal search signatures and algorithmic 
methods. If a file is not found to contain a known virus, it is also 
examined with heuristic methods. F-PROT 2.08 no longer gives a 
free-form report on the nature of the file. Instead it states either:

C:\TEST.EXE seems to be infected with an unknown virus.
Please contact Data Fellows Ltd. or FSI and send us a copy for 
analysis.

or:

C:\TEST.EXE contains virus-like code.
Please contact Data Fellows Ltd. or FSI to check if this is a known
false alarm or send us a copy for analysis.

In addition to this, F-PROT classifies damaged program files 
separately. It reports them either as:

This is an invalid executable file.  It starts with an instruction
which transfers control out of the program.  Any attempt to run this
program will result in a system crash.

or:

This is an invalid executable file.  The entry point is outside the
program. Any attempt to run this program will result in a system 
crash.

In this way, the user can easily find potentially corrupted program 
files.
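As an added illustration (not F-PROT's code, which is not published), 
the following Python script reconstructs the two "invalid executable 
file" conditions from the messages above: a COM file or MZ EXE whose 
first instruction is a JMP that leaves the program, and an MZ EXE whose 
header entry point (CS:IP) lies beyond the load module. The MZ header 
layout and the JMP encodings are standard DOS and x86 facts; the 
function names and the sample files are constructed for this example.

```python
"""
Added example, not F-PROT's own code: the two "invalid executable file"
conditions reported by the 2.08 heuristics, reconstructed for DOS COM and
MZ EXE files.  Header layout and JMP encodings are standard DOS/x86 facts;
the function names and the sample files are constructed for this example.
"""
import struct
from typing import Optional

OK = "ok"
ENTRY_OUTSIDE = "The entry point is outside the program."
JUMP_OUTSIDE = "It starts with an instruction which transfers control out of the program."


def jump_target(code: bytes, at: int) -> Optional[int]:
    """Decode a JMP at code[at:]; return the target offset within `code`,
    or None if the instruction there is not a short/near JMP."""
    if code[at:at + 1] == b"\xeb" and len(code) >= at + 2:     # JMP rel8
        return at + 2 + struct.unpack_from("<b", code, at + 1)[0]
    if code[at:at + 1] == b"\xe9" and len(code) >= at + 3:     # JMP rel16
        return at + 3 + struct.unpack_from("<h", code, at + 1)[0]
    return None


def check_com(data: bytes) -> str:
    """A COM file is a raw image loaded at CS:0100h; execution starts at
    its first byte, so the whole file is the program."""
    target = jump_target(data, 0)
    if target is not None and not 0 <= target < len(data):
        return JUMP_OUTSIDE
    return OK


def check_exe(data: bytes) -> str:
    """Validate the MZ header's entry point (CS:IP) against the load module."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return "not an MZ executable"
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)      # last-page bytes, pages
    e_cparhdr = struct.unpack_from("<H", data, 8)[0]       # header size, paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)     # initial IP, CS
    # Bytes DOS will read: e_cp pages of 512, minus the unused tail of the
    # last page (e_cblp == 0 means the last page is full).  Never trust the
    # header past the real end of file.
    total = min(e_cp * 512 - ((512 - e_cblp) if e_cblp else 0), len(data))
    header_size = e_cparhdr * 16
    if header_size > total:
        return ENTRY_OUTSIDE
    image = data[header_size:total]                        # the load module
    entry = e_cs * 16 + e_ip                               # relative to load module
    if entry >= len(image):
        return ENTRY_OUTSIDE
    target = jump_target(image, entry)
    if target is not None and not 0 <= target < len(image):
        return JUMP_OUTSIDE
    return OK


def check_file(data: bytes) -> str:
    """Dispatch on the magic, as DOS does: MZ header means EXE, else COM."""
    return check_exe(data) if data[:2] == b"MZ" else check_com(data)


def make_exe(code: bytes, e_ip: int = 0, e_cs: int = 0) -> bytes:
    """Build a minimal MZ file (32-byte header, no relocations) around `code`.
    Constructed test input, not a real program."""
    total = 32 + len(code)
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1
    header = struct.pack("<2s13H", b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                         0, 0xFFFE, 0, e_ip, e_cs, 0x1C, 0)
    return header.ljust(32, b"\0") + code


# Constructed samples.  Valid code: mov ah,4Ch ; int 21h (terminate).
EXIT = b"\xb4\x4c\xcd\x21"
SAMPLES = {
    "good.com": b"\xeb\x02\x90\x90" + EXIT,        # JMP +2 lands inside the file
    "bad.com": b"\xe9\x00\x10" + EXIT,             # JMP +1000h leaves the file
    "good.exe": make_exe(EXIT),
    "entry.exe": make_exe(EXIT, e_ip=0x200),       # CS:IP beyond the load module
    "jump.exe": make_exe(b"\xe9\x00\x40" + EXIT),  # entry JMP leaves the module
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} {check_file(data)}")
```

Note that a JMP to the end of the file, of the kind an appending COM 
infector inserts, lands inside the file and passes this check; that case 
is left to the signature scan and the "virus-like code" heuristics.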

The Heuristic Analysis reports should be taken seriously. A file must 
meet several different conditions before it is suspected of having 
been infected. In the tests that Data Fellows performed using the new 
Heuristic Analysis, not a single false alarm was produced.

Users who still wish to use the old, free-form descriptions can start 
F-PROT with the parameter

C:\F-PROT /guru

in which case traditional-style heuristics are used.   

F-PROT 2.08 - other changes
---------------------------
At the same time as the heuristics were changed, all the individual 
search and disinfection routines for viruses were moved into the file 
SIGN.DEF. This was done to reduce the amount of memory F-PROT needs in 
order to run. F-PROT 2.08 requires about 320 kilobytes of available 
memory, and the Heuristic Analysis needs about 50 kilobytes more.

If the APPEND utility, which makes files in other directories appear to 
be in the current directory, was loaded before the VIRSTOP of F-PROT 
2.07, VIRSTOP would not install itself but reported an incompatibility 
instead. This problem has now been solved.

The following false alarms have been fixed:

o       "Possibly a new variant of ARCV", caused by a 1988 version of
        SPINRITE.COM

o       the TPE alarms caused by certain data files

F-PROT did already remove the following viruses, but the disinfected 
files were not exact copies of the originals. This has now been fixed.

Tula-419
Prudents
Tiny.198
Macedonia
Gotcha.C
Vbasic.B
Vbasic.C

New viruses recognized by F-PROT 2.08
-------------------------------------

F-PROT 2.08 is able to find and disinfect the following new viruses (94):

_388
_558
Arcv.Lurve
Armagedon.1074
Beer (2794)
Beer (2850)
Beer (3164)
Baobab.731
Black Jec.307
Comvirus
Creeper.476
Danish Tiny (177)
Danish Tiny (180)
Dark Avenger.1800.Quest
Diamond (444)
Diamond (465)
Diamond (594)
Diamond (602)
Diamond (606)
Diamond (607)
Diamond (608)
Diamond (620)
Diamond (621)
Diamond (624)
Diamond (626)
Diamond (891)
Diamond (1013)
Diamond (Sathanyk-1399)
Dreamer
Dutch Tiny.124.B
Frajer
Fumble.D
Gotcha.F
Hamster
Intruder (1326)
Intruder (1440)
Intruder (1967)
Intruder (1988)
Intruder (2136)
Jerusalem.Glory
July 13th.1199
Kiwi
Liquid
Marauder.860.B
Phalcon.Elvis
Pixel (Cheef)
Pixel (762)
Polish Tiny.176
Print Monster
Problem.854
Protect.2535
Russian Tiny (C.146)
Russian Tiny (C.150)
Russian Tiny (C.157)
Russian Tiny (D.129)
Russian Tiny (D.130)
Russian Tiny (D.132)
Semtex (619)
Semtex (1000.C)
Shaman
SillyCR.178
Simple 1992
Sinep
Star One (222)
Star One (Cybertech.A)
Star One (Cybertech.B)
StinkFoot.2-E
SVC (1228)
SVC (5.0-C)
Timid (290)
Timid (297)
Timid (320)
Timid (371)
Timid (382)
Timid (513)
Timid (526)
Uruk-hai (300)
Uruk-hai (361)
Uruk-hai (394)
Vienna (518)
Vienna (561)
Vienna (600)
Vienna (618.B)
Vienna (648.E)
Vienna (700)
Vienna (851)
Vienna (MD.354)
Vienna (MD.498)
Vienna (MD.499)
Vienna (MD.557)
Vienna (New Years)
Vienna (Vio-lite)
Vienna (Violator.Baby)
Youth.Hannibal

F-PROT 2.08 is able to find, but not yet disinfect, the following new 
viruses (6):

VCL (933)
VCL (Chuang)
VCL (Diarrhea)
X-1.570
Yankee.XPEH.4752
Zherkov.1940

F-PROT 2.08 recognizes the following new viruses (20) created with the 
PS-MPC virus generator:

Alien
Bamestra.1
Bamestra.2
Bamestra.3
Bamestra.4
Bamestra.5
Bamestra.6
Bamestra.7
Bamestra.8
Bamestra.9
Bamestra.10
Cinco
Demoexe
Gold
Jo.916
Jo.942
Tim.301
Tim.401
Tim.515
Warez

Version 2.08 also recognizes the following new viruses (14). These 
viruses cannot be disinfected because they overwrite or otherwise 
damage the files they infect; they can only be removed by deleting the 
infected file.

Burger.560.Liquid
Itti.Toxic
Leprosy (FVHS.1644)
Leprosy (Surfer)
Milan.BillMe
Trivial (Wolverine)
Trivial (30-D)
Trivial (64)
Trivial (81)
VCL (408)
VCL (423)
VCL (481)
VCL (666)
VCL (Dome)

The following viruses can now be disinfected; earlier versions of 
F-PROT could only delete the infected files.

Cascade (1703-Jojo)
Cascade (Formiche)
Ear.Ear

Recognition of about a hundred further new viruses has also been added 
to F-PROT 2.08, but these viruses have not yet been analyzed and given 
proper names. F-PROT knows them by names consisting of an underscore 
followed by the size of the virus in bytes, such as _388.


Appendix: PC Professionell Antivirus Test
-----------------------------------------

PC Magazine's German edition, PC Professionell, tested the most common 
anti-virus programs in its January 1993 issue. The products were tested 
against a collection of 2791 infected files.

The products included in the test received the following scores:

Product         Version Producer                 Found  Removed
---------------------------------------------------------------
F-PROT          2.05a   Frisk Software Intl       2686     1707
Antivir IV      4.04    H+BEDV Datentechnik       2618     2189
Solomon Toolkit 5.61    S&S International         2566     1301
Turbo Antivirus 8.3     Carmel Software           2444     1142
McAfee Scan     8.7V95  McAfee Associates         2429      652
Anti Viren Kit  2.18    G Data                    2403      622
AntiVirus Plus  4.20    Iris                      2330     1154
ViruSafe Gold   4.6     Xtree                     2223      395
Virus-Police    1.31    Uti-Maco Software         2135      691
Virus-Blocker   3.2     Expert Informatik         2103      258
CPAV for DOS    1.2     Central Point Software    2006      996
Search&Destroy  1.1     Fifth Generation System   1995      478
CPAV 4 Windows  1.0     Central Point Software    1989      996
Allsafe         1.00    Xtree                     1951      651
Novi            1.01    Certus                    1788      341
Virus Utilities 1.60AE  Ikarus Software           1757      359
TNT Lite        1.0     EPG International         1709      694
PC Rx           2.0     Trend Micro Devices       1695      287
VirusCure-Plus  2.41    McAfee / IMSI             1655      684
Norton NAV      2.0     Symantec                  1622      549
PC-cillin       3.2     Trend Micro Devices       1301      186
V-Care          4.32a   NSE Software              1115      731
AP-355                  Jürgen Liskowski          1074       81
---------------------------------------------------------------

F-PROT was selected as editor's choice.

