
F-PROT 2.09 Update Bulletin
===========================

This text may be freely used as long as the source is mentioned as
'Source: F-PROT 2.09 Update Bulletin Copyright (c) 1993 Data Fellows Ltd.'

-------------------------------------------------------------------------------

CONTENTS 3/93
-------------
 Period of Intense Development
 F-PROT Receives Status of "Very Important Product"
 Recent Virus Cases
 A Virus from TV
 Michelangelo Epidemic in US
 Butterfly on the Networks
 The _894 Virus
 Questions and Answers
 Batch File Viruses
 Briefly Noted
 Virus Groups March Out
 Changes in Version 2.09
 VIRSTOP for Windows
 New Viruses Recognized


A Period of Intense Development
-------------------------------

F-PROT's development has remained vigorous throughout its history. New 
viruses are continuously added to the program, and the new 2.09 
version recognizes viruses we received notice of only a couple of days 
before the update was to be published.

During this summer, the technical development of F-PROT is especially 
strong and visible. The first tools for the Windows environment are 
included in version 2.09. These tools contain interesting technical 
solutions which cannot be found in other anti-virus products. An example 
of this are the Windows features of VIRSTOP.

VIRSTOP automatically notices when Windows is started, and loads a 
Windows device driver into memory. This driver interprets virus warnings 
for the Windows environment and relays them to the user. Two programs 
are thus contained in one program file, and there is no need for a 
separate Windows installation. Because the solution employs a device 
driver, the virus warnings are shown even if a Windows start-up file is 
infected.

We will continue the active development of the F-PROT product line. 
Among other things, a checksumming application called F-CHECK will be 
included in the next F-PROT update. F-CHECK contains two unique features 
in addition to normal checksumming qualities. F-CHECK reports changes to 
files and boot sectors like other checksumming programs, but it also 
estimates which of these have been caused by viruses and which have not. 
F-CHECK employs heuristic methods identical to those used by F-PROT in 
its search for previously unknown viruses. F-CHECK can, in most cases, 
also restore an altered file or boot sector. 

Progress in sales and marketing has also been strong. Data Fellows 
Ltd's network of F-PROT dealers has grown rapidly, and new reference 
customers among large international companies have joined the earlier 
ones.

At the moment, our dealer network extends to the following countries:

        Sweden          Användardata
        Sweden          Comma
        Norway          PDI-Gruppen
        Denmark         Control Data
        Denmark         Comma
        Belgium         DataRescue
        Italy           Symbolic
        Spain           EICS
        Portugal        EICS
        Hong Kong       Yui Kee Company Ltd.
        Slovenia        ABM d.o.o.
        Czech           SEA
        Great Britain   unpublished
        France          unpublished

We hope that our new products will make the F-PROT family a still more 
user-friendly and comprehensive anti-virus solution for your purposes.


Recent Virus Cases
------------------

A Virus from TV
---------------
The Tremor virus, which was first spotted in Germany about half a year 
ago, spread at the beginning of May in quite a peculiar fashion. It was 
spread far and wide over Europe via the PRO-7 TV channel owned by the 
German company Channel Videodat.

The PRO-7 channel, which reaches most parts of Europe via satellite or 
cable TV, is used to distribute computer programs in addition to 
broadcasting normal TV transmissions. These programs can be transferred 
from the channel into a computer by using a special decoder. 60.000 
computer users are estimated to receive data through the channel, but it 
is not known how many of them caught the virus.

The virus research center of Karlsruhe University (Micro-BIT Virus 
Center) contacted Channel Videodat about a week after the fateful 
transmission, but at the time the company denied that anything had 
happened. The anti-virus program used by the company turned out to be 
unable to spot Tremor, however, and a week and a half later Channel 
Videodat began to broadcast warnings and anti-virus programs to its 
viewers several times a day.

The virus had infected, and spread with, the PKUNZIP.EXE program 
transmitted together with a ZIP-packed anti-virus program. The program 
had become infected at a Düsseldorf-based software shop which supplies 
programs to Channel Videodat. The anti-virus program itself was 
originally clean, but it was unable to detect the Tremor virus.

Tremor is a retrovirus designed to attack several different checksum 
and anti-virus programs. It is a self-encrypting virus with great 
polymorphic abilities, capable of creating billions of different-looking 
copies of itself. Besides utilizing the usual random numbers, Tremor 
takes advantage of the data in a computer when it changes its code. This 
characteristic makes the virus hard to spot. Since Tremor's appearance 
varies considerably from computer to computer, anti-virus experts have 
difficulties in producing a good sample of the virus for testing.

The virus is very difficult to detect, especially so when it is in 
memory, because it employs complex stealth virus techniques. In this 
respect, Tremor is a remarkable virus. It can make it seem like no 
additional code is present in infected files, even though its appearance 
changes during every infection. No other virus can do the same.

When a Tremor-infected program is executed for the first time, the virus 
decrypts its code and checks the date in the computer's clock. If more 
than three months have passed since the original infection date, the 
virus activates. If the time is not yet up, Tremor checks the operating 
system's version number and, should the version be older than 3.30, 
allows the execution of the host program to proceed normally.

If the operating system's version number is 3.30 or greater, the virus 
searches the memory for a program using the interrupt 01h's function 
30h. If the virus detects such a program, it allows the execution of the 
host program to proceed normally and does not install itself into 
memory. Most likely Tremor performs the check in order to avoid being 
detected by some anti-virus program using interrupt 01h.

After this interrupt 01h check, the virus installs itself into memory. 
Tremor's way of installing itself is unique: it copies itself into 
extended or high memory, if such memory is available in the computer. 
If not, the virus installs itself into the upper part of conventional 
memory.

After having performed all its checks, Tremor automatically infects the 
command interpreter indicated by the COMSPEC environment variable. 
Afterwards, the virus can always get into memory before most anti-virus 
programs.

While active in memory, the virus is able to prevent several different 
anti-virus applications from detecting itself. It monitors the 
computer's functioning constantly and, should it detect certain checks 
being made, either cancels them altogether or prevents them from 
spotting itself. If Tremor discovers the presence of either Central 
Point Anti-Virus or Microsoft Anti-Virus, it blocks the functioning of 
their memory-resident parts. The virus can thereafter function without 
either CPAV or MSAV noticing it.

The virus is capable of taking advantage of several different 
procedures, such as the execution or copying of programs, to infect COM- 
and EXE files. Tremor checks how a file's name begins before infecting 
the file. If the name begins with the character combinations CH, ME, MI, 
F2, F-, SY, SI or PM, the virus makes certain changes to memory to avoid 
detection.

Tremor marks the infected files by adding one hundred years to the 
file's date of modification. This addition is not readily noticeable, 
because DOS usually displays only the last two numbers of the year in a 
date. If the virus notices that some program is trying to read the file, 
it changes the date back to normal and deletes its code from the file 
before allowing it to be read.
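
The following Python snippet is an added example, not code from this 
bulletin or from F-PROT. It shows how a DOS directory entry packs its 
date into one 16-bit word, what Tremor's hundred-year addition does to 
that word, and why a DIR listing does not reveal it. The scanner 
heuristic at the end (flagging a year far beyond the present) is this 
editor's suggestion, not a description of how F-PROT finds Tremor.

```python
# A DOS directory entry stores the file date as one 16-bit word:
#   bits 15..9  year - 1980   (0..127, i.e. 1980..2107)
#   bits  8..5  month         (1..12)
#   bits  4..0  day           (1..31)
DOS_EPOCH = 1980
DOS_LAST_YEAR = DOS_EPOCH + 127


def pack_dos_date(year: int, month: int, day: int) -> int:
    """Pack a calendar date into the DOS 16-bit date word."""
    if not DOS_EPOCH <= year <= DOS_LAST_YEAR:
        raise ValueError(f"year {year} does not fit the 7-bit DOS year field")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month or day out of range")
    return ((year - DOS_EPOCH) << 9) | (month << 5) | day


def unpack_dos_date(word: int) -> tuple:
    """Inverse of pack_dos_date: (year, month, day)."""
    return ((word >> 9) & 0x7F) + DOS_EPOCH, (word >> 5) & 0x0F, word & 0x1F


def tremor_mark(word: int) -> int:
    """Tremor's infection marker: same month and day, 100 years later.
    For a file dated 2008 or later the year field would overflow, which
    pack_dos_date refuses rather than silently wrapping."""
    year, month, day = unpack_dos_date(word)
    return pack_dos_date(year + 100, month, day)


def tremor_unmark(word: int) -> int:
    """What the stealth routine does to the date before a read is allowed."""
    year, month, day = unpack_dos_date(word)
    return pack_dos_date(year - 100, month, day)


def dir_listing_date(word: int) -> str:
    """The date as DIR printed it, with a two-digit year: 1993 and 2093
    produce exactly the same text."""
    year, month, day = unpack_dos_date(word)
    return f"{month:02d}-{day:02d}-{year % 100:02d}"


def looks_tremor_marked(word: int, current_year: int) -> bool:
    """Editor's heuristic (an assumption, not F-PROT's method): no
    legitimate program stamps a file more than 50 years into the future."""
    return unpack_dos_date(word)[0] > current_year + 50


if __name__ == "__main__":
    clean = pack_dos_date(1993, 7, 15)
    marked = tremor_mark(clean)
    for label, word in (("clean", clean), ("marked", marked)):
        print(f"{label:6} word={word:#06x} DIR shows {dir_listing_date(word)} "
              f"flagged={looks_tremor_marked(word, 1993)}")
```

Note the limit built into the format: the year field runs out at 2107, 
so the hundred-year trick only works for files dated up to 2007.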

The copies of infected files do not carry the infection if the copying 
is done while the virus is active in memory, because Tremor removes its 
code from the source files when they are read. Therefore, the only 
likely situation in which the virus can infect a diskette is when a user 
executes a program from a diskette that is not write-protected. Because 
of this, Tremor spreads from one computer to another quite slowly.

The virus contains two separate activation routines. The first routine 
shakes the picture on the screen for a moment, after which it jams the 
computer. This happens only on very rare, random occasions.

The second activation routine hijacks interrupt 15h. Interrupt 15h is 
quite rarely used; practically the only applications that take 
advantage of it are certain DOS multitasking environments, such as 
DesqView. Some programs do, however, use INT 15h to switch the processor 
into protected mode. The activation routine is executed when another 
program tries to use interrupt 15h, after which Tremor clears the screen 
and displays the text "T.R.E.M.O.R. was done by NEUROBASHER / May-June 
'92, Germany, -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-".

The sentence "Moment of terror is the beginning of life" has been 
borrowed from FRONT 242, a Belgian techno/industrial band. The sentence 
is printed on the inner envelope of their Front-By-Front album. 
Neurobasher is one of their songs.

So far, Tremor is the only known polymorphic stealth virus.

F-PROT 2.09 is able to find and recognize the Tremor virus reliably even 
if it has installed itself into memory.

Butterfly on the Networks
-------------------------
A new, previously unknown virus slipped into worldwide circulation 
together with the popular shareware terminal program Telemate. Telemate 
4.11 was released on 17.6.1993, and the virus was not discovered until 
distribution of the program had already begun. Telemate could be 
downloaded from, for example, CompuServe. At the moment, there are 
probably thousands of contaminated copies of the program all over the 
world.

The distribution package of Telemate 4.11, TM411-4.ZIP, contains a file 
named VESA.EXE, which is a LHA-packed self-extracting archive. The 
package contains VESA drivers for different video cards. The files 
37VESA.COM and 67VESA.COM, which are meant for the OAK video card, are 
both infected.

The infection was noticed in Finland on 21.06.1993, and the software's 
manufacturer in Canada was notified immediately. Two days later, the 
contaminated distribution package was replaced by a clean one.

The virus in question functions quite simply, and it is only 302 bytes 
in length. When an infected program is executed, the virus searches the 
default directory for suitable victims. Depending on the availability of 
such, the virus infects up to four files every time it is executed. The 
virus does not do anything if it cannot find suitable victims, those 
being COM files whose size is between 121 and 64768 bytes.

The virus places its code at the end of contaminated files. Although the 
virus will not infect files protected with the Read-only attribute, it 
is capable of infecting hidden and system files.

The virus performs three checks before infecting a file. First, it 
checks whether the file begins with the instruction INT 20h. After 
this, the virus examines the fourth byte in the file. If it is 1 (the 
IBM ASCII character for 1 is ☺), the virus assumes it has already 
infected the file and refrains from reinfecting it. After checking the 
file itself, the virus inspects its name. If the sixth and seventh 
letters in the file name are `N' and `D', the virus concludes that the 
file in question is the command interpreter COMMAND.COM, and does not 
infect it.

It is likely that the virus checks the beginning of files for the INT 
20h instruction in order to avoid infecting bait files created by virus 
researchers. As files which begin with this instruction do nothing 
except exit to DOS, they are often used by researchers. When a virus 
infects such a simple file, the actual viral code is easy to study. The 
creator of the virus probably wanted to stop his virus from infecting 
such baits in order to make the lives of virus researchers just a 
little bit harder. It seems, however, that during the testing of the 
virus it was modified to also infect files beginning with INT 20h. For 
some reason, probably simple forgetfulness on the part of the writer, 
this modification was never switched off, and the virus still infects 
such files regardless of the test.

Although the virus usually leaves its victim's modification date 
unchanged, it contains a bug which in some cases causes the date and 
time of infected files to show the time of infection. This bug surfaces 
if the directory the virus operates in contains several COM files, some 
of which are suitable for infection and some of which are not. In some 
cases, the same bug causes the virus to damage its victims. The size of 
the damaged files is not changed, but their first four bytes are 
replaced by a jump instruction inserted by the virus. The program cannot 
be executed, because the virus has not been able to place its code at 
the end of the victim file. 

The virus contains routines which look as if they were borrowed from 
viruses created with the VCL virus generator. It contains no activation 
routines. Since the text `Goddamn Butterflies' is included in the viral 
code, the virus has been provisionally named `Butterfly'. The virus is 
closely related to the Proto-T.Civil_War family.

F-PROT 2.09 is able to detect and remove the virus reliably. 

The _894 Virus
--------------
A new virus, infecting both COM and EXE files, was found in the 
beginning of June in Italy. It seems that this virus has rapidly become 
very common. The virus is very destructive.

Since the virus increases the size of contaminated files by 894 bytes, 
it was temporarily dubbed _894. Despite the name, however, the virus 
also adds up to 15 padding bytes to infected EXE files, so that the 
resulting file length is evenly divisible by 16. The virus doesn't yet 
have a final name.

The _894 virus is a self-encrypting virus which maintains two copies of 
itself once it has installed itself into memory. Both copies are 
initially unencrypted. The virus uses one in its functioning, while the 
other is appended to infected executable files. At the time of 
infection, the second copy is encrypted by using a key which is modified 
during each infection. After an infection has been completed, _894 
decrypts the second copy in order to use it further.

Upon execution, the virus inspects the interrupt handler for the 
interrupt 21h. By checking where the pointer of interrupt 21h points, 
the virus finds out whether it has already gone resident or not. If the 
handler's offset is 13h, _894 assumes that a copy of the virus has 
already been installed into memory and passes control to the original 
program. Otherwise it will perform the installation at this stage, 
reserving approximately 1840 bytes of memory for itself. After 
installing itself, _894 checks the time and the operating system's 
version number. If the operating system in use is older than DOS 4.0, 
the virus will not infect any files in the computer. It won't perform 
any infections in systems using newer versions of DOS, either, if the 
seconds field of the time it acquired from the computer's clock contains 
an odd number. This second-field check causes the virus to infect files 
in a semi-random manner.

The virus checks files before infection to ascertain whether it has 
already contaminated them. It determines an EXE file's status by 
analysing its header information. The second word of a COM file 
contains a similar marker.

_894 traps several functions of interrupt 21h. That way the virus can 
infect all opened or executed programs. The virus is quite unusual 
because it also infects programs when their file attributes are changed. 
The virus even hooks interrupt 21h function 6Ch (extended open), which 
is seldom used for opening files. The DOS command interpreter 
(COMMAND.COM), however, uses this function.

The virus does set certain conditions to its victims. It will not infect 
any COM file smaller than 66 bytes or longer than 63488 bytes. If an EXE 
file is longer than the value in its header indicates, it is also left 
uncontaminated. By using this check, the virus ascertains it will not 
try to infect files having internal overlays or EXE-files of the NE 
format, such as Windows- and OS/2 EXE-files. The virus does not infect 
EXE files packed with PKLITE or LZEXE. It is unclear why these packed 
programs are not infected. They can be and are infected successfully by 
most other file viruses.
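
As an added example (not part of this bulletin, and neither the virus's 
nor F-PROT's code), the Python below parses the MZ header fields that 
the size check relies on, shows why a Windows NE file has data beyond 
its declared image, and computes the padded length of an infected EXE 
file. The sample executables are constructed inline; the 16-byte padding 
is applied as the text describes it, after the 894 bytes are appended.

```python
import struct

# The first 28 bytes of a DOS MZ executable header, all little-endian words:
# signature, bytes in last page, pages in file, relocation count, header size
# in paragraphs, min/max extra paragraphs, SS, SP, checksum, IP, CS,
# relocation table offset, overlay number.
MZ_HEADER = struct.Struct("<2s" + "H" * 13)


def mz_declared_size(data: bytes) -> int:
    """Length of the load image as the header declares it: every page is
    512 bytes except the last, whose length is bytes_in_last_page
    (0 meaning the last page is full)."""
    if len(data) < MZ_HEADER.size or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    _, last_page, pages, *_ = MZ_HEADER.unpack_from(data)
    return pages * 512 if last_page == 0 else (pages - 1) * 512 + last_page


def has_data_beyond_image(data: bytes) -> bool:
    """The _894 eligibility test: a file longer than its declared image
    carries an internal overlay or a non-DOS (NE) image and is left alone."""
    return len(data) > mz_declared_size(data)


def is_new_executable(data: bytes) -> bool:
    """Why Windows and OS/2 programs fail that test: the MZ stub declares
    only its own size, and the real NE header sits at the offset stored
    at 0x3C, which is meaningful only when the relocation table offset
    is at least 0x40."""
    if len(data) < 0x40:
        return False
    reloc_table = struct.unpack_from("<H", data, 0x18)[0]
    if reloc_table < 0x40:
        return False
    ne_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[ne_offset:ne_offset + 2] == b"NE"


def infected_length(original: int) -> int:
    """File length after _894 appends its 894 bytes and pads the result up
    to the next multiple of 16 (0..15 padding bytes)."""
    grown = original + 894
    return grown + (-grown % 16)


def make_mz(image_len: int, trailing: bytes = b"", reloc_table: int = 0x1C) -> bytes:
    """Constructed sample executable: a header declaring image_len bytes,
    zero-filled to that length, plus optional trailing data."""
    pages, last_page = divmod(image_len, 512)
    if last_page:
        pages += 1
    header = MZ_HEADER.pack(b"MZ", last_page, pages, 0, 2, 0, 0xFFFF,
                            0, 0x100, 0, 0, 0, reloc_table, 0)
    return header.ljust(image_len, b"\0") + trailing


def make_ne_stub(stub_len: int = 0x40) -> bytes:
    """Constructed sample NE file: a stub_len-byte MZ stub followed by an
    'NE' header, with the pointer at 0x3C set to where that header begins."""
    image = bytearray(make_mz(stub_len, b"NE" + b"\0" * 62, reloc_table=0x40))
    struct.pack_into("<I", image, 0x3C, stub_len)
    return bytes(image)


if __name__ == "__main__":
    for name, sample in (("plain", make_mz(1000)),
                         ("overlay", make_mz(1000, b"OVERLAY DATA")),
                         ("windows", make_ne_stub())):
        print(f"{name:8} declared={mz_declared_size(sample):5} actual={len(sample):5} "
              f"skipped_by_894={has_data_beyond_image(sample)} "
              f"NE={is_new_executable(sample)}")
    print("1000-byte EXE grows to", infected_length(1000))
```

The same header arithmetic is what a scanner uses in reverse: an EXE 
whose declared image is exactly 894 to 909 bytes longer than a known 
clean copy, and whose new length is a multiple of 16, fits the growth 
pattern described above.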

When the virus is installed and active in memory, it intercepts all 
calls to the DOS write-file function. One time in sixteen, it causes 
damage by changing a random byte in the output buffer. This way the 
virus can randomly corrupt any data created on the machine. Programs, 
too, get corrupted when they are copied. If the virus is not noticed in 
time, this sort of slow corruption can prove disastrous. The virus 
performs special checks to make sure it doesn't corrupt its own data 
when it uses the write function.

The virus does not contain any messages, nor does it advertise its 
presence by musical or video effects. It is, therefore, quite difficult 
to spot.

F-PROT 2.09 is able to detect and remove the _894 virus reliably.


A Michelangelo Epidemic in the United States
--------------------------------------------

The largest corporate virus infection known to date occurred in the 
United States on March the 13th. The Michelangelo virus infected 
approximately 20.000 computers in one corporation.

A program, which was to be distributed to users, was copied to diskettes 
on a contaminated computer. All the 6.500 diskettes used in the copying 
were infected. These diskettes were then distributed to users inside the 
company. Due to the memory requirements of the program on the diskette, 
users were instructed to boot their computers directly from these 
diskettes. Since Michelangelo is a boot sector virus, it infected the 
hard disks in all the computers during this booting. The virus infected 
initially about 7.000 computers, but it was not detected until the 
number of contaminated computers had reached approximately 20.000. The 
company passed the infection to some of its partners also. The virus was 
eventually removed with F-PROT.

At the time of the infection the company had no anti-virus software in 
use. The entire incident could have been avoided if even a single 
anti-virus program had been acquired and installed on the computer on 
which the diskettes were copied.

Even though an infection involving 20.000 computers is a serious matter, 
the situation could have been worse still. If the incident had happened 
a week earlier, it would have coincided with Michelangelo's activation 
day, in which case the virus would have wiped the hard disks empty 
instead of just infecting them.


F-PROT Support Advises: Common Questions and Answers
----------------------------------------------------

If you have questions about information security or virus prevention, 
contact your local F-PROT support. You can also reach Data Fellows on 
the number +358-0-692 3622, fax +358-0-670 156. Your written questions 
can be addressed to: Data Fellows Ltd., F-PROT Support, Wavulinintie 10, 
SF 00210 HELSINKI, FINLAND. Questions sent by electronic mail can be 
addressed directly to Mikko Hyppönen of F-PROT technical support 
department; his Internet address is mikko.hypponen@compart.fi. 


I use the Microsoft DOS 6.0 operating system. When I tried to remove the 
Form virus with the command SYS C:, MS-DOS 6.0 announced `Cannot operate 
on specified drive' and did not create a new boot record. What's wrong?

        Microsoft DOS 6.0 includes a disk compression program called
        DoubleSpace. Normally, it addresses the original C disk as disk
        H, and the correct command is therefore SYS H:.

        The letter assigned to the original disk depends on the
        installation, and it is therefore not necessarily H, but in any
        case it comes after the letters assigned for the packed virtual
        disks.

        The DoubleSpace virtual disks do, in fact, have boot records,
        but they contain only zeros. The packed disks do not need actual
        boot records, since the operating system is loaded from an
        unpacked area of the original disk during the booting.

I would like to take a back-up of my computer's Main Boot Record, but 
DOS 6.0 no longer recognizes the MIRROR /PARTN command. When I was using 
DOS 5.0, I could use that command to store the contents of the Main Boot 
Record in a file. How do I do that with DOS 6.0?

        DOS 6.0 does not contain Mirror or any other program that can be
        used to save the Main Boot Record. It is, therefore, worthwhile
        to save the file MIRROR.EXE before upgrading to DOS 6.0, for,
        unlike many other DOS auxiliary programs, Mirror does not check
        the DOS version number when it is executed.

        If DOS 6.0 has already been updated into your computer, you can
        use a disk editor, such as Norton Utilities, to save the Main
        Boot Record in a file.

        The Main Boot Record of a hard disk contains the partition
        table, where the information concerning the size and location of
        logical DOS disks has been stored. The data on a hard disk is
        difficult to restore should this information be destroyed, and
        therefore, in order to cope with possible problems, a back-up of
        the partition table should always be stored on a diskette.
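
As an added example, not code from this bulletin or from DOS, the 
Python below shows what such a backup contains: it decodes the four 
16-byte partition entries at offset 1BEh of the sector, checks the 55AA 
signature, saves the 66 bytes that matter, and puts them back over a 
damaged sector without touching its boot code. The sample sector is 
constructed inline with made-up CHS values; the LBA start and length 
fields are the ones the code interprets.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE                 # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE             # the two-byte 55 AA boot signature
# status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_partition_table(mbr: bytes) -> list:
    """Decode the non-empty entries of a Master Boot Record's partition table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature: not a valid MBR")
    entries = []
    for index in range(4):
        status, _, ptype, _, start_lba, count = ENTRY.unpack_from(
            mbr, TABLE_OFFSET + ENTRY.size * index)
        if ptype == 0:               # type 0 marks an unused slot
            continue
        entries.append({"index": index, "bootable": status == 0x80,
                        "type": ptype, "start_lba": start_lba, "sectors": count})
    return entries


def partition_table_backup(mbr: bytes) -> bytes:
    """The 66 bytes worth keeping on a diskette: the table plus the signature."""
    return mbr[TABLE_OFFSET:]


def restore_partition_table(damaged: bytes, backup: bytes) -> bytes:
    """Write a saved table back while leaving the current boot code in place."""
    if len(backup) != SECTOR_SIZE - TABLE_OFFSET:
        raise ValueError("backup must be the 66 bytes from offset 0x1BE")
    return damaged[:TABLE_OFFSET] + backup


def sample_mbr() -> bytes:
    """Constructed sample: one active 16-bit FAT primary partition (type 06h)
    starting at sector 63 and spanning 40960 sectors (20 MB). The CHS bytes
    are placeholders, not a real geometry."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:2] = b"\xeb\xfe"            # stand-in boot code: jmp $
    ENTRY.pack_into(mbr, TABLE_OFFSET,
                    0x80, bytes([0, 1, 0]),      # active; head 0, sector 1, cyl 0
                    0x06, bytes([15, 63, 40]),   # FAT16 (BIGDOS); made-up end CHS
                    63, 40960)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    disk = sample_mbr()
    saved = partition_table_backup(disk)
    print("table:", parse_partition_table(disk))
    wiped = bytearray(disk)
    wiped[TABLE_OFFSET:SIGNATURE_OFFSET] = bytes(64)   # what a destructive virus leaves
    print("after wipe:", parse_partition_table(bytes(wiped)))
    print("restored:", parse_partition_table(restore_partition_table(bytes(wiped), saved)))
```

Keeping the 66 bytes rather than the whole sector is deliberate: if the 
boot code itself has been replaced by a boot sector virus, the clean 
code from SYS or FDISK /MBR should be used, and only the table restored.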


While I was using the PC-Tools program, an icon looking like a gas pump
appeared on the Windows worktable. Under it was the text `NOT a bug! Do
NOT destroy!'. The icon remained on the screen for a couple of hours,
after which it disappeared by itself. I was unable to remove or
otherwise affect it. I used F-PROT to check my computer, but it did not
find any viruses. Is the gas pump caused by some virus? I use PC-Tools
for Windows 8.0.

        The gas pump incident is not the effect of a virus, but of an
        unusual feature of the Windows version of PC-Tools. The part of
        the code which causes it was probably left inside the program
        from the development stage. This code activates under certain,
        so far unknown, conditions. The text `NOT a bug! Do NOT destroy'
        is included in the WNFSVT.EXE file of PC-Tools for Windows.
        Since the program's maker, Central Point, has been informed of
        the matter, it is likely that the gas pump will not trouble
        future versions of PC-Tools.

        A somewhat similar incident, the `Tough Luck/This Is Too Bad For
        You' announcement given by the Microsoft Excel software, was
        discussed in the F-PROT 2.06 Update Bulletin.


Interrupts are often mentioned in F-PROT Update Bulletins. What, 
exactly, are interrupts, and what are they used for?

        Programs can easily access the services of the operating system
        and BIOS by taking advantage of interrupts.

        When a program calls an interrupt, its normal execution stops
        while the computer runs the interrupt handler (a program)
        appropriate to the interrupt in question. The interrupt handler
        performs the task assigned to it, after which the original
        program resumes its execution.

        In a DOS environment, new functions can easily be added to the
        basic services of the operating system by using interrupt
        handler routines. Programs using interrupt handler routines are
        also considerably more compatible with each other than programs
        applying direct device control.

        There are both BIOS interrupts and program interrupts in a DOS
        environment. BIOS interrupts are handled by a computer's BIOS
        and program interrupts by the operating system. DOS is able to
        use 256 different interrupts, most of which are not predefined.
        Some applications use these undefined interrupts in their
        functioning by first defining them themselves. An application
        uses program interrupts when it accesses the operating system's
        services, such as disk reads or writes.

        Most program interrupt calls are, in fact, eventually conveyed
        to the BIOS interrupt routines. If, for example, an application
        calls the program interrupt service INT 21h/01h, which reads one
        character from the keyboard, DOS eventually directs the call to
        the BIOS interrupt 16h, the commonly used low-level keyboard
        interrupt. DOS does, however, interpret the values returned by
        the BIOS interrupt into a form that is more readily usable.

        The lowest page of memory contains the interrupt vector table,
        in which four bytes have been reserved for each interrupt.
        Depending on whether the interrupt in question is a BIOS- or
        program interrupt, these bytes contain a pointer to either BIOS
        or RAM memory. The memory area the vector table points to
        contains an interrupt handler for the corresponding interrupt.

        When a program runs into an interrupt, the operating system uses
        the interrupt vector table to find the corresponding interrupt
        handler, to which it then relays the interrupt. In an operation
        called hijacking, a virus may replace a pointer in the interrupt
        vector table with an address that points to its own code. When
        the virus has performed its task, such as infection, it conveys
        the interrupt to its proper handler.

        Viruses often use interrupt services to infect files, install
        themselves into memory or activate.

        Program and BIOS interrupts must not be confused with device
        interrupts (IRQs). These are purely hardware-based interrupt
        signals that peripherals (such as the serial port or the hard
        disk) send to the CPU when they need processor time for their
        own functioning.
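
To make the vector table concrete, here is an added Python example (not 
from this bulletin or from F-PROT) that decodes a 1 KB dump of the 
table, shows what hijacking a vector changes, compares two snapshots to 
list the interrupts whose handlers moved, and applies the INT 21h 
offset test that the _894 virus described above uses to see whether it 
is already resident. The handler addresses in the sample table are made 
up, and treating everything from C000:0000 upward as ROM is a 
simplification of the PC memory map.

```python
import struct

IVT_ENTRIES = 256
IVT_BYTES = IVT_ENTRIES * 4          # the table occupies 0000:0000 to 0000:03FF


def vector(ivt: bytes, intno: int) -> tuple:
    """(segment, offset) stored for interrupt intno. In memory each entry
    is the 16-bit offset followed by the 16-bit segment."""
    offset, segment = struct.unpack_from("<HH", ivt, intno * 4)
    return segment, offset


def set_vector(ivt: bytearray, intno: int, segment: int, offset: int) -> None:
    struct.pack_into("<HH", ivt, intno * 4, offset, segment)


def linear_address(segment: int, offset: int) -> int:
    """Real-mode address arithmetic: segment * 16 + offset."""
    return (segment << 4) + offset


def points_into_rom(segment: int, offset: int) -> bool:
    """Whether a handler lives in the ROM area (adapter ROMs and the system
    BIOS sit above C000:0000 on a PC) rather than in RAM. Simplification:
    real machines also have RAM-resident BIOS extensions and UMBs there."""
    return linear_address(segment, offset) >= 0xC0000


def hijack(ivt: bytearray, intno: int, segment: int, offset: int) -> tuple:
    """What a resident virus does when it goes resident: keep the old
    vector so it can pass calls on, and point the entry at its own code."""
    old = vector(ivt, intno)
    set_vector(ivt, intno, segment, offset)
    return old


def changed_vectors(before: bytes, after: bytes) -> list:
    """Compare two snapshots of the table and list the interrupts whose
    handlers moved: some resident program (or virus) installed itself."""
    return [n for n in range(IVT_ENTRIES) if vector(before, n) != vector(after, n)]


def looks_like_894_resident(ivt: bytes) -> bool:
    """_894's own 'am I already here?' test: INT 21h handler offset == 13h.
    A weak marker; any handler that happens to start at offset 13h matches."""
    return vector(ivt, 0x21)[1] == 0x13


def sample_ivt() -> bytearray:
    """Constructed sample: INT 21h pointing into the DOS kernel in low RAM,
    INT 16h into the system BIOS ROM. Both addresses are made up."""
    ivt = bytearray(IVT_BYTES)
    set_vector(ivt, 0x21, 0x0116, 0x109E)
    set_vector(ivt, 0x16, 0xF000, 0xE82E)
    return ivt


if __name__ == "__main__":
    clean = sample_ivt()
    infected = bytearray(clean)
    saved = hijack(infected, 0x21, 0x9F80, 0x0013)   # virus body high in RAM
    for n in changed_vectors(clean, infected):
        seg, off = vector(infected, n)
        print(f"INT {n:02X}h now at {seg:04X}:{off:04X} (was {saved[0]:04X}:{saved[1]:04X}),"
              f" in ROM: {points_into_rom(seg, off)}")
    print("894 marker present:", looks_like_894_resident(infected))
```

Snapshot comparison of this kind is how a resident monitor notices a 
new handler; the segment tells you where the handler lives, which is 
why an INT 21h vector pointing at the top of conventional memory, where 
the text above says _894 and Tremor install themselves, deserves a look.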


I use VIRSTOP with the /DISK parameter on to save memory. I updated 
VIRSTOP by copying the new files over old ones, after which I continued 
working normally. After a while, however, the computer stopped 
functioning. When it was rebooted, I did not experience any further 
problems. Why did the problem arise in the first place?

        When VIRSTOP is used with the /DISK parameter on, it reads the
        search strings for viruses from the hard disk instead of memory.
        This decreases VIRSTOP's memory requirement from the current 16
        kilobytes to about 3 kilobytes. Programs, however, are a little
        slower to start, because VIRSTOP must always read the search
        strings from the hard disk before it can check a program prior to
        its execution. When VIRSTOP is run with the /DISK parameter on,
        it records the address of the search strings, thus speeding up
        checks by eliminating the need to search for the strings
        separately every time.

        If the /DISK parameter is in use while VIRSTOP is being updated,
        the two copies of the program, one in memory and one on hard
        disk, do not match, causing the VIRSTOP in memory to use a wrong
        address when accessing the search strings. If such is the case,
        the functioning of VIRSTOP is unpredictable; it may crash the
        computer or otherwise function abnormally. The situation is
        documented in the F-PROT Manual.

        To ensure the reliability of VIRSTOP, the computer must be
        rebooted after updating. Upon next execution, VIRSTOP will mark
        up the address for the new search strings and function normally.
        Rebooting is recommended even if the updating is performed by
        using the Install function of F-PROT, in which case the computer
        may be booted after exiting F-PROT.

        The update can be performed safely by using the network updating
        system, which is available free of charge from either your local
        F-PROT support or Data Fellows Ltd.


Batch File Viruses
------------------

Usually virus writers strive to make their viruses as complex as
possible to prevent anti-virus programs from detecting them. Certain
writers, however, try to push their creations to the utmost limits of
simplicity. Some of them have wanted to create the smallest possible
virus -- at the moment, the smallest virus consists of just 25 bytes --
while others have taken advantage of DOS's relatively simple batch
language and written viruses infecting BAT files.

BAT viruses do not usually pose a serious threat due to their
simplicity. They are generally unable to spread quickly between
computers, so infections that do happen are normally limited to small
areas.

Ralf Burger published the world's first known BAT virus in his book Das
große Computerviren-Buch in 1987, calling it VR.BAT. VR.BAT did not,
however, run purely on DOS batch language, for it also used
machine-language code located in a separate file. Since the virus
destroyed its victim, it generally did not take long for a user to smell
something fishy.


Batman
------

A few other simple BAT viruses have been found since Burger's VR.BAT. At 
the turn of the year, however, a batch file virus unlike any other BAT 
virus previously encountered, called Batman, was discovered. What made 
Batman stand apart from other BAT viruses was its ability to install 
itself into memory. This is possible, since the Batman virus contains 
binary-form machine language code inside the BAT listing.

        @ECHO OFF
        REM  <binary code>
        copy %0 b.com>nul
        b.com
        del b.com
        rem  <binary code>

In other words, the virus first copies itself to B.COM, after which it 
executes this file as a normal COM program. This is made possible by the 
fact that the capital-letter @ECHO OFF and REM commands at the beginning 
of the file translate to machine language instructions which have no 
bearing on the functioning of the virus whatsoever.

        Text                 Code
        -----------------------------------
        @                    INC AX
        E                    INC BP
        C                    INC BX
        H                    DEC AX
        O                    DEC DI
        <space>OF            AND [BX+46],CL
        F                    INC SI
        <enter><next line>R  OR AX,520A
        E                    INC BP
        M                    DEC BP

The first part of the binary code includes a jump command to the end 
part of Batman's code. The end part contains the commands for installing 
the virus into memory. Since Batman does not check memory before 
installing itself, the virus reinstalls itself into memory every time an 
infected file is executed. Little by little, it eats away the available 
memory.

The virus monitors write operations to files while it is active in 
memory. It checks the beginning of files every time they are written 
to. If the file in question starts with the command @ECHO, the virus 
judges it to be a batch file and infects it. Since Batman makes no 
attempt to check whether it has already infected a file, the same file 
can be infected many times over. Moreover, if several copies of the 
virus have installed themselves into memory, every single one of them 
infects the batch files that are being written to.

Case: The Batch Virus "BAT-Parasite" in Finland
-----------------------------------------------
At the beginning of June, the F-PROT Support of Data Fellows Ltd. 
received a letter from Lahti, Finland, signed by a person using the 
pseudonym Pelimies (Player). A diskette containing a virus that spreads 
via BAT files was included in the letter. In the letter, the writer 
explained that the virus had infested his and his friends' computers for 
months, and that it had also infected the microcomputers of his school.   

Closer examination proved the virus to be fully functional, if somewhat 
simple. It consists of four BAT files with a combined length of 1111 
bytes. The virus conceals itself by setting the hidden attribute on 
three of the four files with the DOS command ATTRIB. One of its files, 
CHECK.BAT, begins with the following text:

        Copyright (c) 1993 damage program laboratory,  Finland
        Program  PARASITE
        This version is harmless voyager

The virus was duly named BAT-Parasite.

The virus spreads via diskettes. A contaminated diskette contains one 
visible file, PELI.BAT (Peli is Finnish for "game"), which, when 
executed, copies itself and the hidden virus files to the C:\DOS 
directory. At the same time, BAT-Parasite renames the file FORMAT.COM to 
F.COM. The rename is necessary because DOS looks for a .COM file before 
a .BAT file of the same name; only once FORMAT.COM is out of the way 
does the viral FORMAT.BAT run when the user types FORMAT. FORMAT.BAT 
passes the user's command on to the real program so that the switch goes 
unnoticed.

BAT-Parasite infects diskettes when they are formatted. When the user 
runs FORMAT, the viral FORMAT.BAT first executes F.COM with the command 
line switches the user has given. Having done that, it runs CHECK.BAT, 
which copies the viral files to the freshly formatted diskette.

All the diskettes formatted in a contaminated computer contain the 
visible file PELI.BAT and the three hidden viral files. The creator of 
BAT-Parasite has relied on an enticing name to have people execute the 
BAT file in their computers. When PELI.BAT is executed, the virus copies 
itself from the diskette to the hard disk and displays the message:  

        ERROR,  game not start

after which it terminates its execution.

The virus is unable to spread if a computer does not contain the 
directory C:\DOS. The functioning of BAT-Parasite is also hindered, but 
not completely blocked, by the lack of the programs ATTRIB and FORMAT. 

Even though BAT-Parasite is not a serious threat, it can spread quite 
unnoticed despite its simple structure. The virus can be removed by 
simply deleting the files PELI.BAT, RESIDENT.BAT, CHECK.BAT and 
FORMAT.BAT, and renaming F.COM back to FORMAT.COM. Because three of the 
files carry the hidden attribute, it must be cleared with ATTRIB -H 
first; DEL does not find hidden files.
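The indicators and the removal procedure above are simple enough to 
script. The following Python program is an added example, not part of 
the bulletin and not the virus's own code: it inspects a directory (a 
copy of C:\DOS, or a mounted diskette image) for the four batch files, 
the marker text quoted from CHECK.BAT and the F.COM swap, and undoes 
the infection. The sample directory it builds is constructed: only 
CHECK.BAT is given the quoted marker lines, the other files are 
placeholders, and F.COM is a one-byte stand-in for the renamed FORMAT.COM.

```python
# Added example (not part of the bulletin): check a DOS directory for the
# BAT-Parasite indicators described above and undo the infection the way the
# text prescribes: delete the four batch files and rename F.COM back to
# FORMAT.COM.  The directory is normally C:\DOS; a mounted disk image or a
# copy of the directory works equally well for inspection.
import os
import tempfile

VIRAL_BATS = ("PELI.BAT", "RESIDENT.BAT", "CHECK.BAT", "FORMAT.BAT")
MARKER = b"Program  PARASITE"     # line quoted from CHECK.BAT in the text


def _find(dirpath, name):
    """Case-insensitive lookup: DOS names are case-insensitive, and images
    mounted on other systems may show them in lower case."""
    for entry in os.listdir(dirpath):
        if entry.upper() == name:
            return os.path.join(dirpath, entry)
    return None


def inspect_dos_dir(dosdir):
    """Report which indicators are present.  'infected' requires all four
    batch files plus the marker text, so a user's own FORMAT.BAT or CHECK.BAT
    is not mistaken for the virus; 'format_hijacked' tracks the F.COM swap
    separately, since the text notes the virus still runs without FORMAT."""
    files = {name: _find(dosdir, name) for name in VIRAL_BATS}
    check = files["CHECK.BAT"]
    marker = False
    if check is not None:
        with open(check, "rb") as fh:
            marker = MARKER in fh.read(4096)
    f_com = _find(dosdir, "F.COM")
    format_com = _find(dosdir, "FORMAT.COM")
    return {
        "files": files,
        "marker": marker,
        "infected": all(files.values()) and marker,
        "f_com": f_com,
        "format_hijacked": f_com is not None and format_com is None,
    }


def clean_dos_dir(dosdir, dry_run=True):
    """Return the list of actions; perform them unless dry_run.  On a real
    DOS system the hidden attribute must be cleared first (ATTRIB -H), or
    DEL will not find three of the files."""
    report = inspect_dos_dir(dosdir)
    actions = []
    if report["infected"]:
        for path in report["files"].values():
            actions.append(("delete", path))
            if not dry_run:
                os.remove(path)
        if report["format_hijacked"]:
            target = os.path.join(dosdir, "FORMAT.COM")
            actions.append(("rename", report["f_com"], target))
            if not dry_run:
                os.rename(report["f_com"], target)
    return actions


def build_sample(dosdir):
    """Write a constructed stand-in for an infected C:\\DOS.  Only CHECK.BAT
    carries the marker lines quoted in the text; the other files are
    placeholders, not the virus's real contents."""
    with open(os.path.join(dosdir, "CHECK.BAT"), "wb") as fh:
        fh.write(b"@ECHO OFF\r\n"
                 b"REM Copyright (c) 1993 damage program laboratory,  Finland\r\n"
                 b"REM Program  PARASITE\r\n"
                 b"REM This version is harmless voyager\r\n")
    for name in ("PELI.BAT", "RESIDENT.BAT", "FORMAT.BAT"):
        with open(os.path.join(dosdir, name), "wb") as fh:
            fh.write(b"@REM placeholder\r\n")
    with open(os.path.join(dosdir, "F.COM"), "wb") as fh:
        fh.write(b"\xC3")          # RET: placeholder for the renamed FORMAT.COM


def run_demo():
    """Infect a scratch directory, inspect it, clean it, and re-inspect."""
    dosdir = tempfile.mkdtemp(prefix="dos_")
    build_sample(dosdir)
    before = inspect_dos_dir(dosdir)
    actions = clean_dos_dir(dosdir, dry_run=False)
    after = inspect_dos_dir(dosdir)
    restored = os.path.exists(os.path.join(dosdir, "FORMAT.COM"))
    return before, actions, after, restored


if __name__ == "__main__":
    before, actions, after, restored = run_demo()
    print("infected before:", before["infected"], "hijacked:", before["format_hijacked"])
    for act in actions:
        print(" ", *act)
    print("infected after:", after["infected"], "FORMAT.COM restored:", restored)
```

The marker test matters: FORMAT.BAT and CHECK.BAT are plausible names 
for a user's own batch files, so the presence of the four names alone is 
not enough to justify deleting them.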


Briefly Noted
-------------

Death Penalty for a Computer Felony
-----------------------------------
The death penalty has been carried out in China on a person who hacked 
his way into a bank's computer system. In 1991, Shi Bao embezzled 
192,000 dollars from the Agricultural Bank of China by using a computer. 
Shi Bao was executed as a warning to would-be computer criminals.

A 5000 Dollar Virus Competition
-------------------------------
At the beginning of the summer, Digital Enterprises announced a virus 
competition, the purpose of which was to prove the effectiveness of 
Digital's V-Card Anti-Virus System against viruses. The following 
message was posted to the comp.virus newsgroup, where it whipped up a 
lively discussion, particularly on the ethical questions raised by such 
competitions.

        DIGITAL ENTERPRISES IS CHALLENGING COMPUTER HACKERS to defeat
        its anti-virus technology. The Gaithersburg, Md-based company
        says virus experts have tried unsuccessfully for more than 2
        years to defeat its V-Card Anti-Virus System. It's inviting
        hackers to come to its headquarters through mid-July to try
        their hand at loading a true virus (Trojan horses and bombs
        don't count) onto the system. The computer must be rendered
        non-bootable and files must be non-recoverable while V-Card is
        operating. The company will reward the triumphant hacker with
        $5000.

Viruses for Sale
----------------
On Tuesday the 15th of June, somebody in Canada posted the following 
message to the alt.security newsgroup.

--
From alt.security
From: (DSO)
Newsgroups: alt.security
Subject: Virus writing techniques exposed!
Date: 15 Jun 93 20:28:00 GMT

** MS-DOS Virus Research Kit (Advertisement) **

Virus authors know that ignorance and fear are the best weapons in
their arsenal. They shroud their efforts in hyperbole and propaganda,
how their next work will be the undoing of all PC-users everywhere.
Most, if not all, so called "anti-virus experts" are not privy to the
inside information on modern virus-writing techniques, thus leaving
PC-users unprotected until the next virus strikes. This need not be so.

Unknown to Phalcon/Skism and many other virus groups, some of their
members have contributed to one of the most complete virus research kits
ever assembled. Complete "how to" instructions by the infamous "Dark
Angel" and other authors, COMMENTED SOURCE CODE and disassemblies for
hundreds of virii, and a vast library of "ready to go" compiled virii
(some still undetectable by current anti-virus software!) are included,
along with the infamous VIRUS CREATION LAB (and its new upgrade
package!) and a collection of shareware ASM tools.

The entire kit is about 10MB, and is shipped PKZIP'ed on four 1.2MB
5.25" floppy disks. In our opinion, no PC-user should be without the
invaluable information contained in this kit.

Send 50$ U.S. funds or 75$ Canadian funds (postage included) to:

DSO Enterprises, ** *** **, ******* ***, ********, ******, Canada, ***.

U.S. Orders : Personal checks drawn on U.S. banks can NOT be accepted!
Canadians   : Personal cheques drawn on Canadian banks will delay order!
              Canadian price includes any applicable taxes; orders shipped
              within Canada must be paid in Canadian funds (75$).
Overseas    : Personal checks drawn on foreign banks can NOT be accepted!
              Send in U.S. funds, please!

For fastest processing, send postal or bank money orders. Sorry, no COD's.

"IBM PC"      Copyright International Business Machines
"MS-DOS"      Copyright Microsoft
"PKZIP"       Copyright Phil Katz

Any other references to trademarks are copyright whomever, with apologies.

*****************************************************************************
 Please note that it is a violation of the terms of the contract under which
 this kit is sold to redistribute or resell it in part or whole or to use
 the contents for any purpose other than informational research. Violators
 will be prosecuted for damages! We reserve the right to refuse orders.
*****************************************************************************
--

The previous attempt to peddle viruses in the alt.security area took 
place in January this year, when a person called Albatross tried to sell 
four different virus diskettes. The incident has been discussed at 
greater length in F-PROT 2.07 Update Bulletin.

Virus Writer Groups March Out
-----------------------------
Certain groups of virus writers have recently begun to make themselves 
more conspicuous. The NuKE group, for example, has announced that it 
intends to shift the focus of its efforts from normal computer users to 
makers of anti-virus software. The group is also known to be setting up 
a company called Nuke in the United States. The purpose of this company 
is to protect NuKE's members.

Though NuKE was originally founded in Canada, it nowadays has members 
also in the United States, Australia and Switzerland. The group 
publishes a virus magazine called the NuKE Info Journal. It is spread 
via BBSs and contains, among other things, instructions for virus 
writing. Six issues of the magazine have been published so far. The 
assumed leader of the group, known by the pseudonym `Rock Steady', has 
announced that new issues will continue to appear at a rate of roughly 
one a month.

Another group of virus writers, the United States-based Phalcon/Skism, 
has used the Internet to introduce a system through which anybody with 
an Internet address can acquire functional viruses and material 
discussing virus writing. The group first revealed the existence of its 
system in the underground CyberCrime International message network, and 
since then Phalcon/Skism has actively taken advantage of several 
different occasions to advertise it.


nVIR B for Macintosh in Finland
-------------------------------

An epidemic of the old "B" variant of the nVIR virus was found in 
Helsinki, Finland in May. The virus was identified with the Disinfectant 
anti-virus utility.

The nVIR virus was first discovered in Europe in 1987. Two basic 
variants of the virus, nVIR A and nVIR B, have been found so far, but it 
is probable that an earlier strain of the virus has also existed at some 
time. This variant, however, is currently extinct.

nVIR infects the System file and spreads from there to other 
applications as they are executed. nVIR contains a counter, which it 
sets to 1000 when it infects a System file. The virus subtracts one from 
this counter every time the computer is turned on, and two whenever an 
infected file is executed. Once the counter has reached zero, nVIR A 
says `Don't Panic' at random times if MacinTalk is installed in the 
System Folder. If MacinTalk is not available, the virus beeps instead of 
talking.

Once the counter is at zero, the virus may activate when the computer is 
turned on or when an infected file is executed. The probability of 
activation is 1/16 during booting and 15/128 during the execution of an 
infected file. The probability of the virus talking or beeping twice 
during the execution of an infected file is 1/256.

Since nVIR B does not use MacinTalk, it can only beep occasionally when 
its counter reaches zero. If this strain of the virus has infected a 
computer, it beeps during booting with the probability of 1/8. When an 
infected file is executed, the probability for a single beep is 7/32 and 
for a double beep 1/64.

If nVIR A and nVIR B have both infected the same computer, the strains 
are capable of combining their features and passing them on to their 
offspring. The Disinfectant anti-virus software identifies such viruses 
by both names. There are also different versions of the nVIR B virus, 
such as Hpat, AIDS and MEV#, all of which function just like the 
original nVIR B. Disinfectant recognizes them as nVIR B.

Disinfectant is available at your local F-PROT support.


PC Viruses on Mac Diskettes
---------------------------

In the beginning of the summer, Data Fellows Ltd. received a Macintosh 
diskette containing the Stoned.NoINT virus. The diskette had originally 
been formatted on a Macintosh, but when it had afterwards been used in 
an infected DOS computer, Stoned.NoINT had contaminated it just like an 
ordinary DOS diskette. The diskette could be used normally in a 
Macintosh environment even after the infection.

Even though Mac diskettes cannot be used in DOS computers, boot sector 
viruses can still infect them: a boot sector virus writes itself to the 
first physical sector of whatever diskette is in the drive, without 
regard to the file system the diskette carries. Mac diskettes that have 
accidentally been used in a DOS computer can therefore carry an 
infection as readily as common DOS diskettes, and they must be taken 
into account when an infection is being removed.

The difference between the Macintosh and DOS file systems may lead to 
problems when Mac diskettes are disinfected in place. It is therefore 
sensible only to check such diskettes for viruses and, if they are 
infected, to use a Macintosh to copy the files from the contaminated 
diskettes to a clean storage device. The diskettes can then be formatted 
again.
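How a scanner can tell that a Mac diskette has picked up PC boot code 
is shown by the following Python script, an added example that is not 
part of the bulletin. It relies on two layout facts assumed here: an 
HFS volume keeps its Master Directory Block at byte offset 1024 with 
the signature 'BD', and the HFS boot blocks in the first 1024 bytes 
begin with 'LK' on a bootable System disk and are zeroed on an ordinary 
data disk. A DOS boot sector begins with a JMP (EB or E9) and ends with 
55 AA. The images and the "PC boot sector" below are constructed 
skeletons, not real disk images and not any real virus.

```python
# Added example (not part of the bulletin): tell whether a Macintosh (HFS)
# diskette image has had its first sector replaced by PC boot code.
# Layout facts assumed here: HFS keeps its Master Directory Block at byte
# offset 1024 (logical block 2), signature 'BD'; the HFS boot blocks occupy
# bytes 0-1023 and begin with 'LK' on a bootable System disk, while an
# ordinary data disk leaves them zeroed.  A DOS boot sector begins with a
# JMP (EB or E9) and ends with 55 AA.  A boot sector virus writes to
# physical sector 0 (the first 512 bytes) without caring what file system
# the rest of the diskette holds, which is why a Mac data disk keeps
# working afterwards.
SECTOR = 512
HFS_MDB_OFFSET = 1024


def classify_sector0(sector):
    """Classify the first 512 bytes of a diskette image."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[:2] == b"LK":
        return "hfs-boot"
    if not any(sector[:SECTOR]):
        return "blank"
    if sector[0] in (0xEB, 0xE9) and sector[510:512] == b"\x55\xaa":
        return "dos-boot"
    return "unknown-code"      # non-zero, but no format we recognise


def is_hfs_image(image):
    """True when the HFS Master Directory Block signature is in place."""
    return image[HFS_MDB_OFFSET:HFS_MDB_OFFSET + 2] == b"BD"


def mac_diskette_with_pc_boot_code(image):
    """True when the image carries an HFS volume but sector 0 holds neither
    Mac boot blocks nor zeros.  Detection only: the text recommends copying
    the files off on a Macintosh and reformatting rather than disinfecting
    a Mac diskette in place."""
    return (is_hfs_image(image)
            and classify_sector0(image[:SECTOR]) in ("dos-boot", "unknown-code"))


def make_hfs_skeleton(size=8192, sector0=None):
    """Constructed stand-in for a Mac data diskette: zeros with the HFS MDB
    signature at offset 1024 (a real MDB has many more fields).  sector0,
    if given, overwrites the first 512 bytes."""
    image = bytearray(size)
    image[HFS_MDB_OFFSET:HFS_MDB_OFFSET + 2] = b"BD"
    if sector0 is not None:
        image[:SECTOR] = sector0
    return bytes(image)


def fake_pc_boot_sector():
    """Constructed 512-byte sector that merely looks like PC boot code:
    a short JMP, padding, and the 55 AA signature.  Not any real virus."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    clean_mac = make_hfs_skeleton()
    infected_mac = make_hfs_skeleton(sector0=fake_pc_boot_sector())
    print("clean Mac disk flagged:   ", mac_diskette_with_pc_boot_code(clean_mac))     # False
    print("infected Mac disk flagged:", mac_diskette_with_pc_boot_code(infected_mac))  # True
```

The "unknown-code" class is the one that matters in practice: many boot 
sector viruses do not keep the JMP and 55 AA layout of a DOS boot 
sector, so a non-zero sector 0 on a data disk that should have zeroed 
boot blocks is suspicious on its own.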


Changes to F-PROT in Version 2.09
---------------------------------

VIRSTOP for Windows
-------------------
The VIRSTOP program included in F-PROT 2.09 has been altered to function 
also under Windows. Like its counterpart that functions under DOS, the 
Windows version is a memory-resident program that prevents viruses from 
being executed and infecting the computer. 

Since the Windows support has been built into the internal structure of 
VIRSTOP, the program can be taken into use directly, without additional 
steps such as installing it in Windows. VIRSTOP notices when Windows is 
started and automatically loads its Windows part into memory as one of 
the Windows device driver routines. The VIRSTOP.EXE program file contains 
the code for both the Windows and the DOS parts of the program. VIRSTOP 
needs no other files to function.

A Windows DOS window should not be used to load VIRSTOP, or any other 
TSR program, into memory. We recommend including VIRSTOP in the 
computer's AUTOEXEC.BAT file.

When an attempt to execute an infected program is made from Windows, 
VIRSTOP for Windows stops the execution and warns the user of an 
infected file. If VIRSTOP's /BOOT parameter is on, a corresponding 
warning is given of a diskette infected by a boot sector virus. The 
program's functioning can be tested by executing the familiar F-TEST.COM 
under Windows.

VIRSTOP for Windows displays the virus warnings in text mode. The 
warning box is closed by pressing Enter, after which the previous 
program resumes its execution. VIRSTOP for Windows also monitors the DOS 
windows opened from Windows.

If the keys Ctrl-Alt-Del are pressed, VIRSTOP for Windows cannot check 
the boot sector of a diskette in drive A even if the /WARM switch is 
turned on, because Windows interrupts the computer's functioning during 
a warm boot. The /BOOT switch, which causes VIRSTOP to check the boot 
sectors of all diskettes that are used in the computer, should therefore 
always be used.

The Windows routines of VIRSTOP have been made very small in order to 
save memory. The Windows support increases the memory requirement of 
VIRSTOP's DOS part only by 112 bytes. The device driver loaded during 
the Windows startup takes up approximately five kilobytes of Windows 
memory.  The Windows support of VIRSTOP can, if necessary, also be 
switched off by using the command line parameter /NOWIN.

New Viruses Recognized by F-PROT
--------------------------------
The following 202 new viruses can now be detected, and also removed 
wherever removal is possible at all. It is not always possible, since a 
few of them are primitive overwriting viruses, which destroy the 
original contents of the file they infect. Some of these viruses could 
also be detected by earlier versions, but they are now identified 
accurately.

_125                        Fisher (1100)         Porridge
_160                        Fisher (2420)         Print Monster
_195                        Frajer                Proto-T (Flagyll)
_205                        Freak                 Proto-T (Lockjaw)
_225                        Grunt (346)           Proto-T (Number6)
_604                        Grunt (427)           PS-MPC (897)
_723                        Grunt (473)           PS-MPC (Arcv-9)
_894                        Halley                PS-MPC (Arcv.657.B)
Abraxas                     Hallo                 PS-MPC (Kouch)
Albanian                    Hamster               Puke
Alpha                       HH&H.4093             Radyum (448)
Amt (3000)                  Hitchcock.1238        Radyum (519)
Amt (4000)                  Hoa                   Radyum (860)
Aragorn                     Ice9.Two Minutes      Requires
Arcv (330)                  Infector (444)        Russian Tiny (129)
Arcv (Ice250)               Infector (624)        Russian Tiny (132)
Ash (817)                   Infector (726)        Russian Tiny (143)
Ash (1602)                  Infector (782)        Russian Tiny (145)
Atas II (3213)              Infector (933)        Russian Tiny (146)
Atas II (3233)              Infector (984)        Russian Tiny (156)
Atas II (3321)              Intrep (946)          Screen
Australian Parasite (142)   Intrep (1092)         SillyCR (185)
Australian Parasite (147)   Itti.Toxic            SillyCR (189)
Australian Parasite (150)   James                 SillyCR (212)
Australian Parasite (155)   Jerusalem (Glory)     Silly Ice (159)
Australian Parasite (162)   Jerusalem (Unam)      Silly Ice (199)
Australian Parasite (550)   Jos                   Silly Ice (224)
Australian Parasite (615)   Keypress.1232.C       Skew
Backfont (472)              Kot                   Sleepwalker
Backfont (896)              Kudepsta              Storm.1163
Bad                         Leprosy (Crawler)     STSV.B
Barrotes                    Leprosy (Seneca.493)  Talking Heads
Beer.3192                   Leprosy (Surfer)      Tankard (493)
Butterfly                   Lesson I.263          Tankard (556)
Cascade (1704.J)            Little Girl.1004      Techno
Cascade (1704.H)            Log                   Timid (431)
Cfsk                        Lovechild.2710        Timid (557)
Chang                       Loz                   Trivial (30.C)
Chcc                        LPToff                Trivial (30.D)
Chr                         Luca                  Trivial (32)
Civil war (244)             Lyceum.1888           Trivial (34)
Civil war (Navigator)       Lythium               Trivial (44.B)
Civil War II (599)          Maffy.323             Trivial (68)
Civil War II (901)          Malign (575)          Trivial (71)
Code4-over                  Malign (630)          Trivial (84)
Coffeshop                   Matura.632            Turn
Coib                        Meta.1103             Tver
Cossiga.883.B               Metallica.1739        Ugur
Costeu                      Mithrandir            Ungame
Cpxk                        Mr G.                 Uruk-Hai.427
Crazy Imp.1402              MX                    V3000
Cybertech.Star One          Murphy.Delyrium.1780  VCL (384)
Cysta.2954                  Nanita                VCL (408)
Danish Tiny.Wild Thing      Nazgul                VCL (423)
Dark Avenger.1693           Naziphobia.A          VCL (476)
Dead                        November 17th.855.B   VCL (519)
Deicide II (Breeze)         Omt                   VCL (562)
Deicide II (2570)           Over.4032             VCL (Popoolar)
Denied                      Own                   Vengeance.613
Disdev                      Oxana (1436)          Vienna.1239
Doomsday                    Oxana (1572)          Voodoo
Dupacel                     Oxana (1670)          Wanderer
Dutch Tiny (122)            Oxana (1671)          Wilbur (B)
Dutch Tiny (124B)           Paramon               Wilbur (C)
E-riluttanza                PDP (822)             Willow
End of                      PDP (1477)            WWP
Experiment (416)            PDP (1564)            XAM
Experiment (755)            Perfume.653           Yam.3599
Filehider.1067              Pick                  Youth.970
Filename                    Pitch                 Zaphod
Fish6.B                     Pojer.1919            Ziuck.1372

The following 43 new viruses can now be detected but not yet removed.

AntiExe                 Dir II (H)              PS-MPC.Z10.662
Arcv (839)              Dir II (K)              Rape.Basilisk
Arcv (Benoit)           Explosion               Tchantches
Arcv (Joanna)           Harm                    Terminator II
Arcv (More)             Horror.1137             Tu
Arcv (Sandwich)         Invisible man (2926)    Ultimatum
Arcv (Scroll)           Invisible man (3223)    VCL (394)
Arcv (X-2)              Maffy.478               VCL (Divide.A)
Arusiek                 MSJ                     VCL (Mimic)
Beer.3164               Naziphobia (B)          VCL (Necro)
Black Jec.378           Naziphobia (C)          Vienna.561
Chipshit                No Frills.Dudley        Yankee (XPEH.5648)
Civil War.561           Npox (609)              Yankee (XPEH.5808)
Cysta                   Npox (1686)
Dir II (G)              Npox (1800)

The following 5 viruses can now be disinfected. 

Darth_Vader (3.A)
Darth_Vader (3.B)
Darth_Vader (3.C)
Horse.2248
PCBB.1141

F-PROT 2.09 -- Other Changes
----------------------------
Disinfection of boot sector viruses has been redesigned, and many boot 
sector viruses (most of which were of the "laboratory-only" category) 
that previously could only be detected can now be disinfected, also.

F-PROT 2.08 could not, in all cases, accurately identify Stoned.Azusa, 
but that should be fixed now.

When VIRSTOP /COPY was used, it interfered with Quick Scan, causing 
VIRSTOP, not F-PROT, to display a message about a file being infected. 
This is now fixed.

Before, F-PROT would only remove one "layer" of certain encrypted 
viruses capable of infecting the same file multiple times, such as 
PCBB.1658, forcing the user to disinfect the file several times before 
it was actually clean. This is now fixed.

F-PROT will now always scan the main boot records (MBR) of hard disks 
even if the disk contains no logical partitions.

The behaviour of the /NOFILE switch has been changed -- it now implies 
/NOUSER (in files), /NOPACKED and /NOTROJAN as well.

A new exit code, 7, has been added: It indicates insufficient memory. 
Previously F-PROT would return errorlevel 1 (general error) in such a 
case.

-------------------------------------------------------------------------------

F-PROT 2.09 Update Bulletin Copyright (c) 1993 Data Fellows Ltd


<*** End of File ***>
