F-PROT Professional 2.18 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This material can be freely quoted in Europe, Africa and Asia when
the source, F-PROT Professional Update Bulletin 2.18 is mentioned.
Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 3/95
=============

1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
The Global Virus Situation
        A Packet of 2800 Viruses in the Internet
        Let the Good Times Roll
        Dual_GTM in France
A New Version of Disinfectant Now Available
Viruses in the Wild
News in Short
        Data Fellows Ltd's Popular WWW Service
        F-PROT Professional Praised by Monitor Magazine Slovenia
Hong Kong's First Hacker Case
Common Questions and Answers
Changes in F-PROT Professional version 2.18


1994 WAS GOOD - 1995 LOOKS EVEN BETTER!
---------------------------------------

F-PROT Professional has been quite a success. To illustrate 
the development: F-PROT sales in Finland increased by 144% 
during 1994 compared with the previous year. Exports 
increased by 147%.

During the first three months of 1995 our F-PROT sales 
outside Finland have grown by more than 250%. The growth 
rate in sales in Finland is somewhat smaller than last year 
but remains considerable.

Many large international companies have chosen F-PROT. Our 
release of the first device driver-based full scanner has 
made a considerable impact on the market. Our forthcoming 
Windows NT version will be one of the first, as well.

Data Fellows has been a profitable, debt-free company from 
its first fiscal year, 1989, onwards. We have never been in 
as good a shape as now to take on the challenge of the 
evolving anti-virus market.

The Global Virus Situation
--------------------------

A Packet of 2800 Viruses in the Internet
----------------------------------------
In the middle of April, a private user in Canada posted a 
ZIP file containing over 2800 computer viruses to a Usenet 
newsgroup dedicated to computer viruses. The newsgroup was 
accessible from hundreds of thousands of computers all over 
the world. However, the packet did not present an immediate 
threat: users had to decode and extract it first in order to 
run the viruses, and this does not happen automatically.

The packet raised a lively discussion about the freedom of 
speech and its limits. There was also contention about 
whether the spreading of such packets serves some purpose.

F-PROT is able to detect the 2806 viruses included in the 
packet.

Let the Good Times Roll
-----------------------
In this year's first Update Bulletin, we published an 
article about the "Good Times" virus hoax which was going on 
in the Internet. The Good Times rumor was thought to be well 
on its way to extinction, but it seems to have gained new 
strength recently.

The Good Times hoax is based on warning messages which carry 
the subject "Good Times". These messages warn about other 
messages titled "Good Times", claiming that they contain a 
dangerous virus which activates when the message is read. 
Finally, the messages exhort users to spread the warning 
message as widely as possible.

Despite extensive efforts to put a stop to Good Times, the 
messages have continued to spread and multiply in numerous 
e-mail systems worldwide. On some occasions, Good Times 
warnings have even been published in newspapers and 
broadcast on radio.

As was to be expected, it did not take too long for virus 
writers to realize how they could take advantage of the Good 
Times rumor. In April, an Australian virus group known as 
VLAD published a real PC virus called 'Good Times'. This 
version of 'Good Times' is an ordinary file virus which 
infects COM and EXE files. To further confuse the issue, the 
following message is included in the virus's source code:

; The act of loading the file
; into a mail server's ASCII
; buffer causes the "Good
; Times" mainline program to
; initialize and execute.
; Remember to email all your
; friends, warning them about
; Good Times!

For obvious reasons, anti-virus programs will not recognize 
this virus by the name 'Good Times'. Instead, it has been 
named 'GT-Spoof'. A similar incident also took place at the 
beginning of 1993. It involved a rumor about a fictional 
virus called 'Proto-T', which was soon followed by the real 
thing. This incident was discussed in the F-PROT 2.07 Update 
Bulletin.

Dual_GTM in France
------------------
Reported by Pierre Vandevenne, DataRescue, Belgium

The Dual_GTM virus is in the wild and has been reported in 
France during May 95. It is a memory-resident COM and EXE 
file infector. Programs are infected when they are executed.

Dual_GTM avoids infecting EXE files whose names begin with 
SCAN, CLEA and QBAS. Its COM infection routine is buggy and 
multiple infections of the same COM file are possible. 

The code of the virus presents some irritating 
characteristics: the virus tries to avoid heuristic 
scanners by doing its things in a non-obvious way. For 
example, when it wants to move the value 4200 to a register, 
it will first move 4201 and then decrease the value of the 
register by one.

The virus activates on the 20th of March if the year is 
greater than 1993. At this time the virus beeps and slowly 
displays the text: "Beware of the BUG !!!". After this the 
virus hangs the machine. Otherwise the activation routine is 
harmless; Dual_GTM's main danger lies in its buggy infection 
routine that can corrupt the files it infects.
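The trick described in the report above (loading 4201 and then decrementing it where 4200 is meant) defeats a heuristic that only looks for the constant itself. The following is an added example, not code from the bulletin, from F-PROT or from the DataRescue report: a small folding pass that runs over an already-decoded, simplified instruction stream and collapses such adjustments, so that a rule written against the effective constant still fires. The tuple representation, the register names and the two sample streams are a constructed toy model, not a real x86 decoder or disassembly of any real virus.

```python
"""Folding split immediates before heuristic matching (added example)."""
from typing import Dict, List, Optional, Tuple

Instr = Tuple  # ("mov", reg, imm) | ("inc"/"dec", reg) | ("add"/"sub", reg, imm) | anything else

MASK16 = 0xFFFF  # 16-bit registers wrap around on overflow


def _delta(ins: Instr) -> Optional[int]:
    """Return how an adjusting instruction changes its register, or None if it
    is not a recognised immediate adjustment."""
    op = ins[0]
    if op == "inc" and len(ins) == 2:
        return 1
    if op == "dec" and len(ins) == 2:
        return -1
    if op in ("add", "sub") and len(ins) == 3 and isinstance(ins[2], int):
        return ins[2] if op == "add" else -ins[2]
    return None


def fold_immediates(stream: List[Instr]) -> List[Instr]:
    """Collapse 'mov reg, imm' plus later inc/dec/add/sub on the same register
    into a single mov carrying the effective immediate.

    Any instruction other than an immediate mov or a recognised adjustment is
    treated as a barrier: it may read or write registers, so earlier movs are
    no longer folded after it (conservative on purpose).
    """
    out: List[Instr] = []
    pending: Dict[str, int] = {}  # register -> index in `out` of its foldable mov
    for ins in stream:
        d = _delta(ins)
        if ins[0] == "mov" and len(ins) == 3 and isinstance(ins[2], int):
            out.append(ins)
            pending[ins[1]] = len(out) - 1
        elif d is not None and ins[1] in pending:
            idx = pending[ins[1]]
            reg, imm = out[idx][1], out[idx][2]
            out[idx] = ("mov", reg, (imm + d) & MASK16)
        else:
            out.append(ins)
            pending.clear()
    return out


def loads_constant(stream: List[Instr], reg: str, value: int) -> bool:
    """Heuristic rule: does the stream, after folding, load `value` into `reg`?"""
    return any(i[0] == "mov" and i[1] == reg and i[2] == value
               for i in fold_immediates(stream))


# Constructed sample streams; "int 21h" is the DOS service call the value feeds.
DIRECT = [("mov", "ax", 4200), ("int", 0x21)]
EVASIVE = [("mov", "ax", 4201), ("dec", "ax"), ("int", 0x21)]

if __name__ == "__main__":
    for name, s in (("direct", DIRECT), ("evasive", EVASIVE)):
        raw = any(i == ("mov", "ax", 4200) for i in s)
        print(f"{name}: raw match={raw}, folded match={loads_constant(s, 'ax', 4200)}")
```

The barrier rule matters more than the folding itself: a pass that keeps folding across an instruction that reads the register would report constants the code never actually uses, which is how heuristics earn their false-alarm reputation.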

A New Version of Disinfectant Now Available
-------------------------------------------
Things have been slow in the world of Macintosh viruses for 
a long time, but the pace seems to be picking up again. In 
April, a new variant of the old nVIR B virus was discovered 
and dubbed CLAP. The capability to detect this virus has 
been added to most Macintosh anti-virus programs. If there 
are Macintosh workstations in your organization, you can 
order an updated version of the Disinfectant anti-virus 
program from your F-PROT distributor or directly from our 
F-PROT Support without a separate charge.

Viruses in the Wild
-------------------
According to the latest "Wildlist" statistic, the world's 
most common viruses at the moment are AntiEXE.A, 
Cascade.1701.A, Form.A, Green_Caterpillar.1575, 
Jerusalem.1808.Standard.A, Joshi.A, Kampana.A, 
Parity_Boot.B, Ripper, Stoned.Azusa.A, 
Stoned.Empire.Monkey.B, Stoned.Michelangelo.A, 
Stoned.Standard.A, Tequila.A and V-Sign.

The list of common viruses published in May contained 
altogether 222 different viruses.

Wildlist is compiled and maintained by the IBM employee Joe 
Wells (jwells@watson.ibm.com). In this, he is assisted by 30 
anti-virus parties from all over the world, including Data 
Fellows Ltd.

Wildlist is available from your local F-PROT distributor or 
directly from Data Fellows Ltd's F-PROT Support.

News in Short
-------------

Data Fellows Ltd's Popular WWW Service
--------------------------------------
Data Fellows Ltd's WWW service has proved very popular. Our 
host server went on-line a year ago, and so far it has 
served over 25000 visitors. Visitors continue to be welcome at:

http://www.datafellows.fi/

F-PROT Professional Praised by Monitor Magazine Slovenia
--------------------------------------------------------
The Slovenian Monitor Magazine published a comprehensive test of
anti-virus products in its April issue. F-PROT Professional was
proclaimed the editors' choice as a hands-down winner over the other
contestants. The technology used by F-PROT Gatekeeper was especially
praised. During 1995, F-PROT has also prospered in tests published
by the Virus Bulletin and SECURE Computing magazines, among others.

Hong Kong's First Hacker Case
-----------------------------
Reported by Allan Dyer (adyer@yuikee.com.hk) of Yui Kee Co. 
Ltd, Hong Kong:

Raymond Chen, son of a Hong Kong University lecturer, has 
become Hong Kong's first convicted Internet Hacker. He was 
convicted on three counts under the Telecommunications 
Ordinance and ordered to pay fines and costs totaling 
HK$45,000. The magistrate indicated his wish to deter 
others, saying, "Although a deterrent sentence is not 
usually imposed upon a first offender, there is no absolute 
bar".

The offenses took place between August and October 1994, and 
involved access to computers operated by Hong Kong 
Polytechnic and Hong Kong University of Science and 
Technology. After a monitoring operation, the Commercial 
Crimes Bureau officers gained access to Mr. Chen's home 
posing as neighbors concerned about a water leak, and seized 
the computing equipment.

Raymond Chen is considering an appeal and claims he may have 
been framed by the gay community: "I didn't do anything 
except harass the fags and of course I harass them 
mercilessly", referring to his activities on IRC. Chen 
claimed he had been given the passwords to various friends' 
accounts as "payment" for technical assistance. Police and 
local Internet experts dismissed his claims of being framed.

Chen was not convicted under the Computer Crimes Ordinance, 
as there was no evidence that he had any criminal or 
dishonest intent in his unauthorized access.

Common Questions and Answers
----------------------------

If you have questions about information security or virus 
prevention, contact your local F-PROT distributor. You can 
also contact Data Fellows directly in the number +350-0-478 
444.

Written questions can be mailed to: Data Fellows Ltd, F-PROT 
Support, Paivantaite 8, 02210 ESPOO, FINLAND.

Questions can also be sent by electronic mail to: Internet: 
f-prot@datafellows.fi; X.400: S=F-PROT, OU1=DF, O=elma, 
P=inet, A=mailnet C=fi; 

        Should DLL files be checked for viruses? I compared
        different anti-virus programs and noticed that, in addition
        to the normal COM, EXE and overlay files, some of them also
        scan files with the DLL extension by default.

Under normal conditions, it is not worth the effort to check 
DLL files. Including them in the virus check only slows down 
scanning but does not really provide any additional 
security.

DLL files are structurally similar to Windows EXE files. 
They are divided into two separate parts: a basic DOS stub 
and the actual Windows code section. The only purpose of the 
DOS section is to print "This program requires Windows" or 
something similar on the screen. Many DOS viruses 
distinguish between COM and EXE files by checking whether 
the file begins with the signature 'MZ'. DLL files contain 
the MZ marker.

So far, no viruses which try to spread by infecting DLL 
files have been found. However, DLL files may occasionally 
contain viruses. This may be due to the following reasons:

1) The virus infects all files. For example, viruses which 
belong to the Trivial family write their code on all files 
located in the same directory.

2) The virus is meant to infect only normal program files, 
but, due to a programming error, it also infects other 
files, including DLLs.

3) The virus infects all executed files which contain the 
EXE header. Since DLL files are never executed in the 
traditional sense of the word, the only way to get a virus 
to infect them is to change their file extension to EXE and 
run them under DOS.

4) Some multipartite viruses monitor disk writes. Whenever a 
sector beginning with an EXE header or the 'MZ' marker is 
written to the disk, these viruses add their own code to it. 
BootExe is one of these viruses. It may infect also DLL 
files.

Cases 1) and 2) are not valid reasons for including DLL 
files in particular in the virus scan. Such viruses will 
also infect, for instance, TXT and XLS files, corrupting 
them in the process. To find all copies of such viruses, it 
is necessary to scan all files, including data files. The 
entries describing these viruses in F-PROT's virus database 
contain reminders about the necessity of a comprehensive 
data file scan.

Cases 3) and 4) can be used as arguments for a DLL scan. 
However, in such cases the virus will also infect all other 
Windows files containing an EXE header. This means, for 
example, all files with the extensions 386, CPL, DRV, FON, 
FOT and VBX. These files are as likely to get infected as 
DLL files, but there are no anti-virus programs which 
include them in the scan by default.

The general rules about virus infections also apply to cases 
involving DLL files. Normally, only program files should be 
scanned. However, if a virus is found, ALL files should be 
checked, including DLLs and data files, just to be on the 
safe side.

What happens to a DLL file if it is infected by a virus? 
That depends on the structure of the original file. Since 
viruses do not target DLL files in particular, the infection 
usually damages the file so badly that an attempt to use it 
leads to an error message. Even if the file remains 
functional, the virus cannot spread from it under normal 
conditions; the only way to get a virus to spread from such 
a file is to change its extension to EXE and execute it 
under DOS.

So far, no viruses which infect exclusively DLL files have 
been found. There haven't even been cases where a virus 
could spread from a DLL file without considerable help from 
the user. Therefore, it is not necessary to include DLL 
files in the virus scan.
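The answer above rests on two points a scanner author can turn into code: a DLL is laid out like a Windows EXE (an 'MZ' DOS stub followed by the real Windows header), and the same layout is shared by files with extensions such as 386, CPL, DRV, FON, FOT and VBX that extension-based scanning does not cover by default. The following is an added example, not code from the bulletin or from F-PROT: a small classifier that recognises an executable by its header rather than its name, plus a selection routine that implements the answer's policy (program files normally, everything once an infection has been found). The e_lfanew and e_lfarlc header fields and the 'NE' and 'PE\0\0' signatures are the real MZ/NE/PE conventions; the file images built by make_image are constructed stand-ins, not real binaries, and the OVL extension is assumed as the usual spelling of "overlay files".

```python
"""Selecting files to scan by header rather than by extension (added example)."""
import struct
from typing import Iterable, List, Tuple

# "Normal" program files: COM has no header at all, so the extension is all we have.
DEFAULT_EXTENSIONS = {"COM", "EXE", "OVL"}
# Windows files that carry the same MZ layout as EXE and DLL (listed in the answer above).
WINDOWS_EXTENSIONS = {"DLL", "386", "CPL", "DRV", "FON", "FOT", "VBX"}


def classify(data: bytes) -> str:
    """Return 'none', 'dos', 'ne' (16-bit Windows) or 'pe' (Win32) for a file image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "none"
    # A "new" header is only present when the relocation table starts at 0x40 or later;
    # e_lfanew (offset 0x3C) then gives the offset of the NE/PE header.
    (e_lfarlc,) = struct.unpack_from("<H", data, 0x18)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfarlc < 0x40 or e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne"
    if sig == b"PE\0\0":
        return "pe"
    return "dos"


def make_image(kind: str) -> bytes:
    """Build a minimal constructed file image of the given kind (not a real binary)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    if kind == "dos":
        struct.pack_into("<H", header, 0x18, 0x1C)   # classic DOS relocation-table offset
        return bytes(header) + b"\xCD\x20"           # stub body: int 20h, terminate
    struct.pack_into("<H", header, 0x18, 0x40)
    stub = b"This program requires Microsoft Windows.\r\n$"  # the stub message the answer mentions
    new_off = 0x40 + len(stub)
    struct.pack_into("<I", header, 0x3C, new_off)
    new_hdr = b"NE" + bytes(62) if kind == "ne" else b"PE\0\0" + bytes(20)
    return bytes(header) + stub + new_hdr


def select_for_scan(files: Iterable[Tuple[str, bytes]], infection_found: bool = False) -> List[str]:
    """Apply the answer's policy: normally scan program files (by extension) plus
    anything whose header says it is an executable, whatever its extension;
    after a confirmed infection, scan every file including data files."""
    chosen = []
    for name, data in files:
        ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
        if infection_found or ext in DEFAULT_EXTENSIONS or classify(data) != "none":
            chosen.append(name)
    return chosen


# Constructed sample directory listing.
SAMPLE_FILES = [
    ("README.TXT", b"plain text, no header"),
    ("LIB.DLL", make_image("ne")),
    ("CMD.COM", b"\xCD\x20"),
    ("CTL.CPL", make_image("ne")),
    ("TOOL.EXE", make_image("dos")),
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(f"{name:12s} {classify(data)}")
    print("normal scan:   ", select_for_scan(SAMPLE_FILES))
    print("after infection:", select_for_scan(SAMPLE_FILES, infection_found=True))
```

Selecting by header generalises the answer's point slightly: it picks up the 386/CPL/DRV family without a growing extension list, while still honouring the "everything after an infection" rule for the Trivial-style viruses that write into data files.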

        Are there any viruses which can spread through GIF or JPG
        files?

No. Next question, please.

        Can viruses hide themselves in the video RAM or CMOS memory?
        What about the memory of peripherals, such as printers or
        modems?

Video RAM is structurally similar to normal PC computer 
memory, so it is possible to execute programs in it. There 
are known viruses that install themselves in video RAM. 
However, this doesn't pose any special challenge to anti-
virus programs, as these viruses can readily be detected 
from there. 

CMOS memory is backed up with a battery, so it doesn't 
disappear when you turn off the computer. However, CMOS is 
very small and its contents never get executed. Thus, you 
can't run any programs in it. There are viruses that do 
corrupt the information in CMOS, but they can't hide in it.

Some printers and modems have non-volatile memory, but it is 
not technically possible to write a program that would 
"infect" that memory. Besides, such a program could not 
spread from the peripheral back to the main PC.

Changes in F-PROT Professional version 2.18
-------------------------------------------

Changes in F-PROT for DOS

The following problem has been corrected:

The virus No_of_the_Beast was not disinfected
correctly.

The following false alarm has been fixed:

The latest version of McAfee's CLEAN.DAT file contains
some unencrypted code taken from the November_17th virus, 
and this caused F-PROT to give a false alarm. McAfee is 
expected to correct this, but in the meantime F-PROT has 
also been provided with the means to avoid giving a false 
alarm on this file.

Minor Changes

Files infected by the Cybercide.1307 virus are usually
unable to start afterwards. F-PROT can now disinfect these 
files also.

Changes in F-PROT for Windows

The default font size used by DFWIN has been changed.
The program now uses a font which has readable proportions. 
This was a problem in some environments.

Installation support for TSR programs has been added to
Autoinst. For example, VIRSTOP.EXE can now be defined to be 
installed from AUTOEXEC.BAT.

We have created a Windows version of the Autoinst
program. The program uses the same INI files as the DOS
version. The name of the program file is AUTOW31.EXE.

Autoinst supports the installation of F-PROT
Gatekeeper's F-PROTW.386 file from the local directory:

The setting "f-protw.386=" can be used to define the path of 
the F-PROTW.386 device driver in SYSTEM.INI. When this 
setting is used, the defined path, instead of the 
installation's destination directory, is added to 
SYSTEM.INI. This makes it possible to load the device driver 
from a different location than F-PROT Gatekeeper's other 
files. For example:

        [Gatekeeper]
        f-protw.386=c:\f-protw.386

Autoinst will also write a corresponding setting to the 
F-PROTW.INI file. Thus, the setting in SYSTEM.INI will remain 
correct even when F-PROT Gatekeeper is activated from 
F-Agent with a menu command. The setting is needed in 
environments where network disks become accessible only 
after Windows is started.
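The rule described above has two cases (an explicit "f-protw.386=" path under [Gatekeeper] wins; otherwise the driver is expected in the installation's destination directory) and one practical trap: an installer that is re-run must replace its earlier SYSTEM.INI entry rather than add a second one. The following is an added example, not code from the bulletin or from Data Fellows' Autoinst, showing both. The Autoinst INI text and the SYSTEM.INI fragment are constructed; the [386Enh] section and "device=" key are assumed as the layout Windows 3.x uses for virtual device drivers, since the bulletin itself does not spell out where the path ends up.

```python
"""Resolving and writing the F-PROTW.386 path as Autoinst describes (added example)."""
import configparser
from pathlib import PureWindowsPath

DRIVER_NAME = "F-PROTW.386"


def resolve_driver_path(autoinst_ini: str, destination_dir: str) -> str:
    """Explicit [Gatekeeper] f-protw.386= value wins; an empty or missing value
    falls back to the installation's destination directory."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(autoinst_ini)
    explicit = cfg.get("Gatekeeper", "f-protw.386", fallback="").strip()
    if explicit:
        return explicit
    return str(PureWindowsPath(destination_dir) / DRIVER_NAME)


def update_system_ini(system_ini: str, driver_path: str) -> str:
    """Return SYSTEM.INI text with exactly one device= line for the driver under
    [386Enh] (assumed section and key). Re-running with a new path replaces the
    old line instead of accumulating duplicates; other device= lines are kept."""
    out, section, written = [], None, False
    for line in system_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if section == "386Enh" and not written:
                out.append(f"device={driver_path}")   # leaving [386Enh] without our line: add it
                written = True
            section = stripped[1:-1]
            out.append(line)
            continue
        if (section == "386Enh" and stripped.lower().startswith("device=")
                and stripped.upper().endswith(DRIVER_NAME)):
            if not written:
                out.append(f"device={driver_path}")   # first stale entry is replaced
                written = True
            continue                                  # further stale entries are dropped
        out.append(line)
    if not written:
        if section != "386Enh":
            out.append("[386Enh]")
        out.append(f"device={driver_path}")
    return "\n".join(out) + "\n"


# Constructed sample input (the [Gatekeeper] example from the bulletin, plus a
# made-up SYSTEM.INI that still carries the path from an earlier installation).
AUTOINST_INI = "[Gatekeeper]\nf-protw.386=c:\\f-protw.386\n"
AUTOINST_INI_EMPTY = "[Gatekeeper]\nf-protw.386=\n"
SYSTEM_INI = (
    "[boot]\nshell=progman.exe\n"
    "[386Enh]\ndevice=other.386\ndevice=C:\\F-PROT\\F-PROTW.386\n"
    "[drivers]\nwave=other.drv\n"
)

if __name__ == "__main__":
    path = resolve_driver_path(AUTOINST_INI, "C:\\F-PROT")
    print("driver path:", path)
    print(update_system_ini(SYSTEM_INI, path))
```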

New Viruses Detected by F-PROT 2.18
-----------------------------------
The following 31 viruses are now identified, but cannot be 
removed as they overwrite or corrupt infected files.  Some 
of them were detected by earlier versions of F-PROT, but not 
identified accurately.

Explorer.3063
Fkiller
HLLO.3853
HLLO.4870.C
HLLO.8000
HLLO.14186
Itti.99.B
Leprosy.551
Leprosy.666.J
Leprosy.666.N
Leprosy.666.O
Leprosy.666.P
Leprosy.666.Q
Leprosy.999
Leprosy.BadCommand
Leprosy.Merci
Leprosy.YH.880
Quasar.523
Raving
Rush_Hour.A
Rush_Hour.B
Rush_Hour.C
Rush_Hour.D
Rush_Hour.E
Suriv-1.Lunch
Trivial.B&B
Trivial.Diddle
Trivial.FTW.101
Trivial.FTW.192
Trivial.Lame.98
Trivial.Lame.173

The following 258 new viruses can now be removed.  Many of 
them were detected by earlier versions, but are now 
identified accurately.

_814
_935
_1106
_1203
_1320
_1376
Adin
Alphabet
Amazon.468
Amazon.479
Amazon.500
AT.160
Avalanche
Bengal.863
Better_World.G
Blava
Bobas
BootCom
Bua
Bupt.1261.B
BW.311
Cascade.1701.AD
Cascade.1701.AH
Cascade.1701.AI
CCC
Chukc.554
Chukc.838
CK.777
Clouds.588
Clouds.657
Clouds.718
Cluster.277
Croatia
Darv
Dead.979
Dead.1190
Dead.1459
Dead.1601
DK
Drag
DvD
Fax_Free.1536.Meco.D
Fax_Free.1536.New.A
Fax_Free.1536.New.B
Five_eights.609
Flash.688.E
Friday_the_13th.456
Fumble.801
Fumble.867.B
Funked.425
Funked.429
Glitch.407
Gondor
Green_Caterpillar.1575.J
Heja.623
HI.802
HI.892
HLL.4109
HLL.6176
HLL.Kasienka
HLL.Sauron
HLLC.10832
Immigrant
Insert
IVP.Angry_Samoans.593
IVP.Executor.429
IVP.Executor.460
IVP.Executor.473
IVP.Executor.507
IVP.Executor.522
IVP.Executor.583
IVP.Hot_Zone.561
IVP.Hot_Zone.815
IVP.Infesto.561
IVP.Infesto.604
IVP.Infesto.679
IVP.Infesto.697
IVP.Replico.317
IVP.Replico.324
IVP.Replico.350
IVP.Replico.352
IVP.Replico.357
IVP.Replico.390
IVP.Replico.392
IVP.Replico.422
IVP.Replico.462
IVP.Replico.478
IVP.Replico.495
Jerusalem.1808.Blank.E
Jerusalem.1808.new10
Jerusalem.1808.SuMsDos.AR
Jerusalem.Rulis
Kaczor
Kak
Kela.690
Keyb.667
Keyb.756
Keyb.873
Khiznjak
Lame.538
Liberty.2857.H
LPT-off.271
Lutil
Magda
Magdazie.1114
Marky
Marzia.P
Mephisto.654
Mephisto.1000
Mephisto.1242
Milikk
Ming.1262
Mnem.859
Morbid
Mr_Twister.453
Natas.4740
Natas.4766
New_model
Neither
No_frills.813
No_frills.815
November_17th.800.C
Npox.630
Number_of_the_Beast.AA
Number_of_the_Beast.AB
Olga
Peligro
Pendule.1059
Phalcon.Maria_K.1118
Pieck
Playgame.A
Playgame.B
Possessed.2167
Princeptor
PS-MPC.246
PS-MPC.574.G
PS-MPC.574.H
PS-MPC.582.A
PS-MPC.582.B
PS-MPC.583
PS-MPC.G2.Puppet
PS-MPC.Shrimp.358
PS-MPC.Shrimp.423
PS-MPC.Skeleton.591.A
PS-MPC.Skeleton.591.B
PS-MPC.Skeleton.591.C
PS-MPC.Skeleton.591.D
PS-MPC.Skeleton.592.A
PS-MPC.Skeleton.592.B
PS-MPC.Skeleton.592.C
PS-MPC.Skeleton.592.D
PS-MPC.Skeleton.592.E
PS-MPC.Skeleton.592.F
PS-MPC.Skeleton.592.G
PS-MPC.Skeleton.592.H
PS-MPC.Skeleton.592.I
PS-MPC.Skeleton.592.J
PS-MPC.Skeleton.592.K
PS-MPC.Skeleton.592.L
PS-MPC.Skeleton.592.M
PS-MPC.Skeleton.592.N
PS-MPC.Skeleton.592.O
PS-MPC.Skeleton.592.P
PS-MPC.Skeleton.592.Q
PS-MPC.Skeleton.593.A
PS-MPC.Skeleton.593.B
PS-MPC.Skeleton.593.C
PS-MPC.Skeleton.593.D
PS-MPC.Skeleton.593.E
PS-MPC.Skeleton.593.F
PS-MPC.Skeleton.596.A
PS-MPC.Skeleton.596.B
PS-MPC.Skeleton.596.C
PS-MPC.Skeleton.596.D
PS-MPC.Skeleton.597.A
PS-MPC.Skeleton.597.B
PS-MPC.Skeleton.597.C
PS-MPC.Skeleton.597.D
PS-MPC.Skeleton.597.E
PS-MPC.Skeleton.597.F
PS-MPC.Skeleton.597.G
PS-MPC.Skeleton.597.H
PS-MPC.Skeleton.597.I
PS-MPC.Skeleton.597.J
PS-MPC.Skeleton.597.K
PS-MPC.Skeleton.597.L
PS-MPC.Skeleton.597.M
PS-MPC.Skeleton.597.N
PS-MPC.Skeleton.597.O
PS-MPC.Skeleton.597.P
PS-MPC.Skeleton.598.A
PS-MPC.Skeleton.598.B
PS-MPC.Skeleton.598.C
PS-MPC.Skeleton.598.D
PS-MPC.Skeleton.598.E
PS-MPC.Skeleton.598.F
PS-MPC.Toys.762
Rex
Rosario
Sarampo
Select.1112
Select.1258
SillyC.106
SillyC.113
SillyC.126
SillyC.140
SillyC.155
SillyC.207.B
SillyC.292
SillyCER.263
SillyCER.266
SillyCR.122
SillyCR.132
SillyCR.178
Small_comp.85
Small_comp.87
Sofia.432
Sofia.528
Sphinx
Storm.1153.B
Svirus
Synergy
Tankar
Tigre
Timid.303.B
Tokyo.1258
Topa.2476
Trance
Trident.1313
Uneasy.658
UVR
Variable_Worm
Vbasic.H
Vbasic.I
VCL.380
VCL.417
VCL.Dad
VCL.Dummy
VCL.Fillo
Vcode.2262
VE.504
Vienna.574
Vienna.923
Virnn.1023
Virnn.1100
Viros
Volk.B
Volk.C
Waria
Wanderer.400.B
Wanderer.484
Witcode.1728
Xora
XTC
Yankee_Doodle.1223
Yesmile.4320
Yesmile.5504
Zor

The following 84 new viruses are now detected and identified 
but cannot yet be removed.

Alien.1976
Antipode
Ass
Attitude.723
Backform.2345
Backform.2381
Bad_Boy.1000.C
Bad_Boy.1041
Bad_Boy.1075
Bad_Boy.1135
Bandersnatch
Blueshark
Civil_Defense.A
Civil_Defense.B
Civil_Defense.C
Civil_Defense.D
Delwin.1199
DigDeath.958
DigDeath.963
Exe252
Exeheader.324
Exeheader.440
Father_Mac.306
Father_Mac.797
Father_Mac.838
Frida
Godzilla
Goomba
Halka.720
Hamburger
HWF
Jerusalem.CVEX.5120.B
Jerusalem.CVEX.5120.C
Jerusalem.CVEX.5120.D
Jerusalem.CVEX.5120.E
Jerusalem.CVEX.5120.F
Jerusalem.CVEX.5120.G
Jerusalem.CVEX.5120.H
Jerusalem.CVEX.5120.I
Jerusalem.CVEX.5120.J
June_12th,2695
Lame.435
MacGyver.3160
MacGyver.4112
MacGyver.4480
MacGyver.4643
MacGyver.4645
Mantis.1258
Marauder.855
Marbas
Mike.252
Mike.256
Mnem.918
Monarch
Mz1
Mzboot
Keko.1964
Keko.1990
Keko.2690
Mephisto.615
Mephisto.815
Mephisto.914
Mephisto.928
Mephisto.937
Mephisto.938
Norge
November_17th.1061
NRLG.776
NRLG.992
NRLG.1030
NRLG.1038
Olexy
Oops
Riot.Carpe_Diem.462
Riot.Carpe_Diem.1033
ShineAway
SillyCR.86
Socks
Stalker.310
Stalker.320
Uvst
Vlad.651
Vlad.692
Xuxa.1096

The following 9 new viruses are now detected, but not 
identified. F-PROT will just report the virus family name 
with a (?), or report the virus as "New or modified 
variant", as it is not yet able to determine which variant 
it is dealing with. Disinfection of these viruses is not yet 
possible.

DR&ET
Dream
GT-spoof
K-hate
Rajaat.871
Maverick.A
Maverick.B
Maverick.C
Unfo

The following 6 viruses which were identified by earlier 
versions can now be removed.

Clone
McGyver.2803.A
McGyver.2803.B
Necropolis.A
Necropolis.B
Necropolis.C

The following viruses have been renamed:

Pollution.*	->>	 Riot.Pollution.*
Carpe_Diem.*	->>	 Riot.Carpe_Diem.*
