F-PROT Professional 2.19 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This material can be freely quoted in Europe, Africa and Asia when
the source, F-PROT Professional Update Bulletin 2.19 is mentioned.
Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 4/95
=============

Is the Increase of Viruses Slowing Down?
Correction
Viruses and Windows NT
Viruses and Windows 95
The Global Virus Situation
        Buptboot
        Crazyboot
        Tai-Pan.438.B
        Vienna.Bua
        Zarm
        Byway
News in Short
        Michelangelo.A on Driver Diskettes
        PKZIP-Trojans on the Move
Common Questions and Answers
Changes in F-PROT Professional version 2.19


Is the Increase of Viruses Slowing Down?
----------------------------------------

For almost ten years, people have been predicting the imminent 
demise and disappearance of DOS. At the end of the eighties, 
OS/2 was supposed to replace DOS in two or three years, maximum. 
In the nineties, Windows inherited the DOS-killer mantle. 
Nowadays, the nomination has passed to Windows 95, Windows NT 
and OS/2 Warp.

When estimating the life-span of DOS, one must consider the 
existing computer equipment and new sales separately. In the new 
sales department, DOS will undoubtedly lose ground quite 
rapidly. However, when it comes to existing equipment, it is 
unlikely that DOS will go anywhere in the next 5-10 years. 
Consider, for instance, that many companies are still using 
equipment and software obtained during the first half of the 
eighties, over ten years ago. To balance that, there are, of 
course, fields of business - and whole countries, for that 
matter - where getting the latest hardware is all the rage.

The switch into new operating systems moves along many different 
channels. In Germany, OS/2 Warp has proved distinctly more 
popular than in the rest of Europe. In Japan, companies clearly 
favor Windows NT. At this point, it is hard to say anything 
about Windows 95 - Microsoft predicts that 20% of Windows users 
will switch to 95 during the first six months after the 
publication.

People who write viruses do it on quite ordinary microcomputers. 
They buy their computers from the same shops as those users who 
walk the straight and narrow, and design their viruses to 
function under the same operating systems they themselves use. 
It is, therefore, easy to predict a rapid increase of non-DOS 
viruses in the future. At the moment, there are only a handful 
of Windows and OS/2 viruses.

New operating systems make it possible to create viruses that 
function in completely novel ways. It is, therefore, fortunate 
that the new development environments and tools - not to mention 
the operating systems themselves - are so much more complex than 
their counterparts in DOS that the work of a virus writer 
becomes quite difficult. Because of this, it can be hoped that 
the increase in the number of new viruses will slow down as the 
new operating systems gradually take over the market.

F-PROT Professional will keep up with the new operating systems. 
The Windows 95, Windows NT and OS/2 Warp versions of F-PROT 
Professional are currently undergoing their last tests, and 
working fine. They will become globally available inside the 
next couple of weeks.

Correction
----------

In the F-PROT 2.18 Update Bulletin, we mistakenly told you about 
an F-PROT review published by the Slovenian version of the
international Monitor Magazine. To set matters straight, we wish 
to clarify that Monitor Magazine is independent, not part of any 
international magazine having the same name. Furthermore, 
Monitor has not published a comparative review of different 
anti-virus products - the review in the April issue discussed 
only F-PROT Gatekeeper.

Viruses and Windows NT
----------------------

Most of the DOS file viruses are able to function quite normally 
also under Windows NT. The viruses can load themselves into 
memory in DOS windows and infect the files the user has write 
rights to. The viruses cannot spread outside the DOS windows in 
which they have been started, so a user may have both clean and 
infected DOS windows open at the same time.

Windows NT supports a multitude of various user levels and 
rights. These serve to curb file viruses' spreading quite 
efficiently, but in a normal environment it is impossible to 
prevent it altogether - a user usually has write rights to his 
or her home directory and to some shared directories.

Windows NT prevents direct disk operations. This makes it 
impossible for multipartite viruses to infect hard disk boot 
sectors, and at the same time it prevents many multipartite 
viruses from operating at all.

Current file viruses can be disinfected in Windows NT by opening 
a DOS windows and then removing them as in DOS.

If a computer is booted from a diskette infected by a boot 
sector virus, the virus usually manages to infect either the 
hard disk's Main Boot Record or the boot sector of a disk 
partition. Some viruses which check the hard disk type - among 
them the Finnish_Sprayer virus - won't infect an NT disk at all.

Most viruses, however, do not check the disk type before 
infecting it. In such cases, the differences between DOS and 
Windows NT usually lead to Windows NT crashing when the computer 
is booted from the infected hard disk. If this happens, the 
computer should be booted from a clean DOS boot diskette and 
disinfected from DOS - it is good idea to retain a clean DOS 
boot diskette even if the computer is mainly used with Windows 
NT.

After the computer has booted, infections in the Main Boot 
Record can be removed normally either with F-PROT for DOS or 
with the command FDISK/MBR (assuming that the virus has not 
altered the partition table in any way). If the virus is of a 
type that infects the boot sectors of disk partitions - such as 
Form - the disinfection may prove difficult.

If the hard disk contains a DOS partition and the virus has 
infected its boot sector, the disinfection can normally be 
executed with the DOS version of an anti-virus program. The DOS 
command SYS C: should not be used in disinfection - it creates a 
new boot sector and system files, but these are different from 
the ones used by Windows NT.

If the virus has infected the boot sector of a partition using 
the NTFS file system, it must be disinfected manually. A disk 
editor, such as Norton Disk Editor, may prove a valuable aid in 
the process. With such an editor, it is possible to write a 
clean boot sector over the infected one.

The virus may have relocated the original, clean boot sector to 
some other part of the hard disk. Even if the virus has not 
bothered to store the original boot sector, a copy of it may be 
found in the middle of the NTFS partition; Windows NT makes such 
a copy when it formats the partition for its own use. However, 
this apparently does not hold true for all environments, so it 
is best to play it safe and copy the boot sector on a diskette. 
The boot sector of an NTFS partition is located on the first 
sector of the first track - in the same place where DOS, also, 
stores its boot sector.

When the boot sector has been disinfected in one way or another, 
the computer can again be booted from the hard disk. NT should 
function normally, provided the virus has not damaged the files 
on the hard disk.

All in all, Windows NT provides relatively good protection 
against file viruses, as long as users are given write rights 
only to the files and directories where such rights can be 
considered necessary. When it comes to boot sector viruses, the 
situation is not so good. The disinfection of boot sector 
viruses can in some cases become quite complicated, and 
therefore it is a good idea to prevent diskette boots directly 
from the computers' BIOS, when and if that is possible.

Viruses and Windows 95
----------------------
The soon-to-be-published Microsoft Windows 95 introduces new 
characteristics to the field of anti-virus activities. Although 
there have been rumors that the virus threat will be eliminated 
when Windows 95 comes along, these are, for the most part, 
insubstantial. In fact, almost all current viruses will be able 
to function with Windows 95.

Boot sector viruses will be able to infect both hard disk Main 
Boot Records and the boot sectors of disk partitions quite 
normally. However, the viruses will not be able to spread to 
diskettes normally after the initial infection.

When Windows 95 is started, it usually loads a 32-bit disk 
access system. If, on the other hand, the computer has been 
infected by a boot sector virus, Windows 95 is shunted to using 
16-bit disk access system. In spite of this, some parts of the 
32-bit access systems are loaded, and this prevents boot sector 
viruses from spreading to diskettes. This does not mean that the 
viruses can be safely left on the disk, however, because they 
are still able to activate and cause damage. The infection 
should be removed when it is detected. It should be noted that 
if the user has set the 16-bit disk access on from the Windows 
95 Control Panel, the viruses will be able to spread to 
diskettes quite normally.

Boot sector viruses that use DOS interrupts to infect diskettes 
will not be able function under Windows 95 - the operating 
system's kernel takes command over all DOS interrupts, thus 
preventing viruses from using them.

Although Microsoft's own anti-virus program will not be supplied 
with Windows 95, Windows 95 is capable of detecting a boot 
sector infection by itself. Check the lower half of the 
Performance page in Control Panel's System program - it may 
contain a warning about a MS-DOS -compatible disk access state 
and a possible virus infection. Since this warning is not 
repeated anywhere else, it is easy for a user to overlook.

File viruses, on the other hand, are able to function under 
Windows 95 almost as well as under DOS itself. The main 
difference is that the viruses are only able to spread 
themselves inside DOS windows opened from Windows 95. This holds 
true only for the present viruses, however - it is likely that 
we will soon see viruses written expressly for Windows 95, 
capable of exploiting its characteristics. Since Windows 95 is 
technically quite different from earlier versions of Windows, 
only few currently known Windows viruses will be able to 
function under it.

Disinfection of Viruses

During installation, Windows 95 asks whether the user wants to 
create an utility diskette from which the computer can be booted 
afterwards. It is recommendable to take the program up on its 
offer, for without such an utility diskette it may prove 
difficult to disinfect certain boot sector viruses - especially 
if no anti-virus program is immediately available at the time.

Disinfection of Boot Sector Viruses

In principle, boot sector viruses are disinfected in Windows 95 
in quite the same way as in DOS. First, the computer must be 
booted from a clean diskette - this can be done with either the 
Windows 95 utility diskette created during installation, or a 
normal DOS boot diskette. After this, the virus can be 
disinfected by using an anti-virus program.

If the computer is booted from the Windows 95 utility diskette, 
the disinfection procedure may in some cases be interrupted  by 
a warning about direct disk access. This warning can usually be 
disabled by using Windows 95's own LOCK command, but it may 
sometimes prove necessary to boot the computer from a DOS boot 
diskette. After a DOS boot, the infection can be disinfected 
normally with F-PROT for DOS. As can be seen, it is worthwhile 
to hang onto an old DOS boot diskette even after switching to 
Windows 95.

If no anti-virus program is immediately available, it is 
possible to attempt disinfection by using the operating system's 
own functions. This can be done with the command FDISK /MBR, 
which can be used both after a DOS- and a Windows 95 diskette 
boot. However, if the computer's hard disks cannot be accessed 
normally after a diskette boot, one should not attempt a 
FDISK/MBR disinfection. In such cases, the infecting virus has 
probably encrypted the hard disk's partition table - there are 
viruses that do this, among them the Stoned.Empire.Monkey 
viruses.

Viruses that have infected the boot sector of a disk partition 
can be removed manually by using the Windows 95 utility 
diskette. After the diskette boot, the infection can be removed 
by simply giving the SYS C: command - this will cause the boot 
sector and system files to be rewritten on the hard disk. If the 
computer has been booted from a DOS boot diskette, the SYS C: 
command should not be used, because it will create a boot sector 
different from the boot sectors used by Windows 95.

Disinfection of File Viruses

First, the computer should be booted from a clean diskette just 
to be on the safe side. Windows 95 utility diskettes and DOS 
boot diskettes are both suitable for booting. After that, the 
viruses are disinfected just like in DOS.



The Global Virus Situation
--------------------------

The following viruses have been reported to be widespread in 
different parts of the world:

Buptboot
--------
Buptboot is a boot sector virus, functionally typical of its 
kind, which infects the Main Boot Records of hard disks and boot 
sectors of diskettes. The virus contains the text "Welcome to 
BUPT 9146,Beijing!", which is why it is also known as Welcomeb.

The only peculiarity in this virus is that it does not store the 
contents of the original boot sector anywhere.

F-PROT is able to detect and remove the Buptboot virus.

Crazyboot
---------
Crazyboot is also a boot sector virus, probably of Russian 
origin. Because of programming errors, Crazyboot corrupts some 
of the diskettes it infects. Every now and then the virus 
displays the following message:

Don't PLAY with the PC !
Otherwise you will get in `DEEP,DEEP' trouble !...
Crazy Boot Ver. 1.0

When Crazyboot infects a hard disk, it removes the disk's 
partition information from its correct place in the Main Boot 
Record. Because of this, one should not attempt to remove a 
Crazyboot infection with the FDISK /MBR command.

F-PROT is able to detect the Crazyboot virus. Due to the 
above-mentioned relocation of partition information, special 
steps must be taken to remove the virus; in case of an 
infection, contact your local F-PROT distributor or F-PROT 
Support for further instructions.

Tai-Pan.438.B
-------------
Tai-Pan, originally a Swedish virus, has quickly managed to 
spread itself all over the world. It is now one of the most 
globally common file viruses.

There are many different versions of Tai-Pan - two of these have 
been described in earlier update bulletins (issues 2.14 and 
2.17). The latest discovered variant of Tai-Pan does not much 
differ from the original Tai-Pan.438; the changes it contains 
have apparently been added only in order to bypass some anti-
virus program. The new variant has been found at least in Sweden 
and Finland.

F-PROT is able to detect and remove the Tai-Pan.438.B virus.

Vienna.Bua
----------
The Vienna.Bua virus is also known by various other names, such 
as Big Caibua, Bua, Butthead and Vienna.2279.

During May 1995, this virus managed to spread through some BBS 
systems and ftp servers. The virus activates in the 5th of May, 
at which time displays a graphic phallus symbol on the screen. 
Later on, the virus tries to do damage by formatting the hard 
disk's zero track, removing the first file in a directory, 
creating subdirecto-ries with obscene names etc.

Vienna.Bua contains the following text strings, hidden under a 
layer of encryption:

RABID is Actually NAMBLA.
Go figure
High Evolutionary Sucks BIG CAIBUA!
You bastardize code, I bastardize it again!  Fuck You!
Difference is you cocksucker, I can actually program in 
assembler.
Read about it in VSUM!
btw, Patty, Howabouts ya lick my BIG CAIBUA?
Oh, And John, Just in case you think I forgot your sorry ass.
The next one is for you!!!  Muhahahahahahahahahaha!!!!
O.J. IS GUILTY!!
Tempest, Live for yourself.
You do not know what love is yet.
wait, it will come.
No worries.

F-PROT is able to detect and remove the Vienna.Bua virus.

Zarm
----
Reported by Herve Carette, 
DataRescue sprl, Belgium

Zarm is a memory-resident self-encrypt-ing COM and EXE infector. 
It was found in France during May 1995.

Zarm is a stealth virus that intercepts interrupt 21h's 
functions 11h, 12h, 31h, 3Dh, 4Eh, 4Fh, 4Ch, and 6Ch to mask its 
presence in an infected system. The virus hooks int 3 to its own 
decryption routine. This routine then decrypts a second 
decryptor on the stack.

Once the virus has installed itself in memory, it uses also int 
1Dh - normally a pointer to some video information - as a 
gateway for calling the original int 21h. A new int 1Ch (timer) 
handler is installed. It plays with the display controller, 
effectively shaking the picture on a standard VGA display.

In addition to its other qualities, Zarm is also a retro-virus: 
it is able to deactivate VSAFE, VDEFEND and VWATCH.

The virus contains the following text:

ZARMA-VIR by T. Power *** Claudia Schiffer Lives !!!..

Because of this text, Zarm is also known as T_Power.Zarma.

Byway
-----
In the summer of 1995 a new virus using cluster techniques was 
found and named as Byway. It uses similar methods with spreading 
as the DIR-II virus family. When the user executes an infected 
program in a clean machine, the virus creates a hidden file to 
the root directory on drive C. The file is 2048 bytes long and 
its name is CHKLISTx.MS. The "x" in the name of the virus is 
ASCII character 255. Microsoft Anti-Virus uses almost the same 
name for its checksum file, apparently the virus author wanted 
to make the user believe that the new file is the MSAV's file. 

Byway reserves 3216 bytes of memory for itself. When it infects 
a file, it changes FAT to point to the virus' code instead of 
the beginning of the file. When user runs an infected program, 
the virus executes its own file and only after that starts the 
program user originally wanted to run.

F-PROT detects the Byway virus.

News in Short
-------------

Michelangelo.A on Driver Diskettes
----------------------------------
The dangerous Michelangelo virus has been found on Emulex DCP-
286 driver diskettes. These diskettes are in worldwide 
circulation. Luckily enough, the infected diskettes were all of 
the old 5.25" type - all 3.5" driver diskettes checked out 
clean. Emulex Inc has informed its distributors of the matter 
and will supply new diskettes on request.

PKZIP-Trojans on the Move
-------------------------
Not just one, but a couple of new Trojan Horses claiming to be 
the latest versions of the PKZIP program have been discovered 
recently. Actually, the latest version of PKZIP is still 2.04g.

Common Questions and Answers
----------------------------

If you have questions about information security or virus 
prevention, contact your local F-PROT distributor. You can also 
contact Data Fellows directly in the number 350-0-478 444.

Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Pivntaite 8
FIN-02210 ESPOO
FINLAND.

Questions can also be sent by electronic mail to:
Internet: F-PROT@DataFellows.com 
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

After I installed the F-PROT Gatekeeper software, my computer 
took to crashing every time Windows is started. The crash takes 
place in the middle of Gatekeeper's memory check - nothing will 
happen after 62% of memory has been checked. My computer is an 
ordinary 486 microcomputer with an S3 display adapter. How can I 
fix this problem?

        The problem is caused by the display adapter and its
        drivers. Certain display adapters and their drivers
        reserve a part of the computer's memory exclusively to
        themselves, preventing other programs from even reading
        the area. The consequence is that the computer will hang
        when the area is read; F-PROT for Windows will also hang
        during the memory check in a similar situation.

        The problem can be solved by preventing Gatekeeper and
        F-PROT from checking the memory are in question. A way to
        do this has been described in the chapter 2.2.6 of F-PROT
        Gatekeeper's manual. Another way is to use the following
        table:

        Segment Percentage

        00      0%
        01      6%
        02      13%
        03      18%
        04      25%
        05      31%
        06      37%
        07      43%
        08      50%
        09      56%
        0a      62%
        0b      68%
        0c      75%
        0d      81%
        0e      87%
        0f      93%

        F-PROT Gatekeeper, like F-PROT Professional for Windows,
        uses the F-PROTW.INI configuration file located in the
        computer's Windows directory. By adding the line
        AreaStatusMemorySegment=1 under the header [MemoryScan]
        in this file, both programs can be instructed to leave a
        certain memory segment unchecked. In this case, the
        computer hangs when F-PROT Gatekeeper has checked 62% of
        memory. Therefore, the problem can be solved by adding
        the following lines to the F-PROTW.INI file:

        [MemoryScan]
        AreaStatus0a=1

        F-PROTW.INI can hold multiple AreaStatus statements.

I noticed a virus infection in my hard disk's Main Boot Record, 
and disinfected it immediately by using F-PROT. However, when I 
restarted my computer, the infection appeared again. Why?

        Apparently, you did not boot the computer from a clean
        diskette before attempting disinfection. A clean diskette
        boot is crucial when dealing with boot sector viruses,
        for, if the computer is booted from the infected hard
        disk, the virus manages to load itself into memory and
        may infect the Main Boot Record again straight after it
        has been disinfected. This is one of the reasons why a
        computer should always be booted from a clean diskette
        before any disinfection attempt.

        When a boot diskette is created, it is important to make
        sure that the computer is, indeed, clear of viruses. If
        the computer happens to contain a virus, the diskette
        will very probably be infected immediately when it is
        inserted into the diskette drive - it will be worse than
        useless. Make sure that the computer is clean by checking
        the hard disk with F-PROT.

        A boot diskette is created with the FORMAT /S command.
        The /S parameter instructs the Format program to copy the
        system files to the formatted diskette. After formatting,
        it is also necessary to copy all the needed drivers to
        the diskette - for instance, SCSI hard disk drivers,
        keyboard drivers, network drivers and drivers needed by
        possible disk compression programs. It is also worthwhile
        to equip the diskette with DOS's own Format, Fdisk and
        Sys programs.

        After the necessary drivers have been copied, the start
        files AUTOEXEC.BAT and CONFIG.SYS should be created on
        the diskette. The easiest way to do that is to copy the
        start files from the hard disk and edit them to be
        suitable for a diskette boot - the statements in these
        files must point to the programs on the diskette,
        otherwise an infected program on the hard disk may be
        executed during the boot-up.

        After the boot diskette has been created, it should
        always be kept write-protected, to ensure that viruses
        will not get the chance to infect it at any time.

        Then, when and if a virus infection is detected in the
        computer, the computer must be booted from the clean boot
        diskette before any disinfection attempt. After the boot,
        F-PROT should also be executed from diskette - the
        disinfection can then be performed quite normally.

        The F-PROT diskette should be kept in the drive for as
        long as the disinfection takes. F-PROT may have to load
        virus search strings from the database on the diskette
        during the disinfection operation.

        After the infection on the hard disk has been taken care
        of, all diskettes used in the computer should also be
        checked. If the computer has been infected with a boot
        sector virus, the infection has very probably spread to
        all non-write protected diskettes used in the computer.
        The best way to take care of the checking operation is to
        copy F-PROT to the hard disk, execute it from there and
        use it to check the diskettes.

Changes in F-PROT Professional version 2.19
-------------------------------------------

Changes in F-PROT for DOS
-------------------------
The following false alarms have been fixed:
-------------------------------------------
3FD.EXE
Possibly a new variant of Grog

FLOS.EXE
Possibly a new variant of Trivial

LOCKSYSS.COM
Possibly a new variant of AstraSYS

OPENING.SYS
Possibly a new variant of Taz

PENTEST.COM
Possibly a new variant of Quiet

SWMP.EXE
Fish_6 (Virstop)

TRAPBIG.COM
Possibly a new variant of Three_Tunes

TRAPINT.COM
Possibly a new variant of Three_Tunes

Minor Improvements and Changes
------------------------------
Since the symbol "=" caused problems in BAT file arguments, we 
now allow the command line parameter 
/REPORT=filename to be written also in the form 
/REPORT:filename.

Changes in F-PROT for Windows
-----------------------------
F-PROT Gatekeeper settings buttons in the Protection Preferences 
dialog were disabled if the "Show Virus Names" checkbox was left 
unchecked. This has been corrected.

When a boot sector disinfection attempt was made on a write-
protected diskette, F-PROT for Windows added an error message to 
the report and the operation failed.  Now it shows a message box 
with the text "Error: Write-protected diskette in drive A:", and 
gives the user the chance to remove the write protection and 
retry the operation. F-PROT for DOS works the same way.

In reports, longer virus descriptions used to be shown on single 
continuous lines where "|" symbols stood for supposed line 
separators.  Now such descriptions are shown properly on 
multiple lines.

New Viruses Detected by F-PROT
------------------------------
The following 18 viruses are now identified, but can not be 
removed as they overwrite or corrupt infected files. Some of 
them were detected by earlier versions of F-PROT, but not 
identified accurately.

Burger.398
Burma.756
Dual_GTM.1436
Dual_GTM.1446
Dual_GTM.1528
Dual_GTM.1643
HLLO.7227
HLLO.41714
Itti.162
Kode_4_over.131
Leprosy.loard
Sandra.1356
Trivial.50.A
Trivial.50.B
Trivial.84
Trivial.100
Trivial.127
VCL.Mindless.423.H

The following 89 new viruses can now be removed.  Many of them 
were detected by earlier versions, but are now identified 
accurately.

_385
_419
_998
_3128
A-OD
Ambulance.795
Anticad.2900.ABT.C
AntiCMOS.C
Apparition
Avalanche.2818
Beda.883
Beda.1301
Cascade.1701.AJ
Cyberloard
Dark_Avenger.2000.Dieyoung.C
Datafire
Die.666
EAF.656
Equals.1448
Equus
Father_Mac.269.B
Future
Gidra.505
Ginger.2351
Hafenstrasse.1640
HLL.4629
HLL.Mercury
HLLC.8902
Holiday.3000
IMI.1536.G
IQ
Jerusalem.1808.EVg
Jerusalem.Fu_Manchu.E
Jerusalem.Pipi.1552.B
Jolter
Judge
Khiznjak.306
Khiznjak.711
Kode_4.285
Larry.497
Lockjaw.518
Lokinator.971
Lost_Geek.734
MMIR.393
Marian.700
Mirage.1322
Mirea.737
Moonlight
MZV
Nchc
Nightfall.4480
Nightfall.4518
Nightfall.4519
Npox.1487
Npox.1726
OOP
Override.1280
Polifemo.736
PS-MPC.Skeleton.556
PS-MPC.Skeleton.590
Ranger
Riot.Carpe_Diem.1354
Seagull
Shirley.E
SillyC.122
SillyC.190.B
SillyC.281
SillyCR.403
SillyCR.710
Sol.545
Sol.557
Sofia_Term.1369
SVC.1689.G
Svin
Swas
Tai-Pan.438.B
Tabulero.B
Tea
That
Trakia.1320
Vampiro.A
Vampiro.B
Vampiro.C
Vienna.767
VLAD.653
VLAD.655
VLAD.2042
X-Fungus.1483

The following 31 new viruses are now detected and identified but 
can not yet be removed.

Antigus
Australian_Parasite.254
BW.708
Caustic
Cowabunga
Dementia
Earle
Father_Mac.306.B
G_World
Green
Ha!.1224.B
Hello.365
JVW.893
Mickie
NRLG.713
NRLG.750
NRLG.752
NRLG.872
Radiation
Ratboy.513
Ratboy.545
Ratboy.671
RTL
Sign
Slovakia_II
Tiawan
TT
Uniq.308
Vice.1197
VLAD.696
Zarm

The following 2 new viruses are now detected, but not 
identified. F-PROT will just report the family name with a (?) 
or report the virus as a "New or modified variant", as it is not 
yet able to determine which variant it is dealing with. 
Disinfection of these viruses is not yet possible.

Byway
Manzon

The following 7 viruses which were identified by earlier 
versions can now be removed.

5lo
Die_Hard
Dream
Jerusalem.Zerotime.Australian.A
Jerusalem.Zerotime.Australian.B
Jerusalem.Zerotime.Australian.C
Sayha


The following viruses have been renamed:

_1376	->	Quicky
Media	->	Markt
Stanco	->	HLL.Stanco
Voodoo	->	HLL.Voodoo
------------------------------------------------------------------------------
F-PROT Professional 2.19 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This material can be freely quoted in Europe, Africa and Asia when
the source, F-PROT Professional Update Bulletin 2.19 is mentioned.
Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------
