
F-PROT Professional 2.20 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.20 is mentioned. Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 5/95
=============

Vesselin Bontchev to join F-PROT Development
Macro Viruses	
The Global Virus Situation
	Peter_II	
	Die_Hard	
	Finnish.378 	
	Quicky	
	A New Macintosh Virus	
News in Short
        F-PROT Gatekeeper Praised by PC Plus
        New Features in Data Fellows Ltd's Web Server
Questions and Answers 	
Changes in Version 2.20


Vesselin Bontchev to join F-PROT Development
--------------------------------------------

We're happy to tell you that one of the world's most respected virus
researchers, research associate Vesselin Bontchev from the Virus Test
Center in Hamburg, has started working full-time with F-PROT.
Vesselin has moved from Germany to Iceland, and started working at
Frisk Software International in September.

Vesselin Bontchev is originally from Bulgaria. He graduated from the
Sofia Technical University in 1985, with an MSc in Computer Science. 
After graduating, he spent a year working at the university's 
Laboratory for Microprocessors and Microcomputers. After that, he 
worked for five years at the Institute of Industrial Cybernetics and 
Robotics in the Bulgarian Academy of Science, building expert 
systems.

Bontchev became interested in computer viruses in 1988. Two years 
later, he became the Director of the Computer Virology Laboratory in 
the Bulgarian Academy of Science. He has just finished his PhD thesis 
(about viruses, what else) at the Virus Test Center (VTC) in Hamburg.

Vesselin is very well known for the excellent technical papers he has
written, as well as for the work he has done in testing different
anti-virus programs. The VTC tests are among the most respected tests
in the industry.

We're especially happy to be working with Vesselin, both because he
is respected by all parties in the anti-virus industry and because he
chose to work with F-PROT.

Macro Viruses
-------------

Macro viruses are a new kind of threat to computer systems. This
newly emergent enemy attacks computer users from the blind side,
infecting document files instead of programs. Not to worry, though -
new features in F-PROT make it able to detect macro viruses as well
as ordinary ones.

Macro Viruses: a New Kind of Enemy
----------------------------------
Macro viruses are not a new concept - they were predicted as early as
the late eighties. At that time, the first studies about the 
possibility of writing viruses with the macro languages of certain 
applications were made.

However, macro viruses are not just a theory any more. Currently, 
there are three known macro viruses. They have all been written with 
WordBasic, the powerful macro language of Microsoft Word. These 
viruses spread through Word documents - Word's advanced template
system makes it an opportune environment for viral mischief. This is
problematic, because people exchange documents a lot more than
executables or floppy disks. Macro viruses are also very easy to
create or modify.

Although other word processors like WordPerfect and Ami Pro do
support reading Word documents, they cannot be infected by these
viruses. It is not impossible to write similar viruses for these
systems, however.

WordMacro.DMV
-------------
WordMacro.DMV is probably the first WinWord macro virus to have been
written. It is a test virus, written by a person called Joel McNamara
to study the behavior of macro viruses. As such, it is no threat - it
announces its presence in the system, and keeps the user informed of
its actions.

Mr. McNamara wrote WordMacro.DMV over a year ago, in fall 1994 -
at the same time, he published a detailed study about macro viruses.
He kept his test virus under wraps until a real macro virus,
WordMacro.Concept, was recently discovered. At that time, he decided
to make WordMacro.DMV known to the public. We oppose such
behaviour; although it can be argued that spreading such information
will educate the public, we can also expect to see new variants of
the DMV virus, as well as totally new viruses inspired by the
techniques used in this virus. McNamara also published a skeleton for
a virus to infect Microsoft Excel spreadsheet files.

F-PROT is able to detect the WordMacro.DMV macro virus.

WordMacro.Concept
-----------------
WordMacro.Concept - also known as Word Prank Macro or WW6Macro - is a
real macro virus which has been written with the Microsoft Word v6.x 
macro language. It has been reported in several countries, and seems 
to have no trouble propagating in the wild.

WordMacro.Concept consists of several Word macros. Since Word macros 
are carried with Word documents themselves, the virus is able to 
spread through document files. This is a quite ominous development - 
so far, people have only had to worry about infections in their 
program files. The situation is made worse by the fact that 
WordMacro.Concept is also able to function with Microsoft Word for 
Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 
and Windows NT environments. It is, truly, the first functional 
multi-environment virus, although it can be argued that the effective 
operating system of this virus is Microsoft Word, not Windows or 
MacOS. 

The virus gets executed every time an infected document is opened. It 
tries to infect Word's global document template, NORMAL.DOT (which is 
also capable of holding macros). If it finds either the macro 
"PayLoad" or "FileSaveAs" already on the template, it assumes that 
the template is already infected and ceases its functioning.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT,
it copies the viral macros to the template and displays a
small dialog box on the screen. The box contains the number "1" and
an "OK" button, and its title bar identifies it as a Word dialog box.
This effect seems to have been meant to act as a generation counter,
but it does not work as intended. This dialog is only shown during
the initial infection of NORMAL.DOT.

WordMacro.Concept displays the above dialog during initial infection.

After the virus has managed to infect the global template, it infects 
all documents that are created with the "Save As" command. It is then 
able to spread to other systems on these documents - when a user 
opens an infected document on a clean system, the virus will infect 
the global document template.

The virus consists of the following macros:

	AAAZAO
	AAAZFS
	AutoOpen
	FileSaveAs
	PayLoad

Picture of the Tools/Macro menu in an infected copy of Word

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and 
some users may already have attached these macros to their documents 
and templates. In this context, "PayLoad" sounds very ominous. It 
contains the text:

Sub MAIN
    REM That's enough to prove my point
End Sub

However, the "PayLoad" macro is not executed at any time.

You can detect the presence of the WordMacro.Concept macro virus in 
your system by simply selecting the command Macro from Word's Tools 
menu. If the macro list contains a macro named "AAAZFS", your system 
is infected.

You could prevent the virus from infecting your system by creating a
macro named "PayLoad" that doesn't have to do anything. The virus
will then consider your system already infected, and will not try to
infect the global template NORMAL.DOT. This is only a temporary
solution, though - somebody may modify the virus's "AutoOpen" macro
to infect the system regardless of whether NORMAL.DOT contains the
macros "FileSaveAs" or "PayLoad".

There is also an anti-macro-virus package called WVFIX available. This
package will detect if your copy of Word is infected, and will clean it
if needed. It can also modify your Word settings so that this specific
macro virus will be unable to infect it. WVFIX is available on the
F-PROT for DOS diskette.

Concept is quite widespread. It has been found on several CD-ROMs,
including one sent out by Microsoft.

F-PROT is able to detect the WordMacro.Concept macro virus.

WordMacro.Nuclear
-----------------
WordMacro.Nuclear is the latest discovered macro virus. Like
WordMacro.DMV and WordMacro.Concept, it spreads through Microsoft
Word documents. The new virus was first spotted on an FTP site on the
Internet, in a publicly accessible area which has in the past been a
notorious distribution site for viral code. Apparently, the virus's
distributor has some sense of irony; the virus was attached to a
document which described an earlier Word macro virus,
WordMacro.Concept.

Whereas WordMacro.DMV is a test virus and WordMacro.Concept is only 
potentially harmful, WordMacro.Nuclear is destructive, harmful and 
generally obnoxious. It consists of a number of Word macros attached 
to documents. When an infected document is opened, the virus is 
executed and tries to infect Word's global document template, 
NORMAL.DOT.

Unlike WordMacro.Concept - which pops up a dialogue box when it
infects NORMAL.DOT - WordMacro.Nuclear does not announce its arrival
in the system. Instead, it lies low and infects every document
created with the "Save As" function by attaching its own macros to
it. The virus tries to hide its presence by switching off the "Prompt
to save NORMAL.DOT" option (in the Options dialogue, opened from the
Tools menu) every time a document is closed. That way, the user is no
longer asked whether changes in NORMAL.DOT should be saved, and the
virus is that much more likely to go unnoticed. Many users relied on
this option to protect themselves against the WordMacro.Concept virus,
but it obviously no longer works against Nuclear.

WordMacro.Nuclear contains several potentially destructive and
irritating routines. The next time Word is started after initial
infection, one of its constituent macros, "DropSuriv", looks up the
time in the computer's clock. If the time is between 17.00 and 17.59,
the virus tries to inject a more traditional DOS/Windows file virus
called "Ph33r" into the system (as the virus's author has commented
in the virus's code: "5PM - approx time before work is finished").
"Suriv" is, of course, "Virus" spelled backwards. However, due to an
error, this routine does not work as intended in any of the popular
operating environments.

Another of the virus's macros, "PayLoad", tries to delete the
computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the
date is the fifth of April. And finally, the virus adds the following
two lines:

And finally I would like to say:

STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

at the end of approximately every twelfth document printed or faxed
from Word. Since the text is added at print-time only, the user is
unlikely to notice this embarrassing change. This function is handled
by the viral macro "InsertPayload".

The virus can be detected by selecting the Macro command from the 
Tools menu and checking whether the macro list contains any curiously 
named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.

F-PROT is able to detect the WordMacro.Nuclear virus.
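
The manual checks described above for WordMacro.Concept and WordMacro.Nuclear (reading the Tools/Macro list) can be written down as a small triage routine. This is an added example, not code from the bulletin or from Data Fellows; the function name, the verdict labels, the sample lists and the case-insensitive comparison are assumptions.

```python
# Added example: triage a macro list copied from Word's Tools/Macro dialog,
# using only the macro names given in this bulletin.
# Assumption: names are compared case-insensitively.

CONCEPT_SET = {"aaazao", "aaazfs", "autoopen", "filesaveas", "payload"}
CONCEPT_MARKER = "aaazfs"       # bulletin: this name in the list means infection
NUCLEAR_MARKERS = {"dropsuriv", "insertpayload"}   # bulletin: obvious giveaways
# Names that prove nothing alone: AutoOpen and FileSaveAs are legitimate macro
# names, and PayLoad is what the bulletin's own workaround creates.
AMBIGUOUS = {"autoopen", "filesaveas", "payload"}


def triage(macro_names):
    """Return {'verdict', 'matched', 'notes'} for a list of macro names."""
    names = {n.strip().lower() for n in macro_names if n and n.strip()}
    matched, notes = [], []

    if CONCEPT_MARKER in names:
        matched.append("WordMacro.Concept")
        missing = sorted(CONCEPT_SET - names)
        if missing:
            # The marker without its companions may mean a modified variant.
            notes.append("Concept marker found without: " + ", ".join(missing))

    nuclear_hits = sorted(NUCLEAR_MARKERS & names)
    if nuclear_hits:
        matched.append("WordMacro.Nuclear")
        notes.append("Nuclear giveaways present: " + ", ".join(nuclear_hits))

    if matched:
        return {"verdict": "infected", "matched": matched, "notes": notes}

    leftovers = sorted(AMBIGUOUS & names)
    if leftovers == ["payload"]:
        notes.append("Only PayLoad present: fits the dummy-macro workaround; "
                     "open it and confirm it does nothing.")
    elif leftovers:
        notes.append("Legitimate-looking names present (" + ", ".join(leftovers)
                     + "): inspect their contents before trusting them.")
    verdict = "review" if leftovers else "no_match"
    return {"verdict": verdict, "matched": [], "notes": notes}


# Constructed macro lists, as they might be typed in from the dialog.
SAMPLES = {
    "concept": ["AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"],
    "nuclear": ["DropSuriv", "InsertPayload", "PayLoad"],
    "inoculated": ["AutoExec", "PayLoad"],
    "user_macros": ["AutoOpen", "FileSaveAs", "MyLetterhead"],
    "plain": ["AutoExec"],
}

if __name__ == "__main__":
    for label, macros in SAMPLES.items():
        result = triage(macros)
        print(label, result["verdict"], result["matched"], result["notes"])
```

A "no_match" verdict only means that none of the names listed in this bulletin are present; it says nothing about macro viruses that use other names.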

Protecting yourself against macro viruses
-----------------------------------------
There is a generic way to protect your Word against currently known
macro viruses. Select the command Macro from the Tools menu and 
create a new macro called "AutoExec". Write the following commands to 
the macro and save it:

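Sub MAIN
    REM Switch off automatic macros such as AutoOpen
    DisableAutoMacros
    REM Confirm to the user that the protection is active
    MsgBox "AutoMacros are now turned off.", "Virus protection", 64
End Sub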

This macro will be executed automatically when Word starts. It will 
disable the feature which Concept, DMV and Nuclear use to attack the 
system. However, there are ways to create future macro viruses that 
are able to bypass such protection.

Currently known Word macro viruses are not able to infect certain
nationalized versions of Word. In these programs, the macro language
commands have been translated to the national language, and therefore
macros created with the English version of Word will not work. Since
these viruses consist of macros, they will be unable to function.

Do note that although F-PROT for DOS and F-PROT for Windows do
detect the known macro viruses, VIRSTOP and F-PROT Gatekeeper
do not yet support the scanning of DOC files. This will be
implemented in a future version.


The Global Virus Situation
--------------------------

Peter_II
--------
Peter_II is a boot sector virus which infects diskette boot sectors
and hard disk Master Boot Records. As is normal for boot sector 
viruses, Peter_II can infect a hard disk only if the computer is 
booted from an infected diskette. After the initial Master Boot 
Record infection, Peter_II will go resident in high DOS memory every 
time the computer is booted from the hard disk.

Once Peter_II has managed to install itself into memory, it will 
infect practically all non-write protected diskettes used in the 
computer. Peter_II is also a stealth virus - if you try to examine 
the boot record in an infected computer, the virus will show you the 
original, clean record.

Peter_II activates every year on the 27th of February. When the 
computer is booted, the virus displays the following message:

        Good morning,EVERYbody,I am PETER II

        Do not turn off the power, or you will lost all of the data in
        Hardisk!!!

        WAIT for 1 MINUTES,please...

After this, the virus encrypts the whole hard disk by applying XOR
7878h to every byte on each sector. Having done that, the virus
continues by displaying the following questionnaire:

        Ok. If you give the right answer to the following questions, I will
        save your HD:

        A. Who has sung the song called "I`ll be there" ?

        1.Mariah Carey  2.The Escape Club  3.The Jackson five  4.All  (1-4):

        B. What is Phil Collins ?

        1.A singer  2.A drummer  3.A producer  4.Above all(1-4):

        C. Who has the MOST TOP 10 singles in 1980`s ?

        1.Michael Jackson  2.Phil Collins (featuring Genesis) 3.Madonna
        4.Whitney Houston(1-4):

If the user gives correct answers to every question, the virus
decrypts the hard disk and displays the following message:

        CONGRATULATIONS !!! YOU successfully pass the quiz!

        AND NOW RECOVERING YOUR HARDISK ......

The user can then continue using the computer normally. However, if 
incorrect answers are given, the virus will not decrypt the hard 
disk. Instead, it will just display the following message:

        Sorry!Go to Hell.Clousy man!

In case you do not find out about the infection until the virus 
starts its mischief, the correct answers are 4, 4 and 2. Of course, 
it is better to take care of the matter beforehand; F-PROT is able to 
detect and disinfect the Peter_II virus.
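
Because XOR with a fixed value is its own inverse, the encoding described above can be undone offline on a copy of the disk. The following is an added example, not code from the bulletin or from F-PROT; it assumes a raw image made of 512-byte sectors whose probe sector is a boot record ending in 55 AAh when clean, and all function names are hypothetical.

```python
# Added example: undo Peter_II's XOR encoding on a copy of the disk,
# never on the original drive.
# Assumptions: the copy is a raw image of 512-byte sectors, and sector
# `probe_lba` is a boot record that ends in 55 AAh when clean.

SECTOR = 512
KEY = 0x78                       # XOR 7878h per word == XOR 78h per byte
CLEAN_SIG = b"\x55\xaa"          # boot record signature at offset 510
ENCODED_SIG = bytes(b ^ KEY for b in CLEAN_SIG)
_XOR_TABLE = bytes(b ^ KEY for b in range(256))


def xor_7878(data):
    """Apply the XOR; the same call encodes and decodes."""
    return data.translate(_XOR_TABLE)


def probe_state(image, probe_lba=0):
    """Classify the probe sector as 'clean', 'encoded' or 'unknown'."""
    end = (probe_lba + 1) * SECTOR
    if probe_lba < 0 or end > len(image):
        raise ValueError("probe sector lies outside the image")
    sig = image[end - 2:end]
    if sig == CLEAN_SIG:
        return "clean"
    if sig == ENCODED_SIG:
        return "encoded"
    return "unknown"


def recover(image, probe_lba=0):
    """Return (image, action).

    Decodes only when the probe sector shows the encoded signature, so that
    running the tool on an already clean image does not scramble it again.
    """
    if not image or len(image) % SECTOR:
        raise ValueError("image must be a whole number of 512-byte sectors")
    state = probe_state(image, probe_lba)
    if state == "clean":
        return image, "left unchanged"
    if state == "unknown":
        raise ValueError("probe sector is neither clean nor XOR-encoded")
    return xor_7878(image), "decoded"


def build_sample_image():
    """Constructed 3-sector image: a fake boot record plus two data sectors."""
    boot = b"\xeb\x3c\x90" + b"SAMPLE  " + bytes(SECTOR - 13) + CLEAN_SIG
    data = b"QUARTERLY REPORT".ljust(SECTOR, b" ") + bytes(range(256)) * 2
    return boot + data


if __name__ == "__main__":
    clean = build_sample_image()
    encoded = xor_7878(clean)            # what the disk looks like afterwards
    restored, action = recover(encoded)
    print(action, restored == clean)
    print(recover(clean)[1])
```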

Die_Hard
--------
Die_Hard is a resident fast infector which targets COM and EXE files.
It is known to be in the wild especially in India, where it was found 
in September 1994. Die_Hard has also been sighted in Singapore, 
Indonesia, USA and in many parts of Europe.

When the virus is executed, it goes resident in memory, decreasing 
the available DOS memory by 9232 bytes. Die_Hard infects all executed 
or opened COM and EXE files. The infected files grow by exactly 4000 
bytes.

Die_Hard hides beneath several layers of encryption. When the virus 
is decrypted, the following texts can be seen:

	SW DIE HARD 2
	SW Error

Since the virus does not utilize polymorphic encryption techniques, 
it is quite easy to find.

Die_Hard activates on the 3rd, 11th, 15th, or 28th of any month,
provided the day is Tuesday and the virus has already infected at
least 13 files. The virus will then wait until some program changes
the screen to graphics mode. At this time the virus will display an
animation of large `S' and `W' characters on the screen. It will also
deny write access to files, displaying the text "SW Error".

Picture of the activation routine of the Die_Hard virus

Besides infecting COM and EXE files, Die_Hard trojanizes ASM and PAS 
source files when they are accessed; in other words, the virus 
inserts source code Trojan horses in these files.

F-PROT is able to detect the Die_Hard virus.

Finnish.378
-----------
A new variant of the Finnish virus was found in August 1995, about
four years after the first version of the virus was discovered. The 
new variant was named Finnish.378, signifying the length of the virus 
in bytes. The two previously known versions are, respectively, 709 
and 357 bytes in length. They have been described in more detail in 
previous Update Bulletins.

The new virus has clearly been derived from the 357 variant. In most 
ways, it is functionally very similar to the earlier version. The 
following changes have been made, however:

- The virus beeps every time it infects a file. The beep routine
  has increased the virus's size by 21 bytes.

- The new virus uses the code 90h instead of 93h to recognize the
  files it has already infected. The corresponding commands are NOP
  and XCHG. The recognition byte is placed so that it is the first
  command in infected files.

- The internal order of many commands has been changed: this has
  apparently been done in order to render the virus undetectable by
  some anti-virus scanners.

F-PROT is able to detect the Finnish.378 virus.

Quicky
------
Quicky is a badly programmed memory-resident virus which infects EXE
files. The infection takes place whenever a file is closed after an 
operation, so files get infected when they are executed, copied, read 
or otherwise accessed. However, if a file's read-only attribute is 
on, the virus infects it only when it is executed.

The virus contains a routine which is supposed to slowly corrupt
information on the hard disk. Fortunately, the virus's code is so
bug-ridden that the routine does not function. Quicky also tries to
attack various integrity checkers by deleting their checksum
databases.

The Quicky virus has been found on some Prosonic/Micropilot depth-
finder machines' original utility diskettes.

F-PROT is able to detect the Quicky virus.

A New Macintosh Virus
---------------------
A new, relatively harmless Macintosh virus has been discovered. The
virus - known as HC-9507 - does not infect actual program files.
Instead, it spreads through applications created with the HyperCard
application generator. The virus's victim of choice is the so-called
homestack application, which can be found in all HyperCard
installations. HC-9507 is not picky, however - it also infects other
stacks when they are executed, and randomly selects and infects
stacks on the boot disk.

The virus spreads itself as source code, inserting its own code among 
the program code in its victim stacks. HC-9507 may also give visible 
indications of its presence in the system: depending on what day of 
the week it is, it either blacks out the screen or adds the word 
"pickle" among the text written on the keyboard.

The Disinfectant anti-virus program will not be updated to deal with 
the HC-9507 virus. The threat posed by HC-9507 is considered 
relatively small, and in any case, Disinfectant is designed to check 
program files, not stacks. If you suspect an infection, you can 
easily verify the matter by checking the scripts in the homestack. 
There are also some products which can detect the virus, for instance 
the Datawatch Virex software.

With the Disinfectant anti-virus software, you can protect the 
Macintosh workstations in your organization against other Macintosh 
viruses. We will supply our F-PROT customers with Disinfectant 
without a separate charge. For more information, contact your local 
F-PROT distributor or Data Fellows Ltd's F-PROT Support.

News in Short
-------------

F-PROT Gatekeeper Praised by PC Plus
------------------------------------
The British PC Plus magazine evaluated F-PROT Gatekeeper in its
October issue and gave it a very favorable rating. The evaluators
found Gatekeeper's speed, low memory consumption, effectiveness in 
finding polymorphic viruses and ease of use especially noteworthy. 
Gatekeeper was also praised for its ability to function seamlessly 
between DOS and Windows.

Well, we agree on all points.

New Features in Data Fellows Ltd's Web Server
---------------------------------------------
We have overhauled our popular WWW service, and it is now even more
user-friendly than before. A number of new features have been added: 
for instance, it is now possible to make free text searches among all 
virus descriptions. One search takes about 15-25 seconds, depending 
on the server's load.

Statistics about virus description accesses and visitors to the 
service are also available (during August, the description about the 
Monkey virus proved the most popular; over 400 accesses). It is 
somewhat surprising that, although the server itself is located in 
Finland, only 5% of our visitors hailed from Finland itself (and 
there is no shortage of net surfers here). A mirroring service from 
USA to our server is now under construction; we do not want European 
users to be trampled underfoot by visitors from overseas. Currently, 
our server receives about 100.000 document requests a month.

In its role as a distribution site for latest news, our WWW server 
has fulfilled all expectations. For instance, we were able to tell 
the public about the notorious Word macro viruses over a week before 
the news was published in magazines or newspapers. It pays to stay in 
touch with our WWW pages.

We have switched to a more uniform Internet address policy; all our 
services have been gathered under the domain name datafellows.com. 
However, the old datafellows.fi addresses can also be used.

You are welcome to visit our server at: http://www.datafellows.com/

The new graphics and layout of the system have been designed by Pixel 
Vision Oy.

Common Questions and Answers
----------------------------

If you have questions about information security or virus prevention,
contact your local F-PROT distributor. You can also contact Data
Fellows directly at the number +358-0-478 444.

Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Paivantaite 8
FIN-02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

Internet:F-PROT@DataFellows.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

I would like to see what happens when F-PROT Gatekeeper really finds
a virus. How can I arrange that?

        The correct operation of F-PROT Gatekeeper and other F-PROT
        products can be tested with a special test file. This is a dummy
        file which F-PROT treats exactly as if it were a virus. The
        file is known as the EICAR Standard Anti-virus Test file (EICAR
        is the European Institute of Computer Anti-virus Research). With
        this file, the operation of several other anti-virus products
        can also be tested in a similar manner.

        You can make the EICAR test file in the following manner: use a
        text editor to create a new file, and write the text:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

        to the file on a single line.

        You can give the file any name you want, as long as you save it
        with a COM extension. For example, EICAR.COM is a suitable name.
        Make sure you save the file in standard MS-DOS ASCII format.

        Now you can use this file to test what happens when F-PROT
        encounters a "real" virus.

        Naturally, the file is not a virus. When executed, EICAR.COM
        will simply display the text
        `EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' and exit.

        F-PROT's DOS-, Windows- and OS/2-versions - including VIRSTOP
        and Gatekeeper - support the EICAR test file.
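
A hand-typed EICAR.COM often fails to trigger because the editor changed the bytes, so it helps to check the file before concluding that the scanner missed it. The following is an added example, not code from the bulletin or from F-PROT; the function names are hypothetical, and the allowance for trailing whitespace up to 128 bytes in total comes from EICAR's published definition of the test file rather than from this bulletin.

```python
# Added example: write the EICAR test file byte-for-byte and check a file
# that was typed in by hand.

# The string from the bulletin, split into pieces so that this script is not
# itself reported by a scanner.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!" + rb"$H+H*")
TRAILING_OK = b" \t\r\n\x1a"     # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128                    # limit in EICAR's definition of the file


def check_eicar(data):
    """Return a list of problems; an empty list means the bytes are valid."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the string")
    elif data.startswith((b"\xff\xfe", b"\xfe\xff")):
        problems.append("saved as UTF-16, not plain ASCII")
    elif not data.startswith(EICAR):
        problems.append("file does not begin with the 68-character test string")
    else:
        tail = data[len(EICAR):]
        if any(byte not in TRAILING_OK for byte in tail):
            problems.append("text other than whitespace follows the string")
        if len(data) > MAX_LEN:
            problems.append("file is longer than 128 bytes")
    return problems


def write_eicar(path):
    """Write the test file in binary mode so no editor or codec alters it."""
    with open(path, "wb") as handle:
        handle.write(EICAR)
    return len(EICAR)


# Constructed examples of what editors commonly produce.
SAMPLES = {
    "exact": EICAR,
    "editor added CR LF": EICAR + b"\r\n",
    "UTF-8 with BOM": b"\xef\xbb\xbf" + EICAR,
    "UTF-16": EICAR.decode("ascii").encode("utf-16"),
    "zero typed for letter O": EICAR.replace(b"X5O", b"X50"),
    "comment appended": EICAR + b" test file",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, "->", check_eicar(data) or "ok")
```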

I was installing Windows'95 from diskettes, but the setup failed at 
the second diskette. No matter what I did, it failed again and again. 
Finally, I began to suspect that the reason for the failure might be 
in my computer instead of on the setup diskettes, and tried various 
things to resolve the problem. Among other things, I ran an anti-
virus program, and it promptly reported that my computer was infected 
with a virus! I immediately scanned recently used diskettes and found 
the same virus on the Win95 setup floppies! Did Microsoft infect my 
machine?

        No, it's the other way around. The Win95 diskettes were clean,
        but your hard drive wasn't.

        This seems to be a very common problem among users who install
        Windows 95 from diskettes. If the computer is infected with a
        boot sector virus (almost any boot sector virus will do), the
        installation will fail and the user is left with irreparable
        setup diskettes.

        The reason for this is the non-standard format of Win95 setup
        diskettes. The diskettes contain almost 1.7MB of files instead
        of the usual 1.44MB, so they have practically no free space left
        at all. Since almost all boot sector viruses (Da'Boys is one
        exception) use up additional sectors on the diskettes they
        infect, they will permanently overwrite part of the data on
        Win95 setup diskettes - there really is no free space left for
        the virus to use.

        Such infected setup diskettes can not be repaired, as
        information is overwritten; they will have to be replaced.
        Microsoft has confirmed that they are shipping thousands of
        replacement diskettes daily for just this very reason.

        The first Windows 95 setup diskette uses the normal 1.44MB
        format. Therefore, it will usually not be corrupted by an active
        virus, although it will be infected just like the others.

        The setup diskettes are not usually write-protected by default.
        In any case, the installation program writes registration
        information on the second floppy during installation (user and
        company name etc.). For this reason, most users with a boot
        sector infection will run into the problem during the setup of
        the second diskette.

        Again, the problem is not caused by infected setup diskettes -
        but by people who have a virus and don't bother to scan their
        hard drives before starting the Win95 setup process.

I'm setting up VIRSTOP, and have been going through the different 
parameters. Is it a good idea to use the /FREEZE parameter with 
VIRSTOP?

        In most cases, the /FREEZE option is not a good idea. For
        example, imagine that you have been working on a document for an
        hour. Finally you are satisfied, and try to save the document on
        a diskette - which happens to be infected by a virus. Tough
        luck; VIRSTOP will report the infection and freeze the computer
        - you won't be able to save the text at all! On the other hand,
        if you do not use /FREEZE, you'll just get the message; you can
        then save the document on another diskette. The /FREEZE
        parameter has its uses in environments such as schools where
        the administration might not otherwise get the message about an
        infection, but in normal use it is not recommended.

I missed one F-PROT update. Can I update version 2.18 directly to 
2.20, or do I have to update it to version 2.19 first?

        You can skip versions freely. Every F-PROT update diskette
        contains all the parts necessary for F-PROT's operation.

Changes in F-PROT Professional 2.20
-----------------------------------

F-PROT 2.19 had a false alarm on some Japanese NEC computers: the
program gave an alarm about the Hallow virus during memory scan. This
has been corrected.

A New Installation Program
--------------------------
A new installation program, SETUP.EXE, is shipped with F-PROT for
Windows. The new program functions in the same way in all Windows 
environments (3.1x, NT, 95) and in OS/2. The program's appearance is 
also uniform in all environments. The F-PROT files on the 
installation diskette have been packed in a new, more efficient way; 
this has made it possible to put both F-PROT Professional for Windows 
and F-PROT Gatekeeper on the same diskette. Only one file, SIGN.DEF, 
did not fit in. This file is located on the F-PROT Professional for 
DOS installation diskette. During installation, the installation 
program will ask you to insert the F-PROT Professional for DOS
diskette in the computer.

Changes in F-PROT for DOS
-------------------------
F-PROT Professional for DOS now scans document files (DOC, DOT) by
default. This enables it to detect known macro viruses. The program 
itself, however, is not yet able to disinfect such viruses; you can 
use the WVFIX package provided on the F-PROT Professional for DOS 
installation diskette for disinfection. If you are certain you do not 
want to check document files, you can override this with the /NODOC 
command line parameter or deselect the setting from the Scan menu.

Changes and Additions to AUTOINST
---------------------------------
If the "PreferencesFrom=" entry was missing, configuration files were
not copied from the directory specified in the "InstallRemote=" entry. 
This has been corrected.

Program Manager group creation has been implemented for 
Autoinst/Windows (Autow31). There is more information about new 
settings in the file SETUP.TXT on the F-PROT Professional for DOS
diskette.

Autow31 will wait for the memory scan to terminate before copying 
installed files: this makes it possible to put Autoinst in Program 
Manager's Startup group with Gatekeeper.

Autoinst has been changed so that it recognizes different Windows 
platforms (Windows 3.1x, Windows 95, Windows NT). The program can now 
be configured to make installations on specific platforms only.

The DOS version of Autoinst now uses the WINDIR environment variable 
(when available) for locating the Windows directory. If the WINDIR 
variable has been set, this will make it easier to run Autoinst in a 
DOS session under Windows.

Changes in F-PROT for Windows
-----------------------------
The program can now also detect macro viruses. A checkbox called
"Document Macro Viruses" has been added to the "Look for:" group in
the task settings dialog. When this option is turned on, F-PROT for
Windows will search for known macro viruses in files with DOC and
DOT extensions, even if the task is set to scan executables only. If
files with other extensions need to be scanned for macro viruses, the
appropriate extensions must be added to the extensions list in
Scanning preferences. Another way is to set a task to scan all files.
However, the "Document Macro Viruses" option must be turned on in
such cases also; otherwise F-PROT for Windows will not look for macro
viruses. The option is turned on by default; tasks created before the
2.20 update will have this setting turned on as well. Note that F-PROT
for Windows is as yet unable to disinfect macro viruses; the WVFIX
package on the F-PROT for DOS installation diskette can be used for
the purpose.

Boot sector (but not MBR) scanning has been implemented for Japanese 
NEC PCs; disinfection is not available yet.

The "Create Distribution Diskette..." command has been replaced with 
the command "Distribute F-PROT Installations...". The new command 
makes it possible for the administrator to:

(a) Create modified copies of the installation diskette. This makes 
installations with preset configurations possible (in this respect, 
the new command acts like an enhanced version of the "Create 
Distribution Diskette..." command). The "Distribute F-PROT 
Installations..." command also supports the new installation 
program.

(b) Copy the entire F-PROT for Windows setup to an installation 
directory, from which users can install the program by using 
Autoinst.

If an attempt to read an empty diskette drive was made, Gatekeeper 
used to show a Retry/Cancel message box. This has been corrected.

Gatekeeper's memory usage mechanism has been changed to prevent
system crashes. The following DLLs are now memory-locked, so they
cannot be paged out to virtual memory: SSLDR.DLL, SCAN_S.DLL,
F-PROTWI.DLL and FPW386.DLL.

Gatekeeper (more precisely, the file A-PROT.EXE) will refuse to load 
in Windows 95 and Windows NT environments. The program will also show 
an appropriate error message.

Minor Improvements and Changes
------------------------------
If F-Agent fails to execute F-PROTW.EXE, the program will show an
error message that explains the cause of the problem (earlier 
versions used to display only an error code).

When the program receives or sends an update, it displays a window 
which shows the progress of copying files.

Occasionally, F-Agent left F-PROTW.CFG decrypted after reading it. 
This has been corrected.

In Windows NT, the texts in reports and tasklist headers were too 
small (a 6-pt font was used). The font has now been enlarged.

If Windows was set to use large fonts (in the display driver's 
settings), the text on Gatekeeper's splash screen was too large to 
fit into the window. This has been corrected.

Gatekeeper's memory scanner now shows an hourglass cursor while the 
program executes the non-yielding part of the code.

F-PROTW.EXE displays a descriptive error message if it fails to 
launch FPWM.DLL.  The earlier versions of the program used to show 
only an error code.

When the semaphore file (TMP.~NF) is created in the communications
directory, the user's and workstation's names (in that order) are
written to the file. If the semaphore file is not removed for some
reason, the administrator can obtain the information from the file
itself, and determine which workstation caused the problem.

New Viruses Detected by F-PROT
------------------------------
The following 17 new viruses can now be removed. Many of them were
detected by earlier versions, but are now identified accurately.

Ache
Barrotes.1176
Barrotes.840 
Bit_Addict.512.B
Cascade.1701.AK
Danish_tiny.163.D
Faca
Finnish.378
Hates.166
HLL.Commo
IVP.Gwynned
Jackal.3120
Jerusalem.2224
Keypress.1280
Korea_Stranger
Major
Vivian

The following 10 new viruses are now detected and identified but can 
not yet be removed.

Anston.1960
Apocalipse
Bit_Addict.512.A
KY
Newboot_1
RPS2
_1121
WordMacro.Concept
WordMacro.DMV
WordMacro.Nuclear

WordMacro viruses can be removed with the WVFIX package on the F-PROT
Professional for DOS diskette.

