F-PROT Professional 2.21 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.21 is mentioned. Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 6/95
=============

Change in climate
Virus Writer Sentenced to Prison in UK
The Global Virus Situation
        Little_Red.B
        Stoned.Angelina
        WordMacro/Colors
News in Short
        The Happy Birthday Hardware Trojan
Common Questions and Answers
Virus Activation Routines
Changes in F-PROT version 2.21


Change in climate
-----------------

In recent times, the attitudes towards viruses and virus 
writers seem to have toughened worldwide. 

People have apparently recognized viruses for what they are: 
an information security threat, not just harmless pranks. We 
here at Data Fellows approve of this trend; it makes our job 
that much easier.

The weather has indeed turned cloudy for virus writers and 
virus groups. A short time ago, a virus writer in UK 
experienced the consequences of this shift.

Virus Writer Sentenced to Prison in UK
--------------------------------------

Christopher Pile, an unemployed 26-year-old from Efford, 
Plymouth in UK, gained notoriety under the pseudonym Black 
Baron by creating the viruses Pathogen, Queeg and Smeg. 
These viruses were available on computer bulletin boards and 
systems connected to Internet.

Unlike too many virus writers, Pile was caught. At his trial 
on 26th of May 1995, Pile pleaded guilty to eleven charges 
arising from his creation and release of these viruses. Ten 
counts related to instances where organizations had suffered 
unauthorized modification of their computer data by one of 
these viruses. The eleventh charge relates to inciting 
others to create computer viruses and hence cause 
unauthorized modifications. Although Pile's trial was in 
May, the sentencing was delayed until November to allow both 
defense and prosecution counsel to argue the seriousness of 
these crimes.

Christopher Pile was sentenced to 18 months of imprisonment. 
This makes him the first person in the United Kingdom to be 
convicted of writing and distributing computer viruses, and 
the first person in the world to be convicted of inciting 
others to create computer viruses. Of course, precedents for 
punishing virus writers exist in the UK; in October 1992, 
three Cornell University students were each sentenced to 
several hundred hours community service for creating and 
disseminating a computer virus.

Unauthorized modification of information in a computer 
system is an offense under section 3 of the United Kingdom's 
Computer Misuse Act 1990. The maximum punishment under this 
section is five years imprisonment or an unlimited fine or 
both.

The Global Virus Situation
--------------------------

Little_Red.B
------------
The Little_Red.B virus infects COM and EXE files every time
they are opened or executed. The virus is also able to 
infect programs in a directory when the DIR command is used 
on the directory. Infected files grow by 1465 bytes.

Little_Red was quite a common virus in the USA during the 
end of 1994. The virus activates on the 26th of December and 
the 9th of September and plays one of two Chinese melodies. 
The activation dates are the birth and death dates of Mao 
Tse Tung, which is why the virus is also known as Mao.

The Little_Red virus is known to hide on some Proview 
monitor utility diskettes (Power Management EPA Energy Star 
& VESA DPMS Compliant Version 2.02).

F-PROT is able to detect and disinfect the Little_Red virus.

Stoned.Angelina
---------------
In November 1995, this Polish variant of the Stoned virus
was discovered on some brand-new, straight-out-of-the-
factory Seagate 5850 (850MB) IDE hard disks. Discoveries 
were made in at least the Nordic countries.

The virus contains the text:

Greetings for ANGELINA !!!/by Garfield/Zielona Gora

Zielona Gora is a city in Poland.

Stoned.Angelina is a stealth virus. It is able to hide its 
own code on the hard disk while it remains active in the 
computer's memory.

WordMacro/Colors
----------------
One new Microsoft Word macro virus has appeared since the
discovery of the first three macro viruses (for more 
information, see Update Bulletin 2.20). The new virus is 
known as WordMacro/Colors. This macro virus was sent to a 
usenet newsgroup on the 14th of October, 1995. The virus is 
also known by the name Rainbow. 

WordMacro/Colors infects Word documents in a similar manner 
as the previous Word macro viruses. However, the viruse's 
operation does not depend solely on the auto-execute macros. 
Thus, the virus is able to execute even if automatic macros 
are turned off. WordMacro/Colors contains the following 
macros:

        AutoClose
        AutoExec
        AutoOpen
        FileExit
        FileNew
        FileSave
        FileSaveAs
        ToolsMacro
        macros

All the viral macros are encrypted with the standard Word 
execute-only feature.

Once an infected document has been opened, the virus will 
execute when the user:

        o  Creates a new file
        o  Closes the infected file
        o  Saves the file (autosave does this automatically after the
           infected document has been open for some time)
        o  Lists macros with the Tools/Macro command

You will naturally wish to verify that your computer has not 
been infected by the WordMacro/Colors virus. However, do not 
use the Tools/Macro command to do so - if the virus is 
indeed present, you will only succeed in executing it. 
Instead, use the File/Templates/Organizer/Macros command to 
detect and delete the offending macros. Keep also in mind 
that some future macro virus will probably subvert this 
command as well.

The virus maintains a generation counter in WIN.INI, where a 
line "countersu =" in the [windows] part is added to during 
the execution of the viral macros. After every 300rd 
increments the virus will modify the system's color 
settings; the colors of different Windows objects will be 
changed to random colors after the next boot-up. This 
activation routine does not work in Microsoft Word for 
Macintosh.

It is interesting to note that the viruse`s AutoExec macro 
is empty. It has probably been included only in order to 
overwrite an existing AutoExec macro - which might contain 
some anti-virus routines. WordMacro/Colors also re-enables 
the automatic execution of automacros if it has been 
disabled, and turns off the `prompt to save changes to 
NORMAL.DOT' feature; both measures have been used in 
countering macro viruses.

WordMacro/Colors seems to be carefully written; it has even 
a built-in debug mode. The virus has probably been written 
in Portugal.

F-PROT Professional 2.21 detects the WordMacro/Colors virus.

News in Short
-------------

The Happy Birthday Hardware Trojan
----------------------------------
November the 13th surprises have become something of a
tradition. This year, a large number of users encountered 
one again.

There seems to be a large set of trojanized AMI BIOS chips 
going around. These chips halt the machine during the boot-
up on the 13th of November, and play `Happy Birthday' from 
the PC speaker until you press a key. Do note that this is 
not a virus - the affliction will not spread anywhere from a 
trojanized machine.

If you have this problem, contact your hardware vendor for a 
BIOS replacement. 

Common Questions and Answers
----------------------------

If you have questions about information security or virus 
prevention, contact your local F-PROT distributor. You can 
also contact Data Fellows directly at the number 
358-0-478 444.

Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Pivntaite 8
02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

Internet:
F-PROT-support@DataFellows.com
or F-PROT-sales@DataFellows.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi

I am interested in Internet and Web surfing. However, I am 
afraid of catching a virus from the net. Do the viruses in 
Internet pose a real danger?

        There is a problem with viruses in Internet.
        However, at the moment other information security
        problems present a much greater dilemma than
        viruses.

        In public, well-known ftp and www servers there are
        virtually no viruses, since the files in them are
        checked for infections before they are placed in
        distribution. However, Internet contains also plenty
        of shady, obscure servers where one may find
        anything at all. There is no shortage of servers
        specializing in pure virus distribution, either.
        Those who search for viruses will have no trouble
        finding them.

        There are also other ways to distribute viruses via
        Internet: files attached to e-mail, the chat
        function IRC and its file-exchange features, the
        different newsgroups. The greatest danger lays
        probably in the alt.binaries newsgroups - they serve
        as relay stations for all kinds of programs, most of
        which are not checked for infections. To make
        matters worse, many virus writers use these
        newsgroups as a distribution route for their viruses
        - they simply infect an innocuous-looking file
        package with their latest invention and send it to a
        newsgroup.

        For instance, this kind of an incident took place in
        24.07.1994, when a game called SEXXY was mailed to
        the alt.binaries.pictures.erotica newsgroup. The
        virus writer who sent the game had deliberately
        infected it with the new Kaos4 virus. During the
        next five days, reports of the virus arrived from
        all over the world. There were also many who never
        reported the virus - too embarrassed to admit that
        they had caught the infection from a pornographic
        newsgroup.

        Netsurfers would be well advised to protect their
        computers with the F-PROT Gatekeeper background
        protection program, which automatically examines all
        files that are transferred to the computer. That
        way, one does not have to check the files for
        viruses separately. Of course, common sense during
        Internet adventures doesn't exactly hurt, either.

I installed Windows 95 on my computer. Soon after that, I 
came to notice that Windows writes on my non-write-protected 
diskettes even if I only browse the diskettes' directory 
listings. Why is that? May it cause harm?

        Windows 95 does indeed act in this peculiar manner.
        The actual reason it does so is not known.
        Microsoft's technical documentation states that, for
        the purposes of detecting disk changes, Windows 95
        writes on diskettes' boot sectors when the diskettes
        are used, but in reality Windows 95 also writes on
        the diskettes' root directories.

        Windows 95 seems to make a note of all the EXE files
        it has not previously seen. These notes are stored
        in an unused area in directory information, and they
        take up two bytes per. The bytes are apparently
        time-stamped checksums of the file's directory
        information.

        If Win95 has previously encountered a similar EXE
        file on the hard disk, on a diskette, or in the
        network, it won't make a note of the file. Windows
        does not examine the file's contents - instead, it
        seems to maintain a database about EXE files'
        directory information. Win95 does not make notes
        about COM files, nor does it try to write on
        write-protected diskettes. The writing in
        directories seems most probably connected to Windows
        95' icon cache function.

        In any case, Windows 95 does write on
        non-write-protected diskettes during normal read
        procedures. This may hamper the functioning of
        certain copy-protection programs and nonstandard
        diskettes.

Virus Activation Routines
-------------------------

The following article on virus activation routines was 
written by Mikko Hyppnen, Data Fellows LTD's F-PROT 
Technical Support Manager. We will publish the article in 
two parts - the second will appear in the next Update 
Bulletin. The text has previously been published for the 
Eicar Conference `95, where Mr. Hyppnen presented it in its 
entirety.

Introduction

The general public's idea of a computer virus is usually 
something like "It's a program that destroys data". Strictly 
speaking, this is not true, for a virus doesn't have to 
destroy anything in order to be a virus. In fact, most of 
the known viruses do not format hard drives or overwrite 
files - or do anything at all besides spreading.

All anti-virus support persons know that a lot of the people 
calling support ask "Your program said I have this virus. 
What does it do?", and the typical answer is: "Nothing. It 
just replicates". 

People often find this surprising, because the destructive 
or spectacular viruses - naturally - get more publicity than 
the boring ones which have nothing special about them. 
Still, roughly half of the known viruses have no activation 
routines at all. Perhaps the authors of these viruses wanted 
to make their viruses smaller by omitting such routines, or 
perhaps they reasoned that any activation at all will just 
result in the virus being discovered earlier. Or perhaps 
they just didn't have the imagination to think up an 
activation routine.

Common Viruses and Activation Routines

A quick look at the most common viruses worldwide reveals 
that most of them have no visible activation features at 
all:

o	AntiCMOS.A - has an activation routine, which is never 
        executed
o	AntiEXE - has an activation routine, which is practically 
        never executed
o	DIR_II.A - no activation routine
o	Form.A - has an activation routine, which is practically 
        never executed
o	Tai-Pan.438 - no activation routine
o	Junkie - no activation routine
o	Stoned.Empire.Monkey.B - no activation routine
o	Stoned.Standard.A - has an activation routine, which is 
        executed very seldom
o	Stoned.No_INT.A - no activation routine
o	Stealth_Boot.B - no activation routine
o	WordMacro/Concept - no activation routine

These viruses alone are currently responsible for probably 
two thirds of all the virus infections worldwide. However, 
among the most common viruses there are also viruses with 
activation features:

o	Kampana.A - overwrites part of the hard drive after 400 
        boots
o	Green_Caterpillar.1575 - draws a caterpillar on the screen 
        after 60 days
o	Michelangelo - overwrites part of the hard drive on every 
        6th of March
o	Cascade.1701.A - drops letters to the bottom of the screen
o	V-Sign - draws a large V with ASCII graphics after every 
        64 boots
o	Tequila - draws a fractal by random

Classification

There are no formal classifications rules for the viruses' 
different activation routines. However, we can divide the 
routines of known viruses in the following groups:

o	Data destruction
o	Sounds, tunes, speech
o	Animations
o	Messages
o	Interactive activations
o	Fake hardware failures
o	Practical jokes
o	Denial of service

Data Destruction

Destructive activation routines can be further divided into 
immediate and gradual.

Michelangelo, Kampana and Natas are examples of immediately 
destructive viruses - they simply overwrite part of the hard 
drive with a low-level BIOS function. Other viruses with 
immediately destructive routines delete or overwrite files 
instead of overwriting physical sectors.

Gradual destruction is done by viruses such as Ripper or 
Nomenklatura, which slowly corrupt the data on the hard 
drive. This is also known as data-diddling. Such corruption 
is likely to go unnoticed until the corrupted data has been 
backed up several times. This makes data recovery 
considerably more difficult, and in most cases significant 
amounts of data will be lost for good.

Thankfully, destructive activation routines quite often fail 
to work due to programming errors. It seems that the virus 
authors are reluctant to test these routines on their own 
machines.

It is also worth noticing that there are very few 
destructive viruses on the Macintosh side. This is possibly 
a result of the different user cultures of PC and Mac users.

Sounds, tunes, speech

There are several viruses which play tunes through the PC 
speaker upon activation. Probably the most common examples 
are the different Yankee_Doodle variants which activate by 
playing the Yankee Doodle tune at different times of day. 
Other viruses just produce beeps and zaps occasionally. 
There are also some viruses which try to speak - one example 
is the Dreamer virus, which tries to say "Hitler!" through 
the PC speaker. Finally, there are some viruses which try to 
utilize a sound card if the infected PC contains one.

Animations

Viruses which activate with an animation can be further 
divided into text-mode and graphical animation viruses. 
Examples of text-mode animation viruses are the 
Cascade.1701.A virus, which drops the characters on the 
screen to the bottom of the screen, and the Walker virus, 
which produces a walking man animation on the screen. 
Another example is the Vienna.Bua AKA Big Caibua virus, 
which attracted media attention with its activation routine: 
it displayed a text-mode animation of an ejaculating penis 
on the screen while deleting data on the hard drive.

Graphical activation routines are somewhat rarer. However, 
they can be found in viruses like Den_Zuk, which displays a 
logo on the screen, and the HH&H virus, which shows quite an 
interesting 3D animation of a bouncing ball built out of 
small dots.

Messages

Viruses which display messages on-screen include 
Stoned.Standard.A, which occasionally displays "Your PC is 
now Stoned!" if the machine is booted from a diskette. 
Another common virus with a message to display is the 
Parity_Boot.B virus, which activates by displaying "PARITY 
CHECK".

A more interesting display is produced by the Rescue virus, 
which shows a screen full of nonsense messages.

Interactive Activations

Some viruses stop the PC and demand that the user do 
something. For example, the Joshi virus stops the machine on 
January 5th and allows the computer to continue functioning 
normally only after the user types "Happy Birthday Joshi". 
The Casino virus forces the user to gamble in a Jackpot 
game, the stakes being the contents of the hard drive.

Some viruses demand somewhat more effort from the user. The 
YAM.Math virus will occasionally stop the machine when a 
program is run, and display simple addition or subtraction 
questions. Execution of the program is denied unless the 
user gives the correct answer. 

Another similar virus called Peter_II displays the following 
message:

        Good morning,EVERYbody,I am PETER II

        Do not turn off the power, or you will lost all of the data
        in Hardisk!!!

        WAIT for 1 MINUTES,please...

After this, the virus encrypts the whole hard drive. Having 
done that, it continues by displaying the following 
questionnaire:

        Ok.If you give the right answer to the following questions,I
        will save your HD:

        A. Who has sung the song called "I`ll be there" ?

        1.Mariah Carey  2.The Escape Club  3.The Jackson five  4.All
        (1-4):

        B. What is Phil Collins ?

        1.A singer  2.A drummer  3.A producer  4.Above all(1-4):

        C. Who has the MOST TOP 10 singles in 1980`s ?

        1.Michael Jackson  2.Phil Collins (featuring Genesis)
        3.Madonna  4.Whitney Houston(1-4):

If the user gives correct answers to all questions, the
virus decrypts the hard disk and displays the following
message:

        CONGRATULATIONS !!! YOU successfully pass the quiz!

        AND NOW RECOVERING YOUR HARDISK ......

The user can then continue to use the computer normally. 
However, if incorrect answers are given, the virus will not 
decrypt the hard disk. Instead, it will just display the 
following message:

	Sorry!Go to Hell.Clousy man!

Correct answers to the questions are left as an exercise to 
the reader.

Finally, some viruses invite the user to play a game on the 
PC. An example of this is the Playgame virus, which displays 
a simple race game.

Fake Hardware Failures

Some viruses try to simulate a hardware failure. For 
example, the Azusa virus disables the serial and parallel 
ports of the machine, and Parity_Boot makes it appear as if 
the computer has faulty memory chips. 

In the worst case, the user is fooled into replacing 
components of his system before he realizes that there is 
nothing physically wrong with the machine.

Practical Jokes

Several viruses play practical jokes on the user. The 
Jerusalem.Fu_Manchu virus monitors what the user types, and 
inserts comments when keywords such as `Thatcher', `Reagan' 
or `Waldheim' are entered. 

The Armagedon virus from Greece checks whether a modem is 
connected to the machine, and tries to call out to the local 
time service when the time is between 5am and 6am. The 
Fone.688 tries to pull a similar prank but with one 
difference - it calls to X-rated 1-900 phone services in the 
USA.

The Haifa virus inserts two text lines in the middle of DOC 
files when they are accessed:

        OOPS!  Hope I didn't ruin anything!!!
        Well, nobody reads those stupied DOCS anyway!

Similarly, the WordMacro/Nuclear virus adds comments against 
French nuclear testing in Pacific to the end of documents 
when they are printed or faxed from Microsoft Word.

Denial of Service

Some viruses just try to make the machine unusable. Viruses 
which overwrite hard drives are somewhat obvious about it, 
but good backups provide a fast way to recover from the 
damage. On the other hand, there are also viruses like 
Monica, which turns the BIOS boot-up password function on 
(if the BIOS supports this), and sets the password to 
`monica'. As there is no way for the user to guess the 
password, the machine is rendered effectively unusable until 
the CMOS battery is disconnected. In the future we will 
probably see Flash BIOS -aware viruses, which will cause 
even more difficult problems.

The remaining part of the article will be published in the 
next Update Bulletin. It describes viral trigger mechanisms, 
tells where to get information about viruses, and lays out 
some future prospects.

Changes in F-PROT version 2.21
------------------------------

Changes in F-PROT for DOS
-------------------------
The Antibase virus was previously detected only in COM
files. Now it can also be detected in EXE files.

Although the Ginger.2774 virus could previously be detected 
in boot sectors, the program could not identify it 
accurately. This has been corrected.

Formerly, the PH33R virus could only be detected in DOS 
programs. Now, it can also be detected in Windows programs.

Minor Improvements and Changes

Previously, if someone created a file containing a short 
byte string which happened to be one of the search strings 
used by F-PROT, the program reported that the file had been 
infected by "a new or a modified variant". Nowadays, the 
program checks whether the file is large enough to contain 
the virus in the first place. If the file is too short, 
F-PROT does not report anything.

F-PROT can now identify files destroyed by the Exebug virus.

Changes in F-PROT for Windows
-----------------------------
The memory test has been changed to avoid problems with
buggy flat model display drivers.

Communications directory polling mechanism has been changed 
to reduce sharing violations and other network conflicts, 
especially in NT networks.

It is now possible to poll the network communication 
directory at a different rate from polling the local 
directory. F-Agent's polling interval specified in the 
Network preferences now determines the polling rate for the 
communications directory only. Value of 90 minutes is the 
default. The local tasks poll rate is hardcoded to 6 
minutes.

Sometimes an "Error -xxx loading scan_s.dll" message was 
shown without real reason occasionally on startup; this bug 
has been fixed.

Environment variable name is now allowed in user name at 
workstation preferences: if you have variable USER holding 
the name of the user, you can enter #USER# to Workstation 
name field.

F-PROT Gatekeeper Scans for document macro viruses by 
default now; feature can be disabled by a setting in F-
PROTW.INI.

Less conventional memory (below 1MB) will be reserved by 
Gatekeeper when it is loaded.

It is now possible to configure the position of Gatekeeper's 
memory scan progress bar by a setting in F-PROTW.INI in your 
Windows directory, for example:

        [MemoryScan]
        StatusWindowPos=LowerRight

Choices are UpperLeft, UpperRight, LowerLeft and LowerRight.

The dialog "Distribute Installations by Autoinst" now has an 
Options button, which brings out a dialog for setting some 
basic options: whether to install FPW or Gatekeeper or both, 
and whether there will be a local, remote, or standalone 
installation. The AUTOINST.INI created will then contain 
proper settings for the selected installation type.

Changes in the F-ARC Program

It is now possible to disable F-ARC's boot sector check. 
This is done by adding the following lines to the file 
F-ARC.INI:

        [F-ARC]
        bootscan=0


The following 29 viruses are now identified, but can not be 
removed as they overwrite or corrupt infected files.  Some 
of them were detected by earlier versions of F-PROT, but not 
identified accurately.

_548
Bane
Burgar.560.BB
Darth_Vader.411
Itti.99.C
Leprosy.534
Leprosy.666.R
Leprosy.792
Linda
MSK.272.B
MSK.272.C
MSK.284.B
Orce.67
Orce.71
Quasar.422
SillyOR.83
Springs
Terra
Trelew
Trivial.26.D
Trivial.29.F
Trivial.40.H
Trivial.42.I
VCL.341
VCL.355
VCL.407
VCL.427
VCL.645
VCL.Mindless.423.I

The following 183 new viruses can now be removed.  Many of 
them were detected by earlier versions, but are now 
identified accurately.

_205
_351
_553
_612
_658
_724
_759
_1314
_1972
Ahav
Alex.818
Anthrax.B
Armagedon.1065
Armagedon.1066
Asahi.1045
Asahi.1061
Australian_Parasite.231
Australian_Parasite.279.B
Avalon
Badsectors.3627
Barrotes.1463
Beda.1530
Bengal.1170
Black_Jec.231.B
BootExe.453.A
BootExe.453.B
BootExe.453.C
Cascade.1701.AL
Cascade.1701.AM
Cascade.1701.AN
Cascade.1701.AO
Cascade.1701.AP
Catherine
CED
Chomik
Conjurer.181
Conjurer.265
Conjurer.270
Conjurer.277
Conjurer.353
Conjurer.550
Continua.B
Cor
Coyote
CPW.1457
Creeper.482
Dagger
Danish_Tiny.263.B
Danish_Tiny.312
Dark_Avenger.2000.GoGo
Dark_Revenge
Darth_Vader.344.E
Dex
Diablo
Diamond.1024.D
Drunk.527
EM
Fis
Flame.B
Ginger.2620
Gippo.Bumpy.B
Gynx
H8
Hates.190
Heja.511.B
Heja.511.C
Helloween.1376.B
Helloween.1376.C
Helloween.1376.D
Helloween.1376.E
Helloween.1376.F
Hellspawn.1075
HLL.10217
HLLC.12573
Ibqqz
IVP.652
Jerusalem.1024
Jerusalem.1234
Jerusalem.1624
Jerusalem.1747.B
Jerusalem.1808.Frere.K
Jerusalem.1808.sUMsDos.AS
Jerusalem.1808.sUMsDos.AT
Jerusalem.1808.sUMsDos.AU
Jerusalem.Sunday.P
Katvir
Keeling
Kode_4.399.B
Kode_4.412
Kolumna.1100
Leda
Leech.1008
Little_Brother.276
Malaise.D
Mario
MDS.331
Mephisto.510
Minnie
MR
Murphy.HIV.D
Murphy.HIV.E
Natas.4740
No_Frills.1358
NotStoned
November_17th.768.E
Ntmy
Opal
Open.1569
Open.1581
Overboot
Peligro.1208
PH33R
Phi
Pihenj
PS-MPC.306
PS-MPC.603.D
PS-MPC.Skeleton.598.G
Pure.439
Quell
Quick
Reverse.C
Riihi.258
Riot.Carpe_Diem.1305
Riot.Carpe_Diem.1415
RMC
Rocket
Rodolf.4096.B
Salamander
Scotch
Seventh_son.334
SillyC.101
SillyC.109
SillyC.162
SillyC.184
SillyC.254.A
SillyC.254.B
SillyCR.125.B
SillyCR.3152
SillyER.168
Stoned.Dinamo.B
Stoned.Dinamo.C
Suriv_1.941
Suriv_1.1000.B
Swiss_boot.B
Tai-Pan.438.C
Tankar.212
Teh
Tib
Timid.245
Timid.289
Timid.302.B
Titanium
Undershove
VCL.229
VCL.331
VCL.339
VCL.343.A
VCL.343.B
VCL.395
VCL.401
VCL.432
VCL.453
VCL.485
VCL.513
VCL.517
VCL.570
VCL.708
VCL.851.B
VCL.909
VCL.Spam
VCL.VCC.343
VCL.VCC.353
Vienna.648.AG
Vienna.648.AH
Vienna.Iraqui_Warrior.C
Vienna.W-13.600
Virdem.1336.German.C
Won't_Last
WSI
WZ.436.A
WZ.465.B
Xiv
YB.8588

The following 65 new viruses are now detected and identified 
but can not yet be removed.

_732
_2158
Air_Raid.330
Annihilator.208
Annihilator.272.B
Annihilator.276
Annihilator.308
Annihilator.314
Annihilator.361
Annihilator.394
Annihilator.453
Annihilator.510
Annihilator.548
Attitude.823
Caos
Conjurer.300
Conjurer.312
Conjurer.377
Conjurer.408
Conjurer.433
Conjurer.506
Conjurer.510
Conjurer.586
Conjurer.886
Crazy_Frog
Dan.1092
Dan.1871
Digdeath.1062
Digdeath.1153
Explorer.3037
Grace
Int13.B
IVP.632
IVP.674
IVP.703
IVP.1017
IVP.Insomnio
Lost_Friend.881
Lost_Friend.882
Lucifer
Marbas.1303
M01
NRLG.575
NRLG.587
NRLG.624
NRLG.655
NRLG.727
NRLG.982
No_of_the_beast.AC
Psychosis.991
Qtiny.162
Quish
Red_Zar.461
Red_Zar.467
Rider.575
Riot.Carpe_Diem.1012
Spec
St_R
Thirty_First
Tigre.1800.B
Vampiro.1623
VCL.VCC.367
VCL.VCC.438
VCL.VCC.571
WordMacro/Colors

The following 5 new viruses are now detected, but not 
identified. F-PROT will just report the family name with a 
(?) or report the virus as "New or modified variant", as it 
is not yet able to determine which variant it is dealing 
with.  Disinfection of these viruses is not yet possible.

Avispa.C
Avispa.D
Avispa.E
Avispa.F
FinnPoly

The following 2 viruses which were identified by earlier 
versions can now be removed.

Boot-437
LV

The following viruses have been renamed:

Espejo     	->  Fifteen_Years
Vienna.IWG  	->  Vienna.Iraqui_Warrior.B
------------------------------------------------------------------------------
F-PROT Professional 2.21 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.21 is mentioned. Copyright (c) 1995 Data Fellows Ltd.
------------------------------------------------------------------------------
