------------------------------------------------------------
F-PROT PROFESSIONAL UPDATE BULLETIN 3.01
------------------------------------------------------------
Data Fellows
PL 24, FIN-02231 Espoo, Finland

http://www.DataFellows.com/
Anti-Virus-Sales@DataFellows.com
Anti-Virus-Support@DataFellows.com

tel +358 9 859 900
fax +358 9 8599 0599

This material can be freely quoted, when the source, F-PROT Professional 
Bulletin 3.01, is mentioned.

Copyright (C) 1997 Data Fellows Ltd.


------------------------------------------------------------
DATA FELLOWS ANNOUNCES BREAKTHROUGH WITH F-SECURE ANTI-VIRUS

Data Fellows made three significant announcements at the Virus Bulletin 
conference on the 2nd of October in San Francisco. An exclusive strategic 
alliance with the leading anti-virus technology company AVP will greatly 
increase Data Fellows' product development resources and shorten the 
time-to-market for new products. 

At the same time Data Fellows announced two new product groups. The 
F-Secure Anti-Virus product family is the first to use two top quality 
scanning engines within the same product, extending the product's 
detection rate to theoretical limits. Another industry breakthrough, 
F-Secure Anti-Virus Macro Control is the first software to detect and 
eliminate all possible existing or new macro viruses completely, using a 
revolutionary new concept.


What does this mean to you, our valued F-PROT Professional customer?

In a nutshell, F-PROT development continues exactly as before, but with 
the benefit of our new architecture. 

You, as an existing F-PROT Professional customer, also have the unique 
option to upgrade to the dual engine F-Secure Anti-Virus product using 
both the F-PROT and the AVP scanning engines. 

As the user interface and all configuration settings remain identical to 
the current F-PROT, and the F-Secure Anti-Virus installs with the total 
transparency of a normal F-PROT update, there is no downside to upgrading 
to F-Secure Anti-Virus.

The F-Secure Anti-Virus products will all ship before the end of the 
year. Please contact your local Data Fellows Anti-Virus distributor for 
further information. Please also visit our website for more details on 
the F-Secure Anti-Virus and F-Secure Macro Control products:

http://www.DataFellows.com/solutions/


Strategic alliance extends detection rate to theoretical limits

Data Fellows has formed an exclusive strategic alliance with another 
superior anti-virus technology team: the AVP development team led by 
Eugene Kaspersky. Together these companies combine the best minds in the 
anti-virus world, the foundation of the revolutionary new F-Secure Anti-
Virus CounterSign(tm) Technology from Data Fellows. 


F-Secure Anti-Virus - the world's first anti-virus product to use 
multiple scanning engines 

Data Fellows' popular F-PROT Professional for Windows can be upgraded to 
a multi-layered virus protection system performing multiple simultaneous 
scans with multiple scanning engines, including on-demand and real-time 
scans, thanks to the ground-breaking CounterSign technology invented by 
Data Fellows. This new CounterSign technology allows F-Secure Anti-Virus 
to be the first line of anti-virus software to combine multiple virus 
scanning engines into a single framework by using both the F-PROT and AVP 
anti-virus engines simultaneously. 

As operating systems evolve and networks grow more complex, a 
comprehensive strategy has become necessary to combat the threat of 
viruses. Using CounterSign technology, F-Secure Anti-Virus brings anti-
virus products together to work within a common framework. The idea is 
that what one virus scanner misses, another will find.

Data Fellows understands that organizations have invested substantially 
in anti-virus protection. The F-Secure Anti-Virus installs automatically 
on top of an existing F-PROT installation and uses all existing settings. 
Installations are easy to automate even in the largest networks. Future 
versions of F-Secure Anti-Virus will allow users to combine installed 
anti-virus products with the F-Secure Anti-Virus framework that is the 
basis of this new, revolutionary CounterSign technology. In addition, 
F-Secure Anti-Virus will use an advanced heuristic analysis to detect 
unknown viruses, virtually eliminating the risk of false alarms. To 
manage the framework's central point, F-Secure Anti-Virus offers a wealth 
of network management and distribution features. These include:

- Installing desktop versions of F-Secure Anti-Virus for multiple 
  platforms from a single workstation automatically.

- Sending updates to users with a single mouse click.

- Receiving reports from workstations when a virus is found.

- Receiving copies of infected or suspected files from workstations 
  automatically.

Data Fellows is offering related products under the F-Secure Anti-Virus 
umbrella. One program, F-Secure Anti-Virus for Firewalls, scans and 
removes viruses before they have any chance to enter a network. This 
product is OPSEC compliant with seamless integration achieved via CVP 
(Content Vectoring Protocol). Coupled with F-Secure Network Management, 
it is the ideal solution for Internet-borne viruses. Another program, F-
Secure Anti-Virus E-Mail Gateway, delivers e-mail anti-virus protection 
to stop viruses at the gateway. And finally, F-Secure Anti-Virus Macro 
Control checks for certified and approved macros within organizations.


F-Secure Macro Control finally solves the macro virus problem

While anti-virus products have traditionally scanned documents for macros 
by identifying only viral code, F-Secure Macro Control radically changes 
the rules. As the number of macro viruses keeps growing, it is far easier 
to track trusted macros. A typical organization has a finite number of 
macros which relate to its business. These are easy to certify, as the 
persons responsible for writing macros for in-house work are able to 
identify approved corporate macros easily. These macros are not likely to 
change once they are deployed throughout the organization. Instead of 
detecting viruses, F-Secure Anti-Virus Macro Control works on a simple 
concept: if a macro is present in a document, then it must be certified. 
This eliminates the possibility of new macros and macro viruses entering 
an organization. It works much like a corporate security system, which 
only admits those employees who carry a security badge.

Let's examine how F-Secure Anti-Virus Macro Control works. 

- A virus enters the user's system through the corporate e-mail system. 

- It is then checked by the real-time protection module of F-Secure 
  Anti-Virus Macro Control. 

- If a macro is found, it is checked against a series of database entries. 

- First, it is checked against the infected database. If a match is 
  found, the user is warned about an infected document and the product 
  offers to disinfect it. 

- Then it is checked against the "certified" database. 

- Finally it is checked against the known or "approved" database. This 
  database contains vendor-specific and trusted macros. 

- If a match is found in one of the two known "safe" macro databases, the 
  user is allowed to open the document with all macros intact. No messages 
  are shown to the user. 

- If no match is found, the user is only allowed to open the document 
  after the unknown macros have been removed. 
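The decision order above (infected database first, then the two "safe" databases, strip whatever is unknown) as an added example; this is not Data Fellows' code, and identifying a macro by a SHA-256 hash of its normalised source, the database layout and the toy macro bodies are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

def macro_id(source: str) -> str:
    """Identify a macro by the SHA-256 of its source (assumption: the
    databases are keyed this way). CRLF/LF differences are normalised so
    the same macro body always yields the same identifier."""
    return hashlib.sha256(source.replace("\r\n", "\n").encode("utf-8")).hexdigest()

@dataclass
class MacroDatabases:
    infected: dict            # macro id -> virus name
    certified: set            # in-house macros certified by the organization
    approved: set             # vendor-specific and other trusted macros

@dataclass
class Verdict:
    action: str                                  # "clean", "disinfect", "allow", "strip"
    viruses: list = field(default_factory=list)  # names matched in the infected database
    removed: list = field(default_factory=list)  # names of macros that were stripped

def check_document(macros: dict, db: MacroDatabases) -> Verdict:
    """macros: macro name -> macro source, as extracted from one document."""
    if not macros:
        return Verdict("clean")                  # no macros, nothing to decide
    ids = {name: macro_id(src) for name, src in macros.items()}
    # 1. The infected database is consulted first: warn and offer disinfection.
    viruses = sorted({db.infected[i] for i in ids.values() if i in db.infected})
    if viruses:
        return Verdict("disinfect", viruses=viruses)
    # 2. Certified, then 3. approved: together they form the "safe" set.
    safe = db.certified | db.approved
    unknown = [name for name, i in ids.items() if i not in safe]
    if not unknown:
        return Verdict("allow")                  # opened intact, no message shown
    # 4. No match: the document opens only after the unknown macros are removed.
    return Verdict("strip", removed=unknown)

# Constructed sample data: toy macro bodies and a made-up virus name, not real
# macros or real detection entries.
INVOICE_MACRO = 'Sub Invoice()\n  MsgBox "Invoice posted"\nEnd Sub\n'
VENDOR_MACRO = 'Sub VendorHelper()\n  ActiveDocument.Save\nEnd Sub\n'
INFECTED_MACRO = 'Sub AutoOpen()\n  MsgBox "sample"\nEnd Sub\n'
UNKNOWN_MACRO = 'Sub Mystery()\n  MsgBox "Hello"\nEnd Sub\n'

SAMPLE_DB = MacroDatabases(
    infected={macro_id(INFECTED_MACRO): "WordMacro/Sample.A"},
    certified={macro_id(INVOICE_MACRO)},
    approved={macro_id(VENDOR_MACRO)},
)

if __name__ == "__main__":
    documents = {
        "safe macros only": {"Invoice": INVOICE_MACRO, "VendorHelper": VENDOR_MACRO},
        "known virus present": {"Invoice": INVOICE_MACRO, "AutoOpen": INFECTED_MACRO},
        "uncertified macro": {"Invoice": INVOICE_MACRO, "Mystery": UNKNOWN_MACRO},
    }
    for title, doc in documents.items():
        print(f"{title}: {check_document(doc, SAMPLE_DB)}")
```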

At Data Fellows, we have built our organization on solving problems 
around data security around the world. With these new product launches we 
can do it better than ever before. 


------------------------------------------------------------
DATA FELLOWS LTD IS MOVING

Our company has outgrown its present Helsinki-area facilities, which is 
why we will be moving to new offices on the 20th of October. 


New Mailing Address

PL 24
FIN-02231 Espoo
Finland


New Point-of-Visit Address

Pyyntitie 7
FIN-02230 Espoo
Finland


New Telephone Switchboard

+358 9 859 900


New Fax Number

+358 9 8599 0599


New Number for F-PROT Technical Support

+358 9 8599 0544


New Fax Number for F-PROT Technical Support

+358 9 8599 0744


------------------------------------------------------------
THE GLOBAL VIRUS SITUATION


Crew.2480

The Crew.2480 virus was first discovered in 1988. It had apparently been 
created as early as 1987, which would make it one of the first file 
viruses: the very first PC virus, Brain, was discovered only a year 
earlier.

Crew has managed to spread quite far. Its heyday was at the beginning of 
the 90s.

Although the Crew virus is now in its tenth year, it is still going 
strong. This was proven when a report of a Crew.2480.A infection was 
received from Finland this spring.

It is hard to imagine that any program written in 1987 could still be 
functional and not completely obsolete. However, this simple computer 
virus has managed to remain functional, and apparently even retained a 
degree of effectiveness.

Crew.2480 is a simple COM file infector. When an infected program is 
executed, the virus will sometimes display the following message on the 
screen:

This program is cracked by 
Notice this: TS ain't smart at all. 
Distribution since 11-06-1987 (or 06-11-1987) 
Press any key 

There are several variants of this virus, and the message varies 
depending on the variant. In addition to the message, the text 'European 
Cracking Crew', implemented with character graphics, is also displayed on 
the screen.

Note that this virus has nothing to do with the "Join The Crew" hoax 
message.


Spanska.4250

Spanska.4250 (also known as Elvira or SpanskaII) is a complex and 
difficult PC virus which has spread over the Internet in binary postings 
addressed to several newsgroups during September 1997. These postings 
have been addressed at least to the groups alt.sex, alt.binaries.pictures 
and alt.cracks.

There are hundreds of thousands of people following these newsgroups. 
Infections have been reported in the USA, Australia, Asia, Africa and Europe. 

Spanska.4250 is a stealth virus which infects COM and EXE files. While 
the virus is resident, the changes in file sizes are not visible to the 
end user. Spanska.4250 is a DOS virus, but it is also able to spread in 
DOS boxes under Windows 3.x and Windows 95.

The virus is polymorphic, but its polymorphic engine is limited. However, 
the virus makes up for this by using several tricks in its decryptor to 
avoid detection by most (but not all) of the heuristic analyzers. The 
main virus body has an anti-heuristic structure as well.

Spanska.4250 does not infect files which start with the letters: 

   TB  	(TBSCAN)
   VI  	(VIRUSAFE)
   AV  	(AVAST, AVP)
   NA  	(NAV)
   VS  	(VSHIELD)
   FI  	(FINDVIRU)
   F-  	(F-PROT)
   FV  	(FINDVIRU)
   IV  	(INVIRCIBLE)
   DR  	(DRWEB)
   SC  	(SCAN)
   GU  	(GUARD)
   CO  	(COMMAND.COM)

The virus disables its stealth routine when a file starting with one of 
the following letter combinations is executed:

   PK  	(PKZIP)
   AR  	(ARJ)
   RA  	(RAR)
   LH  	(LHA)
   BA  	(BACKUP)

Spanska does not infect the file COMMAND.COM or any other COM file which 
is either smaller than 500 bytes or bigger than 56000 bytes. When 
executed, Spanska.4250 immediately infects the \WINDOWS\WIN.COM file. 

If an infected file is executed when the system clock's minutes value is 
30 and its seconds value is 16 or less, Spanska.4250 activates. Upon 
activation, the virus displays a scrolling message, similar to the text 
at the beginning of the movie 'Star Wars'. 

The message may have one of the following three contents:

ELVIRA !
 Black and White Girl
 from Paris
 You make me feel alive.

ELVIRA !
 Pars. Reviens. Respire.
 Puis repars.
 J'aime ton mouvement.

ELVIRA !
 Bruja con ojos verdes
 eres un grito de vida,
 un canto de libertad.

The first version of the Spanska virus, Spanska.1120, was discussed in 
more detail in F-PROT Update Bulletin 2.16.

Spanska is a good example of a virus which would never have been able to 
go 'wild' had it not been spread deliberately over the Internet.


Baboon

Baboon is a boot sector virus which contains certain special functions.

Baboon infects the boot sectors of diskettes and MBRs (Master Boot 
Records) of hard disks. 

Baboon does not save the original boot sector or MBR anywhere. Instead, 
the virus searches the partition table in the MBR for the active 
partition, reads that partition's boot sector and passes control to it. 
This way it retains the general functionality of the MBR code. 

When a PC is booted from an infected diskette, the virus will likewise 
read the active boot sector on the hard drive and give control to it. No 
error messages like "non-system disk" will be displayed, and the PC will 
proceed to boot directly from the hard disk. 

Baboon activates both randomly and on the 11th of September. At this 
time, it overwrites the MBR of the hard drive and the first 9 sectors of 
the active partition. As a result, the PC will not boot.

Baboon was reported to be in the wild in September 1997, but the virus 
does not seem to be especially common. When the virus activates, it also 
overwrites its own code, thus limiting its own spreading.


Cabanas

The Cabanas virus is designed for 32-bit Windows systems. It can function 
in Windows 3.x extended with Win32s, Windows 95, Windows NT Server and 
Windows NT Workstation. It is, therefore, the second known virus which 
can spread in Windows NT environments and infect the 32-bit NT program 
files (the first such virus was Jacky, which was discovered during the 
summer of 1997).

When a file infected by the Cabanas virus is executed, the virus searches 
for a couple of EXE files and infects them. After this, it tries to go 
resident in memory. However, in the Windows NT environment this is 
possible only if the user has administrator privileges. If the virus 
manages to slip into memory, it will infect all EXE files that are 
executed on the computer. Cabanas also incorporates certain stealth 
characteristics: the changes in the sizes of infected files will not be 
visible as long as the virus remains in memory.

In spite of Cabanas' wide variety of functionalities, the virus is only 
3500 bytes in size. However, Cabanas does not function very well - among 
other things, it prevents an infected computer from being booted. 
Therefore, Cabanas cannot really spread very far, even in theory. The 
virus does not attempt to do anything else besides spreading.

The author of the Cabanas virus is apparently the same person who created 
the common WordMacro/CAP macro virus. The author's real name and 
whereabouts remain unknown.

The Cabanas virus hasn't been discovered in the wild, nor is that likely 
to happen as long as the virus remains in its present form. The only 
known copies of the virus are test samples spread by its author.


The Situation with Word Macro Viruses

The number of Word macro viruses continues to grow - at the time this was 
written, it was fast approaching 1500. However, F-PROT is updated daily 
against new macro viruses, and it can detect practically all known 
viruses at any given time. New update files can be downloaded at your 
convenience from Data Fellows' WWW server. The address is

http://www.DataFellows.com/gallery/

The update file MACRO.DEF contains routines for detecting and 
disinfecting macro viruses. The file is updated approximately once a day. 
While you are visiting our server, you can also download the free GETMAC 
system, which can be used to automate daily updates to all the computers 
in even a large organization.


WordMacro/Pesan

WordMacro/Pesan.A is a simple Word macro virus. It activates every five 
minutes and displays one of the following messages: 

MicroSoft Warning!!! 
You are about Formatting Hardisk, Are you sure? 

FORMAT WARNING !!! 
You have just activate the format.exe trigger, 
all command will FORMAT your hardisk 

SYSTEM DAMAGE WARNING !!! 
System detected 'Bandung.d_t' VIRUS, all system will be 
Damage Permanently !!! May God Have Mercy On you ....!!! 

Otherwise Pesan.A only spreads itself. The virus does not destroy any 
data.

WordMacro/Pesan.B is a later variant which contains a destructive 
activation routine. The virus does not display any messages, but it 
attempts to delete the following files:

c:\dos\chkdsk.exe 
c:\dos\format.com 
c:\dos\defrag.exe 
c:\dos\scandisk.exe 
c:\msdos\chkdsk.exe 
c:\msdos\format.com 
c:\msdos\defrag.exe 
c:\msdos\scandisk.exe 

After deleting a file, Pesan.B creates a similarly named BAT file. When 
this batch file is executed, it runs the DELTREE command and deletes all 
files from drive C:.

The activation routine fails if the hard disk's directory tree does not 
contain either a 'C:\DOS' or a 'C:\MSDOS' directory (most Windows 95 and 
NT systems do not have such directories).


WordMacro/Demon

The WordMacro/Demon.A virus consists of three macros. The virus does not 
contain any destructive activation routines, but it may cause some 
incompatibility problems. The virus stores some of its own settings in 
WIN.INI. 

The virus contains a routine with which the author of the virus can 
easily check whether a machine is infected or not. If the words "Dark 
Master calling" are written in Word, and they are selected with the 
mouse, the virus will show the following message on the screen:

The WordMacro/Demon macro virus was reported in the wild during the 
summer of 1997.


Hoaxes

In recent months, we have seen an especially large number of messages 
about the old Penpal Greetings and Join the Crew hoax alarms. This time 
around, there have been attempts to give the hoaxes credibility by 
claiming that the alarms have been sent by IBM, Microsoft or some other 
such party.

If these message chains are followed back, it can be seen that a warning 
has, indeed, passed through Microsoft or a comparable company. However, 
it should also be noted that the warning hasn't been sent by the 
company's security division, but by the janitor's holiday stand-in or 
some other such notable personage. Irrespective of that, the sender's 
e-mail address reads name@microsoft.com, and this is often enough to give 
an old hoax completely new gravity.

To sum it up: Penpal Greetings and Join the Crew are not viruses, but 
widely spread hoaxes. Do not spread them further. Note also that the Join 
the Crew hoax has nothing to do with the Crew virus.


------------------------------------------------------------
COMMON QUESTIONS AND ANSWERS

If you have questions about information security or virus prevention, 
contact your local F-PROT distributor. You may also contact Data Fellows 
directly at the number +358 9 859 900.

Written questions can be mailed to:

Data Fellows Ltd.
Anti-Virus Support
PL 24
FIN-02231 Espoo 
Finland

Questions may be sent by electronic mail to:

Anti-Virus-Support@DataFellows.com

Q: What is the difference between F-PROT's Windows NT Workstation and 
Windows NT Server versions?

First of all, the Server version has been optimized for server usage and 
is better suited for the heavy use NT Servers are often subject to.

An important difference can be found in the background protection driver, 
F-PROT Gatekeeper. The Gatekeeper part of the Workstation version will 
only scan files that are accessed locally (i.e. by the user who is 
holding the machine's keyboard).

The Gatekeeper in the Server version will do this and it will also scan 
files that are accessed from other machines - for example, by users who 
have mounted a server disk in their own machine.


Q: Can I install the NT Workstation version of F-PROT in an NT Server? 
Or, on the other hand, can I install the NT Server version in an NT 
Workstation?

Both installations are possible. Do notice, though, that the programs 
have separate licenses, and that the NT Server version is considerably 
more expensive.

If you install the Workstation version in a Server, bear in mind that it 
will not prevent users from copying viruses to the server. Also notice 
that the Server version does not guarantee that the local hard drives of 
the workstations are clean - it only protects the server. You'll need to 
install F-PROT to workstations as well.


Q: I just received the latest F-PROT update but it was on CD and I don't 
have a CD drive! What should I do? 

Fill in the card that was included in the shipment and mail it to us. In 
the future, we will send you updates either on diskettes or via Internet.


------------------------------------------------------------
CHANGES IN F-PROT PROFESSIONAL VERSION 3.01


Changes in F-PROT for DOS

There are no changes except the new viruses that have been added.


Changes in F-PROT for Windows

The MACRO.DEF creation date is now shown on scan reports.

The RTF extension has been added to the scanning extensions for document 
files; this will be added automatically to existing installations.

F-PROT's code has been changed in a number of places to prevent toolbar 
corruption.

Accented characters (non-English versions) are now displayed in the virus 
help dialog even when the source texts were taken from program resources 
instead of from the virus help file. 

The "Show task settings on lower pane" setting can now be enabled without 
a general protection fault in the 32-bit version of F-PROT 3.0, and with 
the correct menu types in the 16-bit version.

When a Scan Folder or Scan File task is started from the Program Manager 
or Explorer and then cancelled by clicking Cancel in the directory/file 
selection dialog, F-PROT no longer remains hidden but stays active, so it 
is now possible to exit F-PROT or start a new scan. 

Disinfecting files owned by another user no longer causes problems when 
scanning files on Unix-mounted drives. 

F-PROT no longer causes a GPF in a Windows language DLL (LANGSPA.DLL, 
LANGSCA.DLL). 

Localized versions (e.g. Finnish) no longer cause a GPF when certain 
Dead babe-infected files are scanned.

Office97 documents (Word or Excel) no longer cause a "Stack Overflow" 
error. 

The TimeLock feature is temporarily disabled in the normal shipping 
version because of problems with configuration files located in 
write-protected directories.


Changes in F-PROT for Windows NT

A bug that caused a general protection fault (GPF) during the F-PROT 
Gatekeeper installation has been corrected.

If no setting is present for the extensions of executable or document 
files (for the Scanning preferences) in the file F-PROTW.CFG, F-PROT will 
use the proper default settings, making it possible for users of F-PROT 
for NT to upgrade since version 2.25 or earlier (i.e. using the Update 
installation method of Setup) without losing the detection of macro 
viruses by NT Gatekeeper. 

The settings of a task (such as "Scan A:") can be modified even when 
there is not a diskette in the target drive, without an error message 
being given, stating that the drive is not ready. 

Because the common controls are missing in NT 3.50 (they were first 
introduced in 3.51), F-PROT didn't start at all in NT 3.50. Instead, an 
"ImageList_ReplaceIcon" error in COMCTL32.DLL was reported. This has been 
corrected: the present version of F-PROT starts with the old-style task 
list under 3.50. 

When F-Agent (95 and NT) is started, it executes the programs specified 
in the FPW-PREF.INI ExecuteX entries. 

The main program (95 and NT) will now pass the version number of the 
scanning engine to the splash DLL. 

The number of scanned boot sectors is now shown in reports (95 and NT). 


Changes in F-PROT for Windows 3.x

The scan engine version letter is now properly displayed in the F-PROT 
Gatekeeper splash screen. 


Changes in F-PROT for Windows 95

The boot sector reading routine now supports 3-mode (1.25MB) diskette 
drives used in Japan.

The Finnish language On-line Help is now functional. 

When a scheduled task started by F-Agent finds a virus, it now displays 
the scan progress dialog at the end of the scan (and the report window 
as well, if the user clicked the Report button). 

After the progress dialog or report window is closed, the main F-PROT 
window is opened at its previous position instead of being minimized to 
the task bar.

F-PROT Gatekeeper now scans files whose names contain double byte 
characters (DBCS). 

The start-up splash screen display has been corrected.

When scanning inside archives, F-PROT will pass the file extensions to 
the scanner. If the task setting is to scan executables and document 
files only, FPWM 3.0 will scan executables and document files only, even 
inside archives.

When F-Agent (95 and NT) is started, it executes the programs specified 
in the FPW-PREF.INI ExecuteX entries. 

The main program (95 and NT) will now pass the version number of the 
scanning engine to the splash DLL. 

The number of scanned boot sectors is now shown in reports (95 and NT). 


Changes in AutoInstaller

Autow32 will prompt the user to restart NT if F-PROT Gatekeeper has been 
updated. The prompt can be disabled by setting the [Gatekeeper] 
NoRebootMessageAfterNTGKUpdate= setting to a non-zero value.

A generic program group creation feature has been added, making it 
possible to create a program icon (shortcut) to any program, not only 
F-PROT.


------------------------------------------------------------
NEW VIRUSES DETECTED BY F-PROT

This version adds detection and disinfection of 325 new file and boot 
viruses and 300 new macro viruses.

(end of document)
