
F-PROT Professional 2.11 Update Bulletin
========================================

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.11 Update Bulletin; Copyright (c) 1994 Data Fellows Ltd.

-------------------------------------------------------------------------------

CONTENTS 1/94
-------------
 F-PROT Professional for Windows
 New Viruses
 The Olympic virus hits the news
 Nice virus making rounds on driver diskettes
 Ripper
 JSB
 More Windows-viruses: Cyber Riot
 The First OS/2 Virus
 Immortal Riot: Yet Another Virus Gang
 Phalcon/Skism Infiltrates Internet
 The Form Virus and Other Boot Sector Viruses
 Common Questions and Answers
 Changes in F-PROT 2.11


F-PROT Professional for Windows
-------------------------------

The Windows version of F-PROT Professional is ready. It combines the
anti-viral features of F-PROT for DOS with the opportunities provided
by the Windows environment.

Centralized Management
----------------------
F-PROT Professional for Windows can be used equally well on single-user
machines or in a network. In a network, the programs on individual
workstations form a system which can be administered from any
workstation by a single person. With the Windows version you can
transfer scanning tasks, updates, mail and reports through the
network. Infected files can also be transferred securely to the
administrator for closer examination.

New Concepts and Capabilities
-----------------------------
We have striven to make F-PROT for Windows as easy to use and as
efficient as possible. To that end, we have introduced new concepts
and capabilities into the program.

Scans are now arranged into tasks. Simply put, tasks are stored sets
of scan parameters. It is no longer necessary to define scan settings
over and over again; a task can be launched with the click of a single
button. Tasks can be created, deleted and modified at will.

The program incorporates such capabilities as background scanning,
scheduling and automatic reporting over the network, to name a few. It
is also possible to set scans to be executed when the computer is
idle.

Benefits and Drawbacks
----------------------
The Windows environment has both benefits and drawbacks for antiviral
measures. The Windows architecture makes background executions, task
scheduling and central version management possible. And since the
available memory in the Windows environment is enormous compared to
the basic DOS memory, memory-resident protection mechanisms can be
designed to be much more thorough. Thanks to the graphical user
interface, the programs are also easier to use.

On the other hand, such benefits are balanced by certain weaknesses.
In the Windows environment, security is always compromised to some
degree. This flaw is inherent, resulting from the comparatively large
number of programs that must run in order to start Windows. Since any
one of those programs may be infected, a virus may well get loose
before a Windows antivirus program can be started. To reduce the risk,
a background scanning program, such as VIRSTOP, should be active at
all times.

Under normal conditions, F-PROT Professional for Windows works well
enough on its own. However, if you have a reason to suspect a virus
infection, we recommend booting your computer from a clean diskette
and checking the hard disk with F-PROT for DOS.

You Can't Stop Progress
-----------------------
The development of the Windows version will continue ceaselessly.
The following functions that are present in the DOS-version of the
product are not yet included in the Windows version:

Scanning inside compressed files

        The program does not yet know the full range of compression 
        formats that the DOS version does. Unknown types of compressed 
        files will only be checked for external infections.

Finding polymorphic viruses

        F-PROT for Windows does not find all polymorphic viruses that 
        the DOS version recognizes. This will be corrected in the next 
        version. However, the most common polymorphic viruses (like MtE 
        viruses) are found.

Heuristic analysis

        The Heuristic Analysis scanning method is not functional yet. 
        Not to worry, though; Quick Scan and Secure Scan can handle any 
        situation except an attack by a completely new virus. Such 
        occurrences are quite rare. Most viruses are modifications of 
        old ones.

User-defined search strings

        You cannot yet define your own virus search strings. The 
        program's own search string database contains the search strings 
        of all known viruses, though. In the case of an emergency, you 
        can get an updated database from your local F-PROT distributor.

Active protection

        In the near future a special Windows-based background protector 
        will be included with F-PROT Professional for Windows. This 
        mechanism will protect computers against known viruses by using 
        our Secure Scan technology - this is something that cannot be 
        done in the DOS environment due to memory restrictions.

Virus Descriptions

        Virus descriptions are not yet included with the Windows version 
        of F-PROT. The descriptions will be implemented as easy-to-use 
        help files in the next updates.
        
The functions mentioned above are described in the User's and
Administrator's Guides. The instructions given there will apply as of
the next update.


New Viruses
-----------

The Olympic virus hits the news
-------------------------------
The VCL.Olympic virus received a lot of publicity at the beginning of
February. This was caused by the Olympic-themed activation routine of
the virus, and by suspicions that the virus had infected the computer
systems of the 1994 Winter Olympics in Lillehammer. In later checks
the virus was not found on the Lillehammer systems.

VCL.Olympic was written by a Swedish virus-writing group, Immortal
Riot. This group is discussed more closely in another story in this
Update Bulletin.

VCL.Olympic is a normal COM file infector. The method used by the
virus to search for the next file to be infected is not very
efficient, though. Once the virus has infected a large number of the
files on the hard disk, it might take half a minute for the virus to
find a new victim file. Such a slowdown is likely to make the virus
easier to spot.

The virus activates at random after the 12th of February, the date on
which the 1994 Winter Olympics started. At the time of activation, the
virus draws the Olympic rings on the screen and displays some comments
on the Games. After this, it overwrites the first 256 sectors of the
first hard disk in the system. The virus also disables Ctrl-C and
Ctrl-Break during the destruction routine. Finally, the machine hangs.

When an infected file is executed, the virus first decrypts its code.
Then it starts to recursively search for suitable victim files,
starting from the root directory of the current drive.

When the virus finds a file to infect, it first checks its size to
make sure the added virus code will not grow the file over the size
limit of COM files, 64KB. Then it inspects the first bytes of the
candidate file to see if it already contains a jump construct similar
to the one the virus is about to insert at the beginning of the file.
If such a structure is found, the virus considers the file to be
already infected and starts to search for another victim.

The virus does not check for the `MZ' or `ZM' markers to distinguish
EXE files. This means that the virus will corrupt EXE files that have
been renamed to have a COM extension. When such a corrupted file is
executed after infection, the virus will be able to spread further,
but is unable to transfer control back to the original program. In
most cases the machine will just crash.

The actual infection process consists of storing the original first
three bytes of the file at the end of the file and replacing them with
a jump to a decryption routine, which the virus also appends to the
end of the file. An encrypted version of the virus code is also stored
at the end of the file, before the decryption routine. The virus uses
a single pseudo-random variable key based on the infection time to
encrypt its code.

VCL.Olympic is able to infect files which have the DOS read-only
attribute turned on. It will also restore the date and time stamps of
the infected files. However, infected files grow in size by 1440
bytes, and this is visible in the directory listing. The virus has no
directory-stealth routines, since it does not stay resident.

VCL.Olympic has a one-in-ten chance to activate if the date is equal
to or greater than the 12th of February. The current year is not
tested, so the virus will activate in the future as well. If the virus
does not activate, it will return the control back to the original
program.

A lot of the code resembles the viruses generated by the VCL virus
generator, right down to the standard VCL-like note: a short message
at the end of the virus, which is never displayed. In this virus, the
note text reads: "Olympic Aid(s) `94 (c) The Penetrate". This virus is
probably based on VCL-created code, and has just been modified to
avoid detection by some of the most popular scanners.

F-PROT Professional 2.11 detects and disinfects VCL.Olympic.

Nice virus making rounds on driver diskettes
--------------------------------------------
The Nice virus was found for the first time in Hong Kong in January,
1994. Two weeks later a minor variant of this virus was found in a
completely different part of the world, in the northernmost part of
Scandinavian Lapland. This variant was named Nice.B, and it had
arrived in Lapland on a set of video driver diskettes provided with
new video cards.

Data Fellows Ltd. located the manufacturer of the video cards in
question in Hong Kong. However, the original diskettes were found to
be clean. Obviously the virus had infected the driver diskettes on the
way from Hong Kong to Lapland. So far, this infection case seems to be
of global scale.

The Nice virus will first infect three COM and EXE files in the
current directory. After that, it will do the same in C:\DOS
directory. Nice will not infect files that have the read-only
attribute set.

Nice overwrites the first 277 bytes of the victim files with its own
code. This means that the infected files are irreparably damaged, and
the only way to fix them is to reinstall or to restore from backups.

After finishing its infection routine, the virus displays the text
"Bad Command or file name" and terminates. The virus probably does
this in order to conceal its presence a little, as the user might just
think that he made a mistake while typing the program's name.

The size of the infected files will change only if the original length
is smaller than 277 bytes. The timestamp of the infected files will be
updated to infection time - this makes it easier to spot the infected
files.

The virus does not stay resident in memory and is very simple in
operation. It does not encrypt its code and does not contain any
activation mechanism.

The only way to disinfect the files is to replace them with clean
originals.

F-PROT Professional 2.11 detects all known members of the Nice virus family.

Ripper
------
The Ripper virus was first discovered in Norway, in November 1993.
Since then, it has also been found in the USA and Canada.

Ripper is a boot sector virus. It infects the boot records of
diskettes and the Master Boot Records of hard disks. The virus can
infect a hard disk only when someone tries to boot a computer from an
infected diskette. Once the hard disk has been infected, the infection
will spread to all non-protected diskettes used in the computer.

The virus's code is two sectors long. On a hard disk, the virus
reserves the root directory's last two sectors for its own use. It
moves the original boot record to the last sector, and stores a part
of its own code on the one before that.

Unlike many other boot sector viruses, Ripper encrypts its code. It
uses a variable key to do that, which is even more unusual. Ripper is
also a stealth virus, hiding its presence in the computer while it is
active in memory.

The virus subverts disk writes by swapping two words in the write
buffer. The virus picks the writes randomly, corrupting approximately
one write in a thousand. This kind of damage is insidious and hard to
spot - both the hard disk and the backups may be corrupted before
anyone notices the virus.

Ripper's code contains two encrypted text strings: "FUCK 'EM UP" and
"(C)1992 Jack Ripper".

F-PROT Professional 2.11 detects and disinfects the Ripper virus.

JSB
---
The JSB or J.S.Bach virus was found in northern Europe during the last
week of 1993. The virus was reported by a computer vendor, who
suspected his merchandise had already been infected when he received
it from the computers' importer. However, this suspicion could not be
proven true.

The vendor sent a sample of suspicious files to Data Fellows at the
end of December, 1993 - at this stage, the vendor did not think he was
dealing with a real infection. When F-PROT's Heuristic Analysis
reported a probable infection in the sample files, he thought he had
received a false alarm. However, a closer examination revealed the
files to be infected by a new, previously unknown virus.

JSB infects only program files with the extension COM, increasing the
size of infected files by 498 bytes. The virus infects only files in
its current directory - this means that the virus can cross between
directories only if an infected program is executed from another
directory by giving its full path name.

To demonstrate the point, let us suppose that a program is executed
from AUTOEXEC.BAT with a command like C:\DOS\MODE.COM. Since
AUTOEXEC.BAT is located in the root directory, the virus will be able
to infect files in the root directory.

Since the virus does not perform any checks on the victim file's
internal structure, it will also infect files that are structurally
EXEs, but which have been renamed COMs. Such files are damaged by the
infection, and they cannot be executed normally afterwards.

When the virus is searching for a victim file to infect, it makes the
following checks on the likely candidates:
  
o   The file may not be already infected. The virus marks infected
    files by placing the characters `JSB' near the beginning of the
    file (at offset 3 from the file's beginning)

o   The file must be larger than 15 bytes

o   The file must be smaller than 64513 bytes - the virus checks this
    in order to keep the size of infected files below the upper size
    limit of COM files, which is 64 KB
    
When a suitable victim file turns up, the virus infects it by changing
the file's first 16 bytes and appending the actual virus code. The
infection will spread further the next time the program is executed.

Since the virus does not stay resident in memory, it will only spread
when infected files are executed. Infected files can be transferred
from one computer to another via any channel that allows the exchange
of executable programs. Such channels include floppy disks, networks
and modem connections.

The J.S. Bach virus can also infect files that have been protected
with the DOS Hidden or Read-Only attributes. The virus does not update
the date or time stamps of the files. The virus contains the text
`J.S. Bach by TXQ', but does not display it.

When the virus is executed, it checks the current date. If the year is
1993 and the day of the month is later than the 20th, the virus
activates. If the year is not 1993 - the situation applying currently
and in the future - the virus activates on every day of the year.

When the virus activates, it installs a tiny routine to be resident in
memory. This routine will then assume control over all disk
activities.

The disk-controlling routine is installed in low DOS memory, and it
overwrites a part of the interrupt vector table. Since the routine
does not consume any DOS memory, it cannot be seen with the usual
memory mapping utilities. The BIOS disk interrupt INT 13h will be
redirected to this routine. Every time INT 13h is called, the virus
will increment a counter. One of every 200 disk access requests is
redirected to point to the first physical drive (typically floppy
drive A:) instead of the original disk. This causes the floppy drive
A: to spin occasionally when the virus is active.

The damage caused by this routine cannot be easily estimated. A likely
result is that a large amount of data on the hard disk gets corrupted.
The corruption starts when, for example, a program or DOS itself tries
to read the allocation or directory information, and the virus
redirects the read request to the floppy drive instead of the hard
disk. Later on, information that is based on this wrong data is
written on the hard disk, causing random corruption. This kind of
damage is quite fatal, since one cannot determine which data is
correct and which has been corrupted. If the virus manages to stay
unnoticed for long enough, backups will also be corrupted.

Although the structure of the virus is simple, the routines
incorporated in it are quite destructive. The virus itself can be
easily found and removed.

F-PROT Professional 2.11 detects and disinfects the JSB virus.


News In Short
-------------

More Windows-viruses: Cyber Riot
--------------------------------
Cyber Riot is the first truly advanced Windows virus. Until now,
Windows viruses have been cumbersome, slow to spread, and technically
quite rudimentary. Cyber Riot, however, is a real threat in Windows
environment.

What makes the new virus so remarkable is that it is able to use the
Windows dynamic-linking structure and pass control smoothly to the
programs it has infected once its own code has finished executing.
Previous Windows viruses have been unable to do this. Cyber Riot also
stays resident in the background while Windows is active.

Cyber Riot spreads through Windows applications. When an infected
application is run, the virus strives to strike at the Windows kernel
file. Once the kernel file is infected, the virus starts together with
Windows and infects every Windows application that is run on the
computer.

The virus activates on certain dates, displaying message boxes. After
the user clicks OK to remove the box, the virus overwrites a part of
the hard disk.

Cyber Riot infects only Windows applications and the Windows kernel
file. The virus is unable to spread under DOS. However, since many
people use only Windows in their computers, this handicap does not
necessarily slow the virus's spread to any great degree.

The First OS/2 Virus
--------------------
For a long time, people have been wondering when the first OS/2 virus
will appear. Experts and laymen alike have speculated about its
potential for destruction.

Well, now it has finally happened. The first OS/2 virus has been
found. However, the virus was neither discovered in the wild, nor does
it live up to its fierce, if premature, reputation. The virus's source
code was published in the latest issue of 40Hex, the electronic
magazine distributed by the virus group Phalcon/Skism.

The virus is a simple EXE file infector. It only infects files in its
current directory. The virus can cross directory boundaries only if an
infected program is executed from some other directory. It does not
remain resident in memory.

Despite its shortcomings, the virus is a pioneer. It is completely
functional under OS/2, and able to handle the HPFS (High Performance
File System). Even if this specimen does not seem very threatening,
that is no reason to let your guard down; other, more dangerous
viruses will surely follow it.

Immortal Riot: Yet Another Virus Gang
-------------------------------------
Swedish soil seems to provide fertile ground for raising virus groups.
We remember Beta Boys, Demoralized Youth and the Funky Pack of Cyber
Punks. Now a new group, Immortal Riot, has entered the scene.

According to the latest information, Immortal Riot consists of four
members, all of whom have some experience in writing viruses. Thus
far, the group has published and distributed about thirty viruses.
Most of these viruses are new variants of existing strains.

The viruses the group has made or modified are not examples of
technical brilliance. The opposite, in fact. Some of them crash the
computer or do something else that clearly manifests their presence to
even the uninitiated. Others are just plain crude.

The group publishes its own electronic magazine, the Insane Riot,
which contains articles by the group members themselves and their
associates, virus source code, and assorted back-patting and
back-stabbing aimed at other members of the virus community.

Phalcon/Skism Infiltrates Internet
----------------------------------
Phalcon/Skism is acting up again. The international virus group has
opened its own area in the Internet's discussion forum, IRC. IRC is a
real-time system where participants see the comments and arguments
written by other chatters instantaneously, regardless of the talkers'
physical location in the world.

Anybody can open up a new discussion area in IRC. The areas are
temporary and will stay open as long as they have users. It is also
possible to create "robots" which keep areas open indefinitely.
Phalcon/Skism has installed such a robot in its own, virus-oriented
discussion area. The group's robot is also able to send files to
whoever requests them.

The new area is both a distribution site and a discussion forum. Since
it is public, anyone can join a discussion about latest virus-writing
techniques or just pick up some viruses. By all accounts, traffic in
the area seems lively.

The site is used for distributing viruses, viral source codes and the
40Hex magazine. The magazine is Phalcon/Skism's own publication,
containing tips about virus writing, the source codes of viruses and
articles by distinguished virus writers. 40Hex has been discussed at
length in previous Update Bulletins.

Since Phalcon/Skism changes the domain from which its robot connects
every now and then, it has proven difficult to put a stop to the
activity. Site administrators have been informed of the matter, but so
far the group has been allowed to continue its activities.


The Form Virus and Other Boot Sector Viruses
--------------------------------------------

Form was first discovered in Zürich, Switzerland, in February 1990.
The virus remained rare for quite a long time, but in 1992 the
incidents involving Form began to increase rapidly, and at the moment
Form is by far the most common virus in most parts of the world. In
Great Britain, for example, one out of three virus incidents involves
Form.

To spread so quickly, the virus has probably been carried on some
original diskettes. It is likely that some preformatted diskettes have
also spread the infection somewhere along the line. Two versions of
the virus, Form.A and Form.B, have been known for some time. These two
are not functionally different from each other. They were recently
joined by a new variant, named Form II, which was discovered in a
university in Britain.

Since Form is a boot sector virus, capable of contaminating a computer
only if it is booted from an infected diskette, it cannot spread over
a network or a modem connection. When a computer is turned on, it
first tries to execute a program from the boot sector of the diskette
in drive A. If the drive is empty, the computer boots from the hard
disk.

By using Setup, most current computers can be set to boot directly
from the hard disk. This practice is highly recommended. However,
while the direct hard disk boot makes a computer practically
invulnerable to boot sector viruses, it does nothing to protect it
against viruses of other kinds.

Boot sector viruses and different operating systems
---------------------------------------------------
Since the startup process of PC computers is handled by their own
internal BIOS, it is independent of the operating system. This makes
it possible for boot sector viruses to infect computers that do not
use DOS at all. Most of them do so indiscriminately, with no regard to
the computer's operating system. If the operating system is not DOS,
though, the viruses are usually unable to function normally.

When viruses infect a hard disk that does not contain DOS at all, they
find themselves suddenly in the middle of an unfamiliar environment.
The consequences depend on the virus in question: the virus may just
get stuck in the boot sector and be unable to spread further, it may
render the hard disk inaccessible, or it may crash the computer during
the next startup.

Operating systems such as OS/2, Windows NT or the various versions of
Unix, do not offer the interrupt services the viruses need in order to
spread themselves. However, this does not prevent the virus code from
being executed every time the computer is started. For example, the
fact that the Michelangelo virus is unable to spread itself further in
an unfamiliar system does not prevent it from overwriting the hard
disk every sixth of March.

Non-System Disk
---------------
All formatted diskettes have a short program in their boot sectors.
The boot sector program contains information about the diskette's
type. When a computer is booted from a diskette, this program attempts
to execute DOS system files at the beginning of the diskette. If it
does not find the files, it displays the following message:

        Non-System disk or disk error
        Replace and strike any key when ready
        
The wording of the message varies between different DOS versions. If
the diskette has been contaminated by a boot sector virus, the virus
has already infected the hard disk by this time.

Since all diskettes contain the boot sector program, empty ones may
carry an infection as well as system diskettes. A common way for the
infection to spread is that a user forgets a contaminated diskette in
drive A when he turns the computer off. If the diskette is still in
the drive when the computer is turned back on, the virus infects the
hard disk.

The Functioning of the Form Virus
---------------------------------
When a computer is booted from an infected diskette, the viral code in
the diskette's boot sector is executed. The virus first allocates two
kilobytes of memory in the upper part of RAM memory for itself and
loads the last two kilobytes of its code from the diskette. Having
done so, it infects the hard disk's boot sector. On the diskette, the
second part of the viral code is stored on what is supposed to be a
bad sector area. When the virus infects a diskette, it creates such an
area for the express purpose of hiding its code. If Form encounters an
error while reading the second part of its code, it usually jams the
computer. Such errors may result if, for example, the virus does not
wait long enough for the diskette drive's motor to start.

When Form infects a hard disk, it reads the partition table and boot
record and checks whether it has already infected that particular hard
disk. If the hard disk is uninfected and its sector size is the normal
512 bytes, the virus stores the second part of its code and the
original boot record at the end of the physical hard disk, usually on
the last two sectors. Having done that, Form writes the first part of
its code on the hard disk's boot sector. Once the hard disk has been
infected, the virus activates every time the computer is booted.

Form checks the boot sector offsets 136-137 to determine whether a
diskette or hard disk is already infected. If it encounters the
hexadecimal bytes FE and 01 there, it concludes that the diskette or
hard disk is already contaminated and does not re-infect it.
Otherwise the virus copies its code to the boot sector.
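As an added example (not code from the bulletin or from F-PROT), the following Python checks raw images for the two infection markers this bulletin describes: Form's FE 01 at boot sector offsets 136-137 and the characters `JSB' at offset 3 of a COM file infected by JSB. The sample boot sector and COM image are constructed here; a marker hit is a triage signal worth confirming with a scanner, not a verdict.

```python
"""Infection-marker checks for two viruses described in the bulletin.

All offsets, marker bytes and size limits come from the bulletin text;
the sample images below are constructed for demonstration only.
"""
from __future__ import annotations

SECTOR_SIZE = 512             # Form only handles the standard 512-byte sector size
FORM_MARKER_OFFSET = 136      # bulletin: Form inspects boot sector offsets 136-137 ...
FORM_MARKER = b"\xfe\x01"     # ... and treats FE 01 there as "already infected"
BOOT_SIGNATURE = b"\x55\xaa"  # standard boot-sector signature at offset 510

JSB_MARKER_OFFSET = 3         # bulletin: JSB writes 'JSB' at offset 3 of the file
JSB_MARKER = b"JSB"
JSB_GROWTH = 498              # bulletin: infected COM files grow by 498 bytes
JSB_MIN_VICTIM = 16           # bulletin: the victim must be larger than 15 bytes
COM_SIZE_LIMIT = 64 * 1024    # bulletin: 64 KB upper size limit for COM files


def form_marker_present(sector: bytes) -> bool:
    """True if a boot sector carries Form's own 'already infected' marker."""
    if len(sector) != SECTOR_SIZE:
        return False  # Form neither infects nor marks non-512-byte sectors
    return sector[FORM_MARKER_OFFSET:FORM_MARKER_OFFSET + 2] == FORM_MARKER


def jsb_marker_present(image: bytes) -> bool:
    """True if a COM image carries JSB's marker at a plausible infected size."""
    # An infected file is at least the smallest victim plus the appended code.
    if len(image) < JSB_MIN_VICTIM + JSB_GROWTH or len(image) > COM_SIZE_LIMIT:
        return False
    return image[JSB_MARKER_OFFSET:JSB_MARKER_OFFSET + 3] == JSB_MARKER


def triage(kind: str, data: bytes) -> list[str]:
    """Return the marker hits for one image; kind is 'boot' or 'com'."""
    hits: list[str] = []
    if kind == "boot" and form_marker_present(data):
        hits.append("Form marker FE 01 at boot sector offsets 136-137")
    if kind == "com" and jsb_marker_present(data):
        hits.append("JSB marker 'JSB' at COM offset 3")
    return hits


# --- constructed samples (not real virus code) ------------------------------

def make_boot_sector(infected: bool) -> bytes:
    """A minimal DOS-style boot sector, optionally bearing Form's marker."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"   # typical JMP SHORT + NOP opening of a boot sector
    sec[3:11] = b"MSDOS5.0"      # OEM name field
    if infected:
        sec[FORM_MARKER_OFFSET:FORM_MARKER_OFFSET + 2] = FORM_MARKER
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def make_com(infected: bool) -> bytes:
    """A tiny constructed COM program, optionally in its JSB-infected shape."""
    # Clean program: print "Hello$" via DOS INT 21h, then return (plus padding).
    body = b"\xb4\x09\xba\x0e\x01\xcd\x21\xc3" + b"Hello$" + bytes(40)
    if not infected:
        return body
    # The bulletin says JSB rewrites the first 16 bytes and appends 498 bytes;
    # modelled here as a jump, the marker, padding, and 498 zero bytes of "code".
    head = b"\xe9\x00\x00" + JSB_MARKER + bytes(16 - 6)
    return head + body[16:] + bytes(JSB_GROWTH)


if __name__ == "__main__":
    for label, kind, data in (
        ("clean boot sector", "boot", make_boot_sector(False)),
        ("Form-marked boot sector", "boot", make_boot_sector(True)),
        ("clean COM", "com", make_com(False)),
        ("JSB-marked COM", "com", make_com(True)),
    ):
        print(f"{label:24s} {len(data):5d} bytes  {triage(kind, data) or 'no marker'}")
```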

While in memory, Form monitors read operations on diskettes in drives
A and B. When track zero is read, the virus checks whether the
diskette has already been infected. If the diskette is clean, Form
tries to infect it; the read of an already contaminated diskette is
allowed to proceed normally. Form infects diskettes with a sector size
of 512 bytes - that is to say, all standard diskettes. In some cases
Form fails to infect a diskette properly, and this may cause problems
when the virus is being removed.

When the virus infects a diskette, it first marks two sectors as bad
and then copies the original boot record and the second part of its
code on this area. After this, Form writes the first part of its code
on the diskette's boot sector and allows the diskette read to proceed
normally. The virus has been named after the following message, found
inside the viral code on the bad sector area: "The FORM-Virus sends
greetings to everyone who's reading this text. FORM doesn't destroy
data! Don't panic! Fuckings go to Corinne."

Although Form is in no way extraordinary or unusual, it is still one
of the most common viruses.

Activation
----------
After the virus has loaded itself into memory, it checks the date in
the computer's clock. On the 18th day of any month, the virus may
cause the computer to beep whenever a key is pressed. Some sources
claim that Form causes the beeping on 24th, but this is due to a
misunderstanding that has its roots in the difference between
hexadecimal and decimal numbering systems (18h = 24d).

The DOS KEYB keyboard driver prevents Form from beeping, because it
uses the same interrupt as the virus, the interrupt 9h, and crowds it
out. So in most systems the virus goes completely unnoticed, because
there is no visible or audible activation routine.

Disinfection
------------
F-PROT can reliably disinfect the virus. If the virus has been unable
to infect a diskette properly, however, it cannot be removed by any
anti-virus program, since the original boot sector it destroyed no
longer exists anywhere. The boot record can be restored by using DOS's
SYS command, which creates a new boot record on diskettes and hard
disks.

If the command is used with DOS versions older than 5.0, it also
copies the operating system onto the diskette, so the diskette must
have enough free space to hold the hidden system files. An alternative
way to restore the boot record is to use a utility program which
overwrites the contents of the boot sector with a generic boot record
substitute - the program FIXBOOT, supplied with F-PROT Professional,
is able to do this.

If a large number of diskettes have been contaminated, the easiest way
to disinfect them is to copy the files elsewhere by using the commands
COPY or XCOPY and then format the diskettes. If the operating system
in use is DOS 5.0 or 6.0, the parameter /U must be given to the FORMAT
command, because otherwise the viral code may be restored if the
UNFORMAT command is used. The DISKCOPY command cannot be used to copy
the files from the infected diskettes elsewhere, for it copies
everything on a diskette, including the virus.

The disinfection operation starts by booting the computer from a clean
diskette, because the computer's memory must be clean before the virus
can be removed. Form reinfects disks immediately after they have been
cleaned if it is allowed to remain in memory.

When Form and other boot sector viruses are being removed, special
attention must be paid to the cleaning of diskettes. Since boot sector
viruses usually infect all diskettes that are not write-protected,
they can contaminate a great number of diskettes in a short time.

Consequently, a computer runs a risk of being infected every time
somebody forgets to remove such a diskette from its drive. All
diskettes used in a contaminated computer must be checked for viruses
in order to prevent the virus from reinfecting the system.

In order to avoid new infections, the memory-resident part of F-PROT,
VIRSTOP, should be used at all times with the /BOOT parameter on.
Whenever diskettes are used in the computer while this parameter is
on, VIRSTOP checks them for boot sector viruses and gives a warning if
it finds any.

Companies might find it worthwhile to use a solution called the PC
Health Station, in which one or more computers are converted to
monitor for viruses. If all diskettes coming from outside the company
are checked in a Health Station, viruses will find it hard to infect
the organization's system.


Common Questions and Answers
----------------------------

If you have questions about data security or antivirus issues, please
contact your local F-PROT distributor. You can also contact Data
Fellows Ltd. directly by telephone at 358-0-692 3622. Written questions
can be mailed to: Data Fellows Ltd, F-PROT Support, Wavulinintie 10,
00210 HELSINKI, Finland. If you prefer e-mail, the Internet address is
F-PROT@DF.elma.fi, and the X.400 address is: S=F-PROT, OU1=DF, O=elma,
P=inet, A=mailnet C=fi.

Why can't I scan diskettes in drive A if I have executed F-PROT from a
diskette in the same drive?
        
        The program's virus search string database and language files
        are too large to be loaded into memory, because we want to keep
        F-PROT's memory requirements to a minimum. Since F-PROT needs
        these files during scanning, it must have continuous access to
        the disk where they are stored. The recommended course of action
        is to execute F-PROT from the diskette, make sure that the
        computer's hard disk is clean, and then install F-PROT on the
        hard disk.

        If you do not have the inclination or the disk space to do that,
        you can bypass the limitation by creating a RAM disk and
        installing the program on it.


I use a keyboard driver to provide national characters for my special
keyboard. However, when this utility, KEYB102.COM, is loaded,
VIRSTOP's /WARM function does not work at all.

        If VIRSTOP is started with the /WARM parameter, it monitors the 
        keyboard to see whether the keys Ctrl-Alt-Del are pressed. When 
        that happens, it checks the diskette in drive A.

        Some keyboard drivers take the keyboard interrupt entirely for
        themselves: when they are loaded into memory, they push out every
        other program that uses the interrupt. KEYB102 is one of them.
        Programs such as VIRSTOP or SMARTDRV stop working properly if
        the driver is loaded into memory after them. The KEYB.COM driver
        supplied with MS-DOS does not cause this problem.

        The problem can be solved by changing the order in which the
        programs are loaded into memory. If KEYB102 is loaded first, it
        cannot prevent the programs loaded after it from using the
        keyboard interrupt.


How can I create a clean boot diskette?

        Check your computer with F-PROT before you do anything else.
        That way, it is more certain that the boot diskette really is
        clean.
        
        You can create a basic DOS boot diskette by formatting a 
        diskette with the command FORMAT/S. The /S parameter causes the 
        operating system to copy system files to the diskette.
        
        However, that is not always enough. If you use drivers that
        have to be loaded into memory before the computer can be used
        normally (SCSI hard disk drivers, national keyboard drivers,
        network drivers, disk compression drivers and so on), the
        commands that load the drivers must be added to the boot
        diskette's CONFIG.SYS and AUTOEXEC.BAT files.
        
        Consult the manuals of the corresponding applications to find 
        out the needed drivers and commands. The driver programs 
        themselves must also be copied to the boot diskette, and all 
        references to them in the CONFIG.SYS and AUTOEXEC.BAT files must 
        point to the copies stored on the diskette - otherwise you might 
        be executing infected files from the hard disk during the 
        booting.
        
        An additional note: due to a bug in DOS, FORMAT /S copies
        whatever file the COMSPEC environment variable points to onto
        the diskette and names it COMMAND.COM. This causes problems
        only if you are using a third-party command interpreter instead
        of the usual COMMAND.COM.
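The requirement above, that every driver and program the boot diskette loads
must come from the diskette itself, is easy to get wrong when CONFIG.SYS and
AUTOEXEC.BAT are copied over from the hard disk. The following Python script is
an added example, not part of the bulletin or of F-PROT: it parses the two
files, reports every DEVICE/DEVICEHIGH/INSTALL/SHELL line and every AUTOEXEC.BAT
command that refers to a drive other than A:, and also points out commands that
carry no drive letter at all, since those are found through PATH and may come
from the hard disk. The sample files are constructed for this example; the
file names in them are placeholders.

```python
"""Audit a clean boot diskette's CONFIG.SYS and AUTOEXEC.BAT (added example)."""
import re

BOOT_DRIVE = "A"
# CONFIG.SYS directives that load code; BUFFERS=, FILES= and friends load nothing.
CONFIG_DIRECTIVES = ("DEVICE", "DEVICEHIGH", "INSTALL", "INSTALLHIGH", "SHELL")
# COMMAND.COM built-ins that never start an external file.
INTERNAL_COMMANDS = {"ECHO", "SET", "PATH", "PROMPT", "REM", "CLS", "VER", "CALL", "IF", "GOTO"}
# A drive-qualified path such as C:\DOS\HIMEM.SYS (or just C:\).
DRIVE_REF = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")


def _check_drive_refs(filename, lineno, text):
    """One finding per reference to a drive other than the boot diskette."""
    out = []
    for m in DRIVE_REF.finditer(text):
        drive = m.group(1).upper()
        if drive != BOOT_DRIVE:
            out.append(f"{filename} line {lineno}: refers to drive {drive}: ({text.strip()})")
    return out


def _command_word(line):
    """First token of a batch line, skipping an LH/LOADHIGH prefix."""
    parts = line.split()
    if len(parts) > 1 and parts[0].upper() in ("LH", "LOADHIGH"):
        parts = parts[1:]
    return parts[0] if parts else ""


def audit_config_sys(text):
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() in CONFIG_DIRECTIVES:
            findings.extend(_check_drive_refs("CONFIG.SYS", lineno, value))
    return findings


def audit_autoexec_bat(text):
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        if not line or line.upper().startswith("REM"):
            continue
        findings.extend(_check_drive_refs("AUTOEXEC.BAT", lineno, line))
        word = _command_word(line)
        head = word.split("=", 1)[0].upper()        # PATH=C:\DOS -> PATH
        if head and head not in INTERNAL_COMMANDS and not DRIVE_REF.match(word):
            findings.append(f"AUTOEXEC.BAT line {lineno}: '{word}' is found through PATH; "
                            f"make sure it is a copy on {BOOT_DRIVE}:")
    return findings


# Constructed sample files for this example (a half-converted boot diskette).
SAMPLE_CONFIG_SYS = """\
DEVICE=C:\\DOS\\HIMEM.SYS
DEVICE=A:\\ASPI4DOS.SYS
FILES=30
SHELL=C:\\COMMAND.COM C:\\ /P
"""
SAMPLE_AUTOEXEC_BAT = """\
@ECHO OFF
PATH=C:\\DOS
KEYB SU,,A:\\KEYBOARD.SYS
LH C:\\DOS\\MOUSE.COM
A:\\F-PROT.EXE
"""

if __name__ == "__main__":
    for finding in audit_config_sys(SAMPLE_CONFIG_SYS) + audit_autoexec_bat(SAMPLE_AUTOEXEC_BAT):
        print(finding)
```

On the sample, HIMEM.SYS, the SHELL line, PATH and MOUSE.COM are all reported
as hard disk references, and KEYB is reported because it would be resolved
through that PATH, exactly the situation the answer above warns about.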

When I was installing DOS 6.2 on my computer, I received the warning
"Boot sector write, possible virus. Continue Y/N?". What caused the
warning? Is my computer infected?

        All the newer AMI BIOSes give this warning when something tries
        to write to the hard disk's boot sector. The warning is
        justified, because it can stop boot sector viruses from
        infecting the computer.
        
        However, the DOS 6.2 installation program must make some 
        legitimate changes in the boot sector. You can either ignore the 
        warning when you are installing the program, or turn it off for 
        the duration. The warning can be switched off in the computer's 
        Setup. Remember to turn it back on when you have completed the 
        installation.


Changes in F-PROT 2.11
----------------------

A CMOS check has been added to F-PROT: if the SETUP information claims
that the computer does not have a drive A, F-PROT aborts and asks for
further instructions. This is done to defeat the trick used by viruses
like ExeBug, which prevent the machine from being booted from a clean
diskette by modifying the SETUP information. If the computer really
does not have a drive A, F-PROT can be started with the /NOFLOPPY
parameter.

F-PROT's virus naming system now adheres to CARO's naming standards.
When, for example, F-PROT used to report an infection caused by the
Sunday.A variant of the Jerusalem virus as Jerusalem (Sunday.A), it
now reports it as Jerusalem.Sunday.A. Blanks in viruses' names have
been replaced with underscores.

If F-PROT is started from a diskette, it prevents other diskettes from
being scanned in the same drive. The program needs to be in continuous
touch with the diskette it was started from, because it requires
access to its database during scanning.

The maximum number of user-defined search strings has been raised to 20.

VIRSTOP now checks the boot sectors of diskettes by default. In
earlier versions, this option had to be turned on separately. The check
can be toggled with the /BOOT and /NOBOOT parameters.

A new file, VIRLIST.LIS, has been added to the MATERIAL directory on
the update diskette. This file contains the names of all the viruses
detected by F-PROT, including viruses that are not yet described in
the program's virus help section.

A generic boot sector disinfector, FIXBOOT, has been added to the
update diskette's MATERIAL directory. This program overwrites the
contents of a boot sector with a generic boot record substitute.
FIXBOOT can be used to repair boot records damaged by boot sector
viruses even when F-PROT refuses to disinfect the diskette, which
happens when the original boot sector cannot be found.

If earlier versions of F-PROT were started with the /HARD parameter,
they couldn't recognize all partitions of the hard disk if the
computer was using a Seagate disk manager or a similar product from
OnTrack. The problem has now been corrected, although it was mainly
caused by disk managers that were more or less incompatible with DOS.

When a self-modifying program called ALREADY.COM was scanned with
Heuristic Analysis, F-PROT used to report it as having been infected
by an unknown virus. This was a false alarm, and it has now been
corrected.

If F-PROT finds a file which seems to be destroyed by the
Vienna.Reboot virus (this virus inserts a reset-jump to the beginning
of some programs), it will not report anything if the file is named
REBOOT.COM or RESET.COM (in these files, the reset-command is
legitimate).
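The exception described above is a name-based suppression of one specific
false alarm. The Python example below is added here and is not F-PROT's code:
it looks for a COM file whose first instruction is a far jump to the CPU reset
vector and reports it unless the file is called REBOOT.COM or RESET.COM. The
bulletin does not give the exact bytes Vienna.Reboot writes, so treating the
two conventional reset-vector jump encodings as the marker is an assumption of
this example, and the sample files are constructed.

```python
"""Reset-jump check with the REBOOT.COM / RESET.COM exception (added example)."""

# jmp far FFFF:0000 and jmp far F000:FFF0 both land on the BIOS reset entry
# point. Assumption: either one counts as the reset jump the bulletin mentions.
RESET_JUMPS = (bytes([0xEA, 0x00, 0x00, 0xFF, 0xFF]),
               bytes([0xEA, 0xF0, 0xFF, 0x00, 0xF0]))
LEGITIMATE_NAMES = {"REBOOT.COM", "RESET.COM"}


def starts_with_reset_jump(data):
    return any(data[:5] == jump for jump in RESET_JUMPS)


def check_com_file(path, data):
    """Return a finding string, or None when the file should not be reported."""
    if not starts_with_reset_jump(data):
        return None
    base = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
    if base in LEGITIMATE_NAMES:
        return None                      # a reboot utility is supposed to start this way
    return f"{path}: starts with a jump to the reset vector (possible Vienna.Reboot damage)"


def scan(files):
    """files: mapping of path -> file contents. Returns findings in path order."""
    return [f for f in (check_com_file(p, d) for p, d in files.items()) if f]


# Constructed sample files; none of these is a real program.
SAMPLE_FILES = {
    "C:\\UTIL\\REBOOT.COM": RESET_JUMPS[0],                     # legitimate reboot utility
    "C:\\UTIL\\HELLO.COM": RESET_JUMPS[0] + b"\x90" * 20,       # program damaged by a reset jump
    "C:\\UTIL\\OK.COM": bytes([0xB4, 0x4C, 0xCD, 0x21]),        # mov ah,4Ch ; int 21h
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

The trade-off is the same one the bulletin accepts: the suppression is keyed
on the file name only, so a damaged program that happens to be named RESET.COM
goes unreported, while any other file starting with the reset jump is flagged.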


New viruses detected by F-PROT 2.11
-----------------------------------
The following 43 viruses are now identified, but cannot be removed
because they overwrite or destroy infected files. Some of them were
detected by earlier versions of F-PROT, but only reported as "New or
modified variant of...".

Adams.Wednesday        HLLO.3008               Milan.WWT.125.C 
Burger.512             HLLO.3521               Rythem.808.A    
Burger.560.M           HLLO.3800               Rythem.808.B    
Burger.560.X           HLLO.4096               Rythem.814      
Burger.560.Y           HLLO.4340               Rythem.907      
Burger.560.AG          HLLO.4372               Rythem.1992     
Burger.560.AI          HLLO.4778               Tack.460        
Burger.560.AJ          HLLO.Harakiri.B         Trivial.29.B    
Burma.442.B            Leprosy.570             Trivial.30.G    
Burma.563              Leprosy.664.A           Trivial.33      
Deicide.665            Leprosy.664.B           Trivial.39.B    
Grog.512               Leprosy.AoD.I           Trivial.45.E    
Grog.1146              Leprosy.5370.A          VCL.347         
Grog.1207              Leprosy.5370.B          VCL.409         
                                               VCL.Mindless    

F-PROT can detect and remove the following 385 new viruses. Earlier
versions of the program could detect many of these viruses. Now they
are also identified accurately.

_229                              Murphy.Swami.D                   
_343                              Murphy.Tormentor.E               
_377                              NGV.1680.A                       
_397                              NGV.Cousin                       
_495                              NGV.Gomes                        
_512                              NGV.Lurch                        
_977                              NGV.Morticia                     
_948                              NGV.Pugsley                      
_1099                             NGV.Thing                        
_1364                             NGV.Uncle                        
_1588                             Nice.A                           
_2000                             Nice.B                           
Agena                             Nina.D                           
Akuku.889.C                       Noon Beep.1666                   
Arriba.B                          November 17th.706                
Ash.441                           Npox.963.B                       
Ash.451                           Npox.1708                        
Ash.737                           Nympho.845                       
Ash.1604                          Old Yankee.Enigma.B              
AT.140.B                          Old Yankee.Enigma.C              
Australian Parasite.338           Omud                             
Australian Parasite.369           Paola.538                        
Australian Parasite.377           Paola.1110                       
BA                                Paturuzu                         
Baobab.2304                       PeaceMan                         
Barrotes.1310.B                   Phalcon.894                      
Barrotes.1310.C                   Phalcon.Maria K                  
Barrotes.1310.D                   Phoenix.800.C                    
Barrotes.1310.E                   Phx.823                          
Better World.B                    Piaf                             
Better World.C                    Piter.B                          
Bloody Warrior                    Piter.C                          
Breaking                          Pixel.251                        
Bupt.1220.B                       Pixel.AVV                        
Capicua                           Poor Man                         
Carioca.B                         Protect.1323                     
Cascade.1699                      Prudents.B                       
Cascade.1701.I                    Prudents.C                       
Cascade.1701.Jojo.F               PS-MPC.G2.341                    
Cascade.1701.M                    PS-MPC.344                       
Cascade.1702                      PS-MPC.346                       
Cascade.1704.Q                    PS-MPC.348                       
Cascade.1704.R                    PS-MPC.352                       
Casino.B                          PS-MPC.361                       
Casino.C                          PS-MPC.G2.425                    
Chaos.G                           PS-MPC.G2.429                    
Chaos Year.1837                   PS-MPC.432                       
Chrome                            PS-MPC.565                       
Clonewar.228                      PS-MPC.569                       
Clonewar.246                      PS-MPC.572                       
Clonewar.261                      PS-MPC.573.A                     
Commando.421                      PS-MPC.573.B                     
Commando.498                      PS-MPC.574.B                     
Crew.2480.C                       PS-MPC.577.A                     
Crew.2480.E                       PS-MPC.577.B                     
Crew.2480.F                       PS-MPC.578.B                     
Cybercide.1307                    PS-MPC.578.C                     
Danish Tiny.308                   PS-MPC.589                       
Danish Tiny.311                   PS-MPC.G2.598                    
Danish Tiny.476                   PS-MPC.600                       
Dark Avenger.1800.J               PS-MPC.603                       
Dark Avenger.1800.K               PS-MPC.605                       
Dark Avenger.1800.Singapore       PS-MPC.606                       
DataCrime II.1514.D               PS-MPC.607                       
Dead.1362                         PS-MPC.611.A                     
Deicide II.595                    PS-MPC.611.B                     
Deicide II.2404                   PS-MPC.927                       
Deicide II.2569                   PS-MPC.AntiPrint                 
Demented                          PS-MPC.Deranged.490              
Democracy                         PS-MPC.Generix                   
Diamond.485                       PS-MPC.Seven Percent Skeleton.626
Diamond.568                       PS-MPC.Swansong.1521             
Diamond.584                       PS-MPC.Viraxe                    
Diamond.609                       PS-MPC.Z10.763                   
Diamond.614                       Quadratic.981                    
Diamond.978                       Quadratic.1285                   
Dlsu                              Quit-1992.B                      
Dnr.331                           Rage.486                         
Dur.397                           Red Diavolyata.830.D             
Egg.833                           Riihi                            
Egg.1000                          Satyricon.348                    
Eight Tunes.B                     Sentinel.4636                    
Espacio                           Seventh Son.426                  
Exunt                             Seventh Son.428                  
F-You.417.B                       Seventh Son.473                  
F-soft                            Shark.1027                       
Faerie.349                        Shark.1283                       
Family                            Skew.458                         
Feelbad                           Slash                            
Fifo                              Spring.640                       
Finnish Sprayer                   Stardot.682                      
Fission                           Stardot.979                      
Flash.688.C                       Stoned.Standard.Collor           
Flip.2153.E                       Storm.1217                       
Flip.2365                         Suriv 1.April 1st.D              
Freew.718.B                       Suriv 2.C                        
Friday the 13th.417               Suriv 2.D                        
Frodo.4096.I                      Suriv 2.E                        
Gergana.182.B                     Suriv 2.F                        
Gippo.Earthquake                  Suriv 2.G                        
Golgi.385                         Suriv 2.H                        
Green Caterpillar.1575.F          Svc.1689.D                       
Green Caterpillar.1989            Svc.1689.E                       
Grog.495                          Swedish Boys.Headache.441        
Grog.547                          Syslock.Syslock.E                
Grog.765                          Tajfun                           
Grog.903                          Taurus                           
Grog.1013                         Tenbytes.1451.B                  
Gusano                            Tenbytes.1451.C                  
Happy New Year.1560               Tenbytes.1554.B                  
Happy New Year.1600.B             Tenbytes.1554.C                  
Happy New Year.1600.C             Thirteen Minutes.B               
Happy New Year.1614               Tic.93.B                         
Helloween.1684                    Tolbuhin.626                     
Hey You.B                         Tolbuhin.992.B                   
HLL.3678                          Tolbuhin.1004.B                  
HLL.5602.A                        Traveler Jack.980.B              
HLL.5602.B                        Trickster                        
HLL.5938                          Troi.B                           
HLLC.Christmas                    Trojector.1561                   
HLLC.Globe.7705                   Turn.557                         
Holiday                           Twister.451                      
Hymn.Hymb.B                       Twister.863                      
Hymn.Hymb.C                       Twister.1015                     
I-Revenge                         Twister.1767                     
Icelandic.642.B                   USSR-707.C                       
Icelandic.642.C                   Vacsina.TP-25.B                  
Icelandic.656.B                   Variable Worm.B                  
Icelandic.848.B                   Vbasic.F                         
Icelandic.1618.D                  VCL.380                          
Icelandic.1618.E                  VCL.433                          
Infector.608                      VCL.445                          
Infector.676                      VCL.573                          
Infector.692                      VCL.610                          
Infector.695                      VCL.Azrl549                      
Infector.752                      VCL.Azrl606                      
Infector.962                      VCL.Annoyer                      
Internal.1459                     VCL.Dragon                       
Ionkin.218                        VCL.Divide.554                   
Ionkin.300                        VCL.Eddie                        
IVP.Angry Samoans                 VCL.Elena                        
IVP.Ozzy                          VCL.GGATTN                       
IVP.Panic                         VCL.Olympic                      
IVP.Tim                           VCL.Mexican                      
Japanese Christmas.600.F          VCL.Red Team                     
Jerusalem.1808.suMsdos.AK         VCL.Succubus                     
Jerusalem.1808.suMsdos.AL         VCL.Teknitov                     
Jerusalem.1808.suMsdos.AM         Vcomm.633                        
Jerusalem.2132                    VCS.Sleeper                      
Jerusalem.AntiCad.3012.E          VCS.Standard.Dr-No               
Jerusalem.GP1.1533                VCS.Standard.Parity              
Jerusalem.Mummy.2.1.B             VCS.Standard.Vdv                 
Jerusalem.1808.Sk9                VE                               
Jerusalem.Suriv 3.B               Victor.B                         
JSB                               Vienna.353.B                     
Junior.224                        Vienna.435.B                     
Just                              Vienna.539                       
Justice                           Vienna.573                       
Kbflag                            Vienna.582.B                     
Keeper.Acid                       Vienna.583.C                     
Keeper.Enemy                      Vienna.637.C                     
Keypress.1232.J                   Vienna.637.D                     
Kode 4.282                        Vienna.645.C                     
Kode 4.287                        Vienna.645.D                     
Krusha                            Vienna.648 * 10                  
Leapfrog.B                        Vienna.662                       
Liberty.2857.E                    Vienna.670                       
Liberty.2857.F                    Vienna.833                       
Little Girl.949                   Vienna.GhostBalls.C              
Lokinator                         Vienna.Gipsy                     
Lyceum.958                        Vienna.It.457                    
Lyceum.1086                       Vienna.NTKC.B                    
Magnitogorsk.2560.D               Vienna.W-13.534.K                
Marzia.B                          Virdem.1336.German.B             
Marzia.C                          VS                               
Massacre                          Warzaw                           
MG.5.B                            Wordswap.1085.B                  
Mgtu.273.D                        Wvar                             
Mich                              Yankee Doodle.TP.44.D            
Michelangelo.F                    YB.466                           
Ming.491                          YB.647                           
Ming.1017                         YB.2277                          
Mithrandir.450                    Youth.580                        
Mithrandir.694                    Zamoy                            
MMIR.Extasy                       Zero Bug.B                       
MMIR.Ravage                       Zherkov.1023.B                   
Murphy.Amilia.B                   Zombie                           
Murphy.Swami.B                    Zulu                             
Murphy.Swami.C                    ZX-X                             

The following 27 new viruses can now be detected but not yet removed.

_1491                 Grog.1372          Pojer.1941     
_1784                 Grog.2075          Pojer.1949     
_1987                 HLL.3677           PS-MPC.783     
_2403                 Ignorant           PS-MPC.1706    
AtomAnt               Jerusalem.986      Sentinel.5115  
Beer.2984             Julia.1000         Tamanna        
Beer.3399             LZR                Velvet.1400    
Commonwealth          Monika         
Creator               Pcbb.1800.A    
Dual GTM              Pcbb.1800.B                       

F-PROT's earlier versions could detect the following viruses. Now they
can also be removed.

Arusiek                  PS-MPC.ARCV.6         PS-MPC.Page.696 
Little Red               PS-MPC.ARCV.7         PS-MPC.Schrunch 
Marzia.A                 PS-MPC.Eclypse        PS-MPC.Walkabout
PS-MPC.ARCV.3.A          PS-MPC.Kersplat       PS-MPC.Z10.70   
PS-MPC.ARCV.5            PS-MPC.Mimic          Sentinel.5402   

------------------------------------------------------------------------------
     This material can be freely quoted, if the source is given as:
  Source: F-PROT version bulletin 2.11. Copyright (c) 1994 Data Fellows Ltd.
                                     -
               F-PROT Professional 2.11 Update Bulletin
------------------------------------------------------------------------------
This file may not be placed to be available for download in a system which 
allows users to access live computer viruses, source codes for viruses, or 
instructions for generating a new virus.                        Thank you.
