
F-PROT Professional 2.16 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.16 Update Bulletin; Copyright (c) 1995 Data Fellows Ltd.

------------------------------------------------------------------------------

Contents 1/95
=============

F-PROT Gatekeeper Closes the Gaps in Virus Protection
Data Fellows Acquires the Status of a Microsoft Solution Provider
The Global Virus Situation
        Mange-Tout.1099 on New Diskettes
        Sampo
        HDKiller in Spain
        Neuroquila in Germany
        The Good Times Incident in Internet
News in Short
RETROVIRUSES - How Viruses Fight Back, part 2
F-PROT Support Informs: Common Questions and Answers
Changes in Version 2.16


F-PROT Gatekeeper Closes the Gaps in Virus Protection
-----------------------------------------------------

Data Fellows has published a new kind of an anti-virus 
program. F-PROT Gatekeeper is the first active anti-virus 
program which is also capable of detecting polymorphic and 
self-encrypting viruses.

F-PROT Gatekeeper functions in the background in Windows 
environment, and it finds the viruses in all copied or 
executed programs both in Windows and in DOS boxes run under 
Windows.

Before the end of January, we will publish a free, time-
limited pre-release version of F-PROT Gatekeeper. This pre-
release version will be distributed via Internet among other 
distribution channels.

The purpose of the free distribution is to persuade as many 
people as possible to try out the new technology we have 
developed. The program is time-limited, however, and updates 
will not be available.

After the pre-release phase, F-PROT Gatekeeper will become a 
part of the F-PROT Professional for Windows package. The 
product will be distributed to our customers as a part of 
the program update.

Why Gatekeeper?

What are the makings of a good virus protection? The 
following things can be found at the top of our customers' 
wish list: secure, does not interfere with work, does not 
require anti-virus expertise from the end user, easy to 
install and maintain.

It is easy to understand the requirement for automation and 
transparency for the end user. For the end user and the 
organization, it is not profitable to use good work time in 
anti-virus operations. If all end users have to learn the 
use of an anti-virus program, the collective work effort 
diverted from more profitable uses will become significant.

A good anti-virus system should require the end user's 
active participation only when a virus is actually found.

The security requirement is divided into two parts. To begin 
with, an anti-virus program should be able to find a 
sufficient number of viruses, with emphasis on the viruses 
that are actually circulating in the wild. Secondly, the 
efficiency of an anti-virus program is enhanced if the 
protection works actively.

Active virus protection means a program which checks all 
opened programs and stops them from being executed or copied 
if it finds a virus. Active virus protection is usually 
provided with a DOS TSR software.

The final wish concerned the ease of installation and 
maintenance. F-PROT Gatekeeper can be installed centrally to 
all the workstations in a network. The program can likewise 
be updated from a single workstation.

To facilitate the administrator's work, F-PROT Gatekeeper 
can be configured to automatically send the administrator a 
message when it finds a virus in some of the network's 
workstations. The administrator will always have access to 
an up-to-date log of all the detected virus incidents in the 
network.

DOS TSR Programs Cannot Detect All Viruses

The most important reason behind the development of F-PROT 
Gatekeeper are the difficulties in maintaining the detection 
capability of TSR-type anti-virus programs. These 
difficulties are mainly caused by memory requirements.

Current anti-virus TSRs cannot find polymorphic viruses. It 
was the increase of polymorphic viruses which two years ago 
persuaded us to stop licensing VIRSTOP (the TSR component of 
F-PROT) separately.

The increasing number of polymorphic viruses continues to 
undermine the security of TSR-type protection. This risk can 
be decreased by checking hard disks at regular intervals 
with scheduled virus checks, executed by the separately run 
component of the anti-virus software.

For example, such viruses as Tremor, different Mutation 
Engine viruses and SMEG escape the notice of even the best 
anti-virus TSRs. This makes F-PROT Gatekeeper the first 
active anti-virus program capable of detecting practically 
all viruses.

Data Fellows Acquires the Status of a Microsoft Solution Provider
-----------------------------------------------------------------
Data Fellows Ltd. and Microsoft Ltd. have signed a Solution 
Provider agreement.


The Global Virus Situation
--------------------------

Mange-Tout.1099 on New Diskettes
--------------------------------
Data Fellows Ltd. has received several reports of infected 
preformatted diskettes in the Nordic countries. Since the 
beginning of this year, several vendors have been found to 
have sold preformatted 3.5" diskettes which contained a file 
called DE.EXE. Since DE.EXE is actually a simple, German 
diskette formatting program, the file's existence on the 
diskettes is apparently due to a human error on the diskette 
factory. Unfortunately, on some of the diskettes this 
program has been infected by a virus called Mange-Tout.1099.

We have seen preformatted diskettes infected with boot 
sector viruses in the past, but the fact that Mange-
Tout.1099 is a file virus makes the matter more serious; 
users seldom boot their computers from empty diskettes, but 
they may well find a file on a supposedly empty diskette 
intriguing, and run it just to find out what it does.

The Mange-Tout virus was first found in Hong Kong in the 
spring of 1994. Soon after that, the virus was also discovered in 
China. The first European incident took place in August 
1994, when a couple of VGA driver diskettes infected by 
Mange-Tout were discovered in Norway. The diskettes had been 
imported to Norway from Hong Kong, and the virus is believed 
to have spread elsewhere in Europe at the same time as well.

Mange-Tout keeps itself encrypted all the time, even when it 
is resident in memory. When the virus is started, it 
decrypts itself by calling a complexly protected decryption 
routine. While in memory, Mange-Tout calls this routine when 
certain interrupt calls take place. The virus also contains 
traps for debug programs, and this makes it quite difficult 
to examine.

When Mange-Tout is resident in memory, it hijacks the 
interrupts 08h, 09h and 21h (clock, keyboard and DOS). It 
infects COM and EXE files which grow by 1099 bytes. The 
virus activates when a computer's keyboard has been left 
untouched for one hour. It tries to erase the computer's 
CMOS memory and main boot record, but fails more often than 
not and only manages to crash the computer.

The words Mange and Tout are French; the virus's name can 
be roughly translated as 'omnivorous'. A 1091-byte-long
variant of Mange-Tout is also known to exist.

F-PROT can detect and remove the Mange-Tout virus.

Sampo
-----
The Sampo virus, also known as '69', seems to come originally
from the Philippines. This boot sector virus was discovered 
in England and Norway in November 1994. After that, it has 
been reported in Hong Kong, Singapore, Australia, Finland 
and Belgium.

Sampo can infect a computer's hard disk only if the computer 
is booted from an infected diskette, in which case the virus 
infects the hard disk's Main Boot Record. The virus goes 
resident in memory the next time the computer is booted from 
the hard disk. Once in memory, Sampo infects all non-write 
protected diskettes used in the computer.

Sampo takes hold of the interrupts 08h, 09h and 13h (clock, 
keyboard and disk operations). It uses a complex activation 
mechanism, which is based on the date, time and the keys 
pressed. When the virus activates, it displays a blue box on 
the screen's upper corner. In the box, Sampo prints in cyan 
the following text:

        S A M P O, "Project X", Copyright (c)1991
        by the SAMPO X-Team, All rights reserved,
        University Of The East Manila

Sampo also incorporates one peculiarity; it carries the old 
Kampana virus with it, and sometimes spreads Kampana's code 
instead of its own.

F-PROT can detect and remove both the Sampo and Kampana 
viruses.

HDKiller in Spain
-----------------
HDKiller is a relatively simple virus which infects diskette 
boot sectors and hard disk MBRs. The virus was discovered in 
Spain in November 1994.

HDKiller, which is also known as Corua, spreads itself like 
any other boot sector virus.

If a computer is booted from an infected diskette, the virus 
redirects the boot to the hard disk and the 'Non-system
disk' error message is not shown. This makes the virus 
harder to spot than usual.

When a computer is booted from a diskette infected by the 
HDKiller virus, the virus reserves one kilobyte of memory 
for itself. However, when the computer is next booted from 
the infected hard disk, the amount of available memory stays 
normal. This is due to a programming error in the virus's 
code; the virus loads itself to the top of conventional 
memory, but does not mark this memory area as reserved. As a 
consequence, other programs may try to write to the same 
area. If this happens, the computer crashes immediately. 
Therefore, a HDKiller infection makes a computer very 
unstable.

HDKiller is a destructive virus. When it infects a hard 
disk, it stores the current date inside its own code. During 
subsequent boots, it compares the infection date to the 
system's date and activates after a month has passed. If, 
for example, the infection has occurred on 15th of January, 
the virus activates on the 14th of any month. When the virus 
activates, it overwrites some of the data on the hard disk.

HDKiller contains the following unencrypted text:

        HDKiller By Rasek.
        0UT Meilan!

HDKiller does not store the original boot sector when it 
infects a disk. Instead, the functionalities of a diskette 
boot sector and a hard disk MBR have been incorporated into 
the virus's code. In spite of this, the HDKiller virus can 
be removed by overwriting its code because it does not move 
or encrypt the partition table.

F-PROT can detect and remove the HDKiller virus.

Neuroquila in Germany
---------------------
This complex virus infects EXE files, hard disk MBRs and 
diskette boot sectors. On hard disks, the virus encrypts the 
original MBR and moves it to a different part of the disk, 
writing its own code in its place. Since the new MBR of an 
infected hard disk does not contain partition data, the hard 
disk cannot be seen after a clean diskette boot. On 
diskettes, the virus formats an additional track on which 
it stores its code.

Neuroquila, which is also known by the names Neuro.Havoc and 
Wedding, tries to load its code to the upper memory area. If 
there is no upper memory area available, the virus enlarges 
the stack memory area (STACKS) and places its code there. 
Neuroquila uses tunneling techniques to by-pass anti-virus 
programs.

Neuroquila is a polymorphic virus. It contains a complex 
polymorphic engine which is capable of creating several 
different decryption modules. The variation of the 
decryption routines is based on the system's clock. While in 
memory, the virus employs versatile stealth virus techniques 
to hide the changes it has made to the boot sectors and 
files. When infected files are examined in a clean 
environment, they can be seen to have grown by 4644-4675 
bytes.

Neuroquila is also a retrovirus. It mounts attacks against 
several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a 
QEMM utility program) are loaded from CONFIG.SYS, the virus 
prevents them from being started. Neuroquila tries to modify 
the programs TBDRIVER, TBDISK, VSAFE and -D while they are 
in memory, and alters the partition protection created by 
the TBUTIL program. In addition to this, the virus is able 
to by-pass the error message Windows gives of a 32-bit disk 
operation mode, a stumbling block of many other boot sector 
viruses.

After Neuroquila has resided in a computer for some months, 
it displays the message:

             AVOC by Neurobasher'93/Germany
        -GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-

Neuroquila resembles the Tremor virus in many ways, and it 
has apparently been written by the same author.

F-PROT can detect and remove the Neuroquila virus.

The Good Times Incident in Internet
-----------------------------------
A rare 'worm', known as Good Times, slithered its way
through Internet news groups and various e-mail systems 
during December 1994. Good Times was not a virus as the word 
is commonly understood; more accurately, it was an efficient 
chain letter. Instead of spreading from one computer to 
another by itself, Good Times relied on people to pass it 
along.

The idea behind Good Times works somewhat like this: the 
originator puts into circulation an e-mail message which has 
the text 'Good Times' as its subject. The message itself
contains a warning of a dangerous virus called Good Times 
which spreads itself through e-mail systems and activates 
when the message in which it hides is read. The message goes 
on to explain that such a dangerous message can be 
recognized by its subject, which is, of course, 'Good
Times'. According to the warning, a 'Good Times' message
must never be read, but destroyed on the spot instead.

Many users don't realize that this warning is a hoax - no 
public e-mail system supports the execution of programs 
while the accompanying message is read. However, since the 
message is written in a very sincere tone, people copy it 
and send it along to their friends; in fact, the warning 
explicitly encourages them to do so.

Sooner or later, what goes around comes around, and a user 
who has sent the message along receives it as a warning from 
a friend's friend or more distant relation. The first thing 
the user sees is that he or she has received a message which 
has 'Good Times' as its subject. Believing himself under
attack by the terrible virus, the user destroys the message 
without reading it. The message, of course, contains only 
the original warning. After this near escape, the user 
probably sends out still more 'Good Times' warnings.

The Good Times warning spread like a wildfire for several 
weeks, until messages concerning the virus's nonexistence 
finally took hold.

The Good Times warning-virus came in several different 
versions, one of which is shown below:

        Subject: Good Times
        Date: 12/2/94 11:59 AM

        Thought you might like to know...

        Apparently , a new computer virus has been engineered by a
        user of America Online that is unparalleled in its
        destructive capability.  Other, more well-known viruses such
        as Stoned, Airwolf, and Michaelangelo pale in comparison to
        the prospects of this newest creation by a warped mentality.

        What makes this virus so terrifying is the fact that no
        program needs to be exchanged for a new computer to be
        infected.  It can be spread through the existing e-mail
        systems of the InterNet.

        Luckily, there is one sure means of detecting what is now
        known as the "Good Times" virus.  It always travels to new
        computers the same way - in a text e-mail message with the
        subject line reading simply "Good Times". Avoiding infection
        is easy once the file has been received - not reading it.
        The act of loading the file into the mail server's ASCII
        buffer causes the "Good Times" mainline program to
        initialize and execute.

        The program is highly intelligent - it will send copies of
        itself to everyone whose e-mail address is contained in a
        received-mail file or a sent-mail file, if it can find one.
        It will then proceed to trash the computer it is running on.

        The bottom line here is - if you receive a file with the
        subject line "Good TImes", delete it immediately!  Do not
        read it!  Rest assured that whoever's name was on the
        "From:" line was surely struck by the virus.   Warn your
        friends and local system users of this newest threat to the
        InterNet!  It could save them a lot of time and money.

News in Short
-------------
Due to a mistake, we gave erroneous contact information for 
the Virus Bulletin magazine in our previous Update Bulletin. 
The magazine's correct telephone number is +44 1235 555139, 
fax +44 1235 531889.

F-PROT has again proved itself in international tests; in 
December, F-PROT was proclaimed the winner of a large anti-
virus product review published by the PC Professional 
magazine in Denmark and PC Week in Norway, and in January, 
the British magazine SECURE Computing awarded F-PROT the 
title 'Recommended'.


RETROVIRUSES - How Viruses Fight Back, part 2
---------------------------------------------

Mikko Hypponen, who works in Data Fellows Ltd's F-PROT 
support, presented the following paper at the Virus Bulletin 
'94 conference. The paper is published in two parts. The
first part was published in the F-PROT 2.15 Update Bulletin.

6. Attacks against disinfectors

A retrovirus can attack programs that try to disinfect boot 
sectors and files. The purpose of such an attack might be to 
cause the disinfector to damage the host files while 
disinfecting. If a disinfection program does not do an exact 
identification on a virus before disinfecting it, any virus 
that contains a known search string for another virus can 
cause such damage during the disinfection process.
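To illustrate the identification discipline this paragraph calls for, here is an added Python example; it is not code from this bulletin or from F-PROT. The two samples are constructed byte strings that share a search string but differ in layout, and the repair recipe, the hash-based exact identification and all names are invented for the illustration. Nothing here is a real virus; the fixtures are test data only.

```python
import hashlib

# Constructed fixtures: both "samples" contain the same search string (MARKER),
# but only family A has the layout the repair recipe assumes, namely three saved
# host bytes immediately after the marker.
MARKER = b"\xe9VX\x90"
BODY_A = b"constructed body of family A, invariant across infections"
BODY_LOOKALIKE = b"ZZZ" + b"constructed body of an unrelated virus sharing the marker"
EXACT_A = hashlib.sha256(BODY_A).hexdigest()   # exact-identification value for family A


def fixture_family_a(host):
    """Layout: host with first 3 bytes patched | MARKER | saved 3 bytes | BODY_A."""
    return b"JMP" + host[3:] + MARKER + host[:3] + BODY_A


def fixture_lookalike(host):
    """Layout: host with first 3 bytes patched | MARKER | BODY_LOOKALIKE (no saved bytes)."""
    return b"JMP" + host[3:] + MARKER + BODY_LOOKALIKE


def repair_family_a(sample):
    """Family A's repair recipe: restore the saved bytes, drop the appended code."""
    m = sample.find(MARKER)
    saved = sample[m + len(MARKER): m + len(MARKER) + 3]
    return saved + sample[3:m]


def identify(sample):
    """Search string first (cheap), then exact identification of the body (hash)."""
    m = sample.find(MARKER)
    if m < 0:
        return None
    body = sample[m + len(MARKER) + 3:]
    if hashlib.sha256(body).hexdigest() == EXACT_A:
        return "FamilyA"
    return "FamilyA?"    # search-string hit only: a variant or an unrelated look-alike


def disinfect(sample):
    """Repair only after exact identification; otherwise report and leave the file alone."""
    ident = identify(sample)
    if ident == "FamilyA":
        return "repaired", repair_family_a(sample)
    if ident == "FamilyA?":
        return "search string matched but not exactly identified: not repaired", sample
    return "clean", sample


# Constructed host program used by the fixtures.
HOST = b"MZ\x90" + b"constructed host program bytes" * 2
```

Run against the look-alike, `repair_family_a` on its own would write three wrong bytes over the host's entry point, which is exactly the damage the paragraph describes; `disinfect` refuses because the body hash does not match family A.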

6.1 Cleaning the clean

There even exists a virus called Mirror, which is the exact 
opposite of a stealth-virus: when Mirror is resident in 
memory, it makes all programs look like they have been 
infected by it. This can be potentially dangerous when 
disinfection is attempted, but this technique poses no 
danger if the disinfection is done in a proper way, i.e. 
after a clean boot.

6.2 Complicating the recovery

The recovery process of an infected machine can be severely 
complicated if the virus denies access to the hard drive. 
Several MBR-viruses (for example, members of the Monkey 
family) do this by modifying the partition data in such a 
way that no logical DOS drives can be found when the machine 
is booted from a clean floppy. A recovery attempt done by 
overwriting the MBR code with the FDISK /MBR or a similar 
command will not return access to the hard drive. 
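The recovery distinction drawn here (a Monkey-style change to the partition data, which a code-only rewrite such as FDISK /MBR cannot undo) and the HDKiller note earlier in this bulletin (removal by overwriting the code, because the partition table is left untouched) both come down to what sits in bytes 446-511 of the sector. The following Python is an added example rather than code from this bulletin or from F-PROT: it parses the table and decides which repair path applies. The sample sectors, the boot-code strings and the function names are constructed for the illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return the four partition entries of a 512-byte master boot record."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def has_usable_partition(sector):
    """True if at least one entry describes a real partition DOS could mount."""
    return any(e["type"] != 0 and e["sectors"] > 0 for e in parse_mbr(sector))


def replace_boot_code(sector, clean_code):
    """Code-only repair (what FDISK /MBR amounts to): keep bytes 446-511, swap the code."""
    if len(clean_code) > TABLE_OFFSET:
        raise ValueError("boot code does not fit in front of the partition table")
    return clean_code.ljust(TABLE_OFFSET, b"\x00") + sector[TABLE_OFFSET:]


def diagnose(sector, known_good_code):
    """Decide which recovery path applies before touching the disk."""
    code_ok = sector[:TABLE_OFFSET] == known_good_code.ljust(TABLE_OFFSET, b"\x00")
    if has_usable_partition(sector):
        return "ok" if code_ok else "foreign code, table intact: code-only rewrite restores the boot"
    return "partition table unusable: rewriting the code alone will not restore drive access"


def build_mbr(code, partitions):
    """Assemble a constructed MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if bootable else 0, b"\0\0\0",
                                 ptype, b"\0\0\0", lba_start, sectors)
                     for bootable, ptype, lba_start, sectors in partitions)
    return code.ljust(TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed sample sectors for the illustration (no real boot code involved).
CLEAN_CODE = b"constructed clean boot code: load and jump to the active partition"
FOREIGN_CODE = b"constructed stand-in for boot code a virus left behind"
PARTS = [(True, 0x06, 63, 1_000_000)]              # one bootable FAT16 partition
CLEAN = build_mbr(CLEAN_CODE, PARTS)
HDKILLER_LIKE = build_mbr(FOREIGN_CODE, PARTS)     # code replaced, table untouched
MONKEY_LIKE = build_mbr(FOREIGN_CODE, [])          # table gives DOS nothing to mount
```

`diagnose` reports the HDKiller-like sector as repairable by a code rewrite and the Monkey-like one as needing its table rebuilt from a backup or reconstructed from the file systems on the disk; `replace_boot_code` on the latter changes nothing about drive access, which is the point the paragraph makes about FDISK /MBR.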

The ExeBug virus family uses another way to make it 
difficult to boot up an infected machine from a clean 
diskette. The virus modifies the BIOS Setup information to 
indicate that the machine does not have an A: drive at all. 
Such a machine will always boot up from the hard drive. Once 
the booting has started and the virus code is executed, the 
virus will check if there is a diskette in drive A:. If so, 
it will continue the booting from there. In most cases the 
user is unable to notice this, and thinks that the machine 
has been booted clean when the virus is already resident.

Yet another way to complicate the recovery process is to set 
the BIOS boot-up password on with a random password during 
an activation routine. The method of doing this is 
documented on most new BIOS brands.

Some integrity checkers are capable of performing a generic 
disinfection. This means that they try to restore the 
original file according to the information the checker has 
previously saved (typically length, checksum, first and last 
bytes). Such generic routines won't work if a virus makes 
extensive changes to the program files, for example by 
encrypting the host file during infection.

6.3 Attacking heuristic cleaners

Viruses use a different kind of an attack against heuristic 
disinfection programs. A heuristic cleaner works by loading 
the infected file to memory and emulating the program code. 
It uses a combination of disassembly, emulation and 
sometimes execution to trace the flow of the virus and to 
emulate what the virus is normally doing. When the virus 
restores the original first instructions of the host file 
and jumps back to the original entry point, the cleaner 
stops the emulation. The repaired start of the program is 
copied back to the program file on disk, and the part of the 
program that was 'executed' will be removed. [Veldman]

The inherent risk of heuristic cleaning is that if the 
cleaner tries to emulate everything, the virus may assume 
control inside the emulated environment and finally escape 
from it - after which it can propagate further or trigger a 
destructive retaliation routine. There are documented cases 
of at least one virus doing this, see below.

7. Attacks against integrity checkers

The operation of integrity checking programs varies between 
vendors but they almost always rely upon some form of a 
database which contains details of objects (typically files 
and boot sectors) to be checked.

7.1 Deleting the database

Several viruses have attacked integrity checkers by locating 
the integrity database and deleting it. In some cases, the 
result of deleting the database files is that the integrity 
checker will blindly assume that the original checksums have 
not been calculated yet, and proceeds to initialise the 
database without informing the user that something might be 
amiss. This was exactly the case with the Peach virus.

Peach attacked an integrity checker which worked by creating 
a checksum file, containing checksums of all executable 
programs. Peach attacked by deleting this file. After the 
database was deleted and the checker was executed again, it 
recreated the file, calculating new checksums from the 
infected files and failing to report any changes in the 
system [VB1].

It should be noted that the Peach virus will not be 
successful against newer versions of this integrity checker, 
as the name of the checksum file has been changed in newer 
versions of the product. Similar types of attack still seem 
to be possible, though.

Even if a checksumming package did report to the user that 
the database has been deleted without approval, it would be 
difficult to find the affected files if no recent backup of 
the database exists.

7.2 Making checked unchecked

A similar attack works also against programs that do not 
store the integrity data in a separate database, but add it 
to the end of the executable files themselves. Since there 
is no info about which files have been checksummed, a virus 
can just remove the validation data without any side effects 
- and the checker will not complain that the file has 
changed.
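As an added example (not code from this bulletin, from F-PROT, or from the checker discussed in [VB1]), the following Python shows the two defences sections 7.1 and 7.2 point to: the checker refuses to rebuild a missing database on its own, and it keeps a keyed record of which files were checked, so validation data stripped from a file is noticed as a change rather than passing silently. The database name, the key, the temporary directory and the sample programs are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

BASELINE_NAME = "INTEGRITY.DB"      # assumed database name for the example
CHECKED_SUFFIXES = (".EXE", ".COM")


class BaselineMissing(Exception):
    """Raised when the database is gone, instead of silently re-baselining."""


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(entries, key):
    # Keyed MAC over the canonical entry list: recreating or editing the database
    # needs the key, which is kept off the checked volume (e.g. on the clean diskette).
    canon = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def _checked_files(root):
    return sorted(n for n in os.listdir(root)
                  if n.upper().endswith(CHECKED_SUFFIXES)
                  and os.path.isfile(os.path.join(root, n)))


def build_baseline(root, key):
    """Record size and digest of every executable under root, then MAC the record."""
    entries = {}
    for name in _checked_files(root):
        path = os.path.join(root, name)
        entries[name] = {"size": os.path.getsize(path), "sha256": _digest(path)}
    db = {"entries": entries, "mac": _mac(entries, key)}
    with open(os.path.join(root, BASELINE_NAME), "w") as f:
        json.dump(db, f)
    return db


def verify(root, key):
    """Return (name, finding) pairs; never rebuild the database on its own."""
    db_path = os.path.join(root, BASELINE_NAME)
    if not os.path.exists(db_path):
        raise BaselineMissing("integrity database missing: refusing to re-baseline silently")
    with open(db_path) as f:
        db = json.load(f)
    if not hmac.compare_digest(db.get("mac", ""), _mac(db["entries"], key)):
        return [(BASELINE_NAME, "database tampered or rebuilt without the key")]
    findings = []
    for name, rec in db["entries"].items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
        elif os.path.getsize(path) != rec["size"] or _digest(path) != rec["sha256"]:
            findings.append((name, "changed"))
    # Executables without a record are reported too; nothing passes merely
    # because the checker knows nothing about it.
    for name in _checked_files(root):
        if name not in db["entries"]:
            findings.append((name, "not in database"))
    return findings


def demo():
    """Constructed walk-through of the three situations; returns the outcomes."""
    key = b"constructed key, kept on the clean boot diskette rather than the checked disk"
    out = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "A.EXE"), "wb") as f:
            f.write(b"MZ constructed program A")
        with open(os.path.join(root, "B.COM"), "wb") as f:
            f.write(b"constructed program B" + b"VALD" + b"\x01" * 16)  # 20-byte appended trailer
        build_baseline(root, key)
        out["clean"] = verify(root, key)
        # Situation of 7.2: the appended validation data is removed from B.COM.
        path = os.path.join(root, "B.COM")
        with open(path, "rb") as f:
            data = f.read()
        with open(path, "wb") as f:
            f.write(data[:-20])
        out["after_strip"] = verify(root, key)
        # Situation of 7.1: the database itself is deleted.
        os.remove(os.path.join(root, BASELINE_NAME))
        try:
            verify(root, key)
            out["db_missing_detected"] = False
        except BaselineMissing:
            out["db_missing_detected"] = True
    return out
```

The keyed MAC is what turns "delete the database and let the checker rebuild it" into a visible event: a rebuilt or edited record without the key fails the MAC, and a deleted record raises instead of being recreated. The last paragraph of 7.1 still applies, since a missing database only tells you that something happened, not which files changed, so the record itself needs a backup off the checked volume.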

Several generic attack methods against integrity checkers 
are discussed in length in [Bontchev].

8. Real world retroviruses

When we look at viruses that attack specific anti-virus 
products directly, we notice that they mostly seem to target 
McAfee Associate's ViruScan (SCAN.EXE), Microsoft Anti-virus 
from MS-DOS 6 (MSAV.EXE), Central Point Antivirus (CPAV.EXE) 
and the resident parts of these applications (VSHIELD and 
VSAFE). This is not surprising, as these are some of the 
most popular anti-virus products, and thus good targets for 
retroviruses.

Here are some examples of known viruses that incorporate 
retro-routines:

CPW virus family:
        tries to delete programs called TOOLKIT, GUARD, CHKVIRUS,
        SCAN, CLEAN, CPAV and VSAFE

        deletes CHKLIST.CPS files created by CPAV

Cybertech:
        deletes CHKLIST.CPS files

        removes the validation information added by SCAN and CPAV

Firefly:
        uninstalls VSAFE from CPAV or MSAV

        contains a segment of nested loops to confuse F-PROT's
        heuristic scanning

        deletes files called IM, VIRX, PCRX, VIRSTOP, MSAV, NAV,
        SCAN, CLEAN, TBAV, TBCSCAN, TBCLEAN, TBCHECK, TBMEM,
        TBSCANX, TBFILE, VC, and VCHECK

GoldBug:
        by-passes VSAFE.COM and DISKMON.EXE

        deletes or stops the execution of programs called SCAN,
        CLEAN, NETSCAN, CPAV, MSAV, TNTAV - and deletes the
        contents of CMOS memory at the same time

        specifically by-passes the TBAV boot-sector check

        deletes CHKLIST.* files, by-passing CPAV and MSAV

Lemming:
        disables TBDriver from TBAV by patching it in memory

        when TBScan is executed, adds the command-line parameter
        'co', which will allow the stealth routines of the virus
        to operate

        patches text strings inside TBScan's code to make the
        operation of the program look like it has been started
        without the 'co' switch

Lockjaw virus family:
        deletes F-PROT, SCAN, IM, CPAV

        uninstalls VSAFE

MtE.Groove and MtE.Encroacher:
        tries to delete files belonging to the following products:
        Central Point Anti-Virus, Certus Novi, Fifth Generation
        Systems Untouchable, Norton Anti-Virus, Dr. Solomon's
        Antivirus Toolkit and VDS Virus Secure.

November_17th.890:
        overwrites the first 256 sectors of the first hard disk
        whenever SCAN is run

Peach:
        deletes CHKLIST.CPS files

Sandra:
        tries to delete files belonging to CPAV, NAV, Untouchable,
        Dr. Solomon's Antivirus Toolkit and Integrity Master

        will not infect if FluShot is installed

Satanbug:
        tries to remove the validation codes added by SCAN

        guards its own are-you-there interrupt call to make it
        difficult to detect the virus in memory with it [CM-Base]

Tequila:
        deletes files that have validation codes added by SCAN

        does not infect EXE-files which have the letters SC or V
        in their names

Tremor:
        hooks INT 13h via a VSAFE back-door

        modifies its own memory allocation when F-PROT is executed
        [VB2]

Varicella:
        tries to escape and go resident during the cleaning
        process of TBClean

9. Is there a real problem with retroviruses?

Do retroviruses pose a realistic threat to current anti-
virus products? The most popular anti-virus tool nowadays is 
a stand-alone scanner, which by itself is almost always 
helpless against any new virus. Are there any special risks 
in a virus that, in addition to being a new one, also 
specifically tries to by-pass a product? 

9.1 Dangers of optimised virus analysis systems

If a retrovirus exploits a specific flaw or the back door of 
a product, it cannot be considered a very special case, as 
the detection of a new virus requires usually an update to 
the product anyway. At the same time, it is possible to 
upgrade the product so that the attack method used by the 
virus can be circumvented or made obsolete.

The main problem in this case is whether the anti-virus 
vendor notices what the virus is trying to do. Today, when 
several new viruses are found every day, there is a limited 
time in which to analyse any single virus. Virus analysis 
systems are automated as much as possible, and a virus 
typically only gets a cursory look - which is usually enough 
to add detection, identification and disinfection. Such 
analysis will not reveal any special features the virus may 
contain. This also explains why there are no anti-virus 
products which can provide detailed information about each 
and every virus.

If a retrovirus is run through a standard analysis system, 
and the product is tested by running it against a sample 
that is not resident in memory, the retro-features of a 
virus may not become known until they are observed directly 
in the real world - after which the virus will certainly get 
more attention, but this might already be a bit too late. 
The virus may also start its attack behaviours only after a 
certain latency time.

9.2 Opening the door to other viruses

It should also be noted that a virus which disables an anti-
virus product in some way may also make the system 
vulnerable to other viruses, which the product might 
otherwise have handled fine.

In many cases this is the only benefit a retrovirus gains 
from unloading a resident scanner. The scanner can't be 
unloaded before it is resident. If the virus is known to the 
scanning engine, a resident scanner will not let the virus 
run. If the virus is unknown to the scanner, it can operate 
even when the scanner is resident. The case is different 
with behaviour blockers, as they are not trying to find 
known viruses.

There is very little a product can do against an attack 
which consists of deleting or replacing the program file 
itself - if the virus gets control before the anti-virus, 
the virus makes the rules.

10. How should an anti-virus product protect itself?

It is obvious that viruses can utilise a variety of tricks 
against anti-virus products. However, anti-virus programs 
can fight back just as efficiently.

10.1 Making the program difficult to locate

First of all, the anti-virus program itself should be 
renameable by the user. This alone would make it a lot 
harder for a virus to locate its enemy. Unfortunately, many 
anti-virus products refuse to run if they find that their 
program files have been renamed.

As the virus can try to locate the anti-virus program by its 
contents as well as by name, the structure or contents of 
the program file should change with each update.

The best way to make sure that no retrovirus is making its 
tricks is the old, well-known recipe: boot from a clean 
diskette and run a fresh copy of the anti-virus program from 
diskette.

10.2 Self-checks

Since many attack routines work by modifying an anti-virus 
program, it is imperative that all anti-virus programs make 
thorough checks on their own code. A cursory check against 
modifications that would result from an infection is not 
enough: if the code is not protected internally against 
patching, the integrity of the whole program code should be 
checked during start-up. 

It is not enough to ensure that the program code has not 
been changed. As demonstrated earlier in this paper, it is 
enough for a retrovirus to modify the texts or configuration 
info belonging to the application.

Even though the size of an anti-virus application probably 
changes during every update, a clever retro-virus can still 
locate the code it wants to patch by using a search string. 
This can be overcome by encrypting the application. The 
protection will be even better if the encryption method or 
key is changed with every update. Another, easier way to 
achieve the same results is to provide the executable in 
packed form, as the packing algorithm will invalidate search 
strings between different versions of the same program.

10.3 Resident security

Since it is often much easier to patch a program in memory 
rather than on disk, an anti-virus application should make 
checksum checks on its memory image to ensure that no 
unwanted changes have taken place. This is especially 
important with resident anti-virus utilities.

The communication channels to a resident part of an anti-
virus program should be carefully thought out. If the TSR 
needs to have an uninstallation routine, it should be 
implemented so that other programs will find it difficult to 
request the uninstallation without the user noticing it.
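The checks described in 10.2 and 10.3 can be sketched in a few lines. The Python below is an added example, not F-PROT's own self-check; the image layout, the digest slot, the resident-module class and the uninstall token are constructed for the illustration. The digest covers the message strings and configuration as well as the code, the resident part re-verifies its memory image before it does any work, and uninstallation requires a per-session token that only the user saw at install time.

```python
import hashlib
import hmac
import secrets
import struct

MAGIC = b"SELFCHK1"                 # constructed image header, not a real format
HEADER_LEN = len(MAGIC) + 8         # magic + two uint32 lengths
DIGEST_LEN = 32


def build_image(code, strings):
    """Lay out a toy executable image: header | digest slot | code | messages/config.

    The digest is computed over the whole image with the slot zeroed, so code,
    texts and configuration are all covered: patching a message string fails
    the check just as patching code does (the point made at the end of 10.2).
    """
    header = MAGIC + struct.pack("<II", len(code), len(strings))
    blank = header + bytes(DIGEST_LEN) + code + strings
    return header + hashlib.sha256(blank).digest() + code + strings


def self_check(image):
    """Start-up check: recompute the digest with the slot blanked and compare."""
    if image[:len(MAGIC)] != MAGIC or len(image) < HEADER_LEN + DIGEST_LEN:
        return False
    stored = image[HEADER_LEN:HEADER_LEN + DIGEST_LEN]
    blank = image[:HEADER_LEN] + bytes(DIGEST_LEN) + image[HEADER_LEN + DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(blank).digest(), stored)


class ResidentModule:
    """Models the resident part (10.3): verifies the image before loading,
    snapshots a digest of its memory image, re-checks it before each operation,
    and only uninstalls when presented with the per-session token."""

    def __init__(self, image):
        if not self_check(image):
            raise ValueError("refusing to load a modified image")
        self.memory = bytearray(image)          # stand-in for the in-memory image
        self.snapshot = hashlib.sha256(self.memory).digest()
        self.uninstall_token = secrets.token_hex(8)   # displayed to the user at install
        self.installed = True

    def memory_intact(self):
        return hmac.compare_digest(hashlib.sha256(self.memory).digest(), self.snapshot)

    def check_file(self, data):
        """Guarded operation: refuse to work from a patched memory image."""
        if not self.memory_intact():
            raise RuntimeError("resident code modified in memory")
        return b"CONSTRUCTED-MARKER" in data   # placeholder for the real detection logic

    def uninstall(self, token):
        """A bare 'uninstall' request from another program is not enough."""
        ok = hmac.compare_digest(token, self.uninstall_token)
        if ok:
            self.installed = False
        return ok


# Constructed image contents for the illustration.
CODE = b"constructed code bytes" * 4
STRINGS = b"Virus found in %s\0Infected files are deleted\0"
IMAGE = build_image(CODE, STRINGS)


def patched(image, offset, value):
    """Return a copy of an image with one byte changed (used to show detection)."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)
```

An unkeyed digest in the file only catches patches that do not also recompute the slot; combining it with the packing or encryption the section recommends, or with a signature whose key is not in the image, is what makes recomputation impractical. The memory snapshot is different in kind: it is taken at load time and compared by the running code, so an in-memory patch of the sort Lemming applies to TBDriver shows up the next time the module is asked to do anything.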

10.4 Prohibiting disassembly

It can be expected that determined virus writers will try to 
disassemble anti-virus products in order to find out what 
makes them tick. Thus, some anti-debug and armouring code to 
protect the application might be a good idea - although 
nothing will stop a dedicated cracker. 

At least three different scanners are known to have been 
analysed by crackers, up to the point of extracting all 
search strings of the program. Such an attack can be harmful 
in several ways: the virus writers get to see exactly what 
they will have to change in a virus to make a new, 
undetectable variant, and well-chosen search strings are 
also closely guarded trade secrets.

Popular, easy-to-get programs are the most probable targets 
for attack routines. This makes commercial products 
theoretically safer than shareware or freeware products.

11. Conclusions

Retroviruses are nothing new - the first ones were found in 
the late 1980s. There are several attack methods that will 
certainly be used in future viruses - and some of these can 
be quite efficient. Therefore, extreme care should be taken 
by producers of anti-virus software to avoid the possible 
pitfalls.

It's time to make sure your anti-virus product is not 
vulnerable to an attack it could avoid.


F-PROT Support Informs: Common Questions and Answers
----------------------------------------------------
If you have questions about information security or virus 
prevention, contact your local F-PROT distributor. You can 
also contact Data Fellows directly by telephone at 
358-0-478 444.

Written questions can be mailed to: Data Fellows Ltd., F-
PROT Support, Paivantaite 8, FIN-02210 ESPOO, FINLAND.

Questions can also be sent by electronic mail to: Internet: 
f-prot@datafellows.fi; X.400: S=F-PROT, OU1=DF, O=elma, 
P=inet, A=mailnet C=fi

Can VIRSTOP be installed in such a way that it automatically
scans diskettes which are inserted in the computer, before
any read or write operations take place? I have seen such
systems used in Macintosh computers.

        No. PC computers do not have a mechanism which tells the
        operating system that a diskette has been inserted in the
        diskette drive. The only way to construct such a system
        would be by instructing VIRSTOP to keep the diskette
        drive's motor spinning constantly, and this would place
        an undue burden on the computer's hardware.

        Although the diskettes used in a computer are not
        examined automatically when they are inserted in the
        diskette drive, this does not in itself cause a security
        risk as long as VIRSTOP is up and running. A diskette's
        boot sector is examined immediately when a disk operation
        is performed on the diskette, and the programs on a
        diskette are likewise examined automatically when they
        are used.

The Budo virus was found in our organization. Instead of
disinfecting the virus, F-PROT simply destroyed the infected
files. Why?

        Some viruses irreparably damage the files they infect. In
        some cases, this is due to programming errors in the
        viruses' code, but certain viruses actually spread by
        overwriting the contents of their host files with their
        own code. In either case, F-PROT can only delete the
        infected files. When the virus has been removed from the
        system, the deleted programs should be either
        re-installed or restored from back-up copies.

        If the F-CHECK integrity checker software has been
        installed in the computer, it may be able to restore
        partially damaged files. However, even F-CHECK is
        helpless in the face of more extensive damage. In such
        cases, it is best to restore the system from a back-up
        copy.

        F-PROT can disinfect about 80-90% of the viruses which
        can be disinfected at all.


Changes in Version 2.16
-----------------------

Changes in F-PROT for Windows
-----------------------------
F-PROT for Windows and VIRSTOP sometimes conflicted when 
scanning infected boot sectors. This has been fixed.

A warning message about possibly active users is displayed 
when the program is updated to a new version.

F-PROT for Windows now also gets updated when a scheduled 
task is activated and a new version is available in the 
update directory.

F-PROT can now also be maximized while it is running as an 
icon with a memory scan in progress.

One GPF problem (GPF in BC30RTL.DLL at 0001:4DAD) has been 
fixed. This error happened if Windows was unable to allocate 
DOS memory at all.

The memory scan has been rewritten.

Old versions of F-PROT for Windows logged an error message 
when they encountered directories with hidden or read-only 
attributes.

This version of F-PROT for Windows has more descriptive 
messages for communication errors.

If a user attempts to close F-PROT without aborting a scan 
in progress, an error message is displayed.

If a virus is detected during the memory scan, its name is 
now shown in the warning message. The name used to be shown 
only in the title bar, a place where it wasn't obviously 
visible.

Changes in F-PROT for DOS
-------------------------
VIRSTOP 2.15 was found to be incompatible with a program 
called PC-CONFIG. This has been fixed.

VIRSTOP 2.15 flagged the boot sectors of diskettes protected 
with the RINGFENCE and DISKLOCK products as infected. This 
has been corrected.

Changes Common to F-PROT for DOS, Windows and OS/2
--------------------------------------------------
All COM files infected with the Jerusalem.Pipi.1536 and KMIT 
viruses were incorrectly reported as being first generation 
samples. These are compiled virus programs, not program 
files which have been contaminated through infection.

The Bengal virus was only detected in COM files, not in EXE 
files. This has been fixed.

F-PROT 2.15 missed a very small number of files infected by 
One_Half.3544 and Neuroquila. The program should now be able 
to detect all occurrences of these viruses.

The reporting of boot sector viruses has been changed 
slightly. F-PROT now reports "  (?)" instead of " - unknown" 
when it detects a boot sector virus for which it has no 
identification information.

The following false alarms have been fixed:
-------------------------------------------
The file NUAGE!.COM from the Assembly'94 demo collection was
reported as "Possibly a new variant of Reklama".

VIRSTOP reported the file SPEED.COM as having been infected by
the Phalcon virus.

New Viruses Detected by F-PROT 2.16
-----------------------------------
The following 10 viruses are now identified, but cannot be 
removed as they overwrite or destroy infected files. Some of 
them were detected by earlier versions of F-PROT, but only 
reported as "New or modified variant of...".

Abraxas.1518                           Maaike.164.B
Burger.542                             Milan.Demon.270
Burger.560.AV                          Leprosy.Skism.808.D
Cavaco                                 Leprosy.Skism.1992.C
Dev_X                                  VCL.423.Mindless.B

F-PROT can detect and remove the following 218 new viruses. 
Earlier versions of F-PROT could detect many of these 
viruses. Now they are also identified accurately.

_132.127                               Kode4.281
_307.329                               Lemming.2144
_468                                   Leningrad_II.1499
_500                                   Leningrad_II.2000.B
_500_2                                 Little_Red.B
_656                                   Lockjaw.499
_872                                   Loook
_1395                                  Lurid
_1536.B                                Mag.239
_2828                                  Mag.254.A
Acid.674                               Mag.254.B
Arusiek.691                            Marzia.O
Arusiek.692                            MMIR.411
Australian_Parasite.Middle.491         MMIR.423
Australian_Parasite.Middle.1041        Mne.1173
Australian_Parasite.Middle.1169        Moonlite.366
Baba.356                               Msu
Barrotes.1194                          November_17th.522
Beer.2473                              Nygus.278
Beer.2620 and                          Peasant
Beer.3307                              Phx.1289
BigX.610                               Phx.1295
Bobo.427                               Pixel.124
Bootexe.394                            Pixel.200
Bootexe.443                            Pixel.852.B
BW.525                                 Pixel.1577
BW.556                                 Pixel.1686
BW.756                                 Pose.1155
Caca                                   Pose.1164
Carzy.B                                PS-MPC.338.D
Cascade.1701.Y                         PS-MPC.520
Cascade.1701.Z                         PS-MPC.565.E
Cascade.1701.Yap.C                     PS-MPC.565.F
Cascade.1701.AA                        PS-MPC.569.B
Cascade.1701.AB                        PS-MPC.565.G
Cascade.1704.Z                         PS-MPC.565.H
Chaos.1181.J                           PS-MPC.569.E
Chaos.1181.K                           PS-MPC.570.E
CLME.1528                              PS-MPC.570.F
Clonewar.923.B                         PS-MPC.570.G
Clonewar.923.C                         PS-MPC.573.J
Clonewar.923.E                         PS-MPC.573.K
Clonewar.923.F                         PS-MPC.578.I
Clonewar.923.G                         PS-MPC.578.J
Clonewar.923.H                         PS-MPC.578.K
Collor                                 PS-MPC.578.L
Danish_Tiny.163.C                      PS-MPC.578.M
Dark_Avenger.1800.M                    PS-MPC.579.D
Datalock.920.L                         PS-MPC.Dangler
Denied.B                               PS-MPC.Happy_Day
Enterprise                             Sauron
Error_Inc.260                          Scity.678
Error_Inc.393                          Scity.713
Fax_Free.1024.Mosquito.B               Semtex.1000.D
Fax_Free.1024.Mosquito.C               SIC.325
Fax_Free.1536.Topo.B                   SIC.456
FFFF.432                               SillyC.162
FFFF.440                               SillyC.163
Fin                                    SillyC.547
Flash.688.D                            SillyC.657
Freak.604                              Smegdemo
Galeo                                  Star
GameF.1053                             Sterculius.440.B
GameF.1065                             Suriv_1.April_1st.F
Geliyor                                Surprise.1282
Heja                                   SVC.1064.B
HLL.Vova.8896                          SVC.1064.C
HLL.Vova.9904                          Sveta
HLLC.4768.A                            Sword.B
HLLC.4867.B                            Tai_Pan.666
HLLC.Captain                           Teraz.4004
HLLC.W_A                               Timid.313
HS.982                                 Traven
Hymn.Sverdlov.C                        Troi.F
Ieronim.1020                           TU.2500
Ieronim.1024                           Unc.1039
Ieronim.1082                           Unc.1377
IMI.2304                               Unc.1410
Infector.469                           Userlist.1178
Infector.875                           Vacsina.Grog.1082
Int_FF                                 VCL.420
Intruder.1355                          VCL.551
Ironfist                               VCL.634
Istanbul.1312                          VCL.Anston
Istambul.1349                          VCL.Rat
IVP.Angry_Samoans.B                    Vienna.435.C
Jerusalem.1808.Dashes                  Vienna.435.D
Jerusalem.1808.Exciter.A               Vienna.435.E
Jerusalem.1808.Exciter.B               Vienna.435.F
Jerusalem.1808.Exciter.C               Vienna.435.G
Jerusalem.1808.Exciter.D               Vienna.435.H
Jerusalem.1808.Frere.J                 Vienna.435.I
Jerusalem.1808.sumsdos.AP              Vienna.435.J
Jerusalem.1808.sumsdos.AQ              Vienna.435.K
Jerusalem.1808.New                     Vienna.520
Jerusalem.Tarapa.D                     Vienna.565
Junkie.B                               Vienna.641
KA                                     Vienna.680.B
Kela.2002                              Vienna.1006
Kela.2010                              Vienna.Violator.821.B
Kela.2099                              Vienna.Violator.821.C
Keykap.923                             Void.1886
Keykap.1074                            Wildfire.2371
Keykap.1077                            Wordswap.1503.B
Keypress                               WVP.352
Killerwhale.750                        Yankee_Doodle.2433
Kiwi.1000.A                            Yankee_Doodle.3561
Kiwi.1000.B                            Zol
Kiwi.1000.C

The following 35 new viruses can now be detected but not yet 
removed.

_257.258                               Pollution.381
4On                                    Pollution.378
Astra.927.B                            Pollution.390
Cantanto                               Pollution.565
Crepate.1944                           Predator.1055
Estonia                                Problem.845
Eternity.565                           Radyum.509
Eternity.600                           Rider
Grog.2825                              SIC.651
Hello.547                              SIC.736
Keykap.685                             SmartC
Moonlite.417                           Talon.1894
NED.Itshard                            Topa.2456
NED.Tester                             Twisted.292
Nigh                                   Twisted.298
No_Smoking                             VCL.Renegade.5738
NRLG.826                               Xuxa
Nympho.666

F-PROT's earlier versions could detect the following 13 
viruses. Now they can also be removed.

Acvt                                   Creator
Beer.2794                              June_12th
Beer.2850                              Screaming_Fist.II.652
Beer.3164                              Spinner
Beer.3192                              WXYC.A
Beer.3490                              WXYC.B

The following viruses have been renamed in order to make F-
PROT follow the CARO naming standard as closely as possible.

JH          ->>    Error_vir
Rythem.*    ->>    Leprosy.Skism.*
