
F-PROT 2.07 Update Bulletin Copyright (c) 1993 Data Fellows Ltd

This text may be freely used as long as the source is mentioned as
'Source: F-PROT 2.07 Update Bulletin Copyright (c) 1993 Data Fellows Ltd.'

-------------------------------------------------------------------------------


F-PROT 2.07 Update Bulletin
---------------------------

At the turn of the year it is customary to look back at the 
past and to foretell the future. It is appropriate to do 
both in this first update bulletin of 1993.
In 1992 there was much talk about viruses. The existence of 
viruses was brought home to most microcomputer users by the 
Michelangelo fever or by first-hand experience. By now very 
few are left who claim that the virus threat is negligible.

The expanded awareness of viruses shows clearly in our 
everyday work. Just a year ago even big companies contacted 
our support every time a virus was observed; nowadays our 
help is needed only with new or uncommonly intractable 
viruses. Disinfecting Form infections has become routine.

The reign of polymorphic viruses began in 1992. All kinds of 
self-encrypting viruses proliferated quickly, with the Dark 
Avenger's Mutation Engine (MtE) at their vanguard. Besides 
polymorphism, MtE represents another central trend of 1992: 
during the year numerous toolkit programs were developed, 
either to make virus writing easier or to make viruses 
harder to spot.

From the viewpoint of Data Fellows Ltd and F-PROT, 1992 was a 
success. F-PROT consolidated its position as the most 
technically advanced anti-virus software on the market. 
Development was continuous: as new versions came out, new 
features were added to the program along with detection of 
new viruses.

F-PROT had success also in the world at large. In the USA
F-PROT has become one of the most sought after anti-virus
programs, in Germany it is in a central position and in 
Nordic countries its share of the markets has grown 
steadily...
 
Virus protection is rewarding in the sense that the future 
can be foretold, at least in part: trends are comparatively 
easy to observe.

We think that the trends for the year 1993 will be the 
following:

o       More and more viruses have been appearing in shorter and shorter
        periods. We believe the growth rate will start to level off:
        more viruses will still be written in ever shorter periods of
        time, but the rate will not increase as fast as before.
o       There will be more polymorphic viruses.
o       The number of viruses that attack specific anti-virus
        programs will increase.
o       Toolkit programs for making viruses will become more common.
o       Viruses for the Windows and OS/2 environments will
        become more common.
o       The first cross-platform viruses will appear.


New virus discoveries
---------------------

Cinderella II
-------------
The Cinderella II virus stays resident in memory and infects 
almost every COM and EXE file that is executed; infected 
files grow by 783 bytes. The virus does not change the time 
stamp of the files it infects.

Cinderella II activates after it has infected one thousand 
files. When this happens, the virus tries to destroy data on 
the hard disk, but, due to a programming error, does not 
necessarily succeed.

The virus apparently intends to execute the BIOS call INT 
13h, AH=03h, an absolute disk write. The write would target 
sectors 1 to 8 of head 0 on the first hard disk, the area 
where the master boot record (MBR) and partition table are 
stored.

The virus would have written its own code over this area. 
Although the virus could not have activated from the master 
boot record, the overwritten MBR would have prevented the 
computer from booting. The virus is, however, unable to do 
this.

The programming error apparently stems from the virus trying 
to move the value of its current code segment into the ES 
register, so that the interrupt call would write the virus's 
own code onto the boot sector.

The Intel instruction set has no instruction that moves the 
Code Segment register (CS) directly into the Extra Segment 
register (ES). The virus therefore has to move the value in 
a roundabout way. A push cs / pop es pair would do this 
safely, but this virus apparently moves the value through 
AX, and in doing so overwrites the original value in the AH 
register. The value left in AH cannot be predicted, because 
it depends on how much memory was available when the virus 
went resident. The actual interrupt call may therefore do 
just about anything, including crashing the computer or 
writing rubbish to a random area of the hard disk.

After the INT 13h call the virus prints the text "Cinderella 
II<cr><lf>" over and over until the computer hangs. The text 
is stored XOR-encrypted, so it cannot be seen directly when 
the virus code is examined.

All in all, the Cinderella II virus is quite functional. The 
author of this virus is not known, but he is suspected to be 
from Finland. The know-how of Nordic virus writers seems to 
be improving. 

The signs of a Cinderella II infection are a reduction of 
available memory, a slight slowness in starting programs and 
a growth in the size of COM and EXE programs.
F-PROT finds the Cinderella II virus.

BootExe
-------
The BootExe virus, also known as BFD, was found on 20 November 
1992 at the University of Helsinki during a routine check. 
BootExe is the world's smallest functional multipartite 
virus: it infects both EXE programs and the boot sectors of 
hard disks and diskettes.

Because of its small size, BootExe does not contain much in 
the way of functions; it only spreads. The virus was first 
discovered in the USA and the CIS countries, but its origin 
is not known.

The virus works somewhat unusually: unlike most memory-
resident viruses, BootExe hooks the BIOS interrupt 13h 
instead of the DOS interrupt 21h. Most memory-resident 
protection programs watch INT 21h, so the virus slips past 
them. VIRSTOP, however, does stop BootExe.

The virus works as follows. When a computer is booted from an 
infected diskette, BootExe goes resident at the top of 
conventional memory; available memory shrinks by four 
kilobytes, and the virus hooks interrupt 13h for its own 
use. BootExe then infects the master boot record. To hide 
its actions, it then runs the original boot sector code, 
which fails, however, if the diskette in question is a 5.25" 
HD diskette.

While resident, the virus monitors INT 13h. Whenever function 
02h (read sectors into memory) is called, the virus takes 
action: it reads the first requested sector into its own 
area and performs a number of checks on it.

If the sector turns out to be a boot sector, the virus 
infects it, so every write-enabled diskette is infected as 
soon as it is used in the computer. If, on the other hand, 
the sector begins with the letters MZ, the virus assumes it 
to be the first sector of an EXE file. 

In that case the virus makes sure there are at least 453 
unused bytes between the header and the actual code area, 
and that the file size given in the header is less than 64 
kilobytes; otherwise it does not infect the file. The virus 
is this picky because it intends to change the file's 
structure into that of a COM file, and a COM program cannot 
exceed 64 kilobytes.

If the sector meets these conditions, the virus changes the 
first two bytes of the program into a jump to the end of the 
program's header and places its own code there. This 
infection mechanism is very rare; The Rat is probably the 
only other virus to use a similar method. As a result, the 
size of infected files does not grow at all.

Note that after infection the programs are structurally COM 
files, although they keep the EXE extension. DOS nevertheless 
executes them correctly, because it decides how to load a 
file from the presence of the MZ signature, not from the 
extension.

The virus does not contain any kind of an activation 
routine. There are no character strings inside the viral 
code.

The presence of the BootExe virus is difficult to notice 
without special tools, since the size of infected files does 
not increase.

F-PROT finds the BootExe virus in both boot sectors and COM 
and EXE files.


F-PROT support informs: Common questions and answers
----------------------------------------------------

Common questions on anti-virus topics will also be discussed 
in the upcoming releases of F-PROT update bulletin.

If you have questions about information security or anti-
virus protection, contact your local F-PROT dealer. Support 
can also be obtained from Data Fellows on the phone number 
+358-0-692 3622. E-mail questions can be sent directly to 
Mikko Hyppönen, our representative on technical support; 
internet: mikko.hypponen@compart.fi. 


  I had a Yankee (TP-44) infection in my computer, after which I removed
  the virus from all infected files. Currently, when an anti-virus
  program is executed directly after booting the computer, it finds the
  virus in memory. It cannot, however, be found in any of the files. Now
  where is the virus lurking?

There are a few alternatives:

1) The virus is a new variant that the anti-virus software 
does not recognize in files. Its encryption, for example, may 
differ from the original's, while the anti-virus program 
still recognizes the unencrypted code once it is resident in 
memory. Scan the hard disk with heuristic analysis.

2) The program was packed after infection with an executable 
packer such as PKLite or LZEXE. F-PROT recognizes and unpacks 
files produced by the most common packers, but the packer 
could be a new, unrecognized one.

3) The most probable explanation is a virus "ghost". One is 
created when an infected program is replaced by a shorter 
file while the viral code is still on the disk. Because the 
DOS FAT file system allocates disk space in clusters of a 
fixed size, there is unused space at the end of almost every 
file; this area is called slack.
Because DOS reads whole sectors into its buffers, these 
unused areas are loaded into memory together with the 
programs themselves, and any viral code left in the slack 
comes along with them.

Consequently the anti-virus program finds the viral 
signature in memory, even though the virus itself is not 
active.

The slack areas can be erased with, for example, the "Wipe 
unused areas only" function of the Norton Utilities programs 
Wipedisk or Wipeinfo. Defragmenting the disk with PC-Tools' 
Compress or Norton Speed Disk may also help. In an extreme 
case the alarm can be eliminated by backing up all files, 
formatting the hard disk and restoring the files from the 
backups.
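
The following Python model is an added example, not part of 
the bulletin or of F-PROT; it shows where such a ghost lives. 
It keeps a few 2048-byte clusters in a byte array, writes an 
"infected" 1800-byte program containing a constructed search 
string, then overwrites it with a clean 1000-byte copy in the 
same cluster (an assumption about where DOS puts the 
replacement), and compares what a file scanner reads with 
what a whole-cluster read brings into memory, before and 
after wiping the slack. The signature string and program 
contents are constructed for the demonstration.

```python
"""Where a virus "ghost" lives: the slack of a shortened file.

Added model, not bulletin or F-PROT code. A FAT volume hands out space in
whole clusters and DOS reads whole sectors into its buffers, so the unused
tail of a file's last cluster comes into memory along with the file.
"""
CLUSTER = 2048                      # cluster size of our toy volume
SIGNATURE = b"YANKEE-TP44-SIG"      # constructed stand-in for a scan string


class ClusterDisk:
    """A few clusters of a FAT-style volume.

    write() touches only the bytes actually written, as DOS does; whatever
    was in the rest of the last cluster before stays there."""

    def __init__(self, clusters=8):
        self.media = bytearray(CLUSTER * clusters)
        self.files = {}             # name -> (first cluster, logical size)

    def _extent(self, name):
        first, size = self.files[name]
        start = first * CLUSTER
        cluster_end = start + CLUSTER * (-(-size // CLUSTER))   # ceil
        return start, start + size, cluster_end

    def write(self, name, data, first_cluster):
        start = first_cluster * CLUSTER
        self.media[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def read_logical(self, name):
        """What a file scanner sees: exactly the bytes the directory lists."""
        start, end, _ = self._extent(name)
        return bytes(self.media[start:end])

    def read_buffered(self, name):
        """What loading the file pulls into DOS buffers: whole clusters."""
        start, _, cluster_end = self._extent(name)
        return bytes(self.media[start:cluster_end])

    def wipe_slack(self, name):
        """The "wipe unused areas only" remedy: zero the slack, keep the file."""
        _, end, cluster_end = self._extent(name)
        self.media[end:cluster_end] = bytes(cluster_end - end)


def ghost_demo():
    """Return ((in_file, in_buffer) before wiping, same after wiping)."""
    disk = ClusterDisk()
    infected = bytearray(b"\x90" * 1800)            # constructed infected program
    infected[1500:1500 + len(SIGNATURE)] = SIGNATURE
    disk.write("PROG.COM", bytes(infected), first_cluster=0)
    # Disinfection replaces it with the shorter clean original. Assumption:
    # the replacement lands in the same cluster, which is how a ghost arises.
    disk.write("PROG.COM", b"\xcc" * 1000, first_cluster=0)

    def seen():
        return (SIGNATURE in disk.read_logical("PROG.COM"),
                SIGNATURE in disk.read_buffered("PROG.COM"))

    before = seen()
    disk.wipe_slack("PROG.COM")
    return before, seen()


if __name__ == "__main__":
    print(ghost_demo())     # ((False, True), (False, False))
```

The file scanner never sees the signature, because it reads 
only the 1000 logical bytes; the buffered read of the whole 
cluster does, which is exactly the "virus in memory, not in 
any file" report described above. Zeroing the slack makes 
both reads clean without touching the file itself.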


  When I was inspecting my hard disk, F-PROT reported "Error:
  invalid program" for two files. Does this indicate the
  presence of a virus?

The message means that the program has been damaged. Such 
programs contain the header of EXE files, but the values in 
it are faulty in some way. For example, the starting address 
of the program may indicate a place outside the program's 
memory area.

Most such programs are either truly damaged or they may also 
be overlay-type programs. Overlay programs function despite 
a faulty header, because the host program does not start the 
execution of an overlay file in the address indicated by the 
header, but in some other predetermined place.

The "Invalid program" check is performed because many viruses 
damage programs while trying to infect them. In some cases 
F-PROT can recognize the virus that destroyed a file, and 
then reports "A program destroyed by the Xxx virus".

For example, some variants of the Vienna virus family 
regularly failed when trying to infect programs. After such 
an attempt the program is no longer in its original state, 
because its starting code has been altered, but it does not 
contain a single byte of actual viral code either. Other 
viruses like this include Breeder, ExeBug, Hydra, Kamikaze, 
Kuku, LoveChild, Ninja and 99%; some of them destroy 
programs by overwriting them with a trojan.

Conventional anti-virus programs do not report such 
destroyed files, because they contain no virus signature. 
During disinfection, however, the user certainly wants to 
find every program altered by a virus, since after a failed 
infection attempt the programs no longer work.

In any case: the F-PROT report "Invalid program" is not 
necessarily caused by a virus infection or any other 
abnormality. 
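
Both the BootExe infection criteria described earlier (453 
unused header bytes, file smaller than 64 KB, decided from 
the first sector alone) and the "invalid program" test come 
down to reading the fixed fields of the MZ header. The 
Python script below is an added example written for this 
page, not F-PROT code. It parses the 28-byte header, reports 
why a file cannot be loaded as an EXE, tells whether a first 
sector would satisfy BootExe's conditions, and applies a 
heuristic for the footprint BootExe leaves (an .EXE that 
starts with a JMP rather than MZ). The 453-byte and 64 KB 
figures come from the text; the assumptions that the 
relocation table immediately follows the header fields and 
that BootExe needs the whole header inside the first 512-byte 
sector are ours, and the sample images are constructed in 
the script.

```python
"""Triage checks on the fixed MZ header of a DOS EXE file.

Added example for this bulletin page, not F-PROT code. Two checks from the
text: "Invalid program" (header or entry point CS:IP outside the load
image, as in a program damaged by a failed infection attempt) and BootExe
eligibility (at least 453 unused bytes between header fields plus
relocation table and the load module, header-declared size below 64 KB).
Assumption: BootExe only sees the first sector, so the header must fit
in 512 bytes.
"""
import struct
from typing import Optional

# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss,
# e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno  (little-endian, 28 bytes)
MZ_HEADER = struct.Struct("<2s13H")
BOOTEXE_MIN_UNUSED = 453
COM_LIMIT = 64 * 1024


def parse_mz(data: bytes) -> Optional[dict]:
    """Return the header values that matter for loading, or None if not MZ."""
    if len(data) < MZ_HEADER.size or data[:2] not in (b"MZ", b"ZM"):
        return None
    (_, cblp, cp, crlc, cparhdr, _, _, _, _, _, ip, cs,
     lfarlc, _) = MZ_HEADER.unpack_from(data)
    # Size in 512-byte pages; a non-zero e_cblp counts bytes in the last page.
    file_size = cp * 512 - (512 - cblp if cblp else 0)
    return {
        "file_size": file_size,
        "header_size": cparhdr * 16,
        "relocs": crlc,
        "reloc_offset": lfarlc,
        "entry": cs * 16 + ip,      # offset of CS:IP within the load image
    }


def invalid_program(hdr: dict, actual_len: int) -> Optional[str]:
    """Reason the file cannot be loaded as an EXE, or None if it looks sane.

    Overlay files may fail this test yet work, because the host program
    never enters them at the header's CS:IP (see the text above)."""
    if hdr["header_size"] < MZ_HEADER.size:
        return "header shorter than its own fixed fields"
    if hdr["header_size"] > hdr["file_size"]:
        return "header larger than the declared file size"
    if hdr["file_size"] > actual_len:
        return "declared size exceeds the file on disk (truncated?)"
    load_len = hdr["file_size"] - hdr["header_size"]
    if hdr["entry"] >= load_len:
        return "entry point CS:IP lies outside the load image"
    return None


def bootexe_eligible(first_sector: bytes) -> bool:
    """Would BootExe accept this file? It decides from the first sector only."""
    hdr = parse_mz(first_sector)
    if hdr is None or first_sector[:2] != b"MZ":
        return False
    if hdr["file_size"] >= COM_LIMIT or hdr["header_size"] > 512:
        return False
    # Assumption: the relocation table sits right after the 28 header bytes,
    # so everything from its end to the header's end is free space.
    used = hdr["reloc_offset"] + 4 * hdr["relocs"]
    return hdr["header_size"] - used >= BOOTEXE_MIN_UNUSED


def exe_looks_com_structured(name: str, data: bytes) -> bool:
    """Heuristic for the footprint BootExe leaves: an .EXE whose first bytes
    are a JMP (E9 near / EB short) instead of the MZ signature. Some clean
    programs ship this way too, so treat a hit as a lead, not as proof."""
    return (name.upper().endswith(".EXE")
            and data[:2] not in (b"MZ", b"ZM")
            and data[:1] in (b"\xe9", b"\xeb"))


def triage(name: str, data: bytes) -> dict:
    """One summary record per file, the way a scanner's report line would."""
    hdr = parse_mz(data)
    return {
        "mz": hdr is not None,
        "invalid": invalid_program(hdr, len(data)) if hdr else None,
        "bootexe_eligible": bootexe_eligible(data[:512]),
        "com_structured": exe_looks_com_structured(name, data),
    }


def make_mz(file_size: int, header_paras: int, relocs: int,
            cs: int, ip: int) -> bytes:
    """Constructed sample: an MZ image of the given shape with an empty body."""
    cblp, cp = file_size % 512, (file_size + 511) // 512
    header = MZ_HEADER.pack(b"MZ", cblp, cp, relocs, header_paras, 0, 0xFFFF,
                            0, 0x100, 0, ip, cs, MZ_HEADER.size, 0)
    image = bytearray(file_size)
    image[:len(header)] = header
    return bytes(image)


if __name__ == "__main__":
    samples = {
        "GOOD.EXE": make_mz(4096, 32, 2, 0, 0),
        "BROKEN.EXE": make_mz(4096, 32, 2, 0x1000, 0),    # CS:IP past the image
        "BIG.EXE": make_mz(70000, 32, 2, 0, 0),           # too large for BootExe
        "CONVERTED.EXE": b"\xe9\xfd\x01" + b"\x90" * 509,  # JMP where MZ was
    }
    for name, data in samples.items():
        print(f"{name:14} {triage(name, data)}")
```

The "invalid" reasons are deliberately descriptive rather 
than a bare flag, because the same check has to tell a 
truncated file apart from one whose entry point is wrong; 
the overlay caveat in the text applies to the last reason 
only.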


  During booting, my anti-virus program reported "A virus
  active in the computer". I powered down the computer, but
  now I cannot find any sign of a virus when I boot the
  computer from a clean diskette and search the hard disk.
  Furthermore, it looks like the anti-virus program is
  inspecting only a part of the hard disk, because in the
  final report it reports only a couple of programs as
  checked. I use a disk packing program.

Stacker, SuperStor, XtraDisk and similar disk compression 
("packing") programs create a new logical drive. They move 
the original files onto this drive in a compressed form that 
can only be read through the compression software's device 
driver. Without that driver the extra drive appears only as 
one big file.

When such a program is in use and the computer is booted 
from a diskette, the compression driver is not loaded, and 
F-PROT, like any other program, simply cannot read the files 
stored on the compressed drive.

Clean copies of the device drivers the compression program 
needs, together with a suitable CONFIG.SYS file, should be 
copied onto the rescue ("panic") diskette. The rescue 
diskette is usable only if the computer can be booted from 
it so that all partitions on the hard disk are readable.   


  I received a diskette from my business accomplice. When I
  searched the programs on it with my anti-virus software, it
  reported "Vacsina Loader". What is the difference between
  the Vacsina virus and the Vacsina Loader?

The Vacsina Loader is not an actual virus but an addition 
made to an EXE file by the Vacsina virus.

Vacsina was one of the first file viruses capable of 
infecting EXE programs in addition to COM programs. The 
infection of EXE programs is considerably more difficult 
because of their more complex structure. The author of the 
Vacsina virus solved this problem simply: the virus changes 
an EXE file's structure to that of a COM file, so that it 
can use the same infection routine on programs of either 
type.

The Vacsina virus stays resident in memory and activates 
every time the user runs a program. It checks whether the 
program starts with the letters "MZ". If it does, the virus 
adds a 132-byte loader routine to the program. The routine is 
based on similar code found in the FORMAT and CHKDSK programs 
of certain DOS versions, and it sees to it that the program 
is loaded into memory correctly even though its structure has 
been changed.

When the altered program is executed again, Vacsina can 
infect the file normally.

So, when an anti-virus program reports the Vacsina Loader, it 
has found an EXE file to which the virus has added this 
132-byte routine. The routine cannot spread by itself, and it 
usually does not hinder the program's functioning.

The reason why F-PROT reports the Vacsina Loader is that, 
after a Vacsina infection, there are typically many files on 
the hard disk which the virus has altered but not yet 
infected. This way, the user can easily find all the 
programs the virus has changed.  


  The text "VIRSTOP error" appears when programs are executed. Why?

VIRSTOP was started with the /DISK parameter, and the file 
VIRSTOP.EXE has since been deleted from the hard disk. The 
same happens when VIRSTOP was loaded from a file server and 
the network connection has since been dropped: with /DISK 
the program evidently reads its virus definitions from the 
file on demand instead of keeping them in memory.

If VIRSTOP.EXE is updated while the program is active with 
/DISK, the result is undefined: the program may print rubbish 
on the screen or even crash, because its virus definitions 
are being replaced underneath it.


  I bought a new game called GunShip 2000. I scanned the
  diskettes before installation, and F-PROT found a MtE
  infection. What's happening here?

F-PROT gives a false MtE report when this game is scanned, 
but only if all the files of the game are scanned.

The alarm is raised on the picture file BLK_CPIT.PIC, which, 
being a data file, could not contain a working virus anyway. 
In part the alarm reflects the complexity of MtE-encrypted 
viruses: this picture file happens to resemble code generated 
by MtE.

In general, scanning all files is not worthwhile unless the 
computer is known to contain a virus, because scanning data 
files is slow and prone to false alarms.

File viruses may occasionally infect data files, or programs 
without an executable file extension. A virus cannot spread 
further from a pure data file, and a virus that occasionally 
infects data files also infects normal program files, where 
it will be found. Scanning all files is therefore unlikely 
to add any security.

This false alarm is known and acknowledged, but changing the 
MtE search algorithm used by F-PROT was not considered 
justified by a single incident caused by a data file. The 
MtE detection currently used by F-PROT is very good indeed: 
it has been tested on over a million MtE samples with a one 
hundred percent success rate.

  I checked the brand new PKZIP with the Norton Anti-Virus
  program and it reported the Maltese Amoeba virus in the files. F-PROT,
  however, does not find the virus. Doesn't F-PROT recognize this virus
  at all?

Version 2 of PKWare's PKZIP was released on 4 November 1992, 
about a year and a half behind schedule. The great number of 
hacked versions in circulation made people check the new 
version, 2.04c to be exact, very carefully. By an unfortunate 
coincidence, Symantec's Norton Anti-Virus gave a false 
Maltese Amoeba warning while checking the program. In other 
words, PKZIP 2.04c is clean. Using version 2.04c cannot be 
recommended, however, because it contains many functional 
errors, some of them dangerous. A better alternative is 
version 2.04e, released at the end of January.

It pays to know where your programs come from. It is quite 
probable that some malicious person will infect PKZIP with 
the Maltese Amoeba and distribute it, and NAV's false alarm 
has been reported so widely that many people would ignore a 
real warning.

F-PROT recognizes the Maltese Amoeba virus, also called the 
Grain of Sand. 


The sensational PROTO-T
-----------------------

A text file describing a new virus called PROTO-T circulated 
on electronic bulletin boards late in 1992. It told of a new 
kind of virus that was menacingly spreading all over the 
world. Among other things, the virus was claimed to be 
impossible to detect and able to hide itself in the RAM of a 
modem or a hard disk. The text and everything it describes 
are pure invention; it would be technically impossible to 
build a virus matching the description.

A virus cannot hide its code in the buffers of modems or hard 
disks, because these memory areas are very small and 
unprotected: in practice the virus code would be overwritten 
almost immediately. In any case, part of the viral code would 
have to reside in normal DOS memory for the virus to function 
at all, since a PC executes only code located in its main 
memory.

It is possible to hide part of the viral code in the memory 
of a VGA card. At least one known virus, Starship, does so, 
but even in this case a part of the virus must be located in 
the DOS memory, where it can be observed by normal means.

The text was apparently a practical joke that spread 
uncommonly far. On the other hand, it inspired the writing of 
at least two new viruses: as the PROTO-T rumours spread, some 
individuals decided to cash in on its reputation and wrote 
viruses containing the text "PROTO-T". Naturally enough, 
these viruses have none of the characteristics described in 
the original text.


Special Offer: A Computer Virus
-------------------------------

Computer viruses fascinate people. In fact, some people are 
so fascinated that they are willing to pay money for them.
Computer viruses are not very easy to acquire. Only virus 
hobbyists and anti-virus professionals have large 
collections. Anti-virus people are generally unwilling to 
give samples of their viruses to outsiders - understandably 
enough, for it is difficult to bear the responsibility for a 
virus that is not under one's direct control.

It is usually easy to get viruses from virus hobbyists or 
collectors, but it may be quite difficult to contact them. 
Few people boast of collecting viruses. There are, however, 
those who see a marketing niche in viruses, and sell their 
collections publicly.

It is difficult to estimate the number of virus buyers. 
Probably, though, there are comparable numbers of those who 
want a virus for experimentation, for inspection and for 
use in acts of malice.

There are numerous examples of virus sales. The most brazen 
is probably "The Black Book of Computer Viruses", which is 
sold together with an order card for a virus diskette. A 
diskette containing four viruses costs fifteen dollars. The 
book has proved very popular, and translations into several 
languages are being planned; the French translation (called 
C'est décidé ! J'écris mon virus) has apparently been 
published already.

"Viruses for sale" notices can often be found in underground 
computer publications. The classified advertisements in the 
magazine 2600 - the Hacker Quarterly often include offers of 
virus collections at prices between 15 and 50 dollars per 
diskette, as well as notices from collectors seeking others 
to swap samples with.

The idea of selling viruses seems to attract many virus BBS 
system operators - it is, after all, a way to pay off some 
of the expenses of maintaining a BBS. The following message, 
which had been left in the public area of the international 
Fidonet message network, should serve as a good example of 
this:

-----
Msg:     465                    Reply to: -
To:      All                    Date: 01-05-93
From:    Aristotle              Time: 11:39
Subject: Call now!

Hello all, does anyone want some viruses?

                B L A C K    A X i S   B B S

                ( 8 0 4 )  5 9 9  -  X X X X

           2 5 0 0  V i R U S E S  -   6 5 0  A S M

                  T R O J A N S  -  L A B S

                           E T C . . .

The entire library is for sale to responsible individuals 
who are engaged in active research. No more HIGH DOLLAR 
phone bills, upload / download ratios, or general hassles 
from your constituents. Call for further details.

Responsible people only need inquire. Fools, wanna-be 
anarchists, and other criminal minded folks, need not apply. 
This is strictly legitimate...

ARiSToTLE...   

--- SuperBBS 1.16-B (Eval)
 * Origin: I don't know!!! The Vx BBS (804)599-xxxx 
(1:xxx/xxx)
-----

Similar examples can be found outside the USA as well. Two of 
the virus BBSs that have operated in Finland charged an 
entrance fee for their virus areas.

At the end of January the following message was posted to 
the Internet newsgroup alt.security, which has ordinarily 
been a forum for information-security specialists:

-----
From: xxxx@xxxxxx.digex.com (Albatross)
Newsgroups: alt.security
Subject: Virus Programs For Sale (Virus, Trojan, etc)
Date: 21 Jan 1993 22:38:00 GMT

	VIRUS'es    FOR    SALE

Have you ever wanted to test out your virus software to see 
if Norton Anti-Virus or McAfee's virus scanners really work 
and see if you're blowing your money or are you really 
protecting your vital computer data?

Well now you can play with some of the most ruthless & 
destructive viruses known to man. See if the Dark Avenger 
virus really can be detected by these money hungry anti-
virus software companies, or if your dollars are paying off.

Cost:           $20.00 per disk
Contents:	10 Viri per disk

Disk 1:         Disk 2:
1704 Virus	Jerusalem Virus
AIDS Virus	Jerusalem-B Virus
Cascade Virus	Inject Jerusalem (undetectable)
Dark Avenger    Joshi Virus
Elephant Virus	Killer Virus
Friday The 13th Virus	MobyZ Virus
Grither Virus	Leprosy Virus
Iraqi Virus	Kamasya Virus
Israeli Virus	DSZ (Zmodem) Virus
Hawaii Virus	CIA Virus

Disk 3:         Disk 4:
Pakistan Virus	Panic Virus
Phoenix Virus	Psycho Virus
Rabid Virus	Red Cross Virus
Schizo Trojan	Stoned Virus
Sunday Virus	Tequila Virus
Thor Virus	Thrash Virus
Tiger Virus	Tiny Virus (Strains A-F)
Tron Virus	S-Cadet Virus
Razor Virus	Spider Trojan
Sub-Zero Virus	Stoned II Virus (Source Code)

Send Checks or Money Orders To:
Anthony Xxxxxxx            <- Make Checks Payable To
xxxx Xxxx Xxxxxxx
Xxxxx 101
Silver Spring,  Maryland
20904

Include a letter or index card with the check noting which 
disk of virus software you would like to receive. Please 
allow 1-2 weeks for shipping.

NOTE:   Use of these viruses with intent to destroy data is a 
violation of the law. I will hold NO responsibility for such 
actions, if incidents are incurred.
-----

Virus sellers usually take care to stress that they are not 
responsible for the viruses they sell or for the harm done 
with them. Selling viruses does not appear to be illegal in 
itself anywhere except in Great Britain.

In its December issue the magazine Micro Mart carried a small 
advertisement offering 350 viruses for sale. New Scotland 
Yard's Computer Crimes Unit, an effective unit specializing 
in computer crime, raided the home of the man who had placed 
the advertisement. His hardware was confiscated, and he will 
be prosecuted under the Computer Misuse Act.

Also in this case the advertisement stressed that sold 
viruses must not be misused and that the seller assumes no 
liability for destruction caused by them. It remains to be 
seen how the case is eventually judged.

In any case, the selling of computer viruses is in breach of 
their authors' copyrights: few virus peddlers have the 
original author's permission to sell them. On the other 
hand, few virus writers will sue anybody for illegally 
duplicating their products - products which have no other 
function than to duplicate themselves!


Shortly
-------

o       The US virus groups Phalcon/Skism, NuKE and YAM have founded
        their own private message network, VxNET. In this network,
        particularly topics connected with virus development will be
        discussed. The network will cover some countries, but apparently
        not the Nordic ones.

o       The ExeBug virus, written in South Africa, defeats booting from a
        clean diskette quite effectively. It alters the setup information
        in the computer's CMOS memory so that the machine believes it has
        no diskette drives. The computer therefore always boots from the
        hard disk and loads the virus lurking in the master boot record
        before anything else. If a diskette is present, the virus then
        continues the boot from drive A, so that everything appears to
        work normally. It is thus hard to inspect an infected hard disk
        without the virus being active in memory; a machine that suddenly
        refuses to boot from drive A should have its CMOS diskette
        setting checked.

o       Virus Bulletin published a large review of anti-virus programs in
        its January issue. F-PROT won the test with the best detection
        rate and the fifth best speed. Twenty of the leading products in
        the field were included in the comparison. For more information
        contact Virus Bulletin Ltd, phone number +44-235-555 139.

o       A new virus-writing group, ARCV, has been founded in England. The
        name stands for "The Association of Really Cruel Viruses". The
        group has proved very active, measured by the number of viruses
        it has written: about 20-30 different DOS viruses so far, some of
        them technically quite advanced. Some have spread noticeably far,
        as the group actively distributes them. The group also publishes
        an electronic magazine and, by its own announcement, designs
        viruses for the Macintosh, Amiga and Atari environments.

o       At the end of January another virus infecting only programs of the
        Microsoft Windows environment was found. The new virus, not yet
        named, uses a new method of spreading. When it infects an EXE
        program, it renames the file's extension to OVL and writes its
        own code to disk under the original name. When the program is
        run, the virus infects more files and then executes the original
        program. The size of the new virus varies between 10 and 20
        kilobytes.


The new utility program, F-AUTO, automates virus checks
-------------------------------------------------------

A small utility program called F-AUTO.EXE is included on the 
F-PROT update diskettes. F-AUTO runs a program of the user's 
choice at a user-determined interval. With it, the F-PROT 
check can be run automatically on, say, every third day. To 
do this, the following line is added to the workstation's 
AUTOEXEC.BAT file: 

 F-AUTO.EXE /h 3 %COMSPEC% /E:1024 /C C:\F-PROT\FP.BAT

The parameter /h keeps F-AUTO from printing anything on the 
screen, and 3 is the desired interval in days. The rest of 
the line is the command to run. Because in this example a 
batch file, FP.BAT, is to be run, it has to be started 
through the DOS command interpreter. %COMSPEC% expands to 
the command interpreter in use, wherever it sits on the disk 
and whether it is COMMAND.COM, 4DOS.COM or NDOS.COM. The 
interpreter's own switches /E:1024 (reserve a 1024-byte 
environment for the child shell) and /C (run the given 
command and then exit) are needed for the batch file to run 
normally.

If the day parameter given to F-AUTO is 0, it runs the 
program the first time F-AUTO itself is executed on any 
given day.

Contact your local F-PROT dealer for help in using FP.BAT 
and F-AUTO. 


Do-it-yourself-Virus: Toolkit Programs
--------------------------------------

For years, virus writers have tried to prove their technical 
skill by making their viruses ever more complex.

To make viral code harder to interpret, they have used 
encryption, polymorphism and undocumented ("illegal") 
processor opcodes. Viruses have been written to hide their 
code in exotic places such as low memory, the stack or the 
video memory.

The latest trend, however, is to make virus writing easier. 
Skillful virus tinkers have written virus-designing programs 
whose purpose is to aid the process of making viruses. At 
worst, the result is a simple, menu-controlled program which 
anybody can use. Not even rudimentary programming skill is 
needed, because these programs produce ready-made, 
executable viruses which function according to their makers' 
wishes.

These programs can be divided in three different categories 
in the following way: 

1.      Construction sets for Trojan Horses
2.      Construction sets for viruses
3.      Utility-program libraries for viruses

Construction Sets for Trojan Horses
-----------------------------------
Representatives of this first subclass are programs such as 
the ViPER Trojan Horse Construction Set, the TROG Trojan 
Maker and the Ansi Bomb Generator. The first two work in the 
same way: the user is asked what the program should be 
called and when it should activate. A new COM or EXE file 
that destroys the data on a hard disk is created according 
to these instructions. The user can also define a text that 
is printed on the screen after the destruction.

The ViPER Trojan Horse Construction Set and the TROG Trojan 
Maker are both capable of creating quite destructive Trojan 
Horses, but they are not a serious threat as such. Trojan 
Horses do not spread themselves.

Ansi Bomb Generator is a program that simplifies the making 
of ANSI bombs. These are text files containing escape 
sequences that make the ANSI.SYS device driver redefine 
keys. The bombs are activated when a user views such a text 
file with the DOS commands TYPE or MORE. A bomb could, for 
example, redefine the space bar so that pressing it outputs 
"DEL *.COM" followed by a press of the return key.

Ansi Bomb Generator is a menu-controlled program, and by 
using it anybody can add destructive key-redefinition codes 
to text files. Free-form text can be written as a smoke 
screen around the harmful codes, and it is also possible to 
insert a bomb inside an existing text.

The Ansi Bomb Generator is not a serious threat. Ansi bombs 
are encountered quite rarely, and it is possible to protect 
against them completely by not loading the device driver 
ANSI.SYS in CONFIG.SYS.
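Besides leaving ANSI.SYS unloaded, a text file can be checked before it is shown with TYPE. The Python below is an added example for this bulletin, not part of F-PROT or of any of the tools described here. It scans a file for ANSI.SYS key-reassignment sequences (ESC [ keycode ; replacement ; ... p, where each replacement item is a decimal character code or a quoted string), reports which key is redefined and what it would send, and can strip those sequences while leaving ordinary colour and cursor sequences intact. The sample banner is constructed for the demonstration and mirrors the space-bar example in the text.

```python
"""Detect and strip ANSI.SYS keyboard-reassignment ("ANSI bomb") sequences.

Added example for this bulletin, not part of F-PROT. ANSI.SYS reassigns a
key with ESC [ keycode ; item ; ... p, where keycode is an ASCII code (or
0;scancode for extended keys such as F-keys) and each item is either a
decimal character code or a quoted string.
"""

ESC_CSI = b"\x1b["


def _scan_csi(data, start):
    """Parse the parameter list of a CSI sequence beginning at data[start].

    Returns (index just past the terminating 'p', tokens) when the sequence
    is a key reassignment; each token is (quoted, raw_bytes). Returns None
    for any other CSI sequence (colour, cursor movement, ...) or for
    malformed or unterminated input.
    """
    tokens, cur, quoted, quote = [], b"", False, None
    j = start
    while j < len(data):
        c = data[j:j + 1]
        if quote is not None:            # inside a quoted string
            if c == quote:
                quote = None
            else:
                cur += c
        elif c in (b'"', b"'"):
            quote, quoted = c, True
        elif c == b";":
            tokens.append((quoted, cur))
            cur, quoted = b"", False
        elif c == b"p":                  # reassignment terminator
            tokens.append((quoted, cur))
            return j + 1, tokens
        elif c.isdigit():
            cur += c
        else:                            # 'm', 'H', ...: harmless sequence
            return None
        j += 1
    return None


def _render(tokens):
    """Turn parameter tokens into the bytes ANSI.SYS would feed the keyboard."""
    out = b""
    for quoted, raw in tokens:
        if quoted:
            out += raw
        elif raw:
            code = int(raw)
            if 0 <= code < 256:
                out += bytes([code])
    return out


def find_key_reassignments(data):
    """List of dicts {offset, end, key, replacement}, one per reassignment."""
    hits = []
    i = 0
    while True:
        i = data.find(ESC_CSI, i)
        if i < 0:
            return hits
        parsed = _scan_csi(data, i + len(ESC_CSI))
        if parsed is None:
            i += len(ESC_CSI)
            continue
        end, tokens = parsed
        key = _render(tokens[:1])
        rest = tokens[1:]
        if key == b"\x00" and rest:      # 0;scancode = extended key
            key += _render(rest[:1])
            rest = rest[1:]
        hits.append({"offset": i, "end": end,
                     "key": key, "replacement": _render(rest)})
        i = end


def strip_key_reassignments(data):
    """Return data with reassignment sequences removed; other sequences kept."""
    out, pos = b"", 0
    for hit in find_key_reassignments(data):
        out += data[pos:hit["offset"]]
        pos = hit["end"]
    return out + data[pos:]


# Constructed sample: a friendly banner that rebinds the space bar (ASCII
# 32) to type "DEL *.COM" followed by Enter (13), plus a harmless colour code.
SAMPLE = (b"Welcome to the board!\r\n"
          b'\x1b[32;"DEL *.COM";13p'
          b"\x1b[31mEnjoy your stay.\x1b[0m\r\n")

if __name__ == "__main__":
    for hit in find_key_reassignments(SAMPLE):
        print("offset %d: key %r -> %r"
              % (hit["offset"], hit["key"], hit["replacement"]))
```

The scanner stops at the first character that is neither a digit, a quote, a separator nor the 'p' terminator, which is how colour and cursor sequences such as ESC[31m pass through untouched; a quoted string may contain any byte except its own quote character, so the terminator is only honoured outside quotes.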
 
Construction sets for viruses
-----------------------------

Programs, which enable anybody to create functional viruses 
without a deeper knowledge of programming, are counted as 
actual virus construction sets. 

Virus Construction Set
----------------------
Virus Construction Set, or VCS, published in 1990, was the 
first program whose sole purpose was the creation of 
viruses. VCS is of German make, and its authors have 
announced themselves as Verband Deutscher Virenliebhaber, 
which translates as "The German Association of Virus 
Lovers".

As a program, VCS is quite simple: the user is asked to give 
the name of the text file that will be linked into the 
virus and the number of generations after which the virus 
should activate. After this, the program creates a file 
called VIRUS.COM on the disk.

A created virus has a basic construction that is always the 
same and easily recognizable. The virus infects other COM 
files and activates after the predefined number of 
infections. Then it overwrites the files C:\AUTOEXEC.BAT and 
C:\CONFIG.SYS and prints the text that was linked to it when 
it was made.

The viruses created by VCS contain one slightly advanced 
feature: they check whether an anti-virus program called 
FluShot Plus is active in memory and will not spread if that 
is the case.

Both English and German versions of the Virus Construction 
Set have been made.

The following variants of the viruses made by VCS are known: 
Manta, Config, DarkSide, Post, Pussy, Ruf and VDV.853

Virus Creation Laboratory
-------------------------
Late in summer 1992 the next virus toolkit software was 
published: the Virus Creation Laboratory or VCL. Behind VCL 
stands the Nowhere Man, a member of the American group of 
virus writers, NuKE.

VCL is quite a remarkable product: it features a colorful 
graphical interface of nearly commercial quality with mouse 
control and drop-down menus, it is installed with a separate 
installation program and it is supplied with quite accurate 
and well-written documentation. VCL also contains the ICO 
and PIF files, with which it can be handily installed in the 
Windows Program Manager.

It is possible to easily create several different kinds of 
viruses with VCL. From the menus one can choose between a 
COM file -infecting, a companion virus or an overwriting 
one. In addition to those, Trojan Horses and Logical Bombs 
can also be made with VCL.

The Virus Creation Laboratory is an application of 
considerable versatility. By using it, it is possible to 
define exact activation conditions for a virus made with it, 
those being, for example, the date, time of the day, the 
number of infected files, a computer's country code, the 
version of DOS or the amount of available RAM.

VCL presents many alternatives for the activation routine of 
a virus or a Trojan Horse. Selections on the menu include 
crashing the computer, corrupting files, printing a freely 
chosen text on the screen or printer, overwriting whole 
disks and playing a freely composed tune. In addition, the 
user can add his own routines to the program's menu.

When a user has chosen the desired options, VCL creates the 
assembler-language source code of a virus or a Trojan Horse 
on the disk. The user can, if he so wishes, edit it still 
further before compiling it into an executable form.

Despite its great versatility, VCL has not become very 
popular among virus hobbyists. There are many reasons for 
this, but the most important probably is that the majority 
of anti-virus programs were able to find almost all the 
viruses made by VCL soon after it had been published. In 
fact, F-PROT recognized most of them even before VCL had 
been analyzed at all.

The functionality of VCL at the hands of virus tinkers is 
further reduced by the fact that it occasionally makes 
viruses that do not work at all - most of the source codes 
it creates cannot even be compiled with an assembler 
compiler. The Nowhere Man has, however, announced that he is 
working on a new version of the program - a possible VCL for 
Windows is also speculated in the documentation of VCL 1.0.
There are many interesting details to be found in the 
extensive documentation of VCL. Among other things, the 
Nowhere Man forbids the makers of anti-virus software from 
extracting search character strings from VCL or the viruses 
made by it.

Known viruses made by VCL include Code_Zero, Code_Zero.652, 
Diarrhea, Diarrhea6, Diarrhea6_Trojan, Diarrhea_II, 
Diogenes, DM_92_Bios, Dome.1, Dome.2, Dome.3, Dome.4, 
Donatello, Earth_Day, Earthquake, Enun, Heevahava, Kinison, 
Kinnison.734, Mimic, Pearl_Harbour, YD2, YD2.B, Venom, 
VMessiah, Yankee.A and Yankee.B

Phalcon/Skism Mass-Produced Code Generator
------------------------------------------
The American virus group competing with NuKE, Phalcon/Skism, 
quickly answered the challenge of VCL and published its own 
virus generator, the Phalcon/Skism Mass-Produced Code 
Generator or PS-MPC. PS-MPC has been written by a member of 
P/S known as the Dark Angel.

PS-MPC is considerably more functional than VCL, though not 
as showy. PS-MPC does not feature a user interface for it is 
used via an ASCII configuration file.

It is possible to make considerably advanced viruses with 
the PS-MPC. It is capable of creating memory-resident 
viruses which infect both COM- and EXE files. Furthermore, 
the viruses can be provided with a versatile encryption 
layer, which makes finding them a little more difficult.
PS-MPC does not add activation routines to the viruses it 
creates as a default, but since it produces ready-made, 
well-documented assembler source code, those can be later 
added easily by even a novice programmer.

Altogether three different versions of PS-MPC were 
published, after which the Dark Angel released the complete 
C-language source code to be freely distributed.

On all accounts, PS-MPC is a more functional program than 
VCL. The impressive list of known viruses made by it gives 
testimony of the fact: 203, 644, 696, Abraxas, Anathema, 
ARCV-1, ARCV-2, ARCV-3, ARCV-4, ARCV-5, ARCV-6, ARCV-7, 
ARCV-8, ARCV-9, Clint, Crumble, Death 2, Eclypse, Joshua, 
Kersplat, McWhale, Mimic-Den Zuk, Mimic-Jerusalem, Napolean, 
No Wednesday, Page, Schrunch, Skeleton, Small_ARCV, 
Small_EXE, Sunday Death, Swan_Song, Test, Tongue, Toys, 
Walkabout, Warez d00d, Z10 and Zeppelin.

Phalcon/Skism G
----------------
It appears that the Dark Angel was not wholly satisfied with 
the PS-MPC generator he had written, and so he published a 
program called Phalcon/Skism G on the turn of the year
1993. The name derives from its creator's opinion that G is
a second-generation virus generator.

The functioning of G very much resembles that of PS-MPC.
They have certain notable differences, however: G will
create a different virus every time, even though the values 
in the configuration file remain unchanged. G is also
supplied with a smallish file, G2.DAT, which contains the 
actual intelligence of the program. The Dark Angel has 
announced that he will supply update versions of this file, 
which will completely change the functioning methods of the 
program. 

The documentation of G describes its features as follows:

FEATURES

The target audience of G includes both novice and advanced
programmers alike who wish to learn more about virus 
programming. A revolutionary tool in virus generation, G
is both easy to use and unparalleled in performance. As a 
code generator, it has a number of features including:

o       Easy updates via data files.
o       Accepts MPC-compliant configuration files.
o       Different viruses may be generated from identical 
        configuration files.
o       Small executable size, allowing for speed during load 
        and execution.
o       Still no IDE - edit the configuration file in your 
        favorite editor and rapidly generate new code; no
        need for lengthy wait while IDE loads, allowing you
        to work faster and have results quicker. A definite
        productivity bonus!
o       Rapid generation of code, once again allowing for fast 
        results.
o       Low memory requirements.

As a virus creation tool, it has the following features:

o       Generates compact, easily modified, fully commented, 
        source code.
o       COM/EXE infectors.
o       Resident and nonresident viruses.
o       Supports multiple, semi-polymorphic encryption 
        routines (full polymorphism coming soon).
o       Easily upgraded when improvements are needed.

Clearly, G is the most advanced virus code generator
available today!
- -

So far, no viruses made by G are known, except for the demo
virus that is supplied with the package.

Instant Virus Producer
----------------------
YAM (Youngsters Against McAfee), a group founded in the USA, 
has contributed the Instant Virus Producer, or IVP, to the 
competition for the best virus generator. IVP has not, 
however, attracted popularity to speak of.

IVP does not feature the amount of functions VCL and PS-MPC 
do, it cannot, for example, create memory-resident viruses. 
In the same vein, the encryption algorithms of IVP are 
really very simple in comparison with, let's say, PS-MPC. To 
top it all, IVP frequently produces dysfunctional code.

Two versions of IVP have been published so far, the versions 
1.0 and 1.7. According to an announcement by YAM, IVP 2.0 
will challenge similar programs of all other groups.
Currently, only one virus made by IVP has been found, that 
being Bubbles which infects COM and EXE files.

GenVir
------
Many rumors abound of the GenVir program, but at the time 
this was written, no virus specialist had been able to 
acquire a sample of it.

The rumor has it that GenVir is a completely commercial 
software made in Netherlands. The program's maker announces 
its purpose as "a package for the testing of anti-virus 
software" 

Utility-Program Libraries for Viruses
-------------------------------------

This subclass consists of object libraries which can be 
linked to any file virus. The use of these libraries 
requires programming skill and familiarity with assembler 
programming, but it is not necessary for the user to 
understand the functioning of the routines in order to use 
them.

There are two known utility-program libraries. They are both 
designed to create a complex encryption layer around viral 
code.

Mutation Engine
---------------
The Mutation Engine, or MtE, is an encryption routine 
library made by the Bulgarian virus writer Dark Avenger. MtE 
was released into distribution early in 1992.

MtE is supplied with detailed instructions on its use. A 
virus writer can fairly simply link MtE to his own virus. As 
a result, the virus changes its outward appearance on every 
infection, for MtE dynamically generates a new encryption 
method together with the matching decryption routine, which 
makes a fixed search string useless against it.

All in all, MtE can create millions of different variants of 
the same virus. Virus writers have used MtE with COM, EXE 
and companion viruses.

Viruses using MtE include: Coffe_Shop, CryptLab, Dedicated, 
Encroacher.A, Encroacher.B, Fear, Groove.A, Groove.B, 
Insufficient.A, Insufficient.B, Insufficient.C, Pogue and 
Questo

TridenT Polymorphic Engine
--------------------------
A rival for the MtE, the TridenT Polymorphic Engine, or TPE, 
was found in December 1992. In practice, it is an object 
library that mimics the functioning of MtE. The encryption 
method, however, is completely different.

The man behind TPE is Masud Khafir, a member of the "TridenT 
Virus Research Group". The same person is suspected of also 
being responsible for the first Windows-specific virus, 
WinVir. There is no definite information about the group or 
even its country of origin. The group has, nevertheless, 
proved to be quite skillful. It is possible that TPE is 
capable of an even larger number of variations than MtE, 
which is, however, difficult to test in practice.

Two versions of TPE, 1.0 and 1.2, have been published. At 
the moment one virus using TPE is known. This virus is 
Giraffe, which infects COM and EXE files and which on random 
Thursdays prints on the screen a marijuana leaf and the text 
"Legalize Cannabis".


Situation in Sweden
-------------------
The sysop of the Swedish BBS Computer Security Center, 
Mikael Winterkvist, and the CEO of the information security 
corporation Virus Help Center Ab, Mikael Larsson, published 
an electronic bulletin, the Svensk Hack Rapport, at the end 
of October. The bulletin was a treatise on the virus 
situation in Sweden.

What made this bulletin so noteworthy was that Winterkvist 
and Larsson published the real names of the persons who 
managed virus BBSs in Sweden. This caused a considerable 
panic reaction in the Swedish underground circles. Among 
other things, there were threats to sue the publishers for 
slander.

The end result, however, was a success: at the end of 
January no charges had been pressed, and most of the BBSs 
that had been mentioned had terminated their operations.

The Svensk Hack Rapport had published the real names for the 
sysops of the following BBSs: Swedish Virus Exchange BBS, 
Swedish Virus Laboratory, Out Of Bounds, Fatal Future, Cross 
Point, Digital Orgazm and Antarctica. Two most notorious 
ones were probably Swedish Virus Laboratory, managed by a 
person with the alias Tormentor, and Out Of Bounds, the 
headquarters of the BetaBoys group.

Regardless of this, some BBSs continue their operations.
Otherwise the virus situation in Sweden has been very 
peaceful of late - doubtless the Svensk Hack Rapport had a 
hand in this. One new virus written in Sweden has been 
found, though. It is known as Tyst, for it contains the 
text "Tyst för fan.. Jag spränger!" ("Shut up, damn it.. 
I'm blowing up!"). The functioning of this virus is very 
simple, and it spreads by overwriting the first part of COM 
and EXE files.


Changes in F-PROT 2.07
----------------------

F-PROT can currently scan also diskettes in which the boot 
sector parameters have been altered so that DOS can no 
longer manage them. This kind of a diskette is still capable 
of spreading boot sector viruses.

F-PROT's compatibility with OS/2's HPFS disks has been 
improved.

In some cases F-PROT would not disinfect the NoInt variant 
of the Stoned virus. This has been taken care of.

No more "New variant of stoned" when scanning MBRs that have 
been cleaned with FDISK /MBR.

VIRSTOP gives a help screen with the /? switch

Superstore partitions are now recognised when using /HARD

Version 2.06 would not always identify Stoned.NoInt 
accurately, but occasionally as "New or modified variant of 
Stoned", and refuse to disinfect it.

A few minor false positives were corrected:

o "Uruguay" in a special version of COMMAND.COM which is 
  included on IBM PS/2 model 80 diagnostic diskettes, and in 
  a few other rare programs as well.
o "Possibly a new variant of Darth Vader" in a Chinese 
  character set program named HANVGA.COM.
o "Power Pump (1)" in some compiled batch files.

Version 2.07 - new viruses:

The following 50 new viruses can now be detected and 
removed:

_354
_377
_889
_1689
AT-140
Bit Addict
Bryansk
Chemnitz
Cinderella II
Cpw
Danish Tiny-310
Deicide II (Brotherhood and Commentator 2378)
Dismember
Dutch Tiny-117
Flash (Gyorgyi-695)
Gotcha-Legalize
Grunt-203
Ha!
Iper
Jerusalem-June 13th
Jerusalem II
Kalah-499
Keypress-1495
Little Brother (307, 349 and 361)
Loki
Malaise
Mr. Virus
Multi
Ncu Li
Proto-T (Civil War II and Proto-T)
PS-MPC (ARCV-4 and McWhale)
Storm
Suriv 1-B
Timemark-1060
VCL (Heevahava and Yankee-2)
Vienna (W13.450, W13.543, W13.679, 547, 598 and 600)
Wilbur
Wizard
Yankee-Casteggi
The following 33 new viruses can now be detected but not yet 
removed:
ARCV (Anna, Scroll and Scythe)
EMF-625
Keypress-Chaos
Kode 4
Nygus-752
Shadow
Small EXE-Joshua
VCL (Diogenes and Mimic)
Vienna-New Generation
Witch
X-1

In addition, the following viruses created with the PS-MPC 
toolkit can now be detected:

Abraxas
ARCV-1
ARCV-2.692
ARCV-3.693
ARCV-3
ARCV-5
ARCV-6
ARCV-7
ARCV-8
Eclypse
Kersplat
Mimic
Page
Schrunch
Small-ARCV
Swansong
Walkabout
Z10.702
Z10.704

The following 11 new viruses can now be detected but not 
removed, only deleted, because they overwrite infected files 
or damage them irreversibly:

_17690
4870 Overwriting-B
Burger-536
Deicide-B
Leprosy (736, 8101 and Seneca)
Ondra
Trivial (37, 42-B and Explode)
VCL DM-92

The following virus that could be detected but not removed 
with earlier versions of F-PROT can now be disinfected:

Stoned.Empire.Monkey.A

The following virus has been renamed:

ZK-900 -> Npox-900

F-PROT now recognizes the new Tremor virus which has quickly 
become more common in Germany. Tremor is a retrovirus which 
aggressively attacks the products Central Point Anti-Virus 
and Microsoft Anti-Virus. The virus is also heavily 
polymorphic.


Approaching Zero - More Information About Computer Crimes
---------------------------------------------------------

It may be hard for a person responsible for information 
security to get an overall picture of actual computer 
criminality. The new book Approaching Zero: Data Crime and 
the Computer Underworld contains good general information of 
the field.

The book has been co-written by Bryan Clough and Paul Mungo, 
who live in Great Britain. The book is published in 
hardcover edition and is approximately 240 pages long.

We wish to present our clients with the opportunity of 
expanding their knowledge of computer crimes and so offer 
this book at the price of XXXX. Those who order more than 
one copy get the benefit of a 10% price reduction.

Orders can be sent to any distributor of F-PROT by mail or 
by fax. The books are delivered to customers by mail. The 
delivery time is four weeks.

The following excerpt is taken from the introduction at the 
back of the book:

As our society becomes increasingly dependent on computers, 
so we become ever more vulnerable to the misuse of 
technology, whether for fraud, subversion, the theft of 
sensitive information or for sinister military and espionage 
operations.

In Approaching Zero Bryan Clough and Paul Mungo look at all 
aspects of data crime. They investigate notorious hackers 
and virus writers around the world, including:

o the Dark Avenger, a Bulgarian computer wizard whose 
  'Nomenklatura' virus broke through House of Commons security
  in October 1990
o the Italian virus laboratory which produces a new virus
  every week
o the American 'Rabid Group' whose members are committed to 
  the widescale destruction of computer systems

In a frightening yet compelling account they show how 
quickly we are all approaching zero - total computer 
shutdown.

-------------------------------------------------------------------------------

F-PROT 2.07 Update Bulletin Copyright (c) 1993 Data Fellows Ltd

This text may be freely used as long as the source is mentioned as
'Source: F-PROT 2.07 Update Bulletin Copyright (c) 1993 Data Fellows Ltd.'

This file may not be stored in a bbs that is offering viruses or
instructions on making them.

