
F-PROT Professional 2.12 Update Bulletin
========================================
Data Fellows Ltd, Wavulinintie 10, 00210 Helsinki, Finland
Tel. +358-0-692 3622, Fax +358-0-670 156, E-mail: f-prot@datafellows.fi

This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.12 Update Bulletin; Copyright (c) 1994 Data Fellows Ltd.

-------------------------------------------------------------------------------

CONTENTS 2/94
=============
 New ideas in the field of anti-virus utilities
 New viruses in the wild
 -  Quox
 -  Danish_Tiny.476
 -  Misis
 -  Dinamo
 -  Finnish_Sprayer
 Two new Macintosh viruses discovered
 Virus Bulletin 1994 Conference is coming
 Malware floating in BBSs
 Common Questions and answers
 Feature: Polymorphic Generators
 Ethics in Anti-Virus Toolkit marketing
 Changes in F-PROT's DOS version
 Changes in F-PROT's Windows version
 Changes in both DOS and Windows versions
 New viruses detected by F-PROT Professional 2.12


New ideas in the field of anti-virus utilities
----------------------------------------------

Any modern software application should adapt to different kinds of end 
users. The more widely an application is used within an organisation 
the more adaptable it should be.

An anti-virus utility should be installed in all personal computers. 
It should thus adapt to all kinds of users. We have aimed at 
developing a product family which combines the best possible scanner 
technology with a user interface that serves all kinds of users.

With this accompanying release of F-PROT for Windows we have added 
some interesting features for the sophisticated end user. It is now 
possible to start a scan by double-clicking a task file in the Program 
Manager or in the File Manager. F-PROT will be launched and the 
specified task executed.

This means that icons called Scan A:, Scan B: and Scan Hard Disk can 
be brought to the desktop. When a scan is needed, just double-click 
one of them and the corresponding task will be carried out.

We have also implemented something else that is, as far as we know, a 
first of its kind in the world. You can now drag and drop a bunch of 
files or folders from the File Manager on top of the F-PROT icon or 
window and they will be scanned with the settings given to the default 
task.

These features are not absolutely essential in an antivirus toolkit. 
However, as F-PROT serves a wide variety of users, we think it is 
important to keep abreast with modern user interface innovations.

F-PROT Professional for OS/2's 16-bit version is now ready and 
shipping. The 32-bit OS/2 version has just entered beta-test phase. 
Contact your local F-PROT Professional distributor for more 
information about our OS/2 virus protection solutions.


New viruses in the wild
-----------------------

The last few months have brought little variety to the global virus 
situation; most of the infections reported have been caused by old, 
well known viruses. However, a couple of viruses have recently been 
able to spread to several locations - and most of these have been boot 
sector viruses.

Quox
----
The Quox virus has been reported in the wild in several locations in 
Europe, Asia and USA during the last year. Quox is a relatively simple 
diskette and Master Boot Record infector. 

Quox is only able to infect a hard disk when a computer is booted from 
an infected diskette in drive A:. At this time, Quox infects the Main 
Boot Record. During later boot-ups from the hard disk, Quox will go 
resident in high DOS memory.

Once Quox is resident in memory, it will infect practically all non-
write protected diskettes used in the machine. Quox is also a stealth 
virus - if you try to examine an infected boot record while the virus 
is resident in memory, you will be shown the original, clean one 
instead.

Quox contains no activation routines or text strings. However, it will 
corrupt some diskettes seriously. Due to the virus's stealth 
capability, the damage may not be visible as long as the virus is 
resident in memory. When infected diskettes are used in certain clean 
machines, they will prove to be unreadable and, due to a bug in DOS, 
may even crash the computer.

The virus was found in Thailand, in July 1992. It was named "Quox" at 
the IBM High Integrity Labs, because, to quote David Chess of IBM, 
"there was no obvious good name, and we didn't have very many viruses 
starting with `Q'".

F-PROT Professional detects the Quox virus.

Danish_Tiny.476
---------------
This virus is also known as Black Wind. It was originally found in 
Estonia in the beginning of 1994. Afterwards, this virus has been 
reported to be in the wild in several Northern European countries. 
Like the original Danish_Tiny, this new variant is a direct action 
infector that targets COM files. The virus is encrypted with a 
variable key.

Danish_Tiny.476 increases the size of infected programs by 476 bytes. 
It activates on the 6th day of any month, at which time it formats the 
hard disk's first track, overwriting the MBR code and the partition 
information. This makes the hard disk effectively inaccessible. After 
this, the virus displays the following text and hangs the computer:

	BLACK WIND VIRUS...
	Copyright (C) 1992, Destructive Technologies, Unlimited.

F-PROT Professional detects the Danish_Tiny.476 virus.

Misis
-----
Misis is a very small boot sector virus from Russia. It is known to be 
in the wild in the west also - confirmed reports have been received 
from UK and Norway. 

The virus uses stealth routines, so the infected boot sectors will 
seem to be clean if they are inspected while the virus is resident in 
memory. 

Practically all boot sector viruses decrease the amount of available 
DOS memory from 640 KB and use this 'memory-hole' to store their code 
in. They cannot go resident by using the usual DOS calls, because they 
activate before DOS is even loaded. This makes most boot sector 
viruses easy to spot, since the user can check the amount of total DOS 
memory with the MEM or CHKDSK commands. 

Misis uses an unusual way to circumvent this symptom: it stores its 
code in low system memory, overwriting part of the interrupt vector 
table. This makes the system potentially unstable, because any program 
that changes the higher interrupt vectors (from 94h to FFh) will 
overwrite part of the resident virus code, probably causing the system 
to crash.

One side-effect of this virus is that infected diskettes will work 
normally in an infected machine, but will cause read errors if 
accessed in a clean computer. This happens because the virus 
overwrites the disk parameter block which, on diskettes, is stored in 
the beginning of the boot sector. On infected machines this has no 
effect, because the virus stealths the changes it has made.

Misis contains several phrases of Russian text. These are not 
comprehensible on machines without a Russian screen driver. Translated 
to English, the texts read approximately as:

        Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov
        Soft 236-25-35. "Zharinov" come!.. Database NIKA!

        Go away from computer! Work for programmers! Fame to Lozinsky!
        Were you warned by the Surgeon General?! Pray all...

Lozinsky is a well-known Russian antivirus expert. The virus contains 
an activation routine, which causes some of the above-mentioned texts 
to be displayed in the upper left corner of the screen. On western 
machines, these messages show up as garbage. The texts are displayed 
in yellow blinking colour on brown background. The virus triggers 
every 16th time the boot sector is accessed.

                         <MISIS.GIF>

    The Misis virus displays Russian comments in the upper-left
                      corner of the screen

The Misis virus was originally known as Zharinov. The name was changed 
when it was found out that Zharinov is the name of a professor at the 
MISiS, and that the virus was most likely written by one of his 
students. Mr. Zharinov himself obviously has nothing to do with this 
virus.

F-PROT Professional detects the Misis virus.

Dinamo
------
Dinamo is another Russian boot sector virus. It has been found in the 
wild in Europe and Asia. Reports of Dinamo have been received from 
Hong Kong, China and Denmark. The virus infects MBRs and diskette boot 
records in the same manner as the Quox and Misis viruses. Unlike them, 
however, Dinamo is not a stealth virus.

The virus gives the only visible sign of its presence if it encounters 
an error while reading the boot sector. Then it will display the 
following text and beep the speaker three times:

        Dinamo(Kiev)-champion !!!

This text is encrypted with a XOR BDh operation, but the virus is not 
otherwise encrypted.

F-PROT Professional detects the Dinamo virus.

Finnish Sprayer
---------------
Finnish Sprayer was first found in Finland in December 1993. 
Thereafter, it quickly became very widespread, emerging all over 
Finland. Later on, this virus has also been found in Sweden, Russia 
and Estonia.

Finnish Sprayer operates as a normal boot sector virus, infecting 
floppy boot sectors and hard disk MBRs. It contains the following 
unencrypted text: 

        Tks to B.B, Z-VirX ..... [Aija]

Finnish Sprayer is two sectors long. It stores the original boot 
sector and its own code on the last sectors of the active partition. 
The virus will not infect a hard disk if the active partition's file 
system is not DOS. This means that PCs running, for example, OS/2, 
Novell DOS with HD password protection, Windows NT or some UNIX 
variant will not be infected.

Finnish Sprayer uses stealth techniques, which means that it cannot be 
found from the MBRs of hard disks while it is active in memory.

The virus activates on the 25th of March, which, in Finland, is the 
name day of Aija. Aija, which is a girl's name, is referenced twice in 
the virus code. When the virus activates, it overwrites random sectors 
of the active partition, changes the screen background to grey, and 
displays the following text:

        FINNISH_SPRAYER.1. Send your painting +358-0-4322019 (FAX), [Aija]

This text is not visible inside the virus code, for it is encrypted 
with a XOR 50h operation. The phone number belongs to the Finnish 
House of Parliament - which received tens of faxes during this year's 
activation day. 

In Finland alone, the virus is reported to have activated on 
approximately two hundred PCs - and the total number of infected 
machines rises to several hundreds. These numbers are quite amazing, 
because the virus was first found only couple of months ago.

The Finnish anti-virus organisations have followed the Finnish Sprayer 
incident very closely, and this has made it possible to compile 
remarkably accurate statistics of the incident. We have attached one 
of these statistics here: a map of Finland with markers showing the 
locations where this virus was found.

F-PROT Professional detects the Finnish Sprayer virus.


News In Short
-------------

Two new Macintosh viruses discovered
------------------------------------
During the last months, there have been two new Macintosh virus 
sightings. The new viruses are INIT9403 and INIT-29-B. INIT9403 has a 
destructive activation mechanism: after infecting a certain number of 
files, it erases the disks connected to the system and attempts to 
destroy disk information on all connected hard drives. For finishing 
touches, it attempts to completely erase the boot volume.

All major Macintosh antivirus products have been upgraded to handle 
these viruses. Contact your local F-PROT Professional support for a 
free copy of the Disinfectant 3.4.1 antivirus software to protect your 
Macintoshes.

Virus Bulletin 1994 conference is coming
----------------------------------------
Virus Bulletin, an UK-based publication focusing on computer virus 
prevention, recognition and removal, is gearing up for its annual VB 
Conference. This year's conference will be held on the 8th and 9th of 
September in Jersey, UK. 

For the first time, this year's conference will feature an exhibition 
of anti-virus products. And as usual, a large number of experts will 
present their papers on current topics in antivirus field. This years 
speakers include:

  o  Vesselin Bontchev (University of Hamburg, Germany)
  o  Steve White (IBM, USA)
  o  Jeremy Gumbley (F-PROT Support of Symbolic, Italy)
  o  Alan Solomon (S&S International, UK)
  o  Joe Wells (Symantec, USA)
  o  Mikko Hypponen (F-PROT Support of Data Fellows, Finland)
  o  Jan Hruska (Sophos, UK)
  o  Sara Gordon (Indiana University, USA)

For more information, contact Virus Bulletin at +44 235 531889, e-
mail: virusbtn@vax.oxford.ac.uk.

Malware floating in BBSs
------------------------
As usual, the BBS scene has been plagued by the occasional trojan 
horse or two. At least two widespread cases have occurred during the 
last few months.

In the beginning of March, a file called NOVADEMO.ZIP was uploaded to 
several European BBSs. The file was described to contain "a new 
amazing demonstration". Amazing it was indeed. The unsuspecting users 
found out that, instead of showing graphical patterns, the program 
copied its own code over all other executable files it could find. The 
program was classified as an overwriting virus, and F-PROT 
Professional now recognizes it as HLLO.Novademo. The program also 
contained the following text: "This is Dangerous Messanger, and here 
is my message to the world". Another version of this piece of malware 
seems to be floating around in a file called !BBS_AD.ZIP.

In the start of April 1994, another harmful program was spread via 
BBSs. This time an existing application, the Galaxy Music Player, was 
trojanized. The trojanized program claimed to be the version 2.06 of 
Galaxy Music Player, but it proved to be a simple trojan horse, which 
attempted to overwrite part of the hard disk when run. In order to 
gain enough time to do as complete a destruction as possible, the 
trojan started by displaying an initialization message. This trojan 
contained several texts like "Hello Fucking Rasist !!! Try your 
harddrive now." and "HD-VIPER BY PHROPHET PHARAKHAN OF C.O.N.E '94".

The author of this trojan also showed a twisted sense of humour: a 
questions-and-answers text file included in the archive had been 
modified to contain one additional question:

  Q: Why i got message 'INVALID MEDIA TYPE' after running GLX ?

  A: Because this is fake production to nail same lamers. Coded by
     Phrophet Pharakhan of C.O.N.E.H '94.


Common Question and Answers
---------------------------
If you have questions about data security or antivirus issues, please 
contact your local F-PROT distributor. You can also contact Data 
Fellows Ltd. directly, in the number 358-0-692 3622. Written questions 
can be mailed to: Data Fellows Ltd, F-PROT Support, Wavulinintie 10, 
00210 HELSINKI, Finland. If you prefer e-mail, the address in Internet 
is: F-PROT@DF.elma.fi, and in X.400: S=F-PROT, OU1=DF, O=elma, P=inet, 
A=mailnet C=fi.


After installing F-PROT Professional and executing VIRSTOP.EXE,  I 
received the message "VIRSTOP.EXE has been modified - reboot from a 
clean disk!" What has happened?

        For some reason, VIRSTOP did not pass its self-check. There are two
        probable causes:

        1)  Either your diskette or diskette drive is faulty, and this
            has caused the VIRSTOP.EXE file to be corrupted during the
            copying process. Try to install the program on another
            computer. If that doesn't help, ask for a new floppy from
            your local F-PROT Professional support. Try to execute
            F-PROT.EXE, which is also self-checking.

        2)  Your computer's memory contains a virus, which has infected
            the VIRSTOP.EXE file either when it was copied or when it
            was executed. Again, see what happens if you execute
            F-PROT.EXE. You may also want  to compare the contents and
            the file size of the VIRSTOP.EXE file to the same file on
            the write-protected distribution diskette. Boot the machine
            from a clean DOS diskette and execute F-PROT from the
            installation diskette to check your hard drive.


I have a HP48 pocket computer, and I have heard that there are viruses 
which are able to infect them. Is this true?

        Yes it is. It sounds unbelievable that these little computers
        which look like pocket calculators could actually have a virus
        problem, but there are currently several different viruses which
        infect HP48 series.

        One of the HP48 viruses that has been found in the wild is
        called Michigan. It is probably written in USA. The original
        version of this virus only displayed error messages like
        "Defective ROM", but later variants have destructive routines
        added to them. There are also several different HP48 viruses
        which originate in France. Contact your local HP48 user group
        for antivirus tips and utilities.


Our users like the way F-PROT Professional for Windows adds new quick-
access icons to Program Manager for scanning floppies. However, on 
slower machines the memory test takes longer than the actual floppy 
scan. Is it really necessary to scan the memory every time a quick-
access icon is clicked?

        If your users are already running scheduled checks on their
        local drives, it is not necessary to perform the memory check
        before every scan. There are two ways to by-pass the check.

        Your users can start the actual F-PROT for Windows application
        and keep it minimized. When they want to check a floppy, they
        can enlarge the application and click the appropriate toolbar
        button. F-PROT for Windows will only check the memory when the
        first scan is made.

        Another way is to directly modify the properties of the
        quick-access icons. Select an icon, and open its Properties
        dialog by choosing the command File/Properties in Program
        Manager. In the dialog, add the switch /NOMEM to the end of the
        command line. After this, the memory check is automatically
        by-passed when the icon is clicked. It is not recommended to
        disable the memory check for the Check hard drive icon, though.

                                <Properties.GIF>

                Properties-dialog of a F-PROT for Windows task file


Polymorphic Generators
----------------------

Polymorphic viruses
-------------------
The rise of polymorphic viruses can be seen as virus writers' response 
to the increasing expertise of virus scanners. Since properly built 
scanners can recognise viruses by their characteristic code, the 
obvious way to try to beat scanners was to design viruses that change 
their code, thus rendering recognition with search strings impossible.

Polymorphic viruses employ code alteration and encryption to hide 
themselves from scanners. Their usual tactic is to encrypt the main 
part of their code with a variable key and leave only the decryption 
executor unencrypted. The decryption code is altered during every 
infection to prevent detection with a search string.

However, it takes considerable skill to design a polymorphic virus. 
This kept the number of true polymorphic viruses quite small for a 
relatively long time. Of course, this couldn't last forever: At some 
stage, the heavyweights of the virus trade took notice and came to 
rescue their less skilled brethren by writing and distributing 
polymorphic generators.

Polymorphic generators
----------------------
Polymorphic generators are routines which can be linked to existing 
viruses. The generators are not viruses per se; their purpose is to 
hide actual viruses under the cloak of polymorphism.

The first all-purpose polymorphic generator was the Mutation Engine, 
or MtE. Published in 1991, capable of billions of different 
permutations, linkable to any virus, it heralded the age of instant 
polymorphism. Today, there are 33 different viruses which are known to 
use the MtE.

Other polymorphic generators followed in MtE's wake. The next two 
appeared late in the year 1992. They were the TridenT Polymorphic 
Engine (TPE) and NuKE Encryption Device (NED).

TPE was written in the Netherlands. In principle it is capable of 
producing smaller number of different permutations than the MtE. 
However, it created detection problems for antivirus products because 
the decryptors it creates are more generic than those produced by MtE. 
NuKE's generator wasn't quite as advanced, but unlike most other 
polymorphic generators, it was distributed as readable source code 
instead of an object module.

Other known polymorphic generators are Dark Angel's Multiple Encryptor 
(DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation
Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark
Slayer Confusion Engine (DSCE).

These generators are typically distributed via underground networks, 
virus exchange BBSs and private areas in the internet.

Operating Principles
--------------------
Polymorphic generators are code modules which a programmer can 
incorporate into a program. After this, the program can use the 
functions the code module contains. This process is called linking. 
Once a generator is linked to a virus, it becomes an intrinsic part of 
the said virus. The virus will thereafter carry the engine along while 
spreading itself.

It should be noted that the generator itself does not care in which 
kind of a program it is linked to. The known polymorphic generators 
are clearly written to be linked to viruses, but in principle they 
could be used in other kinds of programs as well.

When a virus that employs a polymorphic generator is infecting a 
program file (or some other object), it requests the generator to 
create an encrypted copy of the virus code and the generator itself. 
Besides performing the encryption, the generators also create a 
decryptor - a routine which is able to undo the encryption applied to 
the actual virus code.

The generators often use relatively simple encryption techniques. 
However, they do change the encryption key during every execution. 
This alone makes the detection of such a virus difficult, but 
encrypted viruses retain one Achilles heel: the decryption routine, 
which must remain unencrypted if it is to be executable. Thus, the 
true effectiveness of a polymorphic generator is measured by its 
ability to mutate the decryption routine.

All polymorphic generators need some kind of a randomisation routine 
in order to create different algorithms each time. Some of the 
generators allow the virus programmer to substitute his own 
randomisation routines instead of the original one.

Polymorphic generators are able to create completely different 
encryption methods and a wide variety of different decryption routines 
for them. They modify their decryption routines by such means as 
shifting the commands inside the routine around, adding ineffectual 
commands in random places and using different processor registers and 
opcodes. 

The basic idea is to make the binary image of the decryption routine 
totally different between different infections. All this makes it 
impossible to search for the decryption routine with fixed search 
strings - there is no search string that could always be found in 
infections made by a polymorphic virus.

                     <Polymorphic-infection.GIF>

        How does a virus using a polymorphic generator infect a file?

        1.  A clean file before the infection. We'll call this the
            victim file.

        2.  The virus starts the infection process by modifying the
            victim file's first commands. It replaces them with a
            command to jump to the end of the file. The original first
            bytes of the file are stored in the virus's body.

        3.  Next, the virus calls the polymorphic generator to create an
            encrypted copy of the virus code and the generator itself.
            The generator also creates a decryption routine, which is
            added to the end of the victim file.

        4.  The encrypted code is added to the end of the victim file.
            This encrypted section contains three parts: a copy of the
            actual virus code, the original first bytes of the victim
            file, and the code of the polymorphic generator.


Limitations
-----------
When the first polymorphic generators were found, it was feared that 
there would be a huge rise in the number of polymorphic viruses. 
However, these generators have not proved as popular as was originally 
thought - only about one hundred viruses are known to use a generator.

One of the reasons for this is that a generator must be linked to the 
program to be encrypted, and since the operation requires changes to 
the program itself, some programming experience is necessary. This 
alone places the generators out of the reach of the run-of-the-mill 
virus enthusiasts. Unfortunately, the generators usually come with 
detailed instructions on their use, so that virus aficionados with 
even limited experience of assembly programming can easily use them.

Another limitation is the generators' size. Although the generators 
are quite small in themselves, they do increase the size of viruses by 
some amount. This makes it difficult to link them to boot sector 
viruses, which have limited code space. No generator-masked boot 
sector viruses have been found. With the exception of V-Sign (a mildly 
polymorphic boot sector virus), polymorphic capabilities seem to be 
the privilege of file viruses.

Of course, the advantage that viruses get from polymorphic generators 
is somewhat questionable. If an anti-virus program is able to 
recognise the presence of a particular generator, it is usually able 
to detect all viruses masked by it.

Detection
---------
Despite the cunning nature of polymorphic generators, viruses masked 
by them can be detected by using proper tools. Antivirus programs 
often employ algorithmic means to recognise files infected by 
polymorphically hidden viruses. Another way to find such viruses is to 
use checksumming. It is also possible to try to solve the encryption 
and search for the virus underneath the encryption layer.

Algorithmic methods
-------------------
Algorithmic methods are based on the fact that however much a 
generator mutates the decryption routine, it must still contain 
certain programming structures which make the decryption possible. If 
a program file contains such structures, the antivirus program can say 
with sufficient certainty that the file is infected by a 
polymorphically cloaked virus.

As polymorphic generators vary a lot, a different algorithm is needed 
for each generator - and in order to build such algorithm, the 
generator will have to be studied closely.

However, the algorithmic methods have a certain weakness: they are 
prone to false positives. The program structures employed by 
polymorphic generators can be very random. This means that similar 
structures sometimes occur inside legitimate program code. False 
alarms may crop up especially if data files are also included in the 
search, because they typically contain data similar to the random 
'garbage-code' which the generators produce. It is relatively easy to 
create an algorithm that will find all infections created with a 
polymorphic engine, but if the algorithm would also flag a large 
amount of clean programs as infected, it is useless.

Checksumming
------------
Checksums are comparison values calculated from the executables in a 
system. These values are stored in a database. When a checksum search 
is made, the checksums are re-calculated and compared with the 
original values in the database. Since this method detects all changes 
to a system, the mutability of polymorphically hidden viruses does 
them no good; a change is a change, and thus detectable.

Checksumming has its drawbacks, too: checksummers suspect all changes 
that happen inside a system, and occasionally give warnings of 
ordinary programs which alter their own code. Nowadays, checksummers 
are usually equipped with an exclude-list and a heuristic faculty to 
prevent this from happening.

Although theoretically able to detect all changes to a system, 
checksummers are vulnerable to stealth viruses. If such a virus is 
active in a computer's memory, it is able to hide all the changes it 
has made. When stealth viruses are involved, checksummers base their 
calculations on false data, and will consequently find everything to 
be in order. It should be noted that polymorphic viruses which also 
stealth their presence are very rare, simply because they are 
technically difficult to create.

Decryption-based detection
--------------------------
The decryption-based detection of polymorphic viruses work by first 
reasoning whether the examined object is encrypted. If the object 
seems to warrant suspicion, generic decryption methods are applied to 
it, and a string-based search is done to the code found underneath the 
encryption. 

This method works against some polymorphic generators with great 
success, but is difficult to implement for others. 

What is the best solution?
--------------------------
Checksumming is the strongest method against polymorphic viruses - as 
long as the machine is clean when the checksummer is installed, and 
the virus is not falsifying the information received by the 
checksummer. Checksummers will also detect those polymorphic (and 
normal) viruses that have not yet been analysed. 

The algorithm-based detection mechanisms against polymorphic viruses 
tend to have problems with false alarms, but these can be overcome by 
designing the detection engine carefully. One advantage of algorithm-
based detection is that, once a detection engine is able to detect a 
certain polymorphic generator, it will probably detect all viruses 
utilising it. 

A decryption-based detection mechanism can only detect those 
polymorphic viruses that have been analysed by the creator of the 
antivirus product, but it is very unlikely to produce false alarms. 
Furthermore, such a mechanism is also able to detect the exact variant 
of the virus in question - this is something that most algorithm-based 
detection methods are unable to do.

Thus far found...
-----------------
In the following are brief descriptions of the polymorphic generators 
that have been found to this date. The generators usually come with 
introductory notes which explain their use, and in which the authors 
seek to justify themselves, for example by prohibiting the use of 
their products in viruses, by trying to explain why polymorphic 
generators are beneficial, necessary and generally morally uplifting, 
or by giving the by now well-established lecture about free speech and 
freedom of expression. Since many of the generators' authors are 
members of well-known virus groups, these disclaimers can be seen as 
simple hypocrisy.

MtE (Mutation Engine)
---------------------
Mutation Engine was the first polymorphic generator, written by 
the Dark Avenger. MtE was put into circulation in 1991. It is 
the most widespread polymorphic generator, and has been 
incorporated to 33 different viruses.

Though revolutionary in its time, Mutation Engine is currently 
somewhat outdated. Practically all anti-virus products can 
detect MtE-hidden viruses. Nevertheless, MtE continues to be a 
source of inspiration for people aspiring to write polymorphic 
generators - for example, almost all generators written after 
MtE mimic the documentation provided with MtE.

MtE v0.91's size is 2048 bytes. 

TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine)
--------------------------------------------------------------------------
TPE was written in 1992 by Masud Khafir, a Dutch member of the 
TridenT virus group. Before and after TPE, Masud Khafir has 
created several advanced viruses. Among them are the first 
Windows virus, Win_Vir, the Cruncher virus series, and one of 
the most widespread viruses using MtE, the MtE.Pogue virus. TPE 
itself is based on the encryption routine of Masud Kafir's 
Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A.

To date, four versions of TPE have come out. The author has 
implied that he considers the product finished, and will not 
write further versions. The later versions of TPE are highly 
complex, making it one the most advanced polymorphic generators 
in the world. 

TPE version 1.1 was technically advanced, but it contained bugs 
which made it incompatible with some processor types. Versions 
1.2 and 1.3 corrected this problem. The last version, 1.4, 
introduced an improved, highly complex encryption method, which 
makes TPE-hidden viruses difficult to identify by using 
decryption-based detection methods.

A separate, modified version of TPE has also appeared. It is 
known as the Darwinian Genetic Mutation Engine (DGME). DGME was
published in Mark Ludwig's latest disputed book 'Computer 
Viruses, Artificial Life and Evolution'.

TPE takes up about 1.6 KB. Presently, it is known to be linked 
to 10 different viruses.

NED (NuKE Encryption Device)
----------------------------
NED, the first polymorphic generator from USA, appeared at 
approximately the same time as TPE. According to the 
generator's documentation, it was released in October, 1992. 
Nowhere Man is credited as being the author of this generator, 
but there have been suspicions that it is actually written by 
some other programmer. Nowhere Man is the author of NuKE's 
Virus Creation Laboratory, the VCL.

Unlike most other polymorphic generators, NED was distributed 
as source code. This, of course, makes it easier for other 
virus creators to modify the generator, but so far only a 
single version of NED has been found. The generator's 
documentation expressly forbids its distribution outside NuKE 
itself, but it has obviously been in wide distribution.

NED version 0.90B takes up 1355 bytes. It is known to have been 
linked to two different viruses.

DAME (Dark Angel's Multiple Encryptor)
--------------------------------------
Naturally enough, Phalcon/SKISM didn't want to be upstaged by 
NuKE. In 1993, this virus group, which originates from Canada, 
joined the fray with Dark Angel's Multiple Encryptor, DAME. The 
new generator's name may have been meant as a dig at some 
members of the anti-virus community, who had been using the 
name DAME for Dark Avenger's Mutation Engine, MtE.

Dark Angel published his generator during the summer of 1993 in 
issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has 
also written the two virus creation toolkits published by 
Phalcon/SKISM, the PS-MPC and G2.

Like NED, DAME was distributed as commented source code. Along 
with the generator, Dark Angel published an article which dealt 
with polymorphism and the writing of polymorphic generators in 
general.

Dark Angel was apparently not completely satisfied with his 
initial product, because he introduced an improved version of 
DAME in the next issue of 40Hex.

The first version of DAME, 0.90, took up 1574 bytes. The 
improved 0.91 version had grown to 1960 bytes. Dame is known to 
have been linked to two different viruses.

DSME (Dark Slayer Mutation Engine)
----------------------------------
DSME was the first polymorphic generator from Taiwan. It was 
written by a person calling himself Dark Slayer. DSME was 
published in the end of 1993.

Interestingly, DSME contains documentation both in English and 
Chinese. The author sends greetings to Dark Avenger and Nowhere 
Man and thanks for the inspiration he received from earlier 
polymorphic generators. 

DSME is not as advanced as the generators produced before it. 
Dark Slayer admits this in his notes. The actual size of the 
generator is little over 2 kilobytes.

At the moment, only one virus is known to use the DSME.

MutaGen
-------
In the beginning of 1994, a new author entered the stage. 
Calling himself MnemoniX, this American virus writer proudly 
presented a new generator called MutaGen.

At the moment, there are four different versions of MutaGen in 
distribution. Each successive version is more complex than the 
previous ones. Their sizes range from 1032 bytes to 1385 bytes. 
In MutaGen's documentation, MnemoniX criticizes the other 
polymorphic generators for being too unreliable and easy to 
detect.

MnemoniX himself has published two different viruses which 
utilise the MutaGen generator, but otherwise the response of 
the virus underground to this new generator is unknown.

GPE (Guns'n'Roses Polymorphic Engine)
-------------------------------------
The Guns'n'Roses Polymorphic Engine is a newcomer, written by a 
person calling himself Slash Wu. Like the Dark Slayer Mutation 
Engine, this generator originates from Taiwan - and it only 
comes with Chinese documentation.

In the generator's documentation, the author prohibits the use 
of the generator in viruses and other malicious software. He 
claims to have developed GPE solely for the purpose of 
protecting data and programs from unauthorised use. These 
claims are lent some credence by the fact that the author has 
included his apparently real name and phone number in the 
introductory notes.

Version 1.00 of the Guns'n'Roses Polymorphic Engine was 
released in March 1994. So far, the generator is not known to 
have been linked to any virus. It's size is about two 
kilobytes.

DSCE (Dark Slayer Confusion Engine)
-----------------------------------
There is at least one polymorphic generator which has so far 
eluded the antivirus researchers. The one that we know of is 
called DSCE, and it is written by the same author as DSME.

A file that demonstrated DSCE's abilities was sent to F-PROT 
Professional Support during April 1994. Deductions based on 
this demo indicate that DSCE is a rewritten version of DSME, 
and capable of creating far more complicated samples.


Ethics in Anti-Virus Toolkit Marketing
--------------------------------------

Anti-virus applications belong to a very special group of programs. 
When buying an anti-virus toolkit you might suffer a considerable loss 
if you purchase a second-class product. If you compare this to 
purchasing a word processor or a disk compression utility, the loss 
that results from getting a 3% smaller compression ratio or missing 
out on some special indexing options for long text documents is almost 
non-existent.

This means that you need to buy one of the best anti-virus utilities. 
How do you choose from the multitude of available tools? There are 
well over one hundred different anti-virus products in the market. 
Even if you represent an extremely large company, you can not test the 
software yourself since you do not have an extensive and up-to-date 
virus database.

Performance tests done against a large and well maintained collection 
of viruses give you a good idea of which toolkits are better than 
others.

Imagine yourself distributing an inferior anti-virus application. The 
position is not enjoyable. You have to convince the customers to buy 
your products, knowing all the while that there are much better 
products available. Furthermore, you know that if the customer 
purchases your product, it is possible that he will suffer a major 
loss because of the choice. 

This has led some companies to shift from promoting their own product 
to badmouthing a competing product. One thing continuously claimed of 
F-PROT by one competitor is that the winning test results are due to a 
hidden test mode in F-PROT. According to them F-PROT would not find 
viruses as well when used normally. This is, of course, technically 
absurd and simply false. 

There are other possible tactics as well. If you already have a 
customer and you do not want him to swap products, you can always 
threaten him with legal action. 

According to several customers of a certain anti-virus utility, an 
agent for the product has threatened them with legal action if a 
single copy of the licensed anti-virus programs is found on their 
computers after their license has expired. The threat was used when 
the customers announced their intention to change to another product. 

If you have thousands of computers you have no way of guaranteeing 
that you can remove all copies of the software before the specified 
date, a fact which the agent naturally realized. 

As an F-PROT customer you naturally retain license rights to the last 
update that you have received even if the update service expires.

A sad episode
-------------
We believe the extremely competitive market situation sheds some light 
on a recent course of events in Finland. An ex-employee of a local 
representative of a leading anti-virus utility was accused of hacking 
into the agent's BBS. Let us call the ex-employee John.

According to John the charges were brought after an unresolved dispute 
about unpaid holiday compensations.

John claims that he was told about a possible bug in the agent's BBS 
setup by an important customer. The customer contacted John because 
the BBS informed every caller that John was still responsible for 
technical support for the BBS. The system was originally built by 
John, and he decided to check whether a bug existed.

He accessed the BBS using a password belonging to the managing 
director of the agent. As the BBS only contained files related to the 
anti-virus utility and even the mail feature was disabled the managing 
director felt safe using a password composed of three similar letters 
(like "XXX"). This was well known by the employees of the company. We 
hope that he has already changed his password.

Even though John should never have used anyone else's user id, he did 
not stop to think about this. After all,  he knew that there was 
nothing confidential in the system.

If John has reported the chain of events fully, it makes one wonder 
why criminal charges were brought against him. An answer may be found 
in the fact that John was employed by us at the time of the alleged 
hacking.

When we heard about the charges being brought against John and after 
talking with the managing director of the agent, we decided to fire 
John. We decided to do this even though we believed and still believe 
his story, because in our line of business we have to be completely 
secure.

We also informed the agent that we had fired John.

An efficient press campaign
---------------------------
After a few days the truth began to come out. A well orchestrated 
press campaign was launched and a couple of articles were printed. In 
these articles the managing director of the agent was quoted as saying 
something like: "It will be very difficult to determine the extent to 
which John's current employer is involved in this theft of 
information."

These articles were also faithfully translated and sent to members of 
the international press to get more publicity to the suspicions. 

No one thought of asking the police whether they had suspicions 
against Data Fellows. The superintendent in charge of the 
investigation would have been happy to reply that at no time during 
the investigation had Data Fellows been even suspected.

After all this, we saw no choice but to sue the agent for 
orchestrating false rumours about our involvement. 

At this stage it seems that, if John's story is true, the agent is 
happily sacrificing an innocent person's career just to get a couple 
of short lived punches in at us.

All of this would be even more depressing if the agent were found to 
have actually falsified evidence to support claims about data theft. 

This is one of the problems in data crimes. The owner of the 
information still has the information after it has been stolen. This 
makes it difficult to prove that information has been stolen but it 
makes it even more difficult to prove that nothing has been stolen. 

If the information system has a log, it will only show that a 
legitimate user has visited the system (in this case the managing 
director has visited the BBS). It is practically impossible to specify 
which login is done by an impostor and which is legal if the owner of 
the system does not want this to be found out. 


Changes in F-PROT Professional 2.12
-----------------------------------

Changes in F-PROT's DOS version
-------------------------------
VIRSTOP's behaviour has changed: it will now beep whenever it finds a 
virus. It will not display a separate alarm screen under Windows, but 
instead sound an alarm and display the alert text as in DOS.

When the /ANALYSE option is used, F-PROT will no longer report 
'Invalid entry point' if a file has some other extension than COM or 
EXE - OVL, for example. This reduces the amount of non-important 
messages during Heuristic Analysis.

Also the operation of VIRSTOP's /DISK-parameter has been changed. When 
this parameter is used, two temporary, hidden files are created: 
_VIRSTOP.TMP and _VIRSTOP.SWP. By default, these files are stored in 
the root directory of drive C:. Files can be located to another disk 
by issuing a drive letter after the /DISK command. For example, 
/DISK:E stores the temprorary files to drive E: Temporary drive should 
be as fast as possible because it affects the speed of VIRSTOP - a 
RAM-drive is a good choice. Due this change, the VIRSTOP.EXE file can 
now be updated or deleted while VIRSTOP is resident with the /DISK-
parameter. VIRSTOP 2.12 allocates 3.7KB of memory with the /DISK 
parameter.

Changes in F-PROT's Windows version
-----------------------------------
An Update option has been added to the SETUP program. 

Memory check now allows multitasking at the same time. A progress bar 
has been added to the dialog.

F-PROT could not scan all network or local drives if VIRSTOP was 
resident in memory. Instead, it only scanned the first available 
drive. This has now been corrected.

The 'Stack overflow' message appeared if very deep directory 
structures were scanned. The problem has now been fixed.

If a task with an impossible drive specification was sent over the 
network, F-PROT entered a loop state. Now tasks which specify invalid 
drives are deleted and a message about this is sent to the 
administrator.

In some cases VIRSTOP would interfere if a diskette infected with a 
boot sector virus was scanned. This has been corrected.

If F-PROT is started with a Taskfile's pathname as the first command 
line parameter, the task is automatically executed.

Previously, the administrator could not delete protected tasks if they 
were sent from another workstation. Administrator is now able to 
delete all tasks.

A user-defined message used to be covered by the scanning indicator 
dialog, so the message wasn't visible until the scanning dialog was 
closed. The matter has been taken care of.

F-PROT can now be launched from F-Agent's system menu.

F-Agent's polling interval can now be adjusted from F-PROT's 
Preferences.

F-PROT can now install icons directly in Program Manager: Scan A:, 
Scan B: and Scan Hard Disk. These icons can be used to execute 
predefined tasks.

The scanning dialog now displays some informational messages during 
scanning, and a summary after the scan is finished.

Even when a task was distributed with the 'Prevent aborting scan' 
option, an end user was able to abort the scan. No more.

Disinfection capabilities have been added to F-PROT for Windows. 
Nevertheless, we still recommend booting from a clean diskette and 
using F-PROT for DOS to clean infections on the local hard drive.

Occasional sharing violation errors on the network drive have been 
eliminated. 

F-PROT now supports the dragging and dropping of files and directories 
on top of the F-PROT or F-Agent icon. The dropped objects will be 
scanned automatically.

F-PROT now supports multitasking during the initial memory test.

Changes in both DOS and Windows version
---------------------------------------
The identification of boot sector viruses has been improved 
significantly. F-PROT performs an exact identification of most boot 
sector viruses it detects. Previously, it would refuse to remove 
variants that differed by as little as one bit from the original 
virus, while other programs which did not do as good an identification 
would happily remove the virus. F-PROT now attempts to determine 
whether a new boot sector virus is sufficiently similar to a known 
variant for disinfection to be carried out.

If a virus is damaged when the file it infects has, for one reason or 
other, been shortened by a few bytes, F-PROT will now report '- 
truncated (xxx bytes missing)', instead of reporting just 'New or 
modified variant of ...'. This situation is very rare under normal 
circumstances. However, the function may interest researchers who have 
corrupted samples in their collections.

Previously, F-PROT would not detect all Cysta.8045-infected .SYS 
files. This has now been fixed.

The Stoned.Angelina virus could not be identified properly on 3.5" 
diskettes. The problem is now corrected.

Voronezh.1600-infected files were not always disinfected correctly. 
They are now.

The following false positives do not occur any more. The 'Tamanna' 
false positive appeared in 2.11. The others were present in older 
versions of F-PROT as well, but had not been reported to us before.

'Possibly a new variant of Tamanna' in PWLICLMT.EXE (part of a beta 
release of DEC Pathworks).

'Possibly a new variant of Cysta' in KBDF.COM (Turkish keyboard 
driver).

'Possibly a new variant of SillyOR' in a program named TRAPKEY.EXE.

'Leprosy' in a program named OPENPORT.COM. This false alarm occurred 
only with VIRSTOP and Quick Scan.


New viruses detected by F-PROT 2.12
-----------------------------------

The following 57 viruses are now identified, but can not be removed as 
they overwrite or destroy infected files. Some of them were detected 
by earlier versions of F-PROT, but only reported as "New or modified 
variant of..."

AB
Abraxas.1214
Abraxas.1304
Abraxas.1508
Burger.405.D
Burger.405.E
Burger.405.F
Burger.441
Burger.505.G
Burger.505.H
Burger.505.I
Burger.505.J
Burger.560.AK
Burger.560.AL
Burger.560.AM
Burger.560.AN
Como.1786
Doubleheart.452.B
Genvir.1376
Grog.Enmity
Grog.Sempre
Grog.Trumpery
HBT
HLLO.4505
HLLO.5760
HLLO.Mission
HLLO.Novademo
Hot
Milan.AntiNazi
Milan.Naziskin.270
Milan.Naziskin.903
Milan.Sabrina
Milan.Verbatim
Silly_Willy-trojan
Slugger
Trivial.23
Trivial.24
Trivial.25.B
Trivial.25.C
Trivial.27.D
Trivial.31.C
Trivial.36.A
Trivial.36.B
Trivial.36.C
Trivial.37
Trivial.38
Trivial.39
Trivial.42.F
Trivial.42.G
Trivial.42.H
Trivial.43.B
Trivial.43.C
Trivial.59
Trivial.66
Trivial.89
Trivial.342
Trivial.Ansibomb
Trivial.Vootie.B
VCL.526
VCL.Mindless.423
VCL.Muu
ZigZag.232

F-PROT can detect and remove the following 443 new viruses. Earlier 
versions of F-PROT could detect many of these viruses. Now they are 
also identified accurately.

_241
_451
_494
_635
_638
_779
_804
_1987
_2717
Accept.3619
Accept.3773
Aiw
Alexander.1843
Alexander.2104
AntiMIT.764
Arcv.Jo.912
Arcv.Ice-9.642
Armageddon.1079.E
Ash 712 1586
Australian_Parasite.152
Australian_Parasite.153
Australian_Parasite.155
Australian_Parasite.187
Australian_Parasite.215
Australian_Parasite.306
Australian_Parasite.635
Australian_Parasite.AMSV
Australian_Parasite.Feeble
Australian_Parasite.Vga_Demo
Australian_Parasite.Comic
Australian_Parasite.Lipo
Australian_Parasite.Gotter
Baba
Badsectors.3422
Baron
Behaviour.Herb
Berlusconi
Betaboys.615
Big_Bang
Billy
Black_Jec.230
Black_Jec.246
Black_Jec.Sad.300
Blood_Sugar
BUPT.1261
Butterfly.FJM
Cascade.1699.B
Cascade.1701.Jojo.G
Cascade.1701.M
Cascade.1701.N
Cascade.1701.O
Cascade.1701.P
Cascade.1704.S
Changsha
Civil_War.281
Civil.IV
Civil.568
Civil.586
Cybercide.1321
Cybercide.2256
Danish_Tiny.NC.284
Danish_Tiny.NC.286
Danish_Tiny.Wild_Thing.287
Dark_Avenger.1797
Dark_Avenger.1799
Dark_Avenger.1800.Eugen
Dark_Avenger.1800.L
Dark_Avenger.1800.Platina
Dark_Avenger.1813 Major
Datalock.828.B
Datalock.828.C
Deicide_II.622
Dementia
Dutch_Tiny.111
Ear Job Homecoming
Fax_Free.608.A
Fax_Free.608.B
Fax_Free.622
Fax_Free.623
Fax_Free.1024.C
Fax_Free.1024.D
Fax_Free.1024.E
Fax_Free.1536.Lamer
Fax_Free.1536.Pinniz.A
Fax_Free.1536.Pinniz.B
Fax_Free.1536.Pinniz.C
Fax_Free.1536.Pinniz.D
Fax_Free.1536.Pisello2
Flip.2153.G
Flip.2153.H        
Friday_the_13th.416.C
Friday_the_13th.416.D
Frodo.Fish_6.D
Ginger
Gippo.JumpingJack
Gotcha.605
Green_Caterpillar.1575.G
Grog.1089
Grog.Gonfie
Grog.IlCuoce
Grog.Noncemale
Grog.Ovile
Grunt.529
Hates.212
Helloween.1228
Helloween.1401
Helloween.1430
HH&H.4087
Hiperion.249
HLLC.Sauna
Hungarian.1409
Hungarian.Kiss.1006
Hungarian_Andromeda.1024
Hungarian_Andromeda.1536.B
Icelandic.656.C
Ienez
Industrial
Intruder.1555
Ionkin.195
IVP.351
IVP.644
IVP.Crystal
IVP.Stress
IVP.Taselhoff
IVP.Wild_Thing.555
IVP.Wild_Thing.557
Japanese_Christmas.722
Jerusalem.2389
Jerusalem.1808.CT.SubZero.B
Jerusalem.1808.SuMsDos.AN
Jerusalem.Sunday.K
Jerusalem.Tarapa
Jerusalem.Zerotime.Australian.C
Keypress.1232.L
Keypress.1600
KMIT
Kolumna
Kommuna
Kuang
Lyceum.1901
March_25th.B
March_25th.C
Marzia.D
Marzia.E
Marzia.F
Marzia.G
Marzia.H
Marzia.I
Marzia.J
Marzia.K
Metallica.2620
Michelangelo.C
Michelangelo.G
Michelangelo.J
Mirage
MMIR.278
Murphy.1477
Murphy.1521.B
Murphy.1650
Murphy.1659
Murphy.1752
Murphy.Delyrium.1788 Napalm
Nipple
NoFrills.840
November_17th.900.B
November_17th.900.C
November_17th.998
Npox.1015
PCBB.1845
Phantasm
PHX.1360
Ping-Pong.Standard.G
Ping-Pong.Standard.H
Ping-Pong.Standard.I
Pirate
Pixel.761
Prague.604
Prague.Pizza
Praying 579 587
Predator.1063
Proto-T.Ritzen
Proto-T.Ritzen.1087
Proto-T.1050
PS-MPC.150.A
PS-MPC.150.B
PS-MPC.338.A
PS-MPC.338.B
PS-MPC.338.C
PS-MPC.339.A
PS-MPC.339.B
PS-MPC.339.C
PS-MPC.339.D
PS-MPC.339E
PS-MPC.343.A
PS-MPC.343.B
PS-MPC.343.C
PS-MPC.344.B
PS-MPC.344.C
PS-MPC.344.D
PS-MPC.344.E
PS-MPC.344.F
PS-MPC.346.B
PS-MPC.347.A
PS-MPC.347.B
PS-MPC.347.C
PS-MPC.347.D
PS-MPC.347.E
PS-MPC.347.F
PS-MPC.347.G
PS-MPC.347.H
PS-MPC.347.I
PS-MPC.347.J
PS-MPC.348.B
PS-MPC.348.C
PS-MPC.351.A
PS-MPC.351.B
PS-MPC.352.B
PS-MPC.352.C
PS-MPC.352.D
PS-MPC.352.E
PS-MPC.352.F
PS-MPC.352.G
PS-MPC.352.H
PS-MPC.352.I
PS-MPC.352.J
PS-MPC.352.K
PS-MPC.352.L
PS-MPC.353.A
PS-MPC.353.B
PS-MPC.357
PS-MPC.425
PS-MPC.565.B
PS-MPC.565.C
PS-MPC.565.D
PS-MPC.569.A
PS-MPC.569.B
PS-MPC.569.C
PS-MPC.570.B
PS-MPC.570.C
PS-MPC.570.D
PS-MPC.572.B
PS-MPC.573.C
PS-MPC.573.D
PS-MPC.573.E
PS-MPC.573.F
PS-MPC.573.G
PS-MPC.573.H
PS-MPC.573.I
PS-MPC.574.C
PS-MPC.574.D
PS-MPC.577.C
PS-MPC.578.D
PS-MPC.578.E
PS-MPC.578.F
PS-MPC.578.G
PS-MPC.579.A
PS-MPC.579.B
PS-MPC.579.C
PS-MPC.594
PS-MPC.597.B
PS-MPC.597.C
PS-MPC.597.D
PS-MPC.598.B
PS-MPC.598.C
PS-MPC.602.A
PS-MPC.602.B
PS-MPC.602.C
PS-MPC.602.D
PS-MPC.603.A
PS-MPC.603.B
PS-MPC.603.C
PS-MPC.605.B
PS-MPC.606.B
PS-MPC.606.C
PS-MPC.607.B
PS-MPC.607.C
PS-MPC.610.A
PS-MPC.610.B
PS-MPC.610.C
PS-MPC.611.C
PS-MPC.611.D
PS-MPC.611.E
PS-MPC.611.F
PS-MPC.611.G
PS-MPC.611.H
PS-MPC.611.I
PS-MPC.611.J
PS-MPC.611.K
PS-MPC.612.A
PS-MPC.612.B
PS-MPC.612.C
PS-MPC.612.D
PS-MPC.612.E
PS-MPC.615
PS-MPC.639
PS-MPC.691
PS-MPC.739
PS-MPC.749
PS-MPC.2668
PS-MPC.Abominog
PS-MPC.Actifed
PS-MPC.Alchemy
PS-MPC.Argent
PS-MPC.Blender
PS-MPC.Birthday
PS-MPC.Doggy
PS-MPC.Fred
PS-MPC.G2.572
PS-MPC.G2.573.A
PS-MPC.G2.573.B
PS-MPC.G2.574
PS-MPC.G2.575.A
PS-MPC.G2.575.B
PS-MPC.G2.576
PS-MPC.G2.578
PS-MPC.G2.582
PS-MPC.G2.584.A
PS-MPC.G2.584.B
PS-MPC.G2.584.C
PS-MPC.G2.585.A
PS-MPC.G2.585.B
PS-MPC.G2.588
PS-MPC.G2.Mudshark
PS-MPC.Greetings
PS-MPC.Joana.942
PS-MPC.Justice
PS-MPC.Love
PS-MPC.McWhale.1023
PS-MPC.McWhale.1124
PS-MPC.Mojave
PS-MPC.Projekt.897
PS-MPC.Projekt.918
PS-MPC.Quest
PS-MPC.Ranger
PS-MPC.School
PS-MPC.Schrunch.442
PS-MPC.Seven_Percent.918
PS-MPC.Shock
PS-MPC.Silent
PS-MPC.Skeleton.542
PS-MPC.Skeleton.550
PS-MPC.Skeleton.570
PS-MPC.Skeleton.616
PS-MPC.Skeleton.617
PS-MPC.Sorlec.597
PS-MPC.Sorlec.639
PS-MPC.Steeve.672
PS-MPC.Steeve.686
PS-MPC.SwanSong.1714
PS-MPC.SwanSong.1772
PS-MPC.Swansong.1773
PS-MPC.SwanSong.2062
PS-MPC.Walt.311
PS-MPC.Walt.355
PS-MPC.Warez.1805
PS-MPC.Weakley
PS-MPC.Z10.683
PS-MPC.Z10.687
PSV.B
Pysk
Raptor
Russian_Tiny.127
Sandy
Satan.602
Shake.C
Sidewinder
SillyC.92
SillyC.100
SillyC.158
SillyC.207
Sparkle
Steryd
Stoned.Standard.F
Stoned.Standard.I
Stoned.Standard.J
Stoned.Standard.L
Stoned.Standard.M
Stoned.Standard.O
Stoned.Standard.P
Stoned.Standard.Q
Stoned.Standard.R
Stoned.Standard.S
Stoned.Standard.Good
Stoned.Standard.Pervert
Stoned.Standard.Space.B
Stoned.Standard.Udos
Sybille.1200
Sze.314
Taiwan.677
Taiwan.743.C
Timid.298
Timid.299
Timid.301
Timid.303
Tiny_GM
Tiny_family.Fred
Trakia
Trident.444
Trident.Nolimit2
Troi.C
Troi.D
Unhandled
VCL.379
VCL.Angel.436
VCL.Angel.1681
VCL.Assassin
VCL.Dial
VCL.Julian
VCL.Olympic.B
VCL.Sorlec
VCL.Suck
VCS.Standard.Darkside
VCS.Standard.Test
Vienna.533
Vienna.608
Vienna.610
Vienna.660
Vienna.680
Vienna.700.A
Vienna.700.C
Vienna.709
Vienna.814
Vienna.Choinka.C
Vienna.Feliz
Vienna.Parasite.861
Vienna.Violator.716.B
Vienna.Violator.716.C
Vienna.Violator.803
Vienna.Violator.821
Vienna.Violator.843.B
Vienna.Violator.843.C
Vienna.Violator.909
Vienna.Violator.957
Vienna.Violator.5286
Vienna.W-13.318
Vienna.W-13.507.E
Virdem.1336.Locked.B
Wrzod
Yam.3596
Yankee_Doodle.Login.3045.C
YB.426
Yesterday

The following 58 new viruses can now be detected but not yet removed.

_592
Antitrace
Appelscha
Arcv.Anna.745
Austr_Term
Backform
Carpe_Diem
Code_Zero.735
Czech_Happy
Daemaen
Dark_Avenger.2829
Dillinger
DIR-II.M
DIR-II.O
DIR-II.Q
DIR-II.S
DIR-II.T
DIR-II.W
Doomsday.715
Doubleheart.649
Gippo.Blow
Glith
Grog.Dream
Grog.Inc
Grog.NTA
Grog.Outwit-C
Grog.Outwit-E
Grog.Public
Grog.Razor
Grog.Wildcard
Hallow
Jerusalem.Vtech
Konkoor
LM
M5-VP2
Mystic.379
PCBB.833
PCBB.1680
PCBB.1683
PHB.B
Pit
Predator.1154
Proto-T.694
Raubkopie.1888.B
Sayha
Screaming_Fist.839
Screaming_Fist.846
Screaming_Fist.855
Screaming_Fist.862
Sluknov
Split_Second.1135
Split_Second.1149
SVC.3122
Sze.351
Topa
V2221
Veronika
Wally
X-1.571
X-3A
Yog

F-PROT's earlier versions could detect the following viruses. Now they 
can also be removed.

CIS
Ein_Volk
Jerusalem.986
PS-MPC.ARCV.2.692
PS-MPC.ARCV.2.693
PS-MPC.ARCV.8
Satanbug
VCL.Chuang
VCL.Diarrhea.933
VCL.Diarrhea.1222
VCL.Diogenes
VCL.Mimic
Warrior
Weak
Yeke.1076
Yeke.1204

The following viruses have been renamed in order to make F-PROT follow 
the CARO naming standard as closely as possible. Also, the _758 and 
Gemand viruses have been moved into the Hungarian_Andromeda virus 
family.

_1068         ->    Spinner
_1417         ->    Spanish_Fool
_1441         ->    Sum
_1588         ->    Distrust
_1784         ->    Three_Tunes
_2000         ->    Alphastrike
Anticlr       ->    Anti-Clerical
Commonwealth  ->    CIS
Dos1          ->    Dos_1
Error_412     ->    Runtime
Groz          ->    Grozny
Inoc          ->    Inoculation
Krusha        ->    Khrusha
Micro-128     ->    Micro
NGV           ->    Genvir
QMU.1513      ->    QMU
Quit-1992     ->    Quit
Satwar        ->    Satanic_Warrior
Simple        ->    Simple_Minded
Talking_Heads ->    No_Party
Tula.419      ->    Tula
V-1920        ->    Dostepu

------------------------------------------------------------------------------
      This text may be freely used as long as the source is mentioned
               F-PROT Professional 2.12 Update Bulletin
                                   -
                 Copyright (c) 1994 Data Fellows Ltd
------------------------------------------------------------------------------
  This file may not be placed to be available for download in a system which
  allows users to access live computer viruses, source codes for viruses, or
  instructions for generating a new virus. Also, the guys in 'Immortal Riot'
  virus group are specifically *not* granted a right to publish any parts of
  this document in their own, virus-related publications.         Thank you.
