F-PROT Professional 2.22 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.22 is mentioned. Copyright (c) 1996 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 1/96
=============

F-PROT guards against viruses from Internet
Peter Szor to join F-PROT Development team
The Global Virus Situation
        Burglar
        The First Windows 95 Virus Found
        WordMacro/Hot
        WordMacro/Atom
        The First Ami Pro Macro Virus: AmiMacro/GreenStripe
News in Short
        IBM Germany Shipped a Virus by Accident
        Microsoft Slovenia Shipped a Virus by Accident
Common Questions and Answers
Virus Activation Routines, Part 2
Changes in F-PROT Professional version 2.22


F-PROT guards against viruses from Internet
-------------------------------------------

F-PROT Gatekeeper 2.22 protects PCs against viruses from 
Internet. When files are transferred via e-mail or from WWW 
pages, Gatekeeper's `Scan on Create' function searches them 
automatically for viruses when they arrive at the computer.

Gatekeeper has always provided excellent protection against 
viruses from Internet. However, in the past it was possible for 
the viruses to remain unnoticed until an attempt was made to run 
or copy an infected program. This kind of protection is fully 
adequate in keeping computers from being infected, but now 
Gatekeeper searches files for viruses at the time they are 
created. Thus, infected files are detected much sooner.

When this kind of a new feature is introduced, there is always a 
slight possibility that it may not be compatible with some of 
the less common hardware and software combinations. For this 
reason, the new `Scan on Create' feature is not switched on by 
default in this version of the program.

If you wish to try out this new feature, you can switch it on by 
creating a file called F-PROTW.INI in your computer's Windows 
directory. Write the following two lines to the file:

[Gatekeeper]

ScanOnCreateRename=1

This setting takes effect after you have saved the file and 
restarted Windows. We have also received requests to make 
Gatekeeper more visual, so that users could see Gatekeeper 
perform its checks. This is now possible; add the following line 
to the [Gatekeeper] section in F-PROTW.INI:

ShowActivity=1

Peter Szor to join F-PROT Development team
------------------------------------------

Data Fellows Ltd's antivirus development team acquired a 
valuable addition in the beginning of this year when the virus 
researcher Peter Szor joined it. Peter Szor is from Hungary, and 
he is known as the main developer of the PASTEUR antivirus 
program. He has now moved to Finland, and started working with 
the F-PROT Professional antivirus program in January 1996.

Peter Szor graduated from the University of Veszprem in 1991, 
majoring in Computer Programming. After that, he worked for two 
years at SG2-H Ltd, a French-Hungarian joint venture, creating 
financial computer software. Two years later he joined Mezobank 
and worked at the Bank's electronic data processing department.

Peter became interested in computer viruses in 1990. His 
University diploma work was the PASTEUR antivirus program. 
PASTEUR quickly became popular and received good reviews in 
magazines such as Chip and Computer Panorama. 

Encouraged by the success of PASTEUR, Peter developed the PASTEUR 
PLUS NLM version for Novell Netware. PASTEUR was always one of 
the fastest scanners on the market, being several times faster 
than most of its competitors. 

PASTEUR and PASTEUR PLUS had over 9000 established clients. At 
the moment, PASTEUR is discontinued and the existing customers 
will get a replacement license of F-PROT Professional.

Mr. Szor is now the primary virus analyst at Data Fellows Ltd. He 
spends his days analyzing new viruses and developing new 
features for the F-PROT Professional suite.

Welcome aboard, Peter!

The Global Virus Situation
--------------------------

Burglar
-------
This virus infects EXE programs when they are accessed or
executed. In addition to this, Burglar searches for new victims 
and infects them when the `file attribute change' function (used 
by ATTRIB) and `get free disk space' function (used by DIR and 
many other commands) are called.

Burglar has stealth features: it hides the changes in the size 
of the infected files when viewed with the DIR command.

Every time the virus infects files, it checks the time. If the 
minute field is 14, the virus activates and writes a flashing 
message in the top left corner of the screen:

	Burglar/H

The virus also contains an unencrypted text which is never 
shown:

	AT THE GRAVE OF GRANDMA

Burglar has anti-heuristics mechanisms. Burglar checks for and 
does not infect Windows programs or programs which have the 
letters `V' or `S' in the file name (covering programs like 
VIRSTOP, SCAN, VSHIELD, MSAV, NAV, CPAV etc.).

Burglar was found in the wild internationally in January 1996.

The virus has been spread in an infected version of a demo 
called `Dawn'.

F-PROT 2.22 is able to detect and disinfect the Burglar virus.

The First Windows 95 Virus Found
--------------------------------
The first virus to spread only under the Microsoft Windows 95 
operating system was found in January 1996. This virus is of 
Australian origin. It has not been reported in the wild anywhere 
in the world, and can not be seen as a serious threat to Windows 
95 users.

This new virus has been named `Boza'. It infects only Windows 
Portable Executable EXE files - such files are used by Windows 
95 and Windows NT. However, Boza does not infect machines 
running the Microsoft Windows NT operating system. So far, no 
viruses written specifically for Windows NT have been found.

Whenever an EXE file infected by Boza is run, the virus will 
infect programs in the current directory. With each execution, 
one to three EXE files will be infected. After this, Boza 
executes the code of the original infected file - otherwise the 
user would notice that something is wrong. Boza does not stay 
active in memory after execution. For this reason it spreads 
from one program to another relatively slowly. The actual 
infection process is fast enough to go undetected in most 
machines.

Boza has no destructive routines but it contains a bug which 
will in some cases increase an infected EXE file's size by 
several megabytes. This can reduce free disk space rather 
quickly. The virus also has an activation routine which displays 
texts like `The taste of fame just got tastier!' and `From the 
old school to the new'. This message is shown if the virus is 
run on the 31st of any month. Boza also contains internal texts 
like:

Please note: the name of this virus is [Bizatch] 
written by Quantum / VLAD



These texts are never displayed. VLAD is a virus-writers' group 
originating from Australia.

Boza's spreading technique resembles some of the early DOS 
viruses. When the first DOS viruses were found in the 1980s, they 
were very simple compared to some of the currently known 
polymorphic, multipartite, fast-infecting stealth viruses. It can 
be expected that a similar evolution will take place with 
Windows viruses.

Boza would be an otherwise totally unremarkable virus, but since 
it was the first virus which spreads only under Windows 95, it 
has received a lot of publicity. Boza is unlikely to become a 
real problem for Windows 95 users.

Two minor variants of Boza have also been found. These are named 
Boza.B and Boza.C. They seem to fix some bugs in the original Boza, 
although the C variant seems to always just crash. These 
variants have not been found in the wild, either.

F-PROT 2.22 is able to detect the Boza virus.

New Macro Viruses
-----------------
Two new Microsoft Word macro viruses and the world's first Ami 
Pro macro virus have been discovered recently.

Microsoft Word and Ami Pro are by no means the only programs to 
use a macro language. However, so far no viruses have been 
developed for such applications as Microsoft Access or Microsoft 
Excel.

 

New Word macro viruses

Since the last program update, two new Microsoft Word macro 
viruses have been discovered. 

WordMacro/Hot
-------------
WordMacro/Hot is the first Word macro virus written in Russia. 
It was found in the wild over there in January 1996.

Hot spreads in a similar manner as the -virus: when an infected 
DOC is first opened, the virus modifies the NORMAL.DOT file. 
After that, it will spread to other documents.

Unlike the earlier Word macro viruses, Hot does not replicate 
when the File/Save As command is used - it infects documents 
only during the execution of the basic File/Save command. This 
means that Hot will infect only existing documents in the system 
- not new ones.

Infected documents contain the following four macros, which are 
visible in the macro list:

 	AutoOpen

 	DrawBringInFrOut

 	InsertPBreak

 	ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros to:

 	StartOfDoc

 	AutoOpen

 	InsertPageBreak

 	FileSave

Macros have been saved with the `execute-only' feature, which 
means that a user can't view or edit them.

WordMacro/Hot contains a counter. It adds the following line to 
the WINWORD6.INI file:

        QLHot=35112

This number is based on the number of days that have passed 
since the beginning of this century. Hot adds 14 to this number 
and then waits until this latency time of 14 days has passed. 
Hot spreads normally during this time, but it will not activate.

After the 14-day pause, there is a 1 in 7 chance that a document 
will be erased when it is opened. The virus will delete all text 
and re-save the document. Hot does not do this if it finds a 
file called EGA5.CPI in the C:\DOS directory. A comment in the 
source code of the virus hints that this feature has been added 
so that the author of the virus and his friends can protect 
themselves from the activation damage.

By default, there is no file by the name EGA5.CPI in MS-DOS 
distributions.

WordMacro/Hot was the first macro virus to use external 
functions. This system allows Word macros to call any standard 
Windows API call. The use of external functions is specific to 
Windows 3.1x, which means that WordMacro/Hot will be unable to 
spread under Word for Macintosh or Word 7 for Windows 95: 
opening an infected document will just produce an error message.

F-PROT Professional 2.21a is able to detect the WordMacro/Hot 
virus.

WordMacro/Atom
--------------
WordMacro/Atom was found in February 1996. Its operating 
mechanism is quite similar to WordMacro/Concept, with the 
following differences:

	All the macros in this virus are encrypted (Word's
	execute-only feature)

	In addition to file saving operations, the virus replicates
	during file openings as well

	The virus has two destructive payloads

The first activation happens when the date is December 13th. At 
this time, the virus will attempt to delete all the files in the 
current directory.

The second activation takes place when a File/Save As command is 
issued and the seconds of the clock are equal to 13. When these 
conditions are met, the virus will password-protect the 
document, making it inaccessible to the user in the future. The 
password is set to be ATOM#1.

It is not easy to give a search string for this virus: some of 
the replicants are usually in the files password-protected by 
the virus, and thus contain no constant user-definable search 
string.

Disabling automacros will make Atom unable to execute and 
spread. Turning on the Prompt to save NORMAL.DOT setting will 
make Atom unable to infect NORMAL.DOT, but it will still be able 
to infect documents that are opened or saved during the same 
Word session.

WordMacro/Atom is not known to be in the wild.



The First Ami Pro Macro Virus: AmiMacro/GreenStripe
---------------------------------------------------
In Microsoft Word, a document and all the macros related to it 
are stored in a single file. So files like DOCUMENT.DOC or 
DOCUMENT.DOT contain both the document contents and the macros. 
But in Lotus' Ami Pro, macros are stored in a separate file: if 
you have DOCUMENT.SAM, macros related to it are stored in 
DOCUMENT.SMM. This makes it somewhat more difficult for Ami Pro 
viruses to spread; when a user distributes a document, he is 
likely to leave the .SMM file behind, thus effectively disabling 
the virus.

The first Ami Pro macro virus was found in January 1996. The 
virus, which is called Green Stripe or AmiMacro/GreenStripe, 
works by creating a .SMM file for every .SAM file in Ami Pro's 
default DOCS directory (\amipro\docs), and modifying the 
existing .SAM files to use the new macros. The name of the virus 
comes from its main macro procedure, which is called 
Green_Stripe_virus.

Green Stripe propagates by intercepting Ami's File/Save and 
File/Save As commands. Using File/Save As and saving an infected 
document to a network drive or a floppy is the only likely way 
this virus can spread from one machine to another.

Green Stripe has an activation routine which triggers during 
saving: the virus searches through the document and replaces all 
occurrences of the word "its" with "it's". Such a change can 
easily go undetected by the user. However, it is unclear whether 
this routine works at all.

Green Stripe is rumored to have been originally published in a 
US virus-related magazine. It is unlikely to spread in the wild.

Detecting Green Stripe

Open the Tools/Macros/Edit menu and check whether the document 
has a .SMM macro file which is assigned to be executed on open. 
To disinfect an infected document, just delete the .SMM file, 
open the document in Ami and uncheck the above setting.

Also, the initial infection process takes a long time, and the 
user is likely to notice that something is going amiss, since 
all the documents in the default directory will quickly appear 
and disappear on the screen as the virus infects them. 
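
An added example (not part of the bulletin or of F-PROT): a triage script that applies the two signs described above to a documents directory, namely a same-named .SMM beside each .SAM and the procedure name Green_Stripe_virus. It assumes the procedure name is readable as plain bytes inside the .SMM file; the function names and the sample files are constructed.

```python
import os
import tempfile

MARKER = b"green_stripe_virus"  # main macro procedure name given in the bulletin


def scan_docs_dir(path):
    """Pair each .SAM document with a same-named .SMM macro file, if any."""
    sam, smm = {}, {}
    for name in os.listdir(path):
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".sam":
            sam[stem.lower()] = name
        elif ext.lower() == ".smm":
            smm[stem.lower()] = name

    paired = []
    for stem in sorted(sam):
        if stem not in smm:
            continue
        with open(os.path.join(path, smm[stem]), "rb") as handle:
            body = handle.read()
        paired.append({
            "document": sam[stem],
            "macro_file": smm[stem],
            # Assumption: the procedure name is stored as readable text.
            "marker_found": MARKER in body.lower(),
        })

    return {
        "documents": len(sam),
        "paired": paired,
        # A macro file for every single document matches the infection
        # pattern the bulletin describes for the default DOCS directory.
        "every_document_paired": bool(sam) and len(paired) == len(sam),
    }


def build_sample_dir(path):
    """Write constructed stand-in files; none of this is real macro code."""
    files = {
        "LETTER.SAM": b"constructed document body",
        "LETTER.SMM": b"placeholder macro text naming Green_Stripe_virus",
        "REPORT.SAM": b"constructed document body",
        "REPORT.SMM": b"placeholder macro text naming Tidy_Headings",
        "NOTES.SAM": b"constructed document body",
    }
    for name, data in files.items():
        with open(os.path.join(path, name), "wb") as handle:
            handle.write(data)


def run_demo():
    """Scan a temporary directory filled with the constructed sample."""
    with tempfile.TemporaryDirectory() as docs:
        build_sample_dir(docs)
        return scan_docs_dir(docs)


if __name__ == "__main__":
    report = run_demo()
    for item in report["paired"]:
        flag = "MARKER" if item["marker_found"] else "macro file present"
        print(item["document"], "->", item["macro_file"], "(" + flag + ")")
    print("every document paired:", report["every_document_paired"])
```

A paired .SMM without the marker is not proof of infection, since users can attach their own macros; it only tells you which documents to open in Tools/Macros/Edit.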

News in Short
-------------

IBM Germany Shipped a Virus by Accident
---------------------------------------
IBM Germany distributed a number of infected original diskettes 
in January 1996. The program in question was called VoiceType 
Vokabular. It was shipped on permanently write-protected 
floppies, which were infected by a boot sector virus.

Since the virus in question was pretty new, there is still some 
confusion about the name. F-PROT 2.21 and newer detect it as 
`Newboot_1', but the CARO name has been decided to be `Quandry'. 
Other names for this virus are Parity.Boot.Enc and IHC.

The virus itself is a very simple, basic boot sector virus.

Microsoft Slovenia Shipped a Virus by Accident
----------------------------------------------
In the beginning of February 1996, Microsoft Slovenia held a 
press conference where they presented the Slovenian version of 
Microsoft Office for Windows 95.

All journalists received a floppy disk marked OBVESTILO ZA 
JAVNOST 30. 1. 1996 (in English, "Press Release 30. 1. 1996").

The floppy disk contained two files, NOVKONF1.DOC and 
NOVKONF1.TXT, and the NOVKONF1.DOC file was infected with the 
WordMacro/Concept virus.

The next day, all journalists received a floppy from Microsoft 
Slovenia containing a disinfecting utility.

For more information on the Concept virus, see our update 
bulletin 2.20.

Common Questions and Answers
----------------------------

If you have questions about information security or virus 
prevention, contact your local F-PROT distributor. You can also 
contact Data Fellows directly at the number 350-0-478 444.

Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Paivantaite 8
02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

Internet:F-PROT@DataFellows.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi
Elisa: Hyppönen Mikko.

Microsoft Word 6 is extensively used in our company, and we're a 
bit scared of a macro virus infection. We send documents to our 
clients and partners every day, and we want to avoid the risk of 
spreading a macro virus completely. We're not only concerned 
about the known macro viruses, but also about completely new 
viruses and trojan horses. How can we exchange documents without 
a virus risk?

        There is an easy solution: instead of sending the
        documents in Word's DOC-format, save the outgoing
        documents in Rich Text Format (RTF). RTF will retain
        the layout of your document, but macros are not
        transferred through it. As a bonus, your clients can
        open RTF files not only in Word, but also in almost any
        other word processor.
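
An added example (not part of the bulletin or of F-PROT): a content check for an outgoing-mail script that confirms an attachment really is RTF, because a DOC file that was only renamed to .RTF is still a Word document and keeps its macros. The function names, verdict strings and sample bytes are constructed; sending RTF files with embedded objects to manual review goes beyond what the bulletin covers.

```python
# OLE2 compound-file signature: the container used by Word 6 DOC/DOT files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Every RTF file begins with the group opener followed by the \rtf control word.
RTF_MAGIC = b"{\\rtf"


def sniff_format(data):
    """Classify a document by its leading bytes, never by its file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_outgoing(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'reject'."""
    fmt = sniff_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if fmt == "ole2":
        if ext == "rtf":
            return ("reject",
                    "named .rtf but is an OLE2 container; macros travel with it")
        return "reject", "native Word container; re-save as RTF before sending"

    if fmt == "rtf":
        # \object introduces an embedded or linked object inside RTF.
        if b"\\object" in data:
            return "review", "RTF with an embedded object; inspect before sending"
        return "allow", "plain RTF"

    return "review", "neither RTF nor OLE2; site policy decides"


# Constructed sample inputs (not real documents).
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly offer\\par}"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504
SAMPLE_RTF_OBJ = b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata 0105}}}"


def run_demo():
    """Check the constructed samples under different file names."""
    cases = [
        ("offer.rtf", SAMPLE_RTF),
        ("offer.doc", SAMPLE_DOC),
        ("offer.rtf", SAMPLE_DOC),      # DOC renamed to .RTF
        ("offer.rtf", SAMPLE_RTF_OBJ),
    ]
    return [(name, check_outgoing(name, data)) for name, data in cases]


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo():
        print("%-10s %-7s %s" % (name, verdict, reason))
```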

Virus Activation Routines, Part 2
---------------------------------

The following article on virus activation routines was written 
by Mikko Hyppönen, Data Fellows Ltd's F-PROT Technical Support 
Manager. We publish the article in two parts - the first part 
appeared in the previous Update Bulletin. The text has 
previously been published for the Eicar Conference `95, where 
Mr. Hyppönen presented it in its entirety.

Triggers
--------
There are several different trigger events, which viruses use to 
decide when to activate. These include:

 	Date or time

 	Generation counter of the virus

 	Number of keypresses on the keyboard

 	Amount of free space on the hard drive

 	Amount of minutes the machine has been idle

 	Name of an executed program

Basically, viruses can use any event in the PC as a trigger.

Why It Is Important to Know What a Virus Does
---------------------------------------------
When you have a real infection in your hands, you probably want 
to know what the virus in question does. Actually, this 
information can be crucial, especially in the case of viruses 
which perform gradual corruption. 

A virus like One_Half also demonstrates the importance of 
knowing what a virus does before starting to disinfect it: 
One_Half is a full stealth virus, which gradually encrypts the 
contents of the hard drive. The encryption key and counter are 
kept inside the virus body in the boot sector. If One_Half is 
removed by overwriting the virus code in the boot sector with a 
clean boot sector, the components required to decrypt the 
drive are lost, and the encryption will not be hidden anymore by 
the stealth routines of the virus. In effect, the data on the 
hard drive is lost due to the virus disinfection procedure.

Information sources
-------------------
It would be great to have a single source of information which 
would describe every computer virus, complete with its 
propagation methods and activation routines. Unfortunately, no 
such reference exists, and will never exist. There are just too 
many viruses out there, and new ones are created too fast.

Today, several new viruses are found every day, and virus 
experts have limited time to spend on analyzing any single 
virus. Virus analysis systems are automated as much as possible, 
and a virus typically will get only a cursory look - which is 
usually enough to add detection, identification and 
disinfection. Such analysis will not reveal any special features 
the virus may contain. For this reason, no anti-virus vendor can 
provide a complete reference guide for all viruses their product 
detects.

There are, however, some useful sources. These sources typically 
cover only the most common or otherwise special viruses, but 
this is usually enough.

These sources include:

 	The virus description database of F-PROT Professional 
	antivirus package. Do note that this is not the same as in the 
	shareware version of F-PROT. The emphasis of the descriptions 
	is on viruses which are known to be in the wild.

 	Virus description service at Data Fellows Ltd's Internet 
	World-Wide Web server at http://www.datafellows.com/. This 
	database is based on the same information that is used by the 
	F-PROT Professional antivirus program, but it is constantly 
	updated. Its features include the ability to do free searches 
	and browse through the latest updates. This is a free service, 
	which currently serves several hundreds of description 
	requests every day.

 	AVP Virus Encyclopedia. This Russian freeware DOS hypertext 
	program has probably the largest single set of descriptions; 
	there are several thousand viruses described here. Some of the 
	descriptions even include a demo of the actual activation 
	routine. The only problem with AVPVE is that at times the 
	language is a bit difficult to understand - English with a 
	Russian accent.

 	CAROBase is a joint effort of the Computer Antivirus 
	Researcher's Organization to gather technical descriptions of 
	viruses. It currently contains only about 120 descriptions, 
	but the detail and accuracy of those are excellent.

 	VTC Computer Virus Catalog is already getting outdated, but it 
	still contains excellent descriptions of over 200 PC viruses, 
	and also covers other platforms, such as Amiga, Atari and 
	Unix.

There are other sources available as well. The popular VSUM 
Virus Summary can not be strongly recommended due to the several 
errors it contains, but it can be useful as a cross-reference 
tool when trying to locate a virus which is known by several 
alias names. 

Antivirus programs such as McAfee SCAN, Thunderbyte Antivirus or 
Dr. Solomon's Antivirus Toolkit do contain brief descriptions, 
but these are all based on a few basic attributes for each 
virus, so they don't have details on activation routines. S&S 
International has also published a book called Virus 
Encyclopaedia, which has more detailed information.

Future
------
The Worst Possible Activation Routine

What would be the worst possible activation routine that could 
exist in a virus? Obviously, it would not be a virus which just 
destroys data - incidents like that are relatively unimportant 
if good backup practices are followed, and gradually corrupting 
viruses can be found with good integrity checking. But how about 
a virus which would breach the security and privacy of your 
system?

The rising popularity of the Internet does indeed bring new 
risks. Considering the widespread use of the Internet and TCP/IP 
connections for normal PC workstations, and the amount of 
Winsock installations in use, several scary visions come to 
mind. How about a virus which opens an NNTP connection from your 
machine and spams every newsgroup in the Usenet news hierarchy, 
masquerading as you? Or one which sends rude e-mail messages to 
all addresses found in your e-mail package's alias database? In 
some e-mail systems, a virus could even use the authentication 
features to positively identify the sender as you.

Even worse, how about a virus which waits until a machine with a 
Winsock connection has been idle for some hours, opens an ftp 
connection to some large public ftp server which has an open 
area for incoming files, and uploads all DOC, XLS and DBF files 
found in your hard drive - or your network? If the virus became 
widespread, Internet surfers would make interesting discoveries 
while going through the confidential files of hundreds or 
thousands of unsuspecting users.

It's difficult to think of a worse activation routine for a 
virus. Unfortunately, we will probably see something like this 
in the future.

Conclusions
-----------
There is a wide variety of activation routines found in the 
current viruses. After all, imagination is the only limit. There 
are some scary possibilities which future viruses will probably 
use in their activation routines to make the life of computer 
users miserable.

It is still good to keep in mind that, although flashy viruses 
get all the media attention, most viruses do nothing but 
replicate.

Changes in F-PROT Professional version 2.22
-------------------------------------------

Changes in F-PROT for DOS
-------------------------
When a diskette or hard disk was infected with multiple boot 
sector viruses, F-PROT used to refuse to remove the infections. 
It will now handle this situation properly.

We are continuing the massive virus renaming that was described 
in the previous update bulletin. Many older viruses have now 
been renamed to correspond with the new scheme, including the 
VCL, PS-MPC and IVP-generated viruses. Names like 
VCL.Genocide.839 have been changed to VCL.839.

The following problems were found and corrected:

The Skid_Row viruses were not disinfected correctly in 2.21 and 
earlier versions, which occasionally resulted in the corruption 
of the host programs.

The /BEEP switch did not produce a beep when F-PROT encountered 
overwriting viruses, boot sector image files, and some other 
types of unusual viral objects.

Changes in F-PROT for Windows
-----------------------------
We have added an F-PROTW.INI setting which can be used to 
disable the dialog at F-PROT for Windows startup asking if 
expired tasks should be executed immediately. F-PROT will then 
reschedule those tasks automatically.

To use this feature, add the following two lines to F-PROTW.INI 
in your computer's Windows directory:

[FPWM]

RescheduleAtStartup=1

F-PROT now shows an error message if a batch scan is started 
with a non-existent task.

If the password in FPWNET.CFG is missing or empty, F-PROT uses 
the password from F-PROTW.CFG and copies it to FPWNET.CFG. If 
the password in FPWNET.CFG is not empty, the program uses it and 
copies it to F-PROTW.CFG.

No more sharing violation error message boxes are shown while 
scanning files opened by Word 6.

A bug causing a General Protection Fault when scanning MIRROR.COM 
has been fixed.

A timestamp string is now put into the Gatekeeper message sent to 
the administrator upon finding an infection; the drive letter of 
a boot infection is also mentioned.

Scan on create/rename has been implemented in Gatekeeper. The 
feature is disabled by default: use the F-PROTW.INI setting 
[Gatekeeper] ScanOnCreateRename=1 to enable it.

If an attempt to execute A-PROT.EXE was made when it was already 
running, an error message was shown. This behavior can now be 
overridden with the following F-PROTW.INI setting: [Gatekeeper] 
ErrorIfAlreadyLoaded=0. If the value is 0, no error message will 
be shown if an attempt is made to load A-PROT.EXE again.

In addition to AUTOINST.EXE, the distribute installations 
feature now also copies DFGROUP.EXE and AUTOW31.EXE to the 
destination directory.

When infected files are being sent to the administrator, they 
are encrypted before they are sent to the comm directory. 
Earlier versions copied the file to the comm directory and then 
encrypted it, which caused an unnecessary alarm by Net-Prot etc.

When F-PROTW.EXE (Launcher) is performing auto-updating, and 
Gatekeeper is changed in such a way that the newer version is 
incompatible with the VxD of the old version, the Launcher does 
not load the new Gatekeeper after updating (attempt to load it 
would result in an error message and failure to load anyway). 
Instead, the Launcher will inform the user (in the file copy 
progress dialog) that Gatekeeper will be loaded at next Windows 
startup; the computer's work will not be interrupted and users 
will not be disturbed by the automatic update. The F-PROTW.INI 
setting [Launcher] AlwaysReloadGatekeeper=1 can be used to 
override this behavior.

Network polling frequency in administration mode has been raised 
to 10 minutes. The F-PROTW.INI AdminPollInterval= setting can be 
used to change the administration polling frequency.

The string "Boot infection: `virus_name'  This virus does not 
preserve the original diskette boot sector, and is therefore 
disinfected by overwriting it with `generic' non-bootable code." 
was too long for 1 line. It has been split over multiple lines 
for use in reports.

The command "Load F-Agent at Windows startup" has been added to 
F-Agent's menu in standalone and administration modes. The command 
will add/remove F-Agent to/from the run= line of WIN.INI; the 
command is unaware of Windows' startup group.

Changes and fixes in AUTOINST
-----------------------------
Text with spaces is now allowed in [TSRLoad] ... <substring> in 
AUTOINST.INI. (Until now, Autoinst used only the first word from 
<substring>.)

Multiple "UserNameFromIni=" and "WorkstationNameFromIni=" 
entries are now allowed in AUTOINST.INI: the first one pointing 
to an entry in an inifile will be used.

If the "f-protw.386=" setting is present with remote 
installations, AUTOINST copies f-protw.386 automatically to the 
designated place from the InstallRemote directory.

"UserNameFromRegistry=" and "WorkstationNameFromRegistry=" 
settings are now supported in AUTOINST.INI for AUTOW32.EXE.

In addition to the "UserName=", "UserNameFromIni=", 
"WorkstationName=" and "WorkstationNameFromIni=" settings, the 
"UserNameFromRegistry=" and "WorkstationNameFromRegistry=" 
entries are supported. Multiple "UserNameFromRegistry=" and 
"WorkstationNameFromRegistry=" entries may be used: the first 
one that points to a value in the registry will take effect. The 
format for the values of both these entries (called "registry 
locators") is:

MAINKEY [\ SUBKEY] \\ [VALUENAME]

where:

	MAINKEY     : main key name, must be one of:
	              "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
	              "HKEY_LOCAL_MACHINE", "HKEY_USERS"

	SUBKEY      : subkey name, may be missing

	VALUENAME   : name of registry value, may be missing if the
	              default value is to be used

For example, these are all valid locator specifiers:

	; all items present:
	UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\username

	; no subkey:
	UserNameFromRegistry=HKEY_LOCAL_MACHINE\\user-name

	; no value name:
	UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\

	; no subkey nor value name:
	UserNameFromRegistry=HKEY_LOCAL_MACHINE\\
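
An added example (not Data Fellows' code): a parser for the registry locator format described above, together with the rule that the first entry pointing to an existing value takes effect. The function names, the in-memory stand-in for the registry and the sample INI text are constructed; the bulletin does not say how AUTOINST treats malformed entries, so skipping them is an assumption.

```python
MAIN_KEYS = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
             "HKEY_LOCAL_MACHINE", "HKEY_USERS"}


def parse_locator(text):
    """Split a registry locator into (main_key, subkey, value_name)."""
    text = text.strip()
    # The first double backslash separates the key path from the value name.
    path, sep, value_name = text.partition("\\\\")
    if not sep:
        raise ValueError("no double-backslash separator in %r" % text)
    # The first single backslash separates the main key from the subkey.
    main_key, _, subkey = path.partition("\\")
    main_key = main_key.strip().upper()
    if main_key not in MAIN_KEYS:
        raise ValueError("unknown main key %r" % main_key)
    # Empty subkey = the main key itself; empty value name = default value.
    return main_key, subkey.strip("\\ "), value_name.strip()


def collect_entries(ini_text, setting):
    """Return every value given for `setting`, in file order, duplicates kept."""
    values = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == setting.lower():
            values.append(value.strip())
    return values


def resolve_first(locators, read_value):
    """Return (locator, value) for the first locator that yields a value."""
    for locator in locators:
        try:
            key = parse_locator(locator)
        except ValueError:
            continue  # assumption: a malformed entry is skipped, not fatal
        value = read_value(*key)
        if value is not None:
            return locator, value
    return None


# Constructed stand-in for the registry so the example runs anywhere.
FAKE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", "network\\logon", "username"): "alice",
}


def fake_read(main_key, subkey, value_name):
    """Look up a value; registry key and value names are case-insensitive."""
    return FAKE_REGISTRY.get((main_key, subkey.lower(), value_name.lower()))


# Constructed sample, not a shipped AUTOINST.INI.
SAMPLE_INI = r"""
; constructed sample entries
UserNameFromRegistry=HKEY_BOGUS\Network\Logon\\username
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\NoSuchKey\\username
UserNameFromRegistry=HKEY_LOCAL_MACHINE\Network\Logon\\username
UserNameFromRegistry=HKEY_LOCAL_MACHINE\\
"""


def run_demo():
    """Resolve the user name from the constructed INI text."""
    entries = collect_entries(SAMPLE_INI, "UserNameFromRegistry")
    return resolve_first(entries, fake_read)


if __name__ == "__main__":
    print(run_demo())
```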

AUTOW32.EXE now works from a directory which has spaces in its 
name (older versions didn't use the correct AUTOINST.INI because 
the command line was processed incorrectly).

A bug in AUTOINST has been fixed which caused multiple spaces to 
be left on the run= line of WIN.INI if the previous run= line had 
trailing spaces.

UNC pathnames are supported by Autoinst and FPW (as for the 
communication dir).

New Viruses Detected by F-PROT
------------------------------
The following 35 viruses are now identified, but can not be 
removed as they overwrite or corrupt infected files. Some of 
them were detected by earlier versions of F-PROT, but not 
identified accurately.

_641
Burger.393
Exe2Win.113
Exe2Win.116
Exe2Win.132
Exe2Win.214
Exe2Win.710
HLLO.5520
HLLO.6561
HLLO.Honi.B
Jerusalem.Nai-Tai.B
Leprosy.554
Leprosy.1306.B
SillyOR.177
Trivial.26.E
Trivial.34.C
Trivial.37.C
Trivial.42.J
Trivial.42.K
Trivial.45.G
Trivial.45.H
Trivial.45.I
Trivial.47
Trivial.50.C
Trivial.52
Trivial.56
Trivial.66
Trivial.77
Trivial.78
Trivial.88
Trivial.137
Trivial.214
Trivial.241
Ymir.101
Ymir.144

The following 281 new viruses can now be removed. Many of them 
were detected by earlier versions, but are now identified 
accurately.

_406
_494
_585
_589
_789
_1000.A
_1000.B
_1024
A_Ant.564
Acdc.499
Alfons.1344
Arme.411
Ash.743.L
Aspargus.768
Awaits.500
Baby.962
Bad_Com.600
Badless.494
BelinHQ.434
Bero.677
Brownie.688
Bunny.497
Canna.357
Carry.534
Chad.750
Chang.3584
Chapa.448
Chapa.450.C
Chapa.566
Chapa.572
Chapa.586
Click.375
Clonewar.252
Clonewar.255
Clonewar.258
Clonewar.267
Creat.795
Crovir.625
Dagg.882
Danish_Tiny.333.C
Dark_Avenger.1728
Dark_Avenger.1783
Dark_Avenger.1803.B
Dark_Avenger.1805
Dark_Avenger.1808
Dark_Avenger.2000.K
Dark_Avenger.2000.L
Deathboy.655
Deino.1000
Destructor.2082
Doperland.490
DSTT.231
DSTT.242
DSTT.330
DSTT.347
DSTT.396
Eb.313
Eb.378
Eddie-2.657
Eleet.726
Escort.151
Fifo.333
Flip.2153.J
Frodo.4096.L
Fumble.866
Garfio.1000
Green_Caterpillar.1575.K
Halka.704
Halt.A
Heja.623.B
Hellis.608
Helloween.1377
Hi.378
Hi.512
Hi.559
Hi.671
Hi.806
Hi.833
IMI.1536.H
Immortal.2174
Immortal.2185
Inch.386
Insane.197
Int_AA
Intruder.1312
Intruder.1319.C
Ivir.221
Ivir.240
IVP.872
Jason.626
Jerusalem.1806.Frere.L
Jerusalem.1808.Sumsdos.AV
Jinx.846.B
Jinx.846.C
Jinx.854
JH_error.1215
Karnavali.1986
Kela.2122
Kela.2163
Keyb.996
Khiznjak.560
Khiznjak.735
Khiznjak.749.B
Khiznjak.761
Khiznjak.766
Kobrin.489
Kobrin.491
Leech.1024.B
Liberty.2857.I
Locust.735
Louse.919
Lunch_Time.783
Maxi.1148
Mirage.1309
Movius.231
Morgul.400
Morgul.424
Murderer.3670
Murphy.1277.C
Mururoa.2469
Myroom.891
Nado.841
Neumann.752
NLA.383
Obid.555
Oppressor.1071
Overdoze.563
Overdoze.568
Overdoze.569
Overdoze.572
Overdoze.573
Overdoze.578
Overdoze.580.A
Overdoze.580.B
Overdoze.580.C
Overdoze.582
Overdoze.584
Overdoze.585
Overdoze.587
Overdoze.588
Overdoze.590
Overdoze.591
Overdoze.593
Overdoze.596
Overdoze.600.A
Overdoze.600.B
Overdoze.606
Paladine.1080
Pixel.847.K
Pixel.3072
Pottery.316
Pressreset.607
PS-MPC.139
PS-MPC.227
PS-MPC.329
PS-MPC.333
PS-MPC.374
PS-MPC.384
PS-MPC.389
PS-MPC.391
PS-MPC.393.A
PS-MPC.392.B
PS-MPC.397.A
PS-MPC.397.B
PS-MPC.399
PS-MPC.404
PS-MPC.408
PS-MPC.412
PS-MPC.418
PS-MPC.424
PS-MPC.428.A
PS-MPC.428.B
PS-MPC.428.C
PS-MPC.442
PS-MPC.443
PS-MPC.481
PS-MPC.482.A
PS-MPC.482.B
PS-MPC.509
PS-MPC.510.B
PS-MPC.515
PS-MPC.520.B
PS-MPC.520.C
PS-MPC.520.D
PS-MPC.526
PS-MPC.535
PS-MPC.575.C
PS-MPC.576.B
PS-MPC.579
PS-MPC.581
PS-MPC.583
PS-MPC.584
PS-MPC.585.D
PS-MPC.589
PS-MPC.597
PS-MPC.600
PS-MPC.602
PS-MPC.605
PS-MPC.609
PS-MPC.611.L
PS-MPC.620.B
PS-MPC.629
PS-MPC.640
PS-MPC.646.B
PS-MPC.719
PS-MPC.723
PS-MPC.728
PS-MPC.802
PS-MPC.848
PS-MPC.868
PS-MPC.910
PS-MPC.1233
Puppets.960
Qpis.2931
Quarrel.390
Quintessence.992
Radar.2155
Revenge.948.D
Rihii.128
RP
Scrappy.416
Scroll.600
Seventh_Son.440
SFT.777
SillyC.161
SillyCR.354
Siskin.311
Siskin.555
Slaughter.512
Sno.1015.A
Sno.1015.B
Spirit
Starslost.596
Sterculius.456
Sterculius.458
Sterculius.474
Sza.1864
Triple5.556
Tanpro.525
Umbrella.3032
Uneven.738
Vang.483
VCC.450.A
VCC.450.B
VCC.565
VCC.585
VCC.592
VCC.625
VCC.667
VCC.735
VCC.753
VCC.793
VCC.813
VCC.857
VCC.867
VCC.917
VCC.1144
VCC.1198
VCC.1263
VCL.346
VCL.348
VCL.383
VCL.847
VCL.848
VFSI.427
Vienna.462
Vienna.480
Vienna.629
Vienna.660.B
Werewolf.658
Werewolf.678
Werewolf.685
Werewolf.1152
WilliWonka.1088
Wolfman.2064.C
Xram.1000
YB.325
Yesmile.4304
Yesmile.5504
Zapper.1121
Zimboot
ZZZ.412

The following 43 new viruses are now detected and identified but 
cannot yet be removed.

_2000
_3008
Australian_Parasite.972
Bin.466
Bowl.737
Boza.A
Boza.B
Cybertech.688
Danish_Tiny.390
DIR_II.AF
DIR_II.AG
ElFla.687
ElFla.1017
Enero.2690
Entity.1986
Fangs.658
Fangs.685
Gripped.685
Halka.720.B
HeyHunter.1087
IVP.1103
Kalo.1464
Katya.732
Leech.1024.B
Mosca.849
Nightbird.419
Noone.1237
NRLG.968
Ratboy.539
Silence.4096
Silence.5120
Struck.731
Tornado
Trance.1688
VCC.436
VCC.437
VCC.440
VCC.44
VCC.449
VCC.451
VCC.459
VCC.461
Vigo.1000

The following 3 new viruses are now detected, but not 
identified. F-PROT will just report the family name with a (?) 
or report the virus as "New or modified variant", as it is not 
yet able to determine which variant it is dealing with.  
Disinfection of these viruses is not yet possible.

Positron
Trance.1982
Trance.3336

The following 1 virus, which was identified by earlier versions, 
can now be removed.

Crazyboot
