F-PROT Professional 2.23 Update Bulletin
========================================
Data Fellows Ltd, Paivantaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: F-PROT@DataFellows.com

This material can be freely quoted when the source, F-PROT Professional
Update Bulletin 2.23 is mentioned. Copyright (c) 1996 Data Fellows Ltd.
------------------------------------------------------------------------------

Contents 2/96
=============

F-Secure to shield Internet connections
F-PROT in European Football Championships
The global virus situation
        Major
        Glupak
        Nado
        Tentacle
        WereWolf
        WordMacro/Wazzu
News in short
        PC World Hong Kong chooses F-PROT as best buy
        Microsoft distributes the Sampo virus by accident
Common questions and answers
Michelangelo 1996
New products
Changes in F-PROT Professional version 2.23


F-Secure to shield Internet connections
---------------------------------------

A new group of information security products has been
developed to stand beside Data Fellows' F-PROT anti-virus
products and the Vineyard sales and marketing software. The
F-Secure products will fulfill companies' information
security requirements in access control and cryptography.

The strongest possible security is common to all F-Secure
products. The cryptographic features of F-Secure products
are one example of this; they are based on the same methods
that are used by military and intelligence organizations.

Among the encrypting algorithms used in F-Secure are RSA,
3key3DES and IDEA.

The SSH software tools are the first F-Secure products to
reach the market. They have been in development since last
spring. The size of the development team has recently been
multiplied, and several new products are about to start
shipping. F-Secure SSH Client and Server programs make
secure communication between two UNIX computers or a UNIX
computer and a Windows computer possible. Macintosh Client
programs will be ready this summer.

These products provide, for instance, the strongest
possible security for employees connecting remotely to
office systems. The connections are secured automatically
and transparently by powerful cryptography.

The F-Secure Virtual Private Network (VPN). With the
F-Secure VPN it is possible to create a secure network between
several locations connected by unsecure networks, most often
the Internet.

Installing and using VPN does not require any special
knowledge. Installation and configuration can easily be
carried out by any system administrator.

You can find out more about our new products from your local
F-PROT distributor, or by visiting our WWW server
(www.europe.datafellows.com).


F-PROT in European Football Championships
-----------------------------------------

The F-PROT Professional anti-virus software has again proved
its leading position in the market. F-PROT has been chosen
as the official anti-virus product of Europe's Football
Championship Tournament. All computers and networks used in
the Euro'96 tournament will be protected by F-PROT
Professional anti-virus products.

This new acknowledgment of F-PROT's capabilities comes only
four months after our product was again named "Editor's
Choice" in the evaluation published by the respected Secure
Computing magazine.


F-PROT to protect more than 50 servers and 450 workstations


According to the technology consultant of the Euro'96
tournament, Bill Alaoglu, Euro'96 wanted the best available
anti-virus software to protect its more than 450 computers
and over 50 servers. "That is why F-PROT Professional was
chosen as the anti-virus software of this year's biggest
European sports event."

Data Fellows' distributor in the UK, Portcullis Distribution,
will supply the tournament organizers with the required
F-PROT Professional licenses. Bob Hoxey, the managing
director of Portcullis, states that the choice of F-PROT is
once more an indication of the fact that information
security professionals consider the virus protection offered
by F-PROT to be the best available in the world.


The global virus situation
--------------------------

During the last few months, there have been particularly
many incidents involving viruses which spread through the
Internet. Infected files on the Internet are typically
games, demos or crack programs used for removing the copy
protection from commercial software.


Major
-----
The Major virus became widespread in April 1996, because it
had managed to get into a file package called CANCER01.ZIP on
the ftp site wuarchive.wustl.edu.

In addition to the infected files inside CANCER01.ZIP, Major
virus has spread inside files called TAP.EXE and FLASH.EXE
(PKLited dropper).

Major tries to interact with the Major BBS system. Without
further information about this BBS system, it is impossible
to tell what the virus actually tries to do. However, it is
clear that it tries to access the files \BBSV6\BBSAUDIT.DAT
and \BBSV6\BBSUSR.DAT.

Major contains the following encrypted texts:

         The Major BBS Virus created by Major tomwn to DOS
         Puppet Image Gnat Minion Cindy F'nor

Like many other memory-resident viruses, Major causes
conflicts with some memory-managing programs.

The Major virus has been found in the wild in several
countries.


Glupak
------
Glupak is a buggy direct action infector of COM files. It
activates on October 21st and attempts to overwrite the hard
disk. After this, it displays the following text and hangs
the PC:

         Happy Birthday Freaky!

Glupak also contains the following encrypted text which is
never shown:

         [TV.Suicidal.Dream.B] (c) 1996 The Freak/The Underground

         From the hypnotic spectre of wake I scream locked in
         depths of suicidal Dream

The virus may also delete *.ZIP and ANTI-VIR.DAT files.

Glupak was discovered in the wild in Switzerland and Finland
in April 1996.

There is also another, 890 byte variant of the virus. It
contains slightly different texts.


Nado
----
This Danish virus infects COM files when they are accessed,
and tries to hide the size increase of the infected files.

It contains the following text:

         [Yitzak-Rabin 1.00 (c) made by TorNado in Denmark'96]

Nado contains code which activates when the DEL key is
pressed on the keyboard. At this time, it tries to overwrite
the boot sector of the hard disk with the text shown above.
Nado.841 also deletes ANTI-VIR.DAT files.

There are several different variants of the virus, varying
between 584 and 841 bytes in size. Some of the variants
overwrite hard drives and corrupt CMOS setup information,
others just delete anti-virus programs when they are
executed. Certain variants infect EXE files instead of COM
files. However, the 841 byte variant is the only commonly
found Nado virus. Note that the damage done by the 584 byte
variant can not always be successfully repaired; it corrupts
files while infecting them.

Nado was confirmed to be in the wild in Denmark in April
1996.


Tentacle
--------
This Windows virus was found in the wild in France and the UK
in March 1996. The virus spread in a file called DOGZCODE.ZIP,
which was posted in the alt.cracks Usenet newsgroup on the
Internet. After that, the virus quickly became widespread.
Tentacle infects Windows 3.1x EXE files.

Tentacle infects files in the current and Windows
directories. It does not stay resident in memory.

Occasionally, Tentacle will replace the icon of an infected
EXE file with its own picture. This new icon has a picture
of a tentacle and the text `Tentacle'.


WereWolf
--------
In fact, WereWolf is a large family of related viruses.
Between December 1995 and February 1996, many of them were
reported to be in the wild in France. Most of the WereWolf
viruses are memory-resident COM and EXE file infectors.

WereWolf is a stealth virus, but it will only hide the
changes in file sizes. The virus is not encrypted, and it
contains the following text:

      BEAST

WereWolf avoids infecting the following programs:

 CLEAN - McAfee CLEAN
 AVP   - Antiviral Toolkit Pro
 TB    - ThunderByte Antivirus
 QB    - QBasic
 SCAN  - McAfee SCAN
 COMM  - Many communication programs
 NAV   - Norton Antivirus
 V     - Anything starting with a `V'
 FINDV - S&S Findvirus
 GUARD - S&S VirusGuard
 FV    - S&S Findvirus
 CHKDS - DOS CHKDSK
 F-PR  - F-PROT
 -D    - AVP TSR

Werewolf.1500.B is a polymorphic variant of this virus. It
managed to get into widespread distribution in April 1996.
The virus had attached itself to a shareware game called
`PackMan', which was available in the upload directory of a
major shareware ftp server. This variant has been found in
the wild in several countries.


WordMacro/Wazzu
---------------
There are now almost 20 Word-specific macro viruses. Unlike
most other macro viruses, WordMacro/Wazzu has actually been
seen in the wild: there were a few reports of infections in
USA during spring 1996.

WordMacro/Wazzu consists of a single AutoOpen macro; this
makes it language independent, i.e. this macro virus is able
to infect localized versions of Word as well as the English
Word.

Wazzu does nothing besides replicating itself.


News in short
-------------

Michelangelo 1996
-----------------
Allan Dyer of Yui Kee Company Ltd reports from Hong Kong

There were very few Michelangelo activation reports world-wide
this year. The Michelangelo virus activates every year
on March 6th, overwriting the beginning of the hard drive.
However, the South China Morning Post news reported in March
that Martin Lee Chu-Ming, chairman of the Democratic Party
of Hong Kong, lost "every speech, newspaper article, press
release, legal brief or other utterance in English made by
Mr Lee since the middle of 1994" because the Michelangelo
virus had destructively activated on his machine. "Some data
has been recovered and there are some backups, but much is
expected to be lost forever".


PC World Hong Kong chooses F-PROT as best buy
---------------------------------------------
Once again, F-PROT Professional received a "Best Buy" award,
this time in PC World Hong Kong's March review of anti-virus
software. F-PROT had the best detection rate against a test
set of 2223 viruses, and was also praised for ease of use
and documentation.


Microsoft distributes the Sampo virus by accident
-------------------------------------------------
Microsoft accidentally distributed approximately 1500
diskettes infected with the Sampo boot sector virus (see
Update Bulletin 2.16) at a recent Microsoft Business
Solutions Conference in Hong Kong. The diskettes contained
the Microsoft Internet Explorer 2.0 web browser. The
infection took place at the diskette duplication company,
and Microsoft will replace the infected diskettes.


Common questions and answers
----------------------------

If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact Data Fellows directly at 358-0-478 444.

Written questions can be mailed to:

Data Fellows Ltd
F-PROT Support
Paivantaite 8
02210 ESPOO
FINLAND

Questions can also be sent by electronic mail to:

Internet: F-PROT-Support@DataFellows.com
X.400: S=F-PROT, OU1=DF, O=elma, P=inet, A=mailnet, C=fi


        I received a warning about a harmful program called
        PKZIP300. What should I do?

Don't worry too much. PKZIP300 was a Trojan Horse program
which claimed to be a new version of the popular
compression/packing utility PKZIP. Actually the program tried
to format the hard disk. This Trojan was reported in a couple
of places during spring 1995. After that, it has not been seen
anywhere.

For some reason, there was a renewed warning scare about the
PKZIP300 Trojan during spring 1996. However, although the
PKZIP300 Trojan does exist, it is extremely unlikely for
anybody to actually run into it.

V2.04g is the latest official version of PKZIP.


        I have heard that there are Trojan Horses capable of
        destroying certain PCs' motherboards for good by
        writing to the Flash BIOS. Is this true? Is such a
        thing possible?

No, we haven't seen any Trojans or viruses which can
actually do so. However, according to an announcement from
Microid Research, the Intel Endeavor-2 motherboards have a
design problem which would make it very difficult to recover
from a flash programming problem.

It seems that the flash ROM on these machines is not
equipped with a write-protected failsafe recovery mode.
Furthermore, the flash chip is soldered directly onto the
system board.

This means that if the flash BIOS gets corrupted, it can not
be reprogrammed and the chip itself cannot easily be
replaced. In practice, you could lose the whole motherboard
because of a program that rewrites the flash BIOS.

On most motherboards, you can write-protect the MBR boot
sector by simply turning a switch.

        I have heard much about the WWW Java language and the
        risks inherent in it. Are there any known Java
        viruses?

No. The Java language itself is considered very safe,
especially when compared to any common programming language.
The problems lie in WWW-browsers' Java implementations; even
simple errors in the browsers are known to have caused serious
problems. At the moment, the Netscape 2.x browsers are known
to have at least three serious gaps in security. These
security holes make it possible to transfer any kind of PC
code inside a Java program, and to execute it in the user's
computer.

There's no real risk of running into Java viruses, but other
harmful programs pose a potential threat. We recommend
switching off Java support in Netscape.


New products
------------

The old NET-PROT Novell Netware NLM scanner has now been
replaced by an all-new NLM product, F-PROT Professional for
Netware.

The main differences between the two products are listed in
the table on next page.

Upon upgrading, NET-PROT must first be unloaded from the
server. Also remove all NET-PROT-related commands from
autoexec.ncf.

AlertTrace Lite should be installed and loaded before
installing F-PROT for NetWare.

Initially, the administrator must install F-PROT for NetWare
on every NetWare server separately. This cannot be automated
either with F-PROT or the normal Netware tools. The deploy
feature will take care of updating once the initial
installations are in place.


Changes in F-PROT Professional version 2.23
-------------------------------------------

Changes in F-PROT for DOS
-------------------------
Disinfection of boot sector viruses has been improved. This
is readily apparent when you browse the list of viruses
which were previously detected, but can only now be
disinfected (following chapter).

F-PROT now detects the PKZIP 3.00B Trojan. This Trojan is,
however, not a "real" threat, but, due to unfounded
hysteria, numerous warnings about it are in circulation, far
outnumbering actual copies of the Trojan.


Changes in F-PROT for Windows
-----------------------------
F-PROT (Win 3.1x/NT): This scanner (available on demand)
will show an error message if an attempt is made to scan a
directory to which access is denied (this can happen on NTFS
partitions).

F-PROT/Gatekeeper/F-Agent (Win3.1x): F-Agent's Gatekeeper
Settings dialog and the main program's Protection
Preferences dialog now have a "More" button. When you click
it, the program brings out another dialog where you can set
scans on created files and document macros, and adjust visual
display options. These settings were previously stored in
F-PROTW.INI as undocumented options. They are now stored in
F-PROTW.CFG.

F-PROT (Win95): The Distribute F-PROT Installations feature
now supports Gatekeeper's installation (as Gatekeeper is
included in the Windows 95 package).

The scanning engine: Document macro disinfection has been
implemented. Boot sector scanning used to sometimes cause a
GPF because of a bug in the scan engine. This has now been
fixed.

Gatekeeper (Win3.1x): A setting called LoadDelay= has been
added to F-PROTW.INI's [Gatekeeper] section. The setting is
used for delaying the loading of Gatekeeper. This feature
can be useful in situations where many applications are
loaded at Windows startup, and there's not enough
conventional memory available: Gatekeeper's loading can be
delayed until more memory becomes available.

The setting in F-PROTW.INI is:

[Gatekeeper]
; if nonzero, Gatekeeper will wait for the specified number of seconds
; before loading itself (default 0)
LoadDelay=0

AUTOW32: Autow32 supports the Windows 95 Gatekeeper
installation. Use the same AUTOINST.INI settings that are
used for installing the Windows 3.1x Gatekeeper.

AUTOW31: If a program group creation/modification is
desired, Autoinst will wait until the "Program Manager DDE"
is available. Previous versions simply failed in program
group creation if no Program Manager DDE was available,
because Autoinst was started from a logon script before the
Windows shell (Program Manager) had had time to completely
boot itself up. The default timeout value is 5000 ms; you
can use the [Autoinst] DDEPMTimeOut= setting to override
this.

F-Agent/Gatekeeper (Win3.1x): The dialog that says that the
VxD is not loaded and Gatekeeper can't be started now has
two new buttons: "Restart Windows" and "Continue". This has
been implemented in F-Agent only.

Gatekeeper (Win3.1x): After a boot sector infection has been
detected and the user has clicked OK in the message box, the
boot sector is scanned again to make sure that the user has
removed the infected diskette. The user will not be able to
continue using the computer until the diskette has been
removed or replaced by another, clean diskette.


New viruses detected by F-PROT
------------------------------
The following 47 viruses are now identified, but can not be
removed as they overwrite or corrupt infected files. Some of
them were detected by earlier versions of F-PROT, but not
identified accurately.

Burma.442.E
Country.611
Crazy.1024
Demand.666.C
Fack.180
HLLO.3836
HLLO.4019
HLLO.7680
HLLO.8096
HLLO.21603
IOE.155
IOE.239.A
IOE.239.B
Itti.99.D
IVP.O.229
Leprosy.371
Leprosy.622
Leprosy.625.A
Leprosy.625.B
Leprosy.2013
Markiz.1972
Milan.249
Rauser.296
SillyC.201
Sod.257
Trivial.28.D
Trivial.42.L
Trivial.45.J
Trivial.45.K
Trivial.53.B
Trivial.53.C
Trivial.53.D
Trivial.53.E
Trivial.67
Trivial.72
Trivial.80
Trivial.87
Trivial.111
Trivial.112
Trivial.117.B
Trivial.284
Trivial.963
VCL.O.372
VCL.O.454
VCL.O.464
VCL.O.466.C
VCL.O.538

The following 377 new viruses can now be removed. Many of
them were detected by earlier versions, but are now
identified accurately.

_264
_432
_709
_768
Abbas.5660
Acid.736
Afraid.1036
Alexe.1287
Alfa.3072
Alfons.1536
Andris.683
Angels.1571
Annres.553
Annres.972
Annres.1052
Antibasic.351
Anti-C.726
AntiCAD.4096.L
AntiMIT.764
Antiwin.633
AOS.736
AOS.744
AOS.752
AOS.758
AOS.833
AOS.847
AOS.854
Babol.2048
Barrotes.1874
Beer.2920
BGU.1295
BGU.1298
Blue_Nine.925.C
Blue_Nine.1725
Blue_Poison.487
BodyBuilding.884
BootExe.444
Boso.1037
Boso.1388
BW.291
BW.343
BW.491
BW.495
BW.751
BW.Mayberry.499
BW.Mayberry.604
BW.Mayberry.682
C&Y.426
Cannabis.C
Cascade.1701.AQ
Cascade.1701.AR
Cascade.1701.AS
Cascade.1701.AT
Cascade.1704.AD
CB.450
Cholera.2415
Civil_Defense.6656.C
Civil_IV.588
Clisti
Clonewar.551
Compiac.379
CPW.1395
Creeper.482.B
Cybercide.1309
Danish_Tiny.333.D
Dark_Avenger.1690
Dark_Avenger.1797.B
Dark_Avenger.1800.AC
Dark_Avenger.1841
Dark_Avenger.2000.M
Dbase.1850
Debilitated.2000
Defo
Delwin.1199
DespChem.633
DieHard.4000.B
Ditwet.465
Dos-1.185
Dron.1024
Dull_Boy.A
Dull_Boy.B
Dumb.192
Dumb.215
Eliza.1194
Eliza.1282
End_of.773
Euskadi.811
Eventide.1061
Exemplary.586
Exile.255
Fack.330
Fallen_Angel.338
Fasola.2215
Favorite.2576
Fizzle.313
Fletan.565
Fletan.574
Flipflop.610
Floriana.939
Four_Seasons.1514
Fowl.3072
Genvir.1600.B
Genvir.1856
Ginger.2337
Glupak.847
Glupak.890
Greetings.297
Gotcha
Guppy.152.E
Hi.680
Hi.764
HLLC.4045
HLLC.4870
HLLC.5129
HLLC.6644
HLLP.5872
HLLP.9072
HLLP.16470
Hole.476
Horror.1173
Horsa.1185
Hue.482
Icelandic.1618.F
Inside.752
Intruder.1413
IstanbulCCC
IVP.366
IVP.368
IVP.371
IVP.647.A
IVP.647.B
IVP.650
IVP.751
IVP.754
Jack.436
Jerusalem.1500
Jerusalem.1607
Jerusalem.1808.Frere.M
Kela.2018
Khiznjak.834
Khiznjak.1101
Kobrin.491
Kouser.1648
Kpi.329
Kusumah.2588
Kyokushinkai.2048.C
La.802
Lamego.722
Lenin.943
Lesson.189
Lesson_I.301
Letter_H.665
Locust.1158
Major.1644
Mand.1061
Maripuri.1942
Mazur.2541
Minzhou.1024
Mirea.665
Morgen.656.B
Morgot.823
Mosca.1278
Mosca.1372
Murphy.1277.C
Nado.838
Narcosis.1431
Natas.4746
NLA.333
NLA.348
No_frills.815.B
No_frills.950
NSD.267
Nutcracker.2000.A
Nutcracker.2000.B
Nutcracker.2293
Nutcracker.2725
Nutcracker.2900
Nutcracker.3100
Nutcracker.3500.A
Nutcracker.3500.B
Nutcracker.3500.C
Nutcracker.3500.D
Oguro.446
Ozzy.546
Pantera.400
PC-Knight.2083
Pixel.847.L
Plove.322
Plove.327
Porridge.1061
Presumptious.680
Proto-T.629
Proto-T.688
Proto-T.893
Proto-T.1041
Proto-T.1048
PS-MPC.269
PS-MPC.281
PS-MPC.305
PS-MPC.356
PS-MPC.377.B
PS-MPC.379
PS-MPC.386.B
PS-MPC.409
PS-MPC.410
PS-MPC.414.A
PS-MPC.414.B
PS-MPC.414.C
PS-MPC.414.D
PS-MPC.415.A
PS-MPC.415.B
PS-MPC.415.C
PS-MPC.444.B
PS-MPC.446.A
PS-MPC.446.B
PS-MPC.450
PS-MPC.454
PS-MPC.460
PS-MPC.495
PS-MPC.505
PS-MPC.513.B
PS-MPC.522
PS-MPC.526.B
PS-MPC.528.A
PS-MPC.528.B
PS-MPC.545
PS-MPC.548
PS-MPC.549
PS-MPC.555
PS-MPC.565.J
PS-MPC.565.K
PS-MPC.568
PS-MPC.570.J
PS-MPC.573.R
PS-MPC.573.S
PS-MPC.573.T
PS-MPC.575.D
PS-MPC.578.T
PS-MPC.578.U
PS-MPC.579.G
PS-MPC.579.H
PS-MPC.581.B
PS-MPC.583.C
PS-MPC.585.E
PS-MPC.585.F
PS-MPC.598.O
PS-MPC.603.E
PS-MPC.603.F
PS-MPC.603.G
PS-MPC.606.H
PS-MPC.606.I
PS-MPC.606.J
PS-MPC.607.D
PS-MPC.607.E
PS-MPC.607.F
PS-MPC.607.G
PS-MPC.610.D
PS-MPC.611.M
PS-MPC.611.N
PS-MPC.611.O
PS-MPC.611.P
PS-MPC.611.Q
PS-MPC.611.R
PS-MPC.611.S
PS-MPC.611.T
PS-MPC.612.H
PS-MPC.612.I
PS-MPC.616.D
PS-MPC.621
PS-MPC.625.B
PS-MPC.634
PS-MPC.652
PS-MPC.661.B
PS-MPC.666.A
PS-MPC.666.B
PS-MPC.701
PS-MPC.761
PS-MPC.808
PS-MPC.853
PS-MPC.921.B
PS-MPC.929
Rabbit
Rael.3211.B
Rain
Red_Hacker.1405
Retailer.1536
RP.B
RWV.549
Rycho.1024.A
Rycho.1024.B
Rycho.1536.A
Rycho.1536.B
Salamander.940
Satria.A
Satria.B
Satria.C
Saturday.669.C
Saynay.5115
SE.1853
Semi.895
Shel.983
Silent_Night.1111
SillyC.91
SillyC.139
SillyC.175
SillyC.192
SillyC.253
SillyC.302.B
SillyC.432
SillyC.478
SillyComp.116
SillyE.512
Sirius.361
Sirius.365
Sirius.402
Sirius.547.A
Sirius.547.B
Sirius.615.A
Sirius.615.B
Sirius.640.A
Sirius.640.B
Sirius.720
Slava.500
Snowfall.945
Stay_Cool.573
SuperF.1175
Suriv.941.B
SVC.2936.B
SVC.2936.C
SVC.2936.D
SVC.2936.E
Syndrome.1485
Szatan
Tanpro.749
Taurus.1153
Tequila.2469
Tet.409
Tiger.1116
Trakia.1471
Trebujena.1094
Trieda.851
Trooper.2259
Tpvo.3464
Tpvo.3654
Uddy.2617.B
Uklott.1327
Union.1531
Ups.1155
Vampiro.1000.D
VCC.328
VCC.341
VCC.357
VCC.614
VCL.500
VCL.550
VCL.822.B
VCL.1212
VCS.1077.M
VCS2.799
VD.1664
Vesna.1000
VFSI.426
Vienna.559
Vienna.595.B
Vienna.638
Vienna.648.SDI
Vienna.699
Vienna.708
Vienna.718
Vienna.733.B
Vulcan.496
Wire.3518
YB.405
Year_1992.1731.C
Youareill.1186
Xantic
Youhave.577

The following 125 new viruses are now detected and
identified but can not yet be removed.

_700
_979
_995
_1499
_2965
Annihilator.599
Annihilator.607
Annihilator.610
AnotherW.706
Antifor.1110
ARCV.800
Ask.708
Asmodeus.1833
Avalgasil.666
Batman.2844
Bolero.1000
Buffalo.486
BW.688
Civil_Defense.6656
Coito.644
Cordobes.3334
Crawler.545
Cybertech.1078
DBF.1046
Detic.1514
DIR-II.1024.AB
Doubleheart.539
Doubleheart.553
Doubleheart.639
Dune.579
Dune.672
Emmie.2496
Faws.2340
Flack.1330
Ghost.5000
Gothic.2097
Green_girl.1055
Green_Monster.784
Gregory.406
Handel.1000
Harvester.1422
HLLC.7508
HLLC.8096
HLLP.5667.A
HLLP.5667.B
HLLP.6144
HLLP.7000
IVP.419
IVP.449
IVP.728
IVP.762
IVP.922
Johnny.826
Johnny.955
Juice.305
Lame.435
Lame.636
Ludwig.573
Mac.1098
Manic.2143
Mantis.1215
Maresme.1062
Mark.2660
Mef.1481
Mef.1538
Moonlite.338
MPTI.1536.B
Nocopy.3655
Notyet.1277
Notyet.1577
November_17th.1045
NRLG.914
NRLG.926
NRLG.933
NRLG.940
NRLG.963
NRLG.982.B
NRLG.984
NRLG.990
NRLG.1010
PCBB.3072.C
Peel.334
Phalcon.1136
Pincher.1632
Pirania.1617
Predator.1070
Predator.2424
Prohibit.1500
Quish.333
Rape.1883
Rape.2496
Riot.464
Rotator.869
Rubbit.3164
SanLoreno.1025
Saratov.1790
Scitzo.1337
Shadow.1185
Shadow.1702
Shel.973
Shel.988
Small_comp.100.B
Sochi.703
Spinner.1071
Svetlana.1110
Svetlana.2060
Svetlana.3410
Svetlana.4734
Swiss.921
TCH.1909
Tease.840
Unskip.1908
Vampiro.1492
Vampiro.1542
Vampiro.1619
Vampiro.1621
VCC.537
VCL.522
Werewolf.684.B
WinVik.A
WinVik.B
WordMacro/Atom
WordMacro/Imposter
WordMacro/Nuclear.B
WordMacro/Xenixos
Yankee_Doodle.XPEH.4048.B

The following new virus is now detected, but not identified.
F-PROT will just report the family name with a (?) or report
the virus as a "New or modified variant", as it is not yet
able to determine which variant it is dealing with.
Disinfection of this virus is not yet possible.

Tentacle

The following 60 viruses which were identified by earlier
versions can now be removed.

3_NOPs
Abs-3.A
Abs-3.B
Boot_Intruder
Brasil
Cannabis.A
Cannabis.B
Crazy_Eddie.A
Crazy_Eddie.B
Diskwasher.A
Diskwasher.B
EB79
Flame.A
Flame.B
Galicia
Godoy
Ibex
JKTK
Kaczor.4444
Lavot.A
Lavot.B
Lch15
Lulu
Malaga
MISiS.A
MISiS.B
MISiS.C
MISiS.D
Mr_D.1536
MzBoot.464
Nichols.A
Nichols.B
Nichols.C
Peter
PMBS.A
PMBS.B
RM.A
RM.B
Satria.A
SheHas
Smiley_Boot
Stoned.8.A
Stoned.8.B
Stoned.Stonehenge
Swiss_Boot.A
Swiss_Boot.B
Tony_Boot.A
Tony_Boot.B
Verify
Whirl.A
Whirl.B
Whirl.C
Windmill
X-3a.A
X-3a.B
Yankee_Doodle.1817
Yankee_Doodle.2505
Yankee_Doodle.XPEH.3600
Yankee_Doodle.XPEH.3840
Yankee_Doodle.XPEH.4016

The following viruses have been renamed:

Bones     ->   Ibex
Breasts   ->   SheHas
Hello     ->   Sirius
Ilove     ->   Satria
Sno       ->   Snowfall

