


                 F  /   W   I   N        3   .   0   7
                 =====================================


    HEURISTIC DETECTION OF WINDOWS, WINDOWS 95 AND MACRO VIRUSES




        Author of F/WIN
        ---------------
        Stefan Kurtzhals
        Drrenberg 42
        42899 Remscheid
        Germany
        E-Mail: kurtzhal@wrcs3.urz.uni-wuppertal.de
        Fido:   2:2480/8849.2



        United States Authorized Agent
        ------------------------------
        Computer Virus Solutions
        C/O Gary Martin
        P.O. Box. 30802
        Gahanna, Ohio  43230
        Voice:  (614) 337-0995
        Fax:    (614) 476-6884
        E-mail: FWIN_SUP@ix.netcom.com
        WWW:    http://www.entrepreneurs.net/fwin/index.htm
                (in early to mid March, 1996, new URL will be:
                http://www.fwin.com/fwin.index)




                             TABLE OF CONTENTS
                             =================

1.0  OVERVIEW OF F/WIN

     1.1    Tips for using this documentation
     1.2    What "Heuristic" detection is
     1.3    What F/WIN can detect - for Non-technical users
     1.4    What F/WIN can detect - for Technical users
     1.5    What F/WIN can clean  - for Non-Technical users
     1.6    What F/WIN can clean  - For Technical users
     1.7    False alarms


2.0  HOW TO USE F/WIN

     2.1    From a DOS prompt
     2.2    From Windows 3.x
     2.3    From Windows '95
     2.4    From OS/2 Warp
     2.5    Choices F/WIN provides when a suspected virus is
            found
     2.6    Situations in which F/WIN should  N-O-T be run


3.0  HOW TO ORDER A REGISTERED VERSION OF F/WIN

     3.1  Extras in the registered version
     3.2  In Germany
     3.3  In the United States
     3.4  In other countries
     3.5  Stefan Kurtzhals PGP public key (Germany)
     3.6  Gary Martin's PGP public key (USA)


4.0  WINDOWS EXE VIRUSES

     4.1  For NON-technical readers
     4.1.1  F/WIN's detection of
     4.2  For Technical readers
     4.2.1  F/WIN's detection of


5.0  MACRO VIRUSES

     5.1  What they are
     5.2  History of
     5.3  Why they pose such a great threat to your data
     5.4  F/WIN's detection of
     5.5  How the viruses are removed


6.0  F/WIN MESSAGES FOR WINDOWS VIRUSES

     6.1  Possible 16-bit virus (NE-EXE)
     6.2  Possible 32-bit virus (PE-EXE)


7.0  F/WIN MESSAGES FOR MACRO VIRUSES

     7.1  - Changes DOS attributes of other files
     7.2  - Contains macros but is not named .DOC
     7.3  - Contains execute-only macros (encrypted macros)
     7.4  - Contains macros
     7.5  - Copy macros into the global template ('CopyMacro')
     7.6  - Deletes other files! (Kill)
     7.7  - Disables NORMAL.DOT write access warnings
     7.8  - Execute other DOS or Windows programs! (Shell)
     7.9  - F/WIN can not check Microsoft Word 2.0 documents!
     7.10 - F/WIN can not clean this file safely!
     7.11 - Might contain suspicious macros
     7.12 - Might contain an antivirus-macro (please verify!)
     7.13 - Reenables auto macro processing
     7.14 - Seems to be infected with a macro virus!
     7.15 - Seems to contain a trojan macro!
     7.16 - System macros:
     7.16.1    AUTOCLOSE
     7.16.2    AUTOEXEC
     7.16.3    AUTONEW
     7.16.4    AUTOOPEN
     7.16.5    FILEEXIT
     7.16.6    FILENEW
     7.16.7    FILESAVE
     7.16.8    FILESAVEAS
     7.16.9    TOOLSMACRO
     7.17 - This document is internally fragmented. The repair
            could have failed !
     7.18 - Uses macro 'FileSaveAs'
     7.19 - Writes into other files directly (Write)


8.0  COPYRIGHT, LICENSE TERMS AND DISCLAIMER


9.0  GLOSSARY OF TERMS USED IN THIS DOCUMENTATION











1.0      OVERVIEW OF F/WIN
=================================================================


1.1    Tips for using this documentation
-----------------------------------------------------------------

       a. Do a character string search for what you're looking
          for.  This may be the fastest way to locate the
          needed information.

       b. Check the Table of Contents, then do a character
          string search on the section number.

       c. In several sections, there are two versions of the
          documentation.  One is for novice users, the other
          for people who are fairly familiar with virus and
          other technical terminology.  We thought about
          splitting these two types of documentation up into
          different files, but decided against doing it.  We
          suspect that many less experienced users will want to
          take a crack at trying to understand the technical
          explanations, and keeping them grouped together by
          topic will make that easier to do.

       d. In the novice sections, there are key words and
          phrases that appear in all uppercase, and are
          enclosed in brackets {}.  These terms are defined in
          the Glossary.


1.2    What "Heuristic" detection is
-----------------------------------------------------------------

       F/WIN doesn't use {scan strings} to detect viruses.  That
       method is fast but can't detect {unknown viruses}.  Instead,
       F/WIN uses heuristic scanning techniques.  A scan-string
       search looks for a sequence of bytes that is unique to one
       particular virus.  Heuristic analysis looks for any kind of
       dangerous or virus-like code, regardless of which virus it
       belongs to or what the macro is called.  For instance, the
       <Winword.Concept> virus is typically located by searching
       for the macro names that it uses.  Those macro names are:

       AAAZAO
       AAAZFS
       AutoOpen
       Payload

       When scan string scanners find these macro names, they
       correctly flag the document as being infected with this
       virus.  However, what if someone were to copy these
       macros into another document and slightly modify them?
       Well, we did just that and the resulting 'new' virus was
       completely undetectable by a lot of the common virus
       scanners on the market that we tested.  Only F/WIN was
       able to detect it, because it searches for macro viruses
       in a completely different way.

       In this example, F/WIN would look for potentially
       dangerous commands within each macro and flag them.  It
       also notifies the user of any macros that could be run
       automatically, such as those that are run when files are
       opened, closed, saved, etc.  Macro viruses often use
       these automatic or "system" macros to spread themselves,
       or to carry out destructive activities.  These are the
       messages you would see when F/WIN's heuristic scanner
       finds the <Winword.Concept> virus:

       -  Contains macros
       -  System macros:  AUTOOPEN
       -  Copy macros into the global template 'CopyMacro'
       -  Uses macro 'FileSaveAs'
          Seems to be infected with a macro virus

       ANY macro that contained the kind of coding flagged above
       would be flagged as being possibly virus infected, not
       just <Winword.Concept>.  So even though we changed the
       virus internally, F/WIN was still able to locate the virus
       using these heuristic scanning techniques.  These
       messages are explained in more detail in sections 6.0 and
       7.0.


1.3    What F/WIN can detect - for Non-Technical users
-----------------------------------------------------------------

       F/WIN uses heuristic scanning techniques to detect:

       a. Macro viruses in Microsoft Word release 6.0 and 7.0
          documents. The current release will not detect viruses
          or trojans in Word 2.0 files, but that's a feature
          we'll be adding later.  It doesn't matter what the file
          is called.  F/WIN will scan all files that appear in
          the selected directory and all of its sub-directories
          looking for viruses.  So if you have a virus in a Word
          document you've called "PAYROLL.WK1", F/WIN will find
          it just as easily as if you had named it "PAYROLL.DOC"
          or "PAYROLL".

          F/WIN CAN N-O-T DETECT THE PRESENCE OF MACRO VIRUSES
          IN MICROSOFT WORD DOCUMENTS THAT ARE ENCRYPTED WITH
          A PASSWORD.

          If you suspect that a password protected document is
          infected, copy the document onto a PC where it won't
          matter if a virus destroys data and open and scan it
          there.  Or send it to your regular anti-virus company,
          or to the author of F/WIN to check and clean it.

       b. A special kind of virus that infects EXE files for
          Windows or Windows '95.  "EXE" files are executable
          files and usually have the file extension ".EXE" or
          ".DLL".  The ".EXE" file extension (last three
          characters of the file name) is reserved by DOS and
          Windows for executable files only.  DOS EXE files are
          structured differently than Windows EXE files.  F/WIN
          locates viruses that have infected Windows executable
          files only.  (Exception: the DOS executables infected
          by <NE.Ph33r> will also be detected, but not with
          heuristics.)


1.4    What F/WIN can detect - for Technical users
-----------------------------------------------------------------

       Windows executables are quite different from normal DOS
       EXE files.  Windows 3.x uses the NE-EXE format (New
       Executable) and Windows 95 uses PE-EXE (Portable
       Executable), which is also used by Windows NT.  Because
       these file structures are so different from the standard
       DOS EXE format, most virus coders never manage to write
       real Windows viruses.  However, some virus coders from
       Australia finally managed to write a fully functional
       Windows 3.x virus, namely <NE.Winsurfer>, and later
       <NE.Ph33r>.  The infection scheme they use is in some ways
       much more "advanced", so it is likely that other virus
       coders will copy it.

       NE-EXE viruses are detected by analysing the program
       header of every NE-EXE file found.  The NE-EXE viruses
       modify the programs in a special way which allows reliable
       detection of this virus type.  It doesn't matter if the
       virus is polymorphic, because F/WIN doesn't check any
       program code at all!  In other words, it can detect, in a
       general or generic way, that a virus is likely present,
       but it can't tell you exactly which virus it is.  Still,
       this feature of F/WIN is quite valuable because of its
       ability to detect unknown viruses and let you know that
       you have a problem sooner rather than later.

       It detects specifically the infection scheme that
       <NE.Winsurfer> and <NE.Ph33r> use.  These were the first
       really "functional" Windows executable viruses, and their
       techniques will most likely be copied by other virus
       authors.  F/WIN also detects the only known PE-EXE virus
       for Windows 95 using a similar approach.  Because only one
       PE-EXE virus family exists so far, it really can't be said
       how good the heuristic detection is, but F/WIN will of
       course be updated to catch newer variants if they are not
       detected by the current heuristic approach.  All three
       known <Boza> variants are detected by F/WIN.

       F/WIN detected all the known NE-EXE and PE-EXE viruses
       which use the described infection mechanism.  If however
       you should happen to come across one that is not detected
       by F/WIN, please e-mail a copy of it to the author of
       F/WIN for analysis.  See SENDVIR.TXT for more information.

       The macro virus detection is more complicated.  Because we
       weren't able to get a technical description of the DOC
       format used by Microsoft Word (how macros are stored
       within each document or template), F/WIN has to scan the
       whole DOC file to find the macro list and definitions.
       F/WIN checks for the existence of auto macros (such as
       AutoExec, AutoOpen, AutoClose, FileExit), encrypted
       macros, renamed templates (templates are normally named
       ".DOT"), standard virus commands (like MacroCopy or
       FileSaveAs) and dangerous commands (like Shell, Kill or
       Write).  Any macro that is found to contain one or more
       of these commands will be flagged as being possibly virus
       infected.  F/WIN checks unencrypted macros as well as
       encrypted (execute-only) ones.

       F/WIN CAN N-O-T DETECT THE PRESENCE OF MACRO VIRUSES IN
       MICROSOFT WORD DOCUMENTS THAT ARE ENCRYPTED WITH A
       PASSWORD (the whole document is encrypted, not just the
       macros).



1.5    What F/WIN can clean - for Non-Technical users
-----------------------------------------------------------------


               Macro viruses in Microsoft Word documents

       F/WIN doesn't remove suspected viruses without asking the
       user or taking some precautions.  First it makes a backup
       copy of the file before disinfecting it.  The backup file
       will have the same file name, except that it will have a
       file extension (end with) .VIR.  So an infected file named
       PAYROLL.WK1 would have a backup file called PAYROLL.VIR.
       If there are more files with the same name, F/WIN will use
       file extensions like ".VI1", ".VI2" etc.  Next, if you
       chose the 'Clean' option, F/WIN overwrites the virus's
       macro code with harmless code and wipes the offending
       macro names from the macro list.  Because the DOC format
       is so complex, the cleaning process may fail.  In this
       case, you can try a different approach by restoring the
       backup copy and using the 'Wipe macro names' option.

       DON'T FORGET TO REMOVE ALL THE .Vnn FILES WHEN YOU'RE
       FINISHED WITH THEM.  We suggest also using a product like
       Norton Utilities WIPEINFO.EXE to wipe the FREE SPACE
       (not the whole drive) on the entire hard drive after all
       macro virus files are cleaned and removed.  If the files
       are just deleted, in many cases, they can simply be
       undeleted and reused by someone with bad intentions.
       Wiping all the free space on the entire hard drive will
       prevent someone from recovering a virus infected file by
       undeleting it, or by using a disk editor.



                            Windows EXE files
                            -----------------

       Actually, F/WIN can't clean NE-EXE or PE-EXE viruses.
       This would require a cleaner for each known virus because
       a generic cleaner would be too unsafe.  And, the known
       Windows EXE viruses are quite buggy and often destroy the
       files while infecting them so that you can't clean the
       programs anymore.  If the number of Windows viruses
       increases it may be possible to derive a secure way to
       clean them with a generic approach.  The best approach is
       to have uninfected write-protected disks or CD's to
       restore with, or clean backup tapes.



1.6    What F/WIN can clean  - for Technical users
-----------------------------------------------------------------

               Macro viruses in Microsoft Word documents
               -----------------------------------------

       F/WIN doesn't remove suspected viruses without asking the
       user or taking some precautions.  First it makes a backup
       copy of the file before disinfecting it.  Actually, F/WIN
       won't start the cleaning process if it can't create the
       backup file! The backup file will have the same file name,
       except that it will have a file extension (end with)
       ".VIR" (if there are duplicate file names, F/WIN will use
       ".VI1", ".VI2" etc.).

       So an infected file named PAYROLL.WK1 would have a backup
       file called PAYROLL.VIR. Next F/WIN overwrites the virus's
       macro code with harmless code that does nothing and wipes
       the offending macro names from the macro list. If on the
       outside chance the cleaning process leaves it unreadable,
       you can then try a different approach using the backup
       copy and selecting 'Wipe macro names'.

       DON'T FORGET TO REMOVE ALL THE BACKUP FILES WHEN YOU'RE
       FINISHED WITH THEM.

       Also note that DOC files are OLE2 compound documents.  A
       stream inside an OLE2 file can be split up into several
       pieces.  Like hard disk clusters, these pieces can be
       fragmented and, worst of all, they have a slack area just
       like real clusters: the bytes between the end of the
       stream's data and the end of its last piece are never
       overwritten, so stale data can survive there.  This is
       quite a security hole, and Microsoft already offers an
       OLE2 update for Windows 95 which handles these slack areas
       correctly.



                            Windows .EXE files
                            ------------------

       F/WIN can't clean NE-EXE or PE-EXE viruses.  This would
       require a cleaner for each known virus, because a generic
       cleaner would be too unsafe.  And the known Windows EXE
       viruses are quite buggy and often destroy the files while
       infecting them, so that the programs can't be cleaned any
       more.  If the number of Windows viruses increases, it may
       be possible to derive a secure way to clean them with a
       generic approach.  The known NE-EXE viruses could be
       cleaned by obtaining the old entry point from the virus
       code: so far, every known NE-EXE virus places a relocation
       entry at the end of the file, so if you use this pointer
       and remove the virus code segment, the file will be clean
       again.  But as the NE-EXE viruses are also often buggy,
       F/WIN couldn't verify that a cleaned file would work
       correctly.  You had better replace infected items from a
       backup or by reinstalling the infected application.
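       The header-only check described in section 1.4, and the
       appended-code-segment layout that the cleaning idea above
       relies on, can be illustrated with the following Python
       script.  It is an added example written for this
       documentation and is not F/WIN's own code: F/WIN's actual
       header heuristic is not published, so the rule used here
       (the entry point has been redirected into a code segment
       that sits behind all other segment data) is this example's
       own assumption, and the two NE images it examines are
       constructed inside the script rather than taken from real
       programs.

```python
import struct

# Offsets inside the NE header, relative to the 'NE' signature.
IP_CS_OFF = 0x14        # initial IP (word), then initial CS (1-based segment number)
SEG_COUNT_OFF = 0x1C    # number of segment table entries
SEG_TABLE_OFF = 0x22    # segment table offset, relative to the NE header
ALIGN_SHIFT_OFF = 0x32  # file alignment shift; sector size = 1 << shift (default 9)


def parse_ne(data):
    """Follow the MZ stub to the NE header and decode the segment table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[ne:ne + 2] != b"NE":
        raise ValueError("not a NE (Windows 3.x) executable")
    ip, cs = struct.unpack_from("<HH", data, ne + IP_CS_OFF)
    seg_count = struct.unpack_from("<H", data, ne + SEG_COUNT_OFF)[0]
    seg_table = struct.unpack_from("<H", data, ne + SEG_TABLE_OFF)[0]
    shift = struct.unpack_from("<H", data, ne + ALIGN_SHIFT_OFF)[0] or 9
    segments = []
    for i in range(seg_count):
        sector, length, flags, _minalloc = struct.unpack_from(
            "<HHHH", data, ne + seg_table + 8 * i)
        segments.append({
            "index": i + 1,
            "offset": (sector << shift) if sector else None,  # 0 = no file data
            "length": length or 0x10000,                      # 0 means 64 KiB
            "is_code": (flags & 1) == 0,                      # bit 0 set = DATA
        })
    return {"cs": cs, "ip": ip, "segments": segments, "size": len(data)}


def suspicious_entry(info):
    """Header-only heuristic (this example's own rule, not F/WIN's): return the
    reasons why the entry point looks like it was redirected into an appended
    segment.  An empty list means the layout looks like normal linker output."""
    segs, cs = info["segments"], info["cs"]
    if cs == 0 or cs > len(segs):
        return ["entry CS does not name a segment in the segment table"]
    entry = segs[cs - 1]
    reasons = []
    if not entry["is_code"]:
        reasons.append("entry point lies in a DATA segment")
    if entry["offset"] is not None:
        others = [s for s in segs if s is not entry and s["offset"] is not None]
        if len(segs) > 1 and cs == len(segs) and all(
                entry["offset"] >= s["offset"] + s["length"] for s in others):
            reasons.append("entry point is in the last segment, which sits "
                           "after all other segment data")
        if entry["offset"] + entry["length"] > info["size"]:
            reasons.append("entry segment runs past the end of the file")
    return reasons


def build_ne(segments, cs, ip=0, shift=4):
    """Assemble a minimal MZ+NE image from (bytes, is_code) pairs.  Fixture
    builder for this example only; real files carry many more tables."""
    sector = 1 << shift
    ne_off = hdr_len = 0x40
    data_start = -(-(ne_off + hdr_len + 8 * len(segments)) // sector) * sector
    entries, body, pos = [], bytearray(), data_start
    for blob, is_code in segments:
        entries.append((pos >> shift, len(blob), 0 if is_code else 1, len(blob)))
        pad = (-len(blob)) % sector
        body += blob + b"\0" * pad
        pos += len(blob) + pad
    mz = bytearray(ne_off)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, ne_off)
    hdr = bytearray(hdr_len)
    hdr[:2] = b"NE"
    struct.pack_into("<HH", hdr, IP_CS_OFF, ip, cs)
    struct.pack_into("<H", hdr, SEG_COUNT_OFF, len(segments))
    struct.pack_into("<H", hdr, SEG_TABLE_OFF, hdr_len)  # table right after header
    struct.pack_into("<H", hdr, ALIGN_SHIFT_OFF, shift)
    table = b"".join(struct.pack("<HHHH", *e) for e in entries)
    img = mz + hdr + table
    return bytes(img + b"\0" * (data_start - len(img)) + body)


# Constructed fixtures (not real programs): a normal CODE/DATA layout, and the
# same file with a code segment appended behind DATA and CS pointed at it.
CODE, DATA, APPENDED = b"\x90" * 0x120, b"\x00" * 0x40, b"\xCC" * 0x80
CLEAN_IMAGE = build_ne([(CODE, True), (DATA, False)], cs=1)
INFECTED_IMAGE = build_ne([(CODE, True), (DATA, False), (APPENDED, True)], cs=3)


def verdict(data):
    """One-line result in the style of F/WIN's section 6.1 message."""
    try:
        reasons = suspicious_entry(parse_ne(data))
    except ValueError as exc:
        return f"skipped: {exc}"
    if not reasons:
        return "no NE heuristic hit"
    return "Possible 16-bit virus (NE-EXE): " + "; ".join(reasons)


if __name__ == "__main__":
    for name, img in (("clean.exe", CLEAN_IMAGE), ("infected.exe", INFECTED_IMAGE)):
        print(f"{name}: {verdict(img)}")
```

       Run as a script, it reports the constructed "infected"
       layout and stays silent on the clean one.  Like F/WIN's
       own check it never looks at the code bytes, so a
       polymorphic virus body makes no difference to it.  The
       price is the false positive class section 1.7 describes:
       a legitimately linked driver or DLL whose only code
       segment happens to be placed last in the file will trigger
       the same message.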



1.7    False alarms
-----------------------------------------------------------------

       Every heuristic approach causes both false positives and
       {false negatives}, and this is of course also true for
       F/WIN.  This means that F/WIN may flag some harmless files
       as infected and, on the other hand, will miss some of the
       more unusual viruses.  We tried everything to keep the
       number of both false positives and false negatives as low
       as possible, but we can't completely avoid them.


                        Windows .EXE files
                        ------------------

       F/WIN may on rare occasions trigger a false alarm on a
       Windows EXE file.  Should you experience one, please send
       a copy of the file that was flagged in error to the author
       of F/WIN for evaluation.  F/WIN will either be modified to
       stop triggering the false alarm, or a new file will be
       created listing known false alarms.  So far, most false
       positives have been caused by device drivers or special
       DLLs.


                    Microsoft Word Macro Viruses
                    ----------------------------

       After the first macro viruses appeared, the AV companies
       and others released some Microsoft Word .DOT and .DOC
       files that contained anti-virus macros which can detect
       and clean some of the viruses.  F/WIN will flag some of
       the antivirus macros we tested as being possibly infected.
       We tested SCAN831.DOC, SCANPROT.DOT, WVFIX.DOT,
       AVPW10n.DOT (also AVPW10nG.DOT) and CHEKWORD.DOC.  The
       reason F/WIN flags them is that they contain almost all of
       the same potentially dangerous macro commands which are
       sometimes found in macro viruses.

       It's impossible to distinguish between such an antivirus
       macro and a real macro virus without creating a severe
       security hole in F/WIN!  SCANPROT.DOT, CHEKWORD.DOC and
       AVPW10n.DOT were all flagged as being possibly infected by
       a virus.  However, F/WIN will produce a message, shown in
       green, alerting the user to the possibility that the
       document being flagged may be a legitimate anti-virus
       template.  The text of the message is:

       "Might contain an antivirus-macro (please verify!)"

       See section 7.12 for more about this.

       As an example we will show here the messages that F/WIN
       produces when it analyzes SCANPROT.DOT:

       C:\MSOFFICE\WINWORD\TEMPLATE\SCANPROT.DOT
          - Contains macros
          - System macros: AUTOOPEN, AUTOCLOSE, AUTONEW
          - Copy macros into the global template (CopyMacro)
          - Uses macro 'FileSaveAs'
          - Execute other DOS or Windows programs! (Shell)
          - Writes into other files directly (Write)
          - Deletes other files! (Kill)
          - Changes DOS attributes of other files
          Seems to be infected with a macro virus!
          Might contain an antivirus-macro (please verify!)

       There is a small percentage of Microsoft Word users
       who write legitimate, useful macros that may use some of
       the commands that F/WIN detects.  Especially the
       experienced user quite often uses macros to speed up the
       work with Winword.  In general, if you know that you have
       not written any macros and that you've not received any
       documents with known macros in them, then it's highly
       likely that you do have a virus if F/WIN detects the
       presence of suspicious macro code in your Microsoft Word
       documents or templates.  This is especially true if
       possible infections are detected in multiple documents.

       If legitimate macros are present in your environment that
       trigger warnings from F/WIN, make a note of what commands
       F/WIN is finding and flagging and make sure your macros
       are supposed to contain those commands.



2.0      HOW TO USE F/WIN
=================================================================

       In general, it's important that you don't run Microsoft
       Word itself at the same time as F/WIN.  F/WIN is able to
       check already opened files, but it can't clean them
       because it will not get write access to such files.  So,
       if your NORMAL.DOT or other document is infected with a
       macro virus, you must exit Word before running F/WIN.


2.1    From a DOS prompt
-----------------------------------------------------------------

       If you run F/WIN without parameters, you will be prompted
       to enter a drive letter, which will then be scanned.

       There are three levels of scanning that F/WIN does for
       Macro viruses and trojans.  It is important to understand
       which is right for your needs before choosing the one you
       want.

       LEVEL 0:  F/WIN detects and produces warning messages for
                 obvious virus and trojan files.  All currently
                 known Word 6.0 and 7.0 viruses are detected at
                 this level.  This is the default level of
                 scanning when the /MODE and /PARANOID parameters
                 are not used.  This level detects viruses and
                 trojans that are fully functional.  "Fully
                 functional" means that they contain all the
                 components that would normally be present in
                  a virus or trojan.  The four most important
                  criteria F/WIN uses to make this determination
                  are:

                 a)  How likely is it that the macro code will be
                     executed without the users knowledge or
                     consent?  If the macro code is placed into
                     a macro called "ABC", it is quite unlikely
                     that any user would run such a
                     macro by accident.  But if it were placed in
                     one of the system macros like "AutoOpen" or
                     "FileSaveAs", then it would be very easy for
                      most users to execute the macro code without
                      knowing they were doing it.

                  b)  Does the macro code contain any potentially
                      destructive code?  This also includes any
                      call out to programs other than Word (e.g.
                      running a DOS "ERASE" command).

                 c)  Can the macro(s) that are present in the
                     document spread themselves to other files?

                 d)  Does the pattern of code in the macro(s)
                     fit the pattern of known anti-virus macros?

                  If 'a', 'b' and 'c' are all true, then F/WIN
                  considers the document to be infected by a
                  "virus", because viruses by their nature spread
                  to other files.  If only 'a' and 'b' are true,
                  then F/WIN flags the file as being possibly
                  infected by a "trojan", because trojans don't
                  spread.

                 If 'd' is true, then F/WIN produces an extra
                 message informing the user that the current file
                 that F/WIN is producing messages for may be an
                 anti-virus template.  If it is, then they don't
                 need to be concerned.  Users are encouraged to
                 verify for sure that such templates are being
                 used in their environment.  Don't assume that
                 it's harmless when this extra message is
                 produced.  It could be a clever virus designed
                 specifically to trigger this message in F/WIN
                 for the purpose of deceiving the user.


        LEVEL 1:  Level 1 detection does everything Level 0 does,
                  and MORE.  This is called "Extended Mode".
                  Level 1 will produce warning messages even if
                  not all the conditions specified in level 0 are
                  met.  To use LEVEL 1 scanning, use the /MODE=1
                  parameter.
                 For instance, if F/WIN finds a WordBasic "Kill"
                 command (deletes files) in an execute-only macro
                 called "AutoOpen", at this level of scanning, it
                 will produce a warning message that says:

                 "Might contain suspicious macros"

                 This message will appear only in level 1 or 2
                 scanning. The "Extended Mode" might cause more
                 false positives than the standard scanning mode.


       LEVEL 2:  Level 2 detection does everything Level 1 does,
                 and MORE.  Use the /MODE=2 or /PARANOID
                 parameter to get the most comprehensive scanning
                 F/WIN can deliver.

                 For example, a template called "VIRUS.DOC" with
                 a macro "Harmless" which contains a single
                 KILL will be flagged by F/WIN if you use the
                  Paranoid mode.  In general, F/WIN needs far
                  fewer criteria to flag a document as being
                  suspicious.  In particular, very simple macro
                  trojans can only be detected in this mode, but
                  it will also cause many more false positives
                  than Normal or Standard scanning.

       If you're not sure which level to use, start with the
       highest level, and work your way backwards if you get a
       lot of false alarms.  For instance:

       1.  Start by using /PARANOID or /MODE=2.  If you get too
           many false alarms, then:

       2.  Use /MODE=1.  If you still get too many false alarms,
           then:

       3.  Run F/WIN without specifying either the /MODE=n or
           /PARANOID commands.
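       The heuristic described in section 1.2 and the three
       scanning levels above can be put together as a small
       classifier over WordBasic source.  The following Python
       script is an added example for this documentation, not
       F/WIN's code: F/WIN reads the binary macro storage inside
       the DOC file, whereas this script takes macro names and
       plain WordBasic text, and the exact boundaries between the
       levels (level 0 requires the replicating or destructive
       statement inside an auto macro, level 1 accepts it in any
       macro as long as an auto macro exists, level 2 accepts it
       anywhere) are this example's simplification of the rules
       above.  The Organizer statement, the SetAttr spelling and
       the three-command threshold for the anti-virus hint are
       assumptions of the example; all sample macros are
       constructed and harmless.

```python
import re

# Macro names Word runs on its own (the list in section 7.16 of this document).
AUTO_MACROS = {"AUTOEXEC", "AUTOOPEN", "AUTOCLOSE", "AUTONEW", "FILEEXIT",
               "FILENEW", "FILESAVE", "FILESAVEAS", "TOOLSMACRO"}
# Statements that copy macros elsewhere.  MacroCopy and FileSaveAs are the ones
# this document names; Organizer is an assumption of this example.
SPREAD_CMDS = {
    "MACROCOPY":  "Copy macros into the global template (MacroCopy)",
    "ORGANIZER":  "Copy macros with Organizer",
    "FILESAVEAS": "Uses macro 'FileSaveAs'",
}
# Statements the document lists as dangerous.  SetAttr is this example's
# choice for "Changes DOS attributes of other files".
DESTRUCTIVE_CMDS = {
    "SHELL":   "Execute other DOS or Windows programs! (Shell)",
    "WRITE":   "Writes into other files directly (Write)",
    "KILL":    "Deletes other files! (Kill)",
    "SETATTR": "Changes DOS attributes of other files",
}
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def code_words(body):
    """Upper-cased identifiers in a WordBasic body.  String literals and
    comments are ignored, so a MsgBox that merely says "Kill" is not a hit."""
    words = set()
    for line in body.splitlines():
        line = re.sub(r'"[^"]*"', '""', line)   # blank out string contents
        line = line.split("'", 1)[0]            # drop trailing ' comments
        if line.strip().upper().startswith("REM "):
            continue
        words.update(w.upper() for w in _IDENT.findall(line))
    return words


def analyse(macros, level=0):
    """macros: {macro name: WordBasic source}.  level 0/1/2 mirrors /MODE=n.
    Returns (verdict, message lines); verdict is None when nothing is flagged."""
    if not macros:
        return None, []
    lines = ["Contains macros"]
    auto = sorted(n.upper() for n in macros if n.upper() in AUTO_MACROS)
    if auto:
        lines.append("System macros: " + ", ".join(auto))
    spread_any, destr_any, spread_auto, destr_auto = set(), set(), set(), set()
    for name, body in macros.items():
        words = code_words(body)
        s, d = words & set(SPREAD_CMDS), words & set(DESTRUCTIVE_CMDS)
        spread_any |= s
        destr_any |= d
        if name.upper() in AUTO_MACROS:       # runs without user action
            spread_auto |= s
            destr_auto |= d
    lines += [SPREAD_CMDS[k] for k in SPREAD_CMDS if k in spread_any]
    lines += [DESTRUCTIVE_CMDS[k] for k in DESTRUCTIVE_CMDS if k in destr_any]
    # Level 0: the replicating or destructive call sits inside an auto macro.
    if spread_auto:
        verdict = "Seems to be infected with a macro virus!"
    elif destr_auto:
        verdict = "Seems to contain a trojan macro!"
    # Level 1: an auto macro exists but the dangerous call is in another macro
    # (AutoOpen just calls it), so the execution path is less certain.
    elif level >= 1 and auto and (spread_any or destr_any):
        verdict = "Might contain suspicious macros"
    # Level 2 (paranoid): any dangerous call at all, whatever the macro name.
    elif level >= 2 and (spread_any or destr_any):
        verdict = "Might contain suspicious macros"
    else:
        return None, []
    lines.append(verdict)
    # Criterion d: replication plus several file-system calls is also what an
    # anti-virus template needs; the threshold of three is this example's.
    if spread_any and len(destr_any) >= 3:
        lines.append("Might contain an antivirus-macro (please verify!)")
    return verdict, lines


# Constructed samples in simplified WordBasic; none of this is real virus code.
CONCEPT_LIKE = {
    "AutoOpen": 'Sub MAIN\n MacroCopy "AutoOpen", "Global:AAAZAO"\n'
                ' MacroCopy "Payload", "Global:Payload"\nEnd Sub',
    "FileSaveAs": "Sub MAIN\n FileSaveAs .Format = 1\nEnd Sub",
    "Payload": "Sub MAIN\nEnd Sub",
}
TROJAN_LIKE = {"AutoClose": 'Sub MAIN\n Kill "C:\\DOCS\\*.DOC"\nEnd Sub'}
INDIRECT = {  # only /MODE=1 or higher sees this one
    "AutoOpen": "Sub MAIN\n DoPayload\nEnd Sub",
    "DoPayload": 'Sub MAIN\n Shell "DELTREE /Y C:\\DOCS", 0\nEnd Sub',
}
PARANOID_ONLY = {"Harmless": 'Sub MAIN\n Kill "C:\\TMP\\*.TMP"\nEnd Sub'}
AV_TEMPLATE_LIKE = {
    "AutoOpen": 'Sub MAIN\n MacroCopy "Scan:AutoOpen", "Global:AutoOpen"\n'
                ' Shell "ATTRIB -R NORMAL.DOT", 0\n Open "LOG.TXT" For Output As #1\n'
                ' Write #1, "cleaned"\n Kill "BAD.DOT"\n SetAttr "NORMAL.DOT", 0\nEnd Sub',
}
BENIGN = {"FormatTable": 'Sub MAIN\n TableSelectTable\n Bold 1\n MsgBox "Kill switch"\nEnd Sub'}

if __name__ == "__main__":
    for name, doc in (("CONCEPT", CONCEPT_LIKE), ("INDIRECT", INDIRECT),
                      ("HARMLESS", PARANOID_ONLY), ("BENIGN", BENIGN)):
        for level in (0, 1, 2):
            print(f"{name:8} /MODE={level}: {analyse(doc, level)[0] or 'no warning'}")
```

       Running the script shows the trade-off the levels make:
       the Concept-like set is a virus at every level, the
       "Harmless" macro with a single Kill is only reported under
       /MODE=2, and the INDIRECT set (an AutoOpen that merely
       calls a second macro holding the Shell) is missed at level
       0 and caught from level 1 on.  Because the classifier
       ignores string contents, a macro that just displays the
       word "Kill" in a message box is not flagged, while the
       anti-virus-template sample gets both the virus verdict and
       the green "please verify" hint, exactly as described for
       SCANPROT.DOT in section 1.7.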



       The syntax for F/WIN is as follows.  Parameters enclosed
       in [ ]'s are optional:

       FWIN path [/?] [/H] [/DOC] [/REPORT=Name] [/PARANOID]

                 [/MODE=n]  [/BATCH]  [/WIPEALL] [/CLEANALL]


          path        The directory and all of its
                      sub-directories to be scanned.  Specify
                      just the drive name if the entire drive is
                      to be scanned.  Wild-cards in the dataset
                      name are not allowed.  You may specify
                      only one drive or path name at a time.
                      CD-ROM drives names may also be specified.
                       F/WIN accepts Windows 95 long file name
                       paths, but keep in mind that the DOS
                       command line can only handle 128
                       characters.  Path names containing spaces
                       must be enclosed in quotation marks.

          /? or /H    Will display a short help screen.

          /DOC        F/WIN scans only .DOC and .DOT files.  The
                      default is to scan ALL files. This will
                      increase the scan speed, but F/WIN will
                      only detect macro viruses with this option
                      enabled.

          /REPORT=... The path and file name for a text file
                      that contains a report of the files that
                      F/WIN checked. The report option is only
                      available in the registered version.

          /BATCH      F/WIN renames all suspicious files it
                      detects without prompting for user input.

          /PARANOID   By default, F/WIN checks macros carefully
                      and will try to minimize the chance of
                      false positives.  However, this keeps F/WIN
                      from detecting some trojan macros.  If you
                      enable the paranoid mode, F/WIN will also
                      report macros which are only partially
                      suspicious but will also report more false
                      positives.  /PARANOID and /MODE=2 perform
                      exactly the same functions.  The /PARANOID
                      parameter was included because it might be
                      easier for some users to remember than
                      /MODE=2.  If you don't use Word macros at
                      all, /PARANOID or /MODE=2 is a very good
                      choice.

          /MODE=n     Enables the advanced scanning modes.
                      n = 1 : Extended mode
                      n = 2 : Paranoid
                      n=2 is the same as /PARANOID and will
                       enable the Paranoid scanning mode.  In the
                       extended mode, F/WIN will also report
                       documents which contain suspicious macros
                       but don't seem to contain a complete macro
                       virus or trojan.

          /CLEANALL   By default, F/WIN prompts for what action
                      to take on an infected file as it
                      encounters each one.  This switch tells
                      F/WIN to not prompt for action on each
                      file, but instead, to go ahead and remove
                      the virus from all infected files using the
                      "CLEAN" method.  "Clean" is a deep
                      cleaning.  In addition to writing over
                      the macro definition list, it also writes
                      over the virus code itself.  Because of
                      internal fragmentation in Word templates,
                      clean will sometimes not clean the document
                      properly, leaving it unreadable or locking
                      your PC up when you try to access the
                      document after the clean.  However, a
                      backup of all cleaned files is made, so
                      you can try the WIPE disinfect method
                      instead if the CLEAN method fails (after
                      restoring the document from the backup).
                      Most likely, F/WIN by itself will detect
                      that a file can't be cleaned with the
                      "CLEAN" option and will report the message
                      "This file can not be cleaned safely!".

                      If this option is used, you MUST also use
                      the /REPORT= option.  /CLEANALL can't be
                      used with /BATCH or /WIPEALL.

          /WIPEALL    By default, F/WIN prompts for what action
                      to take on an infected file as it
                      encounters each one.  This switch tells
                      F/WIN to not prompt for action on each
                      file, but instead, to go ahead and remove
                      the virus from all infected files using the
                      "WIPE" method.  "Wipe" is a shallow
                      cleaning.  It simply writes over the
                      macro name and offset list.  It does
                      not write over the virus code itself like
                      CLEAN does.  However, Word will never
                      be able to access the virus code again
                      after this cleaning method, so it is quite
                      effective.  Since /WIPEALL only wipes the
                      macro name and offset list, it is far less
                      susceptible to damaging the documents it
                      disinfects.  As a result, it is only on
                      very rare occasions that F/WIN damages
                      templates it cleans this way.  /WIPEALL
                      makes a backup copy of all modified files.

                      If this option is used, you MUST also use
                      the /REPORT= option.  /WIPEALL can't be
                      used with /BATCH or /CLEANALL.


       Examples:

          FWIN D:

            (scans the entire D: drive)


          FWIN "C:\MSOffice\WinWord\Template\My templates"

            (Scan the "My templates" subdirectory and all
             directories below it.  Note that the parameters
             passed to FWIN had to be enclosed in quotes
             in this case because of the space that appears
             between "My" and "templates")


          FWIN A:\ /REPORT=C:\FWIN.RPT

            (scans the entire A: drive, and puts a report of
             what it found into the file C:\FWIN.RPT)


          FWIN D:\ /REPORT=A:\FWIN.RPT /PARANOID /DOC

            (scans the entire D: drive, and puts a report of
             what it found in A:\FWIN.RPT, and checks ONLY
             macros in files that end in .DOC or .DOT)


          FWIN C:\ /REPORT=A:\FWIN.RPT /MODE=2 /CLEANALL

            (scans the entire C: drive in the Paranoid mode and
             puts a report of what it found in A:\FWIN.RPT, and
             cleans all files infected with Word macro viruses
             or trojans.)


          FWIN C:\ /REPORT=C:\FWIN.RPT /MODE=1 /WIPEALL

            (scans the entire C: drive, and puts a report of
             what it found in C:\FWIN.RPT, and wipes the macro
             definition list from all files infected with Word
             macro viruses or trojans that satisfy the /MODE=1
             search criteria.  Also makes a backup copy of all
             disinfected files.)


          FWIN

            (F/WIN will prompt for which drive to scan.  Just
             enter the letter of the drive (don't add a ':'
             after it).  It also produces the same help
             information that's listed when the /H or /?
             parameters are used.)


          FWIN  /?

            (F/WIN displays help information)


          FWIN C:\*.DOC

            (will NOT work; wildcards are not valid)




2.2    From Windows 3.x
-----------------------------------------------------------------

       Option #1:   Click on the "MS-DOS PROMPT" icon in the
                    "MAIN" window and follow the previous
                    instructions for running from a DOS prompt.

       Option #2:   On the PROGRAM MANAGER screen, click on
                    "FILE", then on "RUN".  Point to where FWIN
                    is stored, then add the appropriate parms to
                    run it the way you want it to.  For instance,
                    in the box that says "COMMAND LINE", you
                    would enter:  "C:\FWIN C:" to scan the C:
                    drive, assuming that FWIN was being stored
                    in the root directory of the C: drive.


       In either of the above two options, F/WIN will prompt you
       for the path to scan if it isn't specified.



2.3    From Windows '95
-----------------------------------------------------------------

       Option #1:   Run it from DOS.  There are three ways to get
                    to it.

       First way:   Click on "START"
                    Click on "RUN"
                    Key in the appropriate FWIN command.  Use
                    the previous instructions for running
                    F/WIN in DOS.  For instance, enter:
                    C:\FWIN A:   to scan the A: drive.
                    Click on "OK"

       Second way:  Click on "START"
                    Click on "PROGRAMS"
                    Click on "MS-DOS PROMPT"
                    Key in the appropriate FWIN command.  Use
                    the previous instructions for running
                    F/WIN in DOS.  For instance, enter:
                    C:\FWIN A:   to scan the A: drive.

       Third way:   Click on "START"
                    Click on "PROGRAMS"
                    Click on "MAIN"
                    Click on "MS-DOS PROMPT"
                    Key in the appropriate FWIN command.  Use
                    the previous instructions for running
                    F/WIN in DOS.  For instance, enter:
                    C:\FWIN A:   to scan the A: drive.


       You may also set up icons to run FWIN with from the
       Windows 95 Menu.  In the example below, FWIN will scan
       the A: drive:

       Copy FWIN.EXE into whatever directory you want to run it
            from.  In this example, it is run from the C:\
            directory.
       Click on "START"
       Click on "SETTINGS"
       Click on "TASKBAR"
       Click on "START MENU PROGRAMS"
       Click on "ADD"
       Key in "C:\FWIN.EXE A:" in the box labeled "Command
            Line", then press ENTER
       Click on "NEXT"
       Key in "FWIN (scan A drive)" in the box labeled "Select
            a name for the shortcut", then press ENTER
       Click on the icon of your choice, or use the FWIN.ICO
           file that came with F/WIN.
       Click on "FINISH", then "OK"

       To run what you just set up:

       Click on "START"
       Click on "PROGRAMS"
       Click on "FWIN (scan A drive)"


2.4    From OS/2 Warp
-----------------------------------------------------------------

       Open an OS/2 DOS window.  Then execute F/WIN exactly the
       same way you would as if you were running it in DOS.



2.5    Choices F/WIN provides when a suspected virus is
       found
-----------------------------------------------------------------

       If F/WIN detects a suspicious file, it will stop
       scanning and display some messages.  At the bottom of this
       text you will see a display similar to the examples below:

       This file has suspicious structures! (32 bit virus?)
       Rename file? [Y]es, [N]o, [A]ll, [S]kip all :

       This document has suspicious structures or contents:
       Rename file? [Y]es, [N]o, Rename [A]ll, [C]lean file,
                    [W]ipe macro names, [S]kip all :

       You choose options by pressing the letter enclosed in
       brackets (F/WIN displays these characters in another color).

       The options explained in detail:

       - (Rename file) [Y]es:
         F/WIN will rename this document to another file
         extension (.VIR, .VI1, etc.) and will continue the
         search.  The contents of the reported file are not
         changed.

       - (Rename file) [N]o:
         F/WIN will do nothing with the reported file and will
         continue the search normally.

       - (Rename) [A]ll:
         This and all further suspicious files will be renamed
         to a .VIR extension.  F/WIN will not stop and prompt if
         it detects further files with suspicious contents.
         (F/WIN will rename both macro and Windows EXE viruses)

       - [S]kip all:
         The search will be continued and F/WIN will not
         interrupt again if it finds suspicious files.  All
         suspicious files will remain unchanged.  This feature
         may not be very helpful unless you also use the
         /REPORT option.

       - [C]lean:
         F/WIN will try to clean the reported file with the
         full cleaning method.  Before starting the cleaning
         process, it will create a backup of the target file.
         The cleaning process will get aborted if F/WIN can't
         create the backup file.  The cleaning option is only
         available for macro viruses.  All macros are removed
         from the template, not just the virus macros!

       - [W]ipe macro names:
         Like the full cleaning option, F/WIN will create a
         backup before trying to modify a file.  Removing
         just the macro name and offset list from a document is
         much safer than CLEAN and you should use this option if
         you encounter problems with the full cleaning.  All
         macros are removed from the template, not only the
         virus macros.  Again, this option is not available for
         Windows EXE viruses.



2.6    Situations in which FWIN should  N-O-T be run
-----------------------------------------------------------------

       If you suspect that a DOS, Windows 95 or OS/2 virus is
       memory resident, do N-O-T run F/WIN until you are
       confident that the virus is no longer memory resident.
       If a virus is memory resident, and it's a "fast infector",
       running F/WIN can cause it to infect every executable file
       it's capable of infecting during F/WIN's scan.  F/WIN is
       not a full-blown scanner that can check to see if DOS and
       Windows viruses are resident in memory.  It is a
       specialized scanner that supplements the regular scanner
       you already have.  Use your regular scanner to make sure
       there are no memory resident viruses before running F/WIN
       or better yet, boot from a clean system disk.

       These precautions are only necessary against resident DOS,
       Windows 95 or OS/2 file or boot sector viruses.  Macro
       viruses are 'resident' too, but they don't directly
       interfere with programs running under those three operating
       systems.



3.0      HOW TO ORDER A REGISTERED VERSION OF FWIN
=================================================================


3.1  Extras in the registered version

       The following extra features will appear in the registered
       version that aren't active in the shareware version.

        a)  Cleaning of all files will be activated (not just
            NORMAL.DOT).
        b)  /REPORT switch will be activated
        c)  /MODE and /PARANOID switches will be activated
        d)  /CLEANALL and /WIPEALL will be activated


3.2  In Germany

       Orders can be submitted by e-mail or by normal mail.  Please
       fill in the file REGISTER.TXT and send it to:

       Stefan Kurtzhals
       Drrenberg 42
       42899 Remscheid
       Germany
       E-Mail: kurtzhal@wrcs3.urz.uni-wuppertal.de

       The registered version will be sent either on a 3.5" disk
       or by PGP encrypted E-Mail.  Please don't forget to add
       your public PGP key if you want to receive the registered
       version by E-Mail!  You will receive a PKZIP archive which
       will contain the latest version of F/WIN and a personal
       key file.

       The latest German shareware version of F/WIN can be
       downloaded from:

       - HTTP://www.entrepreneurs.net/fwin/index.html
         (our TEMPORARY URL until the WWW.FWIN.COM URL becomes
         available)
       - HTTP://WWW.FWIN.COM (Homepage)
         (available in early/mid March, 1996)
       - HTTP://WWW.CYBERBOX.NORTH.DE
       - CYBERBOX BBS (v32b: 0441-3990032, v34: 0441-3990033,
         ISDN: 0441-9396977)
       - VHM II BBS (v34/ISDN: 08638-881108)


3.3  In the United States


                    PAYING FOR THE REGISTERED VERSION
                    ---------------------------------

       Print and fill out the file ORDER.TXT, then mail to:

           Computer Virus Solutions
           Order Processing
           P.O. Box 30802
           Gahanna, Ohio  43230
           United States of America

           Please include a check or money-order payable to:

           "COMPUTER VIRUS SOLUTIONS"

           At this time, we are not yet set up to accept credit
           card orders, but we should be in the future.

           When we are able to accept credit card orders, there
           will also be a dedicated fax line to place your orders
           by fax.  We are hoping to have that available in the
           middle to end of March, 1996.  Watch our WWW site for
           news about this.


                 HOW TO RECEIVE THE SOFTWARE AND KEY FILE
                 ----------------------------------------

                              Option #1
                              ---------

      Download the shareware version from an FTP site.
      After receiving your payment by mail, we'll send you
      your unique key file which turns the shareware version
      into the registered version.  You may receive your key
      file in any of the following ways:

           a.  By mail on a floppy diskette.
           b.  By e-mail as a PGP encrypted binary file
               attachment (make sure your e-mail system allows
               this)
           c.  A UUENCODE'd e-mail message (must be PGP
               encrypted, though)
           d.  A PGP ASCII file sent in an e-mail message
           e.  PKZIP password protected file that's been
               UUENCODED.

      If you wish to receive your key file by e-mail, you
      must make sure to send us your PGP public key.  We
      will not send an unencrypted key file through the
      internet.

      With the exception of the diskette option, the file
      you'll receive will be a self-extracting PKZIP compressed
      file.


                             Option #2
                             ---------

       All software sent on a diskette.



                          Getting Updates
                          ---------------

      Updates (which are the shareware version) can be downloaded
      from the following web sites (see below).  As long as you
      have a valid, legal FWIN.KEY file, you can download the
      "shareware" versions from these sites to upgrade your copy
      of F/WIN.

      The FWIN.EXE file by itself is the "shareware" version.
      When FWIN.EXE and FWIN.KEY are used together, collectively
      they make up the fully-functional "registered" version.
      Here's how this works.  When you run F/WIN Anti-Virus, the
      FWIN.EXE program looks to see if a valid FWIN.KEY file
      exists where it expects it to be.  If FWIN.KEY is missing,
      FWIN.EXE is programmed to avoid activating some features.
      If a valid FWIN.KEY is found, then FWIN.EXE will activate
      all of its features.  So you can keep downloading updated
      shareware versions, and have the most up-to-date
      registered version as well because of your FWIN.KEY file.

      See the price list in the ordering files for what it costs
      to receive update diskettes by mail 4 times a year.

      We also have an auto-responder set up that will allow you
      to send an e-mail message (with nothing in the subject or
      message; a completely blank message) to our WWW site, and
      have it automatically send you back through e-mail a
      UUENCODE'd version of the latest shareware release.  This
      will allow anyone with internet e-mail access to get their
      updates (and the original shareware version) by e-mail, so
      long as they have UUDECODE software to decode it.  To get
      the latest version of F/WIN Anti-Virus by e-mail, send a
      message (with nothing in the Subject line or body of the
      message) to:

      EVALUATE@fwin.entrepreneurs.net  (temporary address until
                                        early to mid March, 1996)

      Sometime in early to mid March, 1996, our new autoresponder
      address will be available.  It will be:

      EVALUATE@www.fwin.com


      If you don't currently have UUDECODE, it is available at
      many FTP sites on the Internet.  Our web page also contains
      the DOS and Windows version of UUENCODE/UUDECODE for you to
      download.  Here's how to get to our web page:

       HTTP://www.entrepreneurs.net/fwin/index.html
              (our TEMPORARY URL until the WWW.FWIN.COM URL
               becomes available)

       HTTP://WWW.FWIN.COM (Homepage)
              (available in early/mid March, 1996)

       The shareware version may also be downloaded from:

       http://www.valleynet.com/~joe

       Some time in March, 1996, there will also be several
       BBS or FTP sites that contain the shareware version for
       downloading.


3.4  In other countries

     For ordering the German version, contact Stefan Kurtzhals
     for purchasing instructions.  All others please contact Gary
     Martin.  Both can be contacted by e-mail through our web
     page specified above.



4.0      WINDOWS EXE VIRUSES
=================================================================


4.1.   For NON-Technical readers
-----------------------------------------------------------------

       Until recently, {windows viruses} were very rare and
       primitive. In most cases they just converted the Windows
       executable format {NE-EXE} into normal {DOS-EXE} or used
       {companion style infection} and didn't change the programs
       at all.  Furthermore, they all were {non-resident}
       {direct action} infectors which never spread very far.
       Viruses like {WinVir14} were too clumsy to escape into the
       {wild} and remained pure research viruses.

       But the situation changed after an underground virus
       magazine published the source code for a virus called
       {Winsurfer}. <Winsurfer> used a new {infection scheme} for
       infecting NE-EXE files. It was the first virus which was
       able to infect NE-EXE in a proper way without converting
       the program in DOS-EXE or by just creating companions.
       The new infection scheme is much less noticeable than the
       previous ones because it only changes a very small part
       of the {program header} and leaves the program still
       executable.

       Also, <Winsurfer> (and especially <Ph33r>) stay {resident}
       using the {DPMI API}. This gives them a much higher
       infection rate than the older direct action viruses.
       (<Ph33r> is a partial {fast infector})

       Because this infection scheme is so clearly superior and
       additionally being published widely, it's very likely that
       more viruses will appear which copy this special method
       of infecting files.

       Windows 95 programs (32 bit EXE) have a new format,
       PE-EXE. The viruses that use the NE-EXE infection scheme
       don't infect this format, but as there are still some
       NE-EXE (16 bit EXE) left in Windows 95 or the user still
       uses old Windows programs, the viruses will still spread
       under Windows 95. Also, <Ph33r> infects DOS programs such
       as COMMAND.COM or WIN.COM besides infecting Windows EXE.

       The same underground virus writer group which created
       <Winsurfer> and <Ph33r> also managed to write a PE-EXE
       virus for Windows 95 executables. This virus is still
       quite clumsy (it's again just a direct action virus), but
       surely there will soon follow more complex viruses as the
       virus source was again published by the authors.


4.1.1  F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------

       F/WIN detects Windows EXE viruses by analysing the NE-EXE
       and PE-EXE header of a file. The known Windows EXE viruses
       modify this header to a very unusual structure which can
       be detected by F/WIN. F/WIN does not check the suspicious
       program code itself, and because of this it detects both
       unencrypted and variably encrypted {polymorphic} viruses.


4.2.   For Technical readers
-----------------------------------------------------------------

       Until recently, windows viruses were very rare and
       primitive. In most cases they just converted the Windows
       executable format NE-EXE into normal DOS-EXE or used
       companion style infection and didn't change the programs
       at all.  Furthermore, they all were non-resident direct
       action infectors which never spread very far.  Viruses
       like WinVir14 were too clumsy to escape into the wild and
       remained pure research viruses.

       But the situation changed after an underground virus
       magazine published the source code for a virus called
       <Winsurfer>. <Winsurfer> used a new infection scheme for
       infecting NE-EXE files. It was the first virus which
       was able to infect NE-EXE in a proper way without
       converting the program in DOS-EXE or by just creating
       companions. The new infection scheme is much less
       noticeable than the previous ones because it only
       changes a very small part of the program header and
       leaves the program still executable.

       In detail, the virus moves the NE header 8 bytes in order
       to get a free slot for a new segment entry which now
       points to the virus code. The virus code will then be
       added to the end of the file, storing the original entry
       point in a relocator entry behind the virus code.

       Also, <Winsurfer> (and especially <Ph33r>) stay resident
       using the DPMI API. This gives them a much higher
       infection rate than the older direct action viruses.
       (<Ph33r> is a partial fast infector)

       Because this infection scheme is so clearly superior and
       additionally being published widely it's very likely that
       more viruses will appear which copy this special method
       of infecting files.

       Windows 95 programs (32 bit EXE) have a new format,
       PE-EXE. The viruses that use the NE-EXE infection scheme
       don't infect this format, but as there are still some
       NE-EXE (16 bit EXE) left in Windows 95 or the user still
       uses old Windows programs, the viruses will still spread
       under Windows 95. Also, <Ph33r> infects DOS programs such
       as COMMAND.COM or WIN.COM besides infecting Windows EXE.

       The same underground virus writer group which created
       <Winsurfer> and <Ph33r> now also managed to write a PE-EXE
       virus for Windows 95 executables. This virus is still
       quite clumsy (it's again just a direct action virus), but
       surely there will soon follow more complex viruses as the
       virus source was again published by the authors.
       Actually, the virus is written for operating systems which
       support the Win32 API. At the moment, Win32 is supported
       by Windows (Win32s), Windows 95 and Windows NT.

       <PE.Boza> increases the number of segments, changes the
       IP RVA to the new virus entry point, adds a new segment
       to the segment list (the new segment is named .vlad) and
       adds the virus code at the end of the file.


4.1.1  F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------

       F/WIN detects Windows EXE viruses by analysing the NE-EXE
       and PE-EXE header of a file. The known Windows EXE viruses
       modify this header to a very unusual structure which can
       be detected by F/WIN. Usually, they add strange segments
       which have no valid code segment flags set. F/WIN does not
       scan into these suspicious code segments, because there
       are yet too few Windows EXE viruses to derive a good code
       heuristic from them. Because F/WIN doesn't check the code
       of the virus, it is able to detect any unencrypted or
       polymorphic virus which uses the <Winsurfer> or <Boza>
       infection schemes.
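       As an added illustration of the header-only approach described
       in 4.2 and 4.1.1 (this is example code, not F/WIN's own), the
       following checks where a PE-EXE entry point lands and whether
       that section carries code flags or looks appended.  The section
       flag constants are the documented PE values; the "usual code
       section names" set, the two constructed sample images and the
       verdict wording are assumptions made for this example.

```python
# Added example, not part of F/WIN: a header-only heuristic for PE-EXE
# files.  It never looks at code; it only asks whether the entry point
# lies in a section flagged as code, and whether that section is the
# last one in the list with a name no linker would normally use.
import struct
from collections import namedtuple

IMAGE_SCN_CNT_CODE = 0x00000020              # section contains code
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000           # section may be executed
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a linker normally gives the code section (assumption for this example).
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}

Section = namedtuple("Section", "name va vsize rawsize chars")


def parse_pe(data):
    """Return (entry_rva, [Section, ...]) for a PE32 image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, pos = [], opt + size_opt                    # section table
    for _ in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, pos)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rawsize, chars))
        pos += 40
    return entry_rva, sections


def header_anomalies(data):
    """List human-readable reasons the PE header looks tampered with."""
    entry, sections = parse_pe(data)
    home = None
    for i, s in enumerate(sections):
        if s.va <= entry < s.va + max(s.vsize, s.rawsize):
            home = i
    if home is None:
        return ["entry point %#x lies outside every section" % entry]
    s, findings = sections[home], []
    # A genuine code section is flagged both as code and as executable.
    if not (s.chars & IMAGE_SCN_CNT_CODE) or not (s.chars & IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in section %r which lacks code/execute flags" % s.name)
    # Entry moved into a trailing section with an unusual name: appended segment?
    if home == len(sections) - 1 and len(sections) > 1 and s.name not in USUAL_CODE_SECTIONS:
        findings.append("entry point moved into last section %r (appended?)" % s.name)
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal PE32 header (constructed test data, not a runnable program)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                # e_lfanew
    size_opt = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + table


CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples.  CLEAN_PE is what a linker produces.  SUSPECT_PE
# mirrors the header changes the text attributes to <PE.Boza>: one more
# section, named .vlad, appended to the list, with the entry point moved there.
CLEAN_PE = build_pe([(".text", 0x1000, 0x200, CODE_FLAGS),
                     (".data", 0x2000, 0x100, DATA_FLAGS)], entry_rva=0x1010)
SUSPECT_PE = build_pe([(".text", 0x1000, 0x200, CODE_FLAGS),
                       (".data", 0x2000, 0x100, DATA_FLAGS),
                       (".vlad", 0x3000, 0x400, DATA_FLAGS)], entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, header_anomalies(image) or ["no header anomalies"])
```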



5.0    MACRO VIRUSES
=================================================================

5.1  What they are
-----------------------------------------------------------------

     Macro viruses which infect documents are fairly new. In the
     case of Microsoft Word templates, they use the built-in
     macro language called WordBasic.  Other products like Excel,
     Word Perfect, etc. have their own built-in macro languages
     similar in function to WordBasic.

     Winword Macro viruses copy themselves into the global macro
     template and convert user documents into macro templates
     when the document is saved and infected.  Also, the viruses
     use auto macros that are executed by WinWord automatically
     when for example a file is opened, saved or closed.
     Microsoft Word also allows execute-only macros which means
     that the user can't read the macro definition anymore, a
     feature which is used by most of the macro viruses.


5.2  History of
-----------------------------------------------------------------

     The idea of macro viruses by itself isn't new at all.
     In 1994 an example macro virus (<Winword.DMV>) was
     written to show the dangers of macro languages.  This virus
     is a pure demonstration virus and was never spread.
     The first macro virus that escaped into the wild was
     <Winword.Concept>, which was released in 1995.  Shortly
     after <Concept> other macro viruses were written, such as
     <Nuclear> and <Colors>.  For more information about the
     known macro viruses to-date, use your web browser to link
     to:

     http://www.bocklabs.wisc.edu/~janda/macro_faq.html


5.3  Why they pose such a great threat to your data
-----------------------------------------------------------------

     There are two major reasons why macro viruses in general
     pose such a great potential threat to your data.

     First, macro languages like WordBasic (the macro language of
     Microsoft Word) are easy to learn.  What keeps most people
     with bad intentions from writing DOS viruses is that DOS
     viruses are usually written in Assembler which is quite
     difficult to learn.  But macro languages like WordBasic are
     significantly easier to learn and write viruses with than
     Assembler is.  Coding examples for writing macro viruses can
     be found on the Internet.

     If your business uses one of the Microsoft Word templates
     that have been designed to intercept and remove viruses,
     then you have provided an excellent coding example to your
     employees for coding a WordBasic virus.  Parts of those
     templates can be easily copied and modified to become
     destructive virus code.  And the help screens that are
     available for WordBasic are plentiful.  It would probably
     take the average programmer less than 10 hours to start with
     one of these anti-virus templates, and make a fully
     functional virus with highly destructive capabilities from
     it.  The potential for data loss from a disgruntled employee
     is high if someone made a decision to attack your company in
     this manner.

     The second reason the risk is so high is that most virus
     scanners to-date only check for known macro viruses.  They
     are not capable of detecting unknown ones, or if they do,
     they can misidentify what they've found.  So if someone
     did plant a new virus that they just wrote in your business,
     you may not find it until it's too late.  And it is very
     easy to create a 'new' undetectable virus by just inserting
     spaces and carriage returns into the macro code of a known
     virus.

     F/WIN's strength is that it finds both known and UNKNOWN
     WordBasic viruses and trojan's.  F/WIN uses heuristic
     analysis instead of signature scans to find the viruses.
     F/WIN can also REMOVE most viruses it finds.  And if it
     would happen to remove a virus in such a way where the
     document is no longer accessible, it makes a backup copy of
     the file before attempting to remove the virus.  So F/WIN is
     both effective, and safe.

     Keep in mind that WordBasic is a powerful language. Besides
     the possibility of modifying almost every parameter and
     option of Winword, you can easily rename, change or delete
     other files (like WIN.INI, SYSTEM.INI, CONFIG.SYS etc.) and
     you can call other Windows or DOS programs, e.g. FORMAT or
     DELTREE. It's also possible to execute Win API calls or
     other embedded OLE objects.


5.4  F/WIN's detection of WordBasic macro viruses/trojans
-----------------------------------------------------------------

     When F/WIN analyses a document, it scans the whole file.
     This is necessary because of the complex internal format
     of document files (which are OLE objects).  F/WIN tries
     to locate macro definition and macro list areas and then
     scans the target areas for suspicious commands or texts.
     Execute-only macros will get decrypted in memory while
     checked (it uses a technique similar to the 'x-ray'
     scanning method).  F/WIN will analyse all the WordBasic
     tokens for virus-like commands such as FileSaveAs,
     CopyMacro and others.  The macro name lists will be scanned for the
     presence of auto and system macros like AutoOpen or
     FileExit.  After the end of the scanning process, F/WIN
     analyses the temporary results and tries to figure out
     if the macros are normal, or if they could represent
     a trojan or even a macro virus.

     Because of the complexity of OLE objects, F/WIN might
     fail to properly locate all macro areas in a file.  This
     is not a real problem for virus detection, but it may
     cause problems while trying to clean the document.
     If the complete repair method fails (option 'C'), try the
     safer macro name wiping method (option 'W') which will
     work in almost every case.
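     As an added illustration of the token-level analysis described in
     5.4 (example code, not F/WIN's own), the following classifies a
     template's macro set from its macro name list and the decrypted
     WordBasic text of each macro.  The lists of auto/system macro
     names, self-copying and payload commands, and the verdict rules
     are assumptions for this example; the sample macros are
     constructed, with their arguments elided, since only the command
     names matter to the heuristic.

```python
# Added example, not part of F/WIN: a token heuristic for Word macro sets.
# Input: {macro name: WordBasic text}, i.e. the macro name list plus the
# (already decrypted) macro definitions.  Because the analysis works on
# identifiers rather than byte patterns, padding a known macro with
# spaces or blank lines (the trick 5.3 warns about) changes nothing.
import re

# Macros Word executes on its own, and built-in commands a virus can
# hook so that ordinary user actions run its code (assumed lists).
AUTO_MACROS = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit"}
SYSTEM_MACROS = {"FileSave", "FileSaveAs", "FileExit", "FileOpen",
                 "FileClose", "ToolsMacro"}
# Commands that copy macros or turn a document into a template.
SPREAD_CMDS = {"MacroCopy", "CopyMacro", "Organizer", "FileSaveAs"}
# Commands that damage data or leave Word altogether.
PAYLOAD_CMDS = {"Kill", "Shell", "SetAttr", "RmDir"}

HOOK_NAMES = {n.lower() for n in AUTO_MACROS | SYSTEM_MACROS}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokens(macro_text):
    """Case-folded identifiers of one macro; whitespace is irrelevant."""
    return {t.lower() for t in IDENT.findall(macro_text)}


def classify(macros):
    """Return (verdict, evidence) for a template's macro set."""
    hooks = {n for n in macros if n.lower() in HOOK_NAMES}
    seen = set().union(*(tokens(text) for text in macros.values()))
    spread = {c for c in SPREAD_CMDS if c.lower() in seen}
    payload = {c for c in PAYLOAD_CMDS if c.lower() in seen}
    evidence = {"hooks": sorted(hooks), "spread": sorted(spread),
                "payload": sorted(payload)}
    if hooks and spread:          # runs by itself and replicates
        return "macro virus?", evidence
    if hooks and payload:         # runs by itself, destructive, no replication
        return "trojan?", evidence
    if spread or payload:         # what the extended mode (/MODE=1) would flag
        return "suspicious", evidence
    return "normal", evidence


# Constructed samples (arguments elided on purpose).
VIRUS_LIKE = {
    "AutoOpen": "Sub MAIN\n  MacroCopy ...\n  FileSaveAs ...\nEnd Sub",
    "PayLoad": "Sub MAIN\n  REM no payload\nEnd Sub",
}
# The same macro set with junk whitespace inserted, as in 5.3.
PADDED = {
    "AutoOpen": "Sub   MAIN\r\n\r\n\n   MacroCopy ...\r\n\n\n  FileSaveAs ...\n\n End Sub",
    "PayLoad": "Sub MAIN\n\n\n  REM no payload\n\nEnd  Sub",
}
TROJAN_LIKE = {"FileExit": "Sub MAIN\n  Kill ...\n  FileExit\nEnd Sub"}
NORMAL = {"InsertDate": 'Sub MAIN\n  InsertDateTime .DateTimePic = "d MMMM yyyy"\nEnd Sub'}

if __name__ == "__main__":
    for label, sample in (("virus-like", VIRUS_LIKE), ("padded", PADDED),
                          ("trojan-like", TROJAN_LIKE), ("normal", NORMAL)):
        print(label, classify(sample))
```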



5.5  How the viruses are removed
-----------------------------------------------------------------

     At this time, F/WIN can only remove macros from documents.
     It's not able to remove Windows EXE viruses.  F/WIN
     offers two possible ways for removing macros.


                  The Clean option (choose 'C')
                  -----------------------------

     For a Winword macro virus to work, two things must be
     present inside the Word template that's infected.  First,
     there must be a macro name list area.  It's similar to a
     Table of Contents in a book that points the reader to the
     page numbers of each chapter.  It's how Word determines
     which macros are present and where exactly they are
     placed.  Then there's the macro definitions area.  This is
     where the macro code itself is stored.  The "Clean" function
     erases both areas.  In our testing, the "Clean" function
     safely removed the viruses and trojans in the overwhelming
     majority of the cases.  But there were some occasional
     incidents when the clean left the document unreadable.
     If this happens, just restore the document from the backup
     that F/WIN made and use the "Wipe" option to remove the
     virus instead.   If the full cleaning method fails, F/WIN
     will produce the error message ('F/WIN can not clean this
     file safely!').  You should then try the macro name wiping
     instead.


                     The Wipe option (choose 'W')
                     ----------------------------

     Because of the complexity of the internal template
     structures, the Clean option may fail.  You can avoid this
     problem most of the time by using the Wipe option instead
     (option 'W').

     "Wipe" overwrites (wipes) only the macro name list.  It
     does not overwrite the virus code itself (the macro
     "definitions").  After this kind of disinfection the
     virus/trojan code is only reachable with a disk editor, and
     even that is of little use in almost every case: the macros
     are usually encrypted (execute-only), most people could not
     even find them in the file, let alone decrypt and reuse them,
     and there currently are no tools available to the general
     public to decrypt them.  Once the macro name list has been
     erased, it is VIRTUALLY IMPOSSIBLE FOR WORD TO EVER FIND THE
     VIRUS CODE AGAIN, because Word locates macros only through
     that list.  Your documents will be safe to use again.

     We have on very rare occasions, experienced situations in
     which even Wipe could not safely disinfect a template.  In
     most of those cases, F/WIN clearly tells you that it could
     not safely remove the virus/trojan.  You may then send it to
     your regular anti-virus company, or to F/WIN Support to have
     it removed.

     When comparing F/WIN with other macro anti-virus products,
     keep in mind that some virus scanners still don't include
     any kind of cleaning facility at all, or only clean the
     macro name list (the equivalent of F/WIN's Wipe option).


     REGARDLESS OF WHETHER YOU CHOOSE "CLEAN" OR "WIPE", F/WIN
     WILL REMOVE -ALL- MACROS FROM A DOCUMENT, NOT JUST THE ONES
     WHICH SEEM TO CONTAIN SUSPICIOUS CODE.  SO IF YOU DISINFECT
     YOUR NORMAL.DOT AND HAVE USEFUL MACROS INSTALLED, THEY WILL
     BE REMOVED TOO.

     Before starting the actual cleaning process, F/WIN will try
     to backup the target file by creating a copy of the file
     with ".Vnn" file extension.  The file will not get modified
     if F/WIN fails to create a backup!  Here's an example of how
     this naming scheme works.  Assuming that you have eleven
     Word documents containing  payroll information, and all are
     infected, here's how F/WIN would name the backup copies.

     Infected file      Backup file
     -------------      -----------

     PAYROLL.WK1        PAYROLL.VIR
     PAYROLL.WK2        PAYROLL.VI1
     PAYROLL.WK3        PAYROLL.VI2
     PAYROLL.WK4        PAYROLL.VI3
     PAYROLL.WK5        PAYROLL.VI4
     PAYROLL.WK6        PAYROLL.VI5
     PAYROLL.WK7        PAYROLL.VI6
     PAYROLL.WK8        PAYROLL.VI7
     PAYROLL.WK9        PAYROLL.VI8
     PAYROLL.WK10       PAYROLL.VI9
     PAYROLL.WK11       PAYROLL.V10   (after .VI9 the 'I' is
                                       dropped so that the two-digit
                                       counter fits the extension)
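     The naming scheme above, implemented as an added Python example
     (this is not F/WIN's own code).  Beyond what the text states, it
     assumes that a backup name already present in the directory is
     skipped rather than overwritten, that the sequence continues up
     to .V99, and that a caller receiving None must leave the file
     unmodified, which is what the text requires whenever no backup
     can be created:

```python
import os

def backup_candidates():
    """Backup extensions in the order the text describes: .VIR first,
    then .VI1 .. .VI9, then (assumption) .V10 .. .V99."""
    yield "VIR"
    for n in range(1, 10):
        yield f"VI{n}"
    for n in range(10, 100):
        yield f"V{n}"

def next_backup_name(target, existing):
    """Return the backup file name for `target`, skipping names already
    present in `existing` (file names of the same directory, compared
    case-insensitively as DOS does).  Returns None when every slot is
    taken; the caller must then leave the file unmodified, as the text
    requires whenever no backup can be created."""
    base = os.path.splitext(os.path.basename(target))[0]
    taken = {name.upper() for name in existing}
    for ext in backup_candidates():
        candidate = f"{base}.{ext}".upper()
        if candidate not in taken:
            return candidate
    return None

def plan_backups(targets):
    """Assign a backup name to each infected file in turn, the way a
    scanner cleaning several same-named files in one directory would:
    each name handed out becomes 'existing' for the next file."""
    existing = set(targets)
    plan = {}
    for target in targets:
        name = next_backup_name(target, existing)
        plan[target] = name
        if name is not None:
            existing.add(name)
    return plan

if __name__ == "__main__":
    # The eleven PAYROLL files of the table above (constructed names).
    for target, backup in plan_backups([f"PAYROLL.WK{i}" for i in range(1, 12)]).items():
        print(f"{target:<18} {backup}")
```

     Running the script reproduces the table: .VIR, .VI1 to .VI9,
     then .V10 for the eleventh file.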



6.0    F/WIN MESSAGES FOR WINDOWS VIRUSES
=================================================================

6.1  Possible 16-bit virus (NE-EXE)
-----------------------------------------------------------------

     F/WIN will display this message when it finds a Windows
     executable with a suspicious internal file structure.
     This most likely indicates a Windows 3.x EXE virus
     infection.  Please send such files to F/WIN Support for
     analysis!  It would be easy to ignore this message because
     of the word "possible".  We encourage you to take it very
     seriously if you see it.  We have had no false alarms from
     it in our testing, but the NE-EXE and PE-EXE heuristic
     analysis is still quite 'weak' compared with the macro
     heuristics, since it relies on structural oddities alone.


6.2  Possible 32-bit virus (PE-EXE)
-----------------------------------------------------------------

     As with NE-EXE viruses, F/WIN detects this virus type by
     analysing the internal file structures.  At the moment,
     only one PE-EXE virus is known, <PE.Boza>.  If you encounter
     a file reported as a possible 32-bit virus, please send us a
     sample for analysis!  It would be easy to ignore this
     message because of the word "possible".  We encourage you
     to take it very seriously if you see it.  We have had no
     instances in our testing where the latest release of F/WIN
     produced a false alarm with this message.
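     As an illustration of what "analysing the internal file
     structures" of a PE-EXE can mean, here is an added Python
     example; it is not F/WIN's code, and F/WIN's actual heuristics
     are not documented here.  It walks the DOS 'MZ' header to the PE
     header, reads the section table, and flags the structural
     oddities a typical appending infector leaves behind: an entry
     point in the last section, an entry section that is both
     writable and executable, or an entry point outside every
     section.  The two header blobs are constructed inside the script
     (no real virus sample is involved) and the flag texts are this
     example's own:

```python
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

def parse_exe(data):
    """Follow the DOS 'MZ' stub to the secondary header and return the
    format plus, for PE files, the entry point RVA and section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)   # offset of NE/PE header
    if e_lfanew + 4 > len(data):
        return {"format": "DOS"}                       # no secondary header at all
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return {"format": "NE"}                        # Windows 3.x 16-bit
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"format": "DOS"}
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
        off += 40
    return {"format": "PE", "entry": entry, "sections": sections}

def pe_heuristics(info):
    """Structural oddities a heuristic scanner would flag on a PE image."""
    flags = []
    secs, entry = info["sections"], info["entry"]
    home = next((i for i, s in enumerate(secs)
                 if s["va"] <= entry < s["va"] + max(s["vsize"], 1)), None)
    if home is None:
        flags.append("entry point outside every section")
        return flags
    s = secs[home]
    if len(secs) > 1 and home == len(secs) - 1:
        flags.append("entry point in last section")        # appended code gets control
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        flags.append("entry section is writable and executable")
    if not s["chars"] & IMAGE_SCN_CNT_CODE:
        flags.append("entry section not marked as code")
    return flags

def build_pe(sections, entry_rva):
    """Constructed fixture: a bare PE32 header set (not a loadable program)
    so the parser can be exercised offline.  sections: (name, va, size, flags)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x010F)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
CLEAN = build_pe([(b".text", 0x1000, 0x1000, CODE),
                  (b".data", 0x2000, 0x1000, 0xC0000040)], entry_rva=0x1100)
# An appended section that is writable and now owns the entry point.
APPENDED = build_pe([(b".text", 0x1000, 0x1000, CODE),
                     (b".data", 0x2000, 0x1000, 0xC0000040),
                     (b".extra", 0x3000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)], entry_rva=0x3000)

def scan(data):
    """Return (format, flags); only PE files get the structural checks here."""
    info = parse_exe(data)
    return (info["format"], pe_heuristics(info) if info["format"] == "PE" else [])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, scan(blob))
```

     Every one of these flags has legitimate causes (packers and some
     linkers produce them), which is why such messages are worded
     "possible" and why a sample should be sent for analysis rather
     than acted on blindly.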



7.0    F/WIN MESSAGES FOR MACRO VIRUSES
=================================================================

7.1  "Changes DOS attributes of other files"

     The "attributes" of a file control how DOS treats the file.
     While there are legitimate reasons for changing the
     attributes of a file, viruses often strip them before
     modifying files.  The READ-ONLY attribute prevents a program
     from modifying a file through the normal DOS calls while the
     attribute is set.  The SYSTEM and HIDDEN attributes are used
     by DOS and Windows to hide their critical system files: files
     with these attributes are not listed by DIR or in the
     Explorer unless you configure them to be shown.  Some of the
     known macro viruses remove the system attributes of IO.SYS
     and MSDOS.SYS and then delete them.  A regular macro does
     not contain such commands.

     This is a good place to point out that the READ-ONLY
     attribute is no protection against viruses.  A virus can
     remove and restore the attribute without any problems.  In
     fact, some resident DOS file viruses intercept the
     set-attribute call and infect the file at that moment.


7.2  "Contains macros but is named .DOC"

     Templates, which normally contain macros, are usually named
     ".DOT".  Winword, however, doesn't need this extension to
     recognise a file as a macro template.  Macro viruses exploit
     this and keep the old ".DOC" extension after infecting a
     document, even though the file is now a template rather
     than a document.  By keeping the familiar extension, the
     virus hides its presence in infected files.

     Regular macro templates are named ".DOT", so finding
     macros in a ".DOC" file is quite suspicious, especially
     if they are auto macros or execute-only macros.


7.3  "Contains execute-only macros (encrypted macros)"

     There are two ways of storing macros in Word templates. The
     non-encrypting method allows Word users to look inside the
     macro just as they do a document and see what is coded in
     it. If the macro is a malicious one, someone who understands
     WordBasic can read the code and determine what it is trying
     to do. WordBasic is a programming language within Microsoft
     Word that allows Word users to create time-saving macros.
     Non-encrypted macros can also be modified into useful code,
     or into destructive virus or trojan code.

     The second way of storing a macro is to use the
     "execute-only" option.  This option encrypts the macro so
     that it is no longer human-readable.  It also prevents the
     macro from being modified.  However, it may still be renamed
     or deleted and, of course, executed.

     Once a macro is encrypted, WordBasic provides no mechanism
     for decrypting it back into readable form.  This is the
     preferred method of storing macros for virus writers because
     most Word users will not be able to look inside suspicious
     macros to see what they're doing.  Apart from the information
     F/WIN can provide on such macros, in most cases the document
     or template must be sent to an anti-virus company for
     analysis to get the full details of what it's trying to do.

     This message indicates that F/WIN has found at least one
     execute-only (encrypting) macro. However, F/WIN only
     displays this message if it finds potentially dangerous
     commands within the encrypted macro (F/WIN is able to look
     inside for you). If it simply finds an encrypted macro that
     has no dangerous WordBasic commands in it, this message will
     not appear.

     Execute-only macros are quite suspicious, but there are also
     commercial or shareware macros which use the encryption to
     prevent modification of their code.


7.4  "Contains macros"

     This warning message indicates that macros are present in
     the template. However, this message will not appear unless
     potentially dangerous WordBasic commands are present in one
     or more of the macros.


7.5  "Copy macros into the global template ('CopyMacro')"

     This warning message indicates that the WordBasic
     "CopyMacro" command has been found in a macro.  Of all the
     warning messages that F/WIN produces, this one is probably
     the best indicator of a virus.  Virtually all Word viruses
     to date have used the "CopyMacro" command to spread
     themselves from one Word template to the next.  If
     products like SCANPROT.DOT are being used for anti-virus
     defence, then there may be no cause for concern if this
     warning message is produced for a file called SCANPROT.DOT.

     SCANPROT.DOT is a Microsoft Word template developed by the
     Microsoft Corp. to help combat Microsoft Word viruses.
     SCANPROT.DOT contains several macros that use some of the
     same commands used by viruses. If SCANPROT.DOT is present,
     F/WIN will produce numerous warning messages when it
     analyzes it. See section "1.7 False alarms" in the F/WIN
     documentation to determine how to distinguish SCANPROT.DOT
     warnings from other ones.  We want to make it clear that we
     are not suggesting that Microsoft is writing macro viruses.
     The SCANPROT.DOT file is a template that is intended to
     protect you against WordBasic macro viruses. Our point here
     is that it uses exactly the same WordBasic commands that
     some viruses use, so F/WIN will trigger warnings on
     SCANPROT.DOT when it scans it.  There are other anti-virus
     templates besides SCANPROT.DOT that will trigger warning
     messages from F/WIN.  If any such templates are scanned by
     F/WIN, in most cases F/WIN will point this out by also
     producing a message that says "Might contain an
     antivirus-macro (please verify!)".  See 7.11 below for more
     information about that message.

     If you are sure that tools like SCANPROT.DOT are not in use,
     and that legitimate macros that used the CopyMacro function
     are not supposed to be in your environment, then it is quite
     likely F/WIN has detected an actual virus if this particular
     message is produced. Take this message very seriously, and
     have an expert investigate the documents in question.  It is
     important to know if macros should be or should not be
     present in your environment so that you can distinguish real
     viruses from false alarms. Since most individuals and
     corporate users of Microsoft Word rarely if ever use macros,
     more often than not, this warning message will indicate the
     presence of an actual virus, or of an anti-virus template
     like SCANPROT.DOT.

     Macro viruses often use 'CopyMacro' together with auto
     macros like 'AutoOpen', 'AutoExec' or 'AutoClose' and are
     also often encrypted (execute-only macros).  To hide
     themselves, infected files also often keep the ".DOC"
     extension instead of ".DOT".


7.6  "Deletes other files! (Kill)"

     This message indicates that the WordBasic "Kill" command is
     being used within a macro.  The Kill command deletes files.
     You need to ask yourself, "why is my Word document deleting
     files?"  This is not a common activity for a macro, and may
     indicate the presence of destructive code (macro trojan or
     virus).


7.7  "Disables NORMAL.DOT write access warnings"

     Most viruses install their own macros into the Global
     Template (the NORMAL.DOT file).  This allows the virus to
     spread itself to virtually any template that is opened by
     the user.  Microsoft Word has an option ("Prompt to Save
     Normal Template") which alerts the user that NORMAL.DOT has
     been changed: a pop-up window asks whether you want to save
     the changes to NORMAL.DOT.  Some viruses disable this
     warning through a WordBasic command, so that the user is
     never warned that the Global Template has been changed.
     This message tells you that the warning will be disabled if
     the macros in the file are allowed to run.


7.8  "Execute other DOS or Windows programs! (Shell)"

     This message indicates that a macro executes another DOS or
     Windows program.  This is quite suspicious: why should a
     document execute a DOS or Windows program?  While a
     legitimate, useful macro could do this, it's not common.
     Typically, macro viruses use this to drop DOS viruses (as
     Winword.Nuclear does with Vlad.Ph33r) or to call FORMAT,
     DEL, ERASE or other damaging DOS commands.


7.9  "F/WIN can not check Microsoft Word 2.0 documents!"

     At this time, F/WIN can not check for viruses and trojans
     in Microsoft Word 2.0 templates.  However, this ability
     is coming in a later release.


7.10 "F/WIN can not clean this file safely!"

     The template is so internally fragmented that F/WIN has
     determined that it can not safely clean the virus or
     trojan using the CLEAN option (option 'C').  However,
     the user has the option of restoring this file from the
     backup copy that F/WIN made and trying to remove the
     virus with the 'W' option instead (W=Wipe Macro Names).
     The 'W' option should fail only on very rare occasions.


7.11 "Might contain an antivirus-macro (please verify!)"

     F/WIN has determined that the file MAY contain anti-virus
     macros which are intended to be helpful to the user, and
     that any warning messages associated with this file may be
     false alarms.  See section 1.7 for more information about
     possible false alarms.  In any case you should verify that
     this really is an anti-virus macro: a virus could disguise
     itself as such a useful macro.


7.12 "Might contain suspicious macros"

     This is reported when the macro contains suspicious operands
     and structures, but some parts are missing which are usually
     found in macro viruses or macro trojans. This will only be
     reported in the Extended or Paranoid scanning modes (/MODE=n
     or /PARANOID).


7.13 "Reenables auto macro processing"

     Some macros are executed automatically if they exist in a
     template: AUTOOPEN, AUTOCLOSE, AUTOEXEC and AUTONEW.
     AUTOOPEN, for instance, runs automatically when a file is
     opened.  Some users, in an effort to protect themselves from
     macro viruses, have disabled all four auto macros.  This
     message indicates that code has been found which reactivates
     the auto macros.  Viruses commonly do this so that they can
     spread more quickly and easily.


7.14 "Seems to be infected with a macro virus!"

     F/WIN detected enough suspicious structures to give a very
     high chance that the reported document is infected with a
     macro virus (or is an anti-virus template like SCANPROT.DOT).

     Be aware, too, that this message may also be produced for
     non-virus documents like SCANPROT.DOT, which are intended
     to protect you from macro viruses.  These anti-virus macros
     contain almost the same WordBasic commands as a virus, so
     the two cannot be told apart by the commands they use.


7.15 "Seems to contain a trojan macro!"

     This is reported if destructive commands are found but the
     WordBasic "CopyMacro" command isn't used.  This can't be a
     virus, because it doesn't spread.  A virus and a trojan can
     both contain destructive code; however, a virus spreads and
     a trojan does not.  If you want to increase the trojan
     detection ability of F/WIN you can use the options /MODE=n
     or /PARANOID, but this also increases the chance of false
     positives!


7.16 "System macros:"

     A "system macro" is a macro that is executed automatically
     when the user performs a certain action.  For instance, when
     a document is opened, the "AUTOOPEN" macro will be executed
     automatically if it exists (if automatic execution is
     enabled, which it is by default).  If a file is saved, the
     FILESAVE macro will be executed if it exists.  This message
     indicates that F/WIN has detected the presence of one or
     more macros that will be automatically executed when some
     function is performed.  The specific macros it finds are
     listed.  The purpose of each one is briefly explained next.
     There could be a legitimate reason for the existence of
     these macros in your document.  However, they may also be
     used by a virus or trojan, which usually contains
     "AutoOpen", "AutoClose" or "AutoExec".


     7.16.1         AUTOCLOSE

                    Called automatically if the user or Microsoft
                    Word closes a document.

     7.16.2         AUTOEXEC

                    This macro is called automatically every time
                    Microsoft Word is started (when you click on
                    the Word icon).

     7.16.3         AUTONEW

                    This macro is called automatically every time
                    a new document is created.

     7.16.4         AUTOOPEN

                    This macro is called automatically every time
                    an existing document is opened. This is most
                    often used by the macro viruses because it
                    allows them to perform some activity (like
                    spreading itself) right away if you try to
                    read an infected document.

     7.16.5         FILEEXIT

                    This macro is executed when the user chooses
                    "File", then "Exit" from Microsoft Word, i.e.
                    when Word itself is shut down.

     7.16.6         FILENEW

                    This macro is run when "File", then "New" are
                    selected from Microsoft Word.

     7.16.7         FILESAVE

                    This macro is run whenever a file is saved.
                    That includes when automatic, timed backups
                    are made.

     7.16.8         FILESAVEAS

                    This saves a document to a different name
                    and/or different file type. This macro must
                    be redefined by macro viruses because they
                    must convert documents into templates in
                    order to save macros in the file. This
                    macro will most likely only be included in
                    the global macro template NORMAL.DOT.

     7.16.9         TOOLSMACRO

                    This function is called when the user tries
                    to view, delete, rename or edit macros.
                    Some of the macro viruses use this to infect
                    further documents, or add some stealth
                    functions which prevent the user from seeing
                    the suspicious macros.


7.17 "This document is internally fragmented. The repair
      could have failed !"

     The CLEAN option was chosen, but because of fragmentation in
     the file, the CLEAN may not have worked.  Keep the backup
     files that F/WIN created until it is confirmed that the
     document is still accessible.  Better yet, restore the
     backup under its original name and try to remove the virus
     with the 'W' option (Wipe Macro Names) instead.  In most
     cases, this will clean the file successfully.

     It might be helpful to explain in plain English what
     internal fragmentation is.  A Word document/template can
     have many things stored within it.  It can have tables,
     text, graphical images, macros, etc.  All of these different
     components are stored like puzzle pieces that OLE2 can store
     in chronological order, or all mixed up.  OLE2 is the file
     format that Word uses to manage the contents of Word
     documents and templates.  How OLE2 is able to store these
     components all mixed up, and still present them all put back
     together for the user is a very complex process.     

     Imagine you had a 500-piece puzzle.  Drop it on the floor,
     scramble it all around, then try to put it back together.
     That's somewhat similar to what an "internally fragmented"
     file is.  Because OLE stored the document in such a
     scrambled manner, it also knows how to put it all back
     together into something you can easily view when you open
     the file.  Use of the Word Fast Save option (see
     "Fragmented document" in the glossary) is primarily
     responsible for this kind of fragmentation in Word documents.

     Because F/WIN is not a Windows program, it can't use the OLE
     API functions to read and analyse Microsoft Word documents.
     It has to figure out where the macros are stored in the
     document by itself and because of the complexity of OLE
     objects the cleaning may occasionally fail.  If you get this
     warning you should try the 'Wipe macro names' option instead
     of the full cleaning.


7.18 "Uses macro 'FileSaveAs'"

     As said above, this is essential for macro viruses because
     they must convert documents into templates.  In fact, when
     the user saves a file, the virus internally uses FileSaveAs.
     In WordBasic there is both a FileSaveAs "macro name" and a
     FileSaveAs "WordBasic command".  The macro internally calls
     the command, but the FileSaveAs macro can be redefined, e.g.
     to offer special prompts, and a virus redefines it to save
     every document as a template.

7.19 "Writes into other files directly (Write)"

     This WordBasic command writes data directly into another
     file.  Quite unusual for regular macros, but some macro
     viruses like <Winword.Xenixos> use this to drop DOS viruses
     into the system.  They create a debug script file with the
     write command and then execute DEBUG to "compile" it.
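     The messages of section 7 combine into the verdicts of 7.14 and
     7.15.  The Python example below is an added illustration, not
     F/WIN's scanner: it runs the checks described in 7.1 to 7.19 over
     already-decoded WordBasic source (it does not implement Word's
     execute-only encryption and assumes the caller supplies each
     macro's text and whether it is execute-only) and derives the
     verdict.  The regular expressions, the "antivirus-macro" hint
     (a plain name and comment check) and the four sample templates
     are this example's own constructions, not real viruses or the
     real SCANPROT.DOT; the copy pattern accepts both the 'CopyMacro'
     wording used by F/WIN's message and WordBasic's own MacroCopy
     spelling:

```python
import re

# Message texts follow section 7; the patterns are this example's own.
COPY     = "Copy macros into the global template ('CopyMacro')"
KILL     = "Deletes other files! (Kill)"
ATTR     = "Changes DOS attributes of other files"
SHELL    = "Execute other DOS or Windows programs! (Shell)"
WRITE    = "Writes into other files directly (Write)"
REENABLE = "Reenables auto macro processing"
NOPROMPT = "Disables NORMAL.DOT write access warnings"
SAVEAS   = "Uses macro 'FileSaveAs'"

DANGEROUS = {
    COPY:     r"\b(MacroCopy|CopyMacro)\b",
    KILL:     r"\bKill\b",
    ATTR:     r"\bSetAttr\b",
    SHELL:    r"\bShell\b",
    WRITE:    r"\bOpen\b[^\n]+\bFor\s+(Output|Append)\b|\bWrite\s*#",
    REENABLE: r"\bDisableAutoMacros\s+0\b",
    NOPROMPT: r"\bToolsOptionsSave\b[^\n]*\.GlobalDotPrompt\s*=\s*0",
    SAVEAS:   r"\bFileSaveAs\b",
}
DESTRUCTIVE = {KILL, ATTR, SHELL, WRITE}
SYSTEM_MACROS = {"AUTOOPEN", "AUTOCLOSE", "AUTOEXEC", "AUTONEW", "FILEEXIT",
                 "FILENEW", "FILESAVE", "FILESAVEAS", "TOOLSMACRO"}

def analyse(filename, macros):
    """macros: list of (name, decoded WordBasic source, execute_only).
    Returns the F/WIN-style messages, verdict last; [] for harmless macros."""
    found, encrypted_hit = set(), False
    for name, src, execute_only in macros:
        hits = {msg for msg, pat in DANGEROUS.items() if re.search(pat, src, re.I)}
        if name.upper() == "FILESAVEAS":          # 7.16.8: the save-as macro was redefined
            hits.add(SAVEAS)
        if hits and execute_only:                 # 7.3: only reported together with dangerous code
            encrypted_hit = True
        found |= hits
    if not found:                                 # 7.4: no message without dangerous commands
        return []
    msgs = ["Contains macros"]
    if filename.upper().endswith(".DOC"):         # 7.2
        msgs.append("Contains macros but is named .DOC")
    if encrypted_hit:
        msgs.append("Contains execute-only macros (encrypted macros)")
    msgs += [msg for msg in DANGEROUS if msg in found]
    system = [n for n, _, _ in macros if n.upper() in SYSTEM_MACROS]
    if system:                                    # 7.16
        msgs.append("System macros: " + ", ".join(system))
    # 7.11: assumption of this example, a plain name/comment check; the
    # criterion F/WIN really uses to spot anti-virus templates is not documented.
    if any(re.search(r"virus|scanprot", n + src, re.I) for n, src, _ in macros):
        msgs.append("Might contain an antivirus-macro (please verify!)")
    if COPY in found and (system or SAVEAS in found):   # 7.14: spreads and hooks an event
        msgs.append("Seems to be infected with a macro virus!")
    elif found & DESTRUCTIVE:                           # 7.15: destructive, but no CopyMacro
        msgs.append("Seems to contain a trojan macro!")
    return msgs

# Constructed samples (not real viruses): decoded macro text as a scanner would see it.
VIRUS_LIKE = ("LETTER.DOC", [
    ("AutoOpen", 'Sub MAIN\nDisableAutoMacros 0\n'
                 'MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen"\n'
                 'MacroCopy FileName$() + ":FileSaveAs", "Global:FileSaveAs"\nEnd Sub', True),
    ("FileSaveAs", 'Sub MAIN\nDim dlg As FileSaveAs\nGetCurValues dlg\n'
                   'dlg.Format = 1\nFileSaveAs dlg\nEnd Sub', True),
])
TROJAN_LIKE = ("JOKE.DOT", [
    ("AutoOpen", 'Sub MAIN\nSetAttr "C:\\IO.SYS", 0\nKill "C:\\IO.SYS"\nEnd Sub', False),
])
ANTIVIRUS_LIKE = ("AVTOOL.DOT", [        # stand-in for a protective template, made up here
    ("AutoExec", 'Sub MAIN\nREM install the virus protection macros\n'
                 'MacroCopy "AVTOOL.DOT:InstallProtection", "Global:InstallProtection"\nEnd Sub', False),
])
BENIGN = ("REPORT.DOT", [("FormatTable", "Sub MAIN\nTableAutoFormat .Format = 3\nEnd Sub", False)])

if __name__ == "__main__":
    for sample in (VIRUS_LIKE, TROJAN_LIKE, ANTIVIRUS_LIKE, BENIGN):
        print(sample[0], analyse(*sample))
```

     The fourth sample shows the false-alarm case the text warns
     about: a protective template that copies macros from an AutoExec
     earns the same "infected" verdict as the virus-like template,
     and only the "antivirus-macro" hint tells the reader to look
     twice.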




8.0  COPYRIGHT, LICENSE TERMS AND DISCLAIMER 
=================================================================

     See file "LICENSE.TXT".



9.0    GLOSSARY OF TERMS USED IN THIS DOCUMENTATION
=================================================================

     16-bit EXE
        Windows 3.x uses a special executable file format,
        NE-EXE.  Besides the old DOS EXE file header, it has a
        new NE header which specifies the locations and sizes of
        the code and data segments and resources in the file.
        NE-EXE files can still call the DOS INT 21h or DPMI API
        functions.  The first known virus for NE-EXE was
        <WinVir_1.4>.

     32-bit EXE
        Windows 95 and Windows NT use a new executable format,
        PE-EXE (Portable Executable).  It is designed for the
        32-bit OS, e.g. by using 32-bit RVAs (relative virtual
        addresses) and supporting memory-mapped files.  Like
        NE-EXE, a PE-EXE still has a normal DOS EXE header,
        followed by the PE header which indicates the location
        and size of the file contents (the section table).
        PE-EXE programs run in flat protected mode and their code
        can only call Windows API functions.  The first known
        virus for PE-EXE was <Boza>.

     Auto Macro
        Auto macros are special Microsoft Word macros which are
        executed automatically by Word on certain events, e.g.
        opening a document.  To some degree they can be
        disabled, but macro viruses still have enough other
        ways to get into the system.

     Boza
        <PE.Boza> is the first known virus for PE-EXE files
        (Windows 95), and comes from Australia.  It's only a
        research viruses and not in the wild, mostly because
        it's just a direct action virus and has some bugs.

     COMMAND.COM
        The first normal DOS executable which is started at a
        system bootup. It only contains the command-line
        interpreter, but it's often a target for DOS file
        viruses. DOS itself is stored in MSDOS.SYS and IO.SYS
        (or IBMDOS.COM and IBMBIO.COM). COMMAND.COM itself
        executes AUTOEXEC.BAT.

     Companion Virus
     Companion Style Infection

        If you have two files with the same name but different
        extensions (one .COM, one .EXE) in the current directory
        and you execute the program without specifying an
        extension, DOS will always start the .COM program and
        not the .EXE.  For example, if you have TEST.COM and
        TEST.EXE and execute "TEST", TEST.COM will be started.
        Companion viruses exploit this and create corresponding
        .COM files for existing .EXE programs.  These .COM files
        often have the HIDDEN attribute set in order to prevent
        detection (you may notice this when you run tools like
        DEFRAG: the cluster map of the hard disk is covered with
        single unmovable clusters).

     Concept
        The first Microsoft Word macro virus which appeared in
        the wild.  It appeared in the mid of 1995 and spread
        rapidly world-wide.  Beside displaying a window with a
        '1' in it, <Concept> is quite harmless.  Together with
        some other macro viruses, <Concept> is now very common.

     Direct Action Infector
        A virus which actively scans the system for infection
        targets and doesn't go resident in memory. These viruses
        are not very viable and never spread very far because
        they are too obvious to the users and have a too low
        spread rate. All common viruses are resident.

     DOS-EXE
        The standard DOS executable format.  It has a special
        EXE header, which is placed directly at the beginning
        of the file and is marked with an ASCII signature ('MZ').
        The header specifies things like the program entry
        point, code size, number of relocations, size of stack
        and others.  Unlike .COM executables, an EXE can be
        larger than 64K.

     DPMI API
        The DOS PROTECTED MODE INTERFACE API is used by real
        mode applications to interfer with the protected mode,
        i.e. mode-switching, transfering memory blocks, calling
        INT 21h from protected mode and other services. In real
        mode, the CPU only can access 1 MB of adress space, in
        protected mode the memory is usually limited to 4 GB
        (real and virtual memory).

     Dropper File
        Sometimes viruses are hidden in a special dropper file.
        The virus is then often encrypted or compressed with
        special tools in order to prevent detection by virus
        scanners.  Droppers are also used to 'install' boot
        viruses from files.  <Winword.Nuclear> contains a
        debug script of the <Ph33r> virus, which is sometimes
        dropped into the system.

     Encrypted Macro
     Execute-Only Macro
        Microsoft Word macros which can't be read or modified
        by the user anymore. It's only possible to execute,
        rename or delete such macros. Execute-only macros are
        often used by macro viruses to protect and hide their
        code.

     False Negative
        An infected file which is not detected by a virus
        scanner is called false negative.  An uninfected file
        which is flagged as being infected by a virus is called
        false positive.

     Fast Infector
        At first, resident viruses only infected programs when
        the user executed them, by intercepting the INT 21h
        EXECUTE call.  Newer file viruses also infect programs
        when they are opened or closed, which gives the virus a
        very high spread rate.  A virus scanner itself can then
        spread the infection: if the virus is a fast infector
        that the scanner does not know, scanning the hard disk
        with the virus active means that almost every executable
        the scanner opens will get infected!

     Flat Protected Mode
        In flat protected mode, the memory is mapped as linear
        4 GB adress space. You don't need multiple selectors
        and can adress the memory without much effort.

     Fragmented document (complex document)
        If you enable the FastSave option in Microsoft Word and
        change a document it will turn into a format that is
        called 'complex document'.  The changes to the document
        will be stored at the end of the file, together with some
        links to the original positions.  Also, the texts,
        graphics and macros in a document are treated as objects
        which can be splitted up and will get fragmented like a
        FAT hard disk. You even will get slack space areas like
        in FAT disk clusters. The FastSave option will also
        increase the size of the document compared to a normally
        saved document.

     In The Wild (ITW)
        Viruses, which have been found often and are very
        common are 'in the wild'.  From the known 8500 viruses,
        only about 300 are in the wild.  All other viruses are
        either extinct or research viruses, which never spread
        very far.

     Infection Scheme
        The way a virus modifies an executable.  Usually a
        virus changes the file header so that it now points
        to the virus code, which is appended at the end of the
        file.  Some special viruses insert themselves at the
        beginning of the file or split themselves up throughout
        the file.

     Macro
        Microsoft Word macros contain WordBasic commands which
        can be used to speed up your work with Word. For example,
        you could write a macro which reformats a text block in
        a special way.

     Microsoft Word
        A word processor from Microsoft, which is used quite
        often. Word documents are OLE objects.

     NE Header
        The programm header used by NE executables. Must be
        modified by Windows EXE viruses during the infection.

     NE-EXE
        See 16-bit EXE.

     Non-Resident
        See Direct Action Infector.

     NORMAL.DOT
        The global template of Microsoft Word.  Besides some
        other things, global Word options and all global Word
        macros are stored in this file.  NORMAL.DOT is infected
        at once by most Winword macro viruses.

     PE header
        See 32-bit EXE.

     PE-EXE
        See 32-bit EXE.

     PGP
        PGP (Pretty Good Privacy) is a tool for encrypting data
        (e.g. e-mail) and verifying the integrity and source of
        data.  It uses RSA and IDEA encryption and is very secure.

     Ph33r
        The second virus which used the <Winsurfer> infection
        scheme.  Besides infecting NE-EXE, <Ph33r> also attacks
        DOS .COM and .EXE files and is memory resident using
        DPMI API calls.  A <Ph33r> dropper was included in the
        <Winword.Nuclear> virus.

     Program Header
        Located at the beginning of executables, the program
        header specifies things like the program entry point,
        code size, stack size etc. File viruses must modify
        this part of the program during infection, but a lot
        of viruses are buggy and change the header incorrectly.

     Public Key
        Used by PGP. If you want to exchanged encrypted data
        with someone, you must exchange your public keys.
        Even if someone intercepted both public keys, he can't
        decrypt the transfered data because he doesn't have the
        private keys which are also protected with a password.

     Scan String
        Used by normal virus scanners to identify viruses. It's
        a byte signature, which may contain wildcards, that acts
        as a 'fingerprint' of the virus and will only detect
        this specific virus (or close variants). Virus scanners
        without heuristics are quickly outdated because of the
        large number of new viruses which appear every day.
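        The following Python script is an added example, not part
        of F/WIN or its documentation, showing how a scan string
        with wildcards works and why an exact signature misses
        even a slightly modified variant. The signatures and the
        sample buffers are constructed for the demonstration and
        do not correspond to any real virus; the "??" and "[N]"
        wildcard syntax, compile_scan_string() and scan() are
        assumptions of this example, not F/WIN's format.

```python
import re

# Constructed demonstration signatures, not real virus scan strings.
# Syntax: hex bytes separated by spaces, "??" = any single byte,
# "[N]" = skip zero to N arbitrary bytes.
SIGNATURES = {
    "Sample.A (exact)":  "B8 00 4C CD 21 E8 10 00",
    "Sample (wildcard)": "B8 ?? 4C CD 21 E8 [4] 00",
}


def compile_scan_string(pattern):
    """Translate a scan string into a compiled regex over bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                         # any one byte
        elif tok.startswith("[") and tok.endswith("]"):
            parts.append(b".{0,%d}" % int(tok[1:-1]))  # 0..N bytes
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))    # literal byte
        else:
            raise ValueError("bad scan string token: %r" % tok)
    # DOTALL so "." also matches 0x0A, which is just a byte here
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_scan_string(p) for name, p in SIGNATURES.items()}


def scan(buffer, signatures=COMPILED):
    """Return [(signature name, offset), ...] for every match in buffer,
    ordered by offset."""
    hits = []
    for name, regex in signatures.items():
        for m in regex.finditer(buffer):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample buffers: ORIGINAL carries the exact byte sequence,
# VARIANT differs in a few bytes (as a patched or slightly modified
# virus would), CLEAN contains neither.
ORIGINAL = b"\x90" * 16 + b"\xB8\x00\x4C\xCD\x21\xE8\x10\x00" + b"\x90" * 8
VARIANT = b"\x90" * 16 + b"\xB8\x01\x4C\xCD\x21\xE8\x12\x34\x00" + b"\x90" * 8
CLEAN = bytes(range(256))


if __name__ == "__main__":
    for label, buf in (("original", ORIGINAL),
                       ("variant", VARIANT),
                       ("clean", CLEAN)):
        print("%-9s %s" % (label, scan(buf) or "no match"))
```

        The exact signature matches only the original byte
        sequence; the wildcard signature still catches the
        variant, but neither can say anything about a virus whose
        bytes were never seen, which is the gap heuristics fill.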

     Segment
        In 16-bit code the general purpose registers are 16 bit
        wide, so you can only address 64K at a time. If you want
        to address other memory you must change the segment
        registers. 32-bit programs running in protected mode use
        a flat address space and don't have this 64K segment
        restriction.

     System Macro
        Besides auto macros, Microsoft Word has other important
        macros like FileExit, ToolsMacro (ToolsMakros in the
        German Word version) and others, which run when the user
        invokes the corresponding menu command. These system
        macros are also often used and intercepted by macro
        viruses.

     Trojan
        A program which causes damage (or does something other
        than it claims to), but unlike a virus it does not spread
        by itself.

     Unknown virus
        A (new) virus that is still unknown to the virus scanners
        and is not detected by them without heuristics. Some
        heuristic scanners detect about 60-90% of all new
        viruses.

     Virus
        A piece of executable code which is able to replicate
        and to insert a copy of itself into other executables.

     VLAD
        An Australian virus underground organisation, which
        is responsible for a lot of very advanced viruses,
        like <Ph33r>, <Boza>, <MegaStealth> and others.
        Usually they release their latest viruses in an
        electronic magazine which is also called VLAD.


     WIN API
        The set of functions available to Windows programs.
        This includes functions for virtual memory management,
        file access, graphical operations and other things.
        There are a lot of different APIs like Win32s, WinG
        and others.

     Windows EXE
        Can be either NE-EXE (Windows 3.x), PE-EXE (Windows 95
        and Windows NT) or LE-EXE (Linear Executable, used by
        some device drivers such as VxDs). See 16-bit and 32-bit
        EXE.

     Windows Virus
        A virus which is able to infect Windows executables or
        Windows related objects like Microsoft Word documents.

     Winsurfer
        A Windows NE-EXE virus which uses a powerful new
        infection scheme.

     WinVir14
        The very first Windows virus, which never spread in the
        wild and is considered a pure research virus, written by
        the virus coder group called Trident.

     Winword
     Word
        See Microsoft Word.

     WordBasic
        The macro language used by Microsoft Word.


                                   *


            F/WIN - Copyright (c) 1996 by Stefan Kurtzhals
