F-SHELL - Scanner and disinfector for the Shell.10634 virus
Copyright (c) 1996 Data Fellows Ltd

OVERVIEW

F-SHELL will detect and disinfect the Shell.10634 Windows virus
(also known as Tentacle_II). This document gives a brief description of
the Shell virus and explains how to use F-SHELL to detect and
disinfect this virus.

ABOUT THE Shell VIRUS

Shell is one of an increasing number of viruses distributed via the
Internet, in the form of posts to Usenet News.

This virus was found in the wild in June 1996 in the USA, the UK,
Australia, Norway and New Zealand. It has possibly been distributed
over the Internet several times. A known infection happened on the 3rd
of August, 1996, when an infected screen saver called PCTRSHOW.ZIP
was posted to the following newsgroups:

  alt.sex.pictures
  alt.binaries.pictures.erotica
  alt.binaries.pictures.erotica.blondes
  alt.binaries.pictures.erotica.breasts
  alt.binaries.pictures.erotica.cheerleaders
  alt.binaries.pictures.erotica.female
  alt.binaries.pictures.erotica.lesbians
  alt.binaries.pictures.erotica.oral
  alt.binaries.pictures.erotica.orientals
  alt.binaries.pictures.erotica.redheads
  alt.binaries.pictures.erotica.teen
  alt.binaries.pictures.erotica.teen.female
  alt.binaries.pictures.erotica.voyeurism
  alt.binaries.pictures.erotica.young
  alt.binaries.pictures.groupsex
  alt.binaries.pictures.erotica.latina
  alt.binaries.pictures.celebrities
  alt.binaries.pictures.girls


The virus infects only Windows 3.x executables (NE), and it does so
without changing the executable entry point. This is an unusual infection
method and was first introduced in this virus. The virus adds a new
segment to the executable and modifies the structure of the file, which
makes it a very difficult virus to disinfect.

When executed, Shell searches the directory tree for suitable
files to infect. Only EXE and SCR (screen saver) files can get
infected.

32-bit Win95 and WinNT executables can also be infected by the virus,
but these files are unable to spread the infection further.
Shell does not stay resident in memory.
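
The following is an added example, not part of F-SHELL or of the original
document. It reads the NE header fields that matter for the infection
method described above and shows why an integrity check that records only
the entry point misses an added segment. The function names and the sample
images are constructed for illustration; the file-size check assumes that
an added segment makes the file larger.

```python
import struct

def exe_summary(data: bytes) -> dict:
    """Return the header fields an integrity baseline should record."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "not-mz"}
    (new_hdr,) = struct.unpack_from("<I", data, 0x3C)    # offset of new-style header
    if new_hdr + 0x24 > len(data):
        return {"format": "mz-only"}
    sig = data[new_hdr:new_hdr + 2]
    if sig == b"PE":
        return {"format": "PE"}                          # 32-bit Win95/WinNT executable
    if sig != b"NE":
        return {"format": "mz-only"}
    ip, cs = struct.unpack_from("<HH", data, new_hdr + 0x14)      # entry point CS:IP
    (segments,) = struct.unpack_from("<H", data, new_hdr + 0x1C)  # segment table entries
    return {"format": "NE", "entry": (cs, ip), "segments": segments, "size": len(data)}

def compare_to_baseline(baseline: dict, current: dict) -> list:
    """List the differences between a known-good summary and the current one."""
    findings = []
    if baseline.get("format") != "NE" or current.get("format") != "NE":
        return findings
    if current["entry"] != baseline["entry"]:
        findings.append("entry point changed")
    if current["segments"] > baseline["segments"]:
        findings.append("segment count grew")
    if current["size"] > baseline["size"]:               # assumption: new segment adds bytes
        findings.append("file size grew")
    return findings

def make_sample(segments: int, pad: int = 0) -> bytes:
    """Constructed header-only image (not a runnable program) for the demo."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<HH", ne, 0x14, 0x0010, 1)         # IP=0x0010 in segment 1
    struct.pack_into("<H", ne, 0x1C, segments)
    return bytes(mz + ne) + b"\0" * pad

if __name__ == "__main__":
    before = exe_summary(make_sample(2))
    after = exe_summary(make_sample(3, pad=512))
    print("entry unchanged:", before["entry"] == after["entry"])
    print("findings:", compare_to_baseline(before, after))
```
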

This virus activates by dropping a GIF file, which contains a picture
of a Shell and the text:

	I'm the Tentacle Virus!


SYMPTOMS

Shell causes no obvious symptoms, except slowing the PC down (the
infection process is slow). For this reason it is recommended that
suspect PCs be scanned using the F-SHELL utility.


HOW TO USE F-SHELL

Run F-SHELL with the drive letter or directory as a parameter. For example:

        F-SHELL C:
        F-SHELL Z:\USERS

If F-SHELL finds the virus, you will be notified. Then, type
F-SHELL <drive parameter> /DISINF, and F-SHELL will disinfect
any infected files.

IMPORTANT: It is not always possible to recover an infected file
completely. The file will usually work after disinfection, but is not
an exact copy of the original. We recommend reinstalling and restoring
infected files instead of disinfecting them. Disinfected files will
almost always work correctly, unless the program has a self-check
routine. MS Mail and MS Schedule are examples of programs which will
warn about failed self-check after disinfection.


WHAT ABOUT FLOPPIES?

Since infected files may have been copied to floppy diskettes, you
will want to scan your floppy diskettes as well. To do this, invoke
F-SHELL using the /MULTI switch (e.g. F-SHELL A: /MULTI).

--

Virus analysis based on information from Mikko Hypponen, Data Fellows
F-PROT Professional Support. F-SHELL by Peter Szor, Data Fellows F-PROT
Professional Development.

F-SHELL is protected by international copyright laws. F-SHELL is (c)
1996 Data Fellows Ltd, and it is not in public domain or freeware, but
you are free to use and share this software with no charges in
non-commercial private use. Use of this software in other environments
is not allowed in Europe, Asia and Africa without a license to F-PROT
Professional or a current license from Frisk Software International.
To purchase a license, contact your local distributor listed in
PRO.DOC. Please redistribute F-SHELL only with this documentation. You
are not allowed to resell this software for your own profit (normal
copying costs excluded) or claim to hold rights to this software.
Although you may have the right to use F-SHELL, it will remain the
exclusive property of Data Fellows. Data Fellows does not warrant that
the software is error free and we will not cover any costs created by
function or malfunction of this program. Data Fellows also disclaims
liability for possible consequential damages. If you cannot agree to
these restrictions, you should not use F-SHELL.

Copyright (c) 1996 Data Fellows Ltd, Finland

                 Data Fellows Ltd
                 Paivantaite 8
                 FIN-02210 ESPOO
                 FINLAND
                 tel:    +358-9-478 444
                 fax:    +358-9-478 44 599
                 e-mail: F-PROT-Support@DataFellows.com
                 www:    http://www.DataFellows.com/
