F-TENT2 - Scanner and disinfector for the Tentacle_II.10634 virus
Copyright (c) 1996 Data Fellows Ltd

OVERVIEW

F-TENT2 will detect and disinfect the Tentacle_II.10634 Windows virus
(also known as Shell). This document gives a brief description of
the Tentacle_II virus and explains how to use F-TENT2 to detect and
disinfect this virus.

ABOUT THE TENTACLE_II VIRUS

Tentacle_II is one of an increasing number of viruses distributed via the
Internet, in the form of posts to Usenet News.

This virus was found in the wild in June 1996 in the USA, the UK,
Australia, Norway and New Zealand. It has possibly been distributed
over the Internet several times. A known infection happened on the
3rd of August, 1996, when an infected screen saver called PCTRSHOW.ZIP
was posted to the following newsgroups:

  alt.sex.pictures
  alt.binaries.pictures.erotica
  alt.binaries.pictures.erotica.blondes
  alt.binaries.pictures.erotica.breasts
  alt.binaries.pictures.erotica.cheerleaders
  alt.binaries.pictures.erotica.female
  alt.binaries.pictures.erotica.lesbians
  alt.binaries.pictures.erotica.oral
  alt.binaries.pictures.erotica.orientals
  alt.binaries.pictures.erotica.redheads
  alt.binaries.pictures.erotica.teen
  alt.binaries.pictures.erotica.teen.female
  alt.binaries.pictures.erotica.voyeurism
  alt.binaries.pictures.erotica.young
  alt.binaries.pictures.groupsex
  alt.binaries.pictures.erotica.latina
  alt.binaries.pictures.celebrities
  alt.binaries.pictures.girls


The virus infects only Windows 3.x executables (NE), and it does so
without changing the executable entry point. This is an unusual infection
method and was first introduced in this virus. The virus adds a new
segment to the executable and modifies the structure of the file: this
makes it a very difficult virus to disinfect.
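
The sketch below is an added example, not part of F-TENT2 or of the
original document. It parses the NE header fields mentioned above and
compares a file against a known-good baseline, showing why a check of
the entry point alone does not notice an added segment. The function
names and the header-only sample images are constructed for illustration.

```python
import struct

def ne_summary(data: bytes) -> dict:
    """Parse the entry point and segment table of a Windows 3.x NE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (ne_off,) = struct.unpack_from("<I", data, 0x3C)         # offset of new header
    if data[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header (PE or plain DOS file?)")
    ip, cs = struct.unpack_from("<HH", data, ne_off + 0x14)  # entry point CS:IP
    (count,) = struct.unpack_from("<H", data, ne_off + 0x1C) # segment count
    (table,) = struct.unpack_from("<H", data, ne_off + 0x22) # relative to NE header
    segments = [struct.unpack_from("<4H", data, ne_off + table + 8 * i)
                for i in range(count)]  # (sector, length, flags, min_alloc)
    return {"entry": (cs, ip), "segments": segments}

def compare_to_baseline(baseline: dict, current: dict) -> list:
    """List structural differences between a known-good summary and a new one."""
    findings = []
    if current["entry"] != baseline["entry"]:
        findings.append("entry point changed")
    old, new = len(baseline["segments"]), len(current["segments"])
    if old != new:
        findings.append("segment count changed: %d -> %d" % (old, new))
    elif current["segments"] != baseline["segments"]:
        findings.append("segment table entries changed")
    return findings

def build_sample(entry, segments) -> bytes:
    """Constructed test input: a header-only NE image, not a real program."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                 # NE header follows MZ stub
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    struct.pack_into("<HH", ne, 0x14, entry[1], entry[0])  # stored as IP, then CS
    struct.pack_into("<H", ne, 0x1C, len(segments))
    struct.pack_into("<H", ne, 0x22, 0x40)                 # table right after header
    return bytes(mz + ne + b"".join(struct.pack("<4H", *s) for s in segments))

if __name__ == "__main__":
    clean = build_sample((1, 0x0010), [(4, 0x0200, 0x1D10, 0x0200)])
    changed = build_sample((1, 0x0010), [(4, 0x0200, 0x1D10, 0x0200),
                                         (6, 0x0400, 0x1D10, 0x0400)])
    print(compare_to_baseline(ne_summary(clean), ne_summary(changed)))
```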

When executed, Tentacle_II searches the directory tree for suitable
files to infect. Only EXE and SCR (screen saver) files can get
infected.

32-bit Win95 and WinNT executables can also be infected by the virus,
but these files are unable to spread the infection further.
Tentacle_II does not stay resident in memory.

This virus activates by dropping a GIF file, which contains a picture
of a tentacle and the text:

	I'm the Tentacle Virus!


SYMPTOMS

Tentacle_II causes no obvious symptoms, except slowing the PC down (the
infection process is slow). For this reason it is recommended that
suspect PCs be scanned using the F-TENT2 utility.


HOW TO USE F-TENT2

Run F-TENT2 with the drive letter or directory as a parameter. For example:

        F-TENT2 C:
        F-TENT2 Z:\USERS

If F-TENT2 finds the virus, you will be notified. Then, type
F-TENT2 <drive parameter> /DISINF, and F-TENT2 will disinfect
any infected files.

IMPORTANT: It is not always possible to recover an infected file
completely. The file will usually work after disinfection, but is not
an exact copy of the original. We recommend reinstalling and restoring
infected files instead of disinfecting them. Disinfected files will
almost always work correctly, unless the program has a self-check
routine. MS Mail and MS Schedule are examples of programs which will
warn about failed self-check after disinfection.


WHAT ABOUT FLOPPIES?

Since infected files may have been copied to floppy diskettes, you
will want to scan your floppy diskettes as well. To do this, invoke
F-TENT2 using the /MULTI switch (e.g. F-TENT2 A: /MULTI).

--

Virus analysis based on information from Mikko Hypponen, Data Fellows
F-PROT Professional Support. F-TENT2 by Peter Szor, Data Fellows F-PROT
Professional Development.

F-TENT2 is protected by international copyright laws. F-TENT2 is (c)
1996 Data Fellows Ltd, and it is not in public domain or freeware, but
you are free to use and share this software with no charges in
non-commercial private use. Use of this software in other environments
is not allowed in Europe, Asia and Africa without a license to F-PROT
Professional or a current license from Frisk Software International.
To purchase a license, contact your local distributor listed in
PRO.DOC. Please redistribute F-TENT2 only with this documentation. You
are not allowed to resell this software for your own profit (normal
copying costs excluded) or claim to hold rights to this software.
Although you may have the right to use F-TENT2, it will remain the
exclusive property of Data Fellows. Data Fellows does not warrant that
the software is error free and we will not cover any costs created by
function or malfunction of this program. Data Fellows also disclaims
liability for possible consequential damages. If you cannot agree to
these restrictions, you should not use F-TENT2.

Copyright (c) 1996 Data Fellows Ltd, Finland

                 Data Fellows Ltd
                 Paivantaite 8
                 FIN-02210 ESPOO
                 FINLAND
                 tel:    +358-0-478 444
                 fax:    +358-0-478 44 599
                 e-mail: F-PROT-Support@DataFellows.com
                 www:    http://www.DataFellows.com/
