**********************************************************************
**                                                                  **
** What's New in the NAV Virus Definitions Files       WHATSNEW.TXT **
**                                                                  **
** Symantec AntiVirus Research Center (SARC)       November 1, 1999 **
**                                                                  **
**********************************************************************

This document contains the following topics:

 * Virus Alerts
 * New Technologies
 * Changes Incorporated Into This Update
 * Enabling/Disabling PowerPoint Scanning
 * Additional Information

**********************************************************************
** Virus Alerts                                                     **
**********************************************************************

The ten most commonly reported viruses, worldwide:

  1  W97M.Class
  2  XM.Laroux
  3  O97M.Tristate
  4  W95.CIH
  5  Happy99.Worm
  6  WM.Cap
  7  W97M.ColdApe
  8  W97M.Ethan
  9  W97M.Melissa
 10  Worm.ExploreZip

**********************************************************************
** New Technologies                                                 **
**********************************************************************

DATE       Technologies Added
----       ------------------
8/19/98    * Excel heuristics which detect and repair new and unknown
             macro viruses in Excel 95 & 97 documents.

9/16/98    * Added repair for encrypted Excel 97 documents.

10/21/98   * Heuristics to detect AOL Password Stealer Trojans.
           * WORD Heuristics improvement to increase detection rate.

12/17/98   * Macro Exclusion Engine to speed up the scanning for Word
             and Excel documents.
           * PowerPoint engine to scan PowerPoint related viruses.
             To enable this technology please read
             "Enabling/Disabling PowerPoint Scanning" section later
             in this document.

02/18/99   * Detection and repair of macro viruses in Word and Excel
             2000 documents.

05/12/99   * Added repair for PowerPoint viruses.
           * Improved heuristics to detect more WORD 97 related
             viruses.

06/10/99   * Menu repair technology for WORD macro viruses that
             change command bar customizations in NORMAL.DOT.

07/12/99   * Added support for scanning of Ichitaro 8/9 documents.
             (Ichitaro is a Japanese word processing program).
08/19/99   * Added detection and repair for embedded documents inside
             PowerPoint 97.

**********************************************************************
** Changes Incorporated Into This Virus Definitions Update          **
**********************************************************************

New virus definitions:

Virus Name                Infection Type          Week added
----------                --------------          ----------
Abaddon Trojan            File infector           10/12/99
AntiCad.4096              File infector           10/12/99
ASBV (b)                  Boot infector           09/27/99
BAT.Chantal               File infector           10/18/99
Bebe.Dropper              File infector           10/12/99
Bebe.Dropper (2)          File infector           10/12/99
Best Wishes.1024.A(x)     File infector           10/12/99
Best Wishes.1024.A(x2)    File infector           10/12/99
Best Wishes.Dropper       File infector           10/12/99
Best Wishes.Dropper(2)    File infector           10/12/99
Burglar.1150.Dr           File infector           10/12/99
Burglar.1150.Dr (2)       File infector           10/12/99
Carioca.Dropper           File infector           10/12/99
Carioca.Dropper (2)       File infector           10/12/99
DailyBread.903            File infector           09/27/99
DarkAvenger.1745          File infector           10/12/99
DarkAvenger.1745 (2)      File infector           10/12/99
DataLock.Dropper          File infector           10/12/99
DonaldD.Trojan (NT)       File infector           10/05/99
DonaldD.Trojan (NT2)      File infector           10/05/99
DonaldD.Trojan (NT3)      File infector           10/05/99
DonaldD.Trojan (NT4)      File infector           10/05/99
Doom II.1504.B            File infector           10/12/99
Doom II.1504.B(2)         File infector           10/12/99
Doom II.Dropper           File infector           10/12/99
Doom II.Dropper (2)       File infector           10/12/99
Falopa.548                File infector           10/12/99
Gill.765                  File infector           10/25/99
HLLO.TPPE.15600           File infector           09/27/99
HLLO.TPPE.15600(2)        File infector           09/27/99
HLLT.7909                 File infector           10/18/99
HLLT.7909(2)              File infector           10/18/99
ICQ2000                   File infector           11/01/99
ICQPass                   File infector           11/01/99
Jerusalem.1682            File infector           10/25/99
KVS.1942                  File infector           11/01/99
KVS.1942 (x)              File infector           11/01/99
MonkeyB.Intended          File infector           09/27/99
Necropolis.Dropper        File infector           10/12/99
Necropolis.Dropper(2)     File infector           10/12/99
NetBus Pro Server         File infector           10/05/99
Number 1.12032.B          File infector           10/12/99
Number 1.12032.B (2)      File infector           10/12/99
O97M.Tristate.R           File infector           11/01/99
Overwriter.124            File infector           10/12/99
Overwriter.124 (2)        File infector           10/12/99
QScare.Jerusalem          File infector           09/27/99
RedAlert (b)              Boot infector           10/18/99
RingZero.Trojan           File infector           10/25/99
Ruff.4859 (G1)            File infector           10/18/99
Serb.Dropper              File infector           10/12/99
Striker.461               File infector           10/12/99
Striker.461 (2)           File infector           10/12/99
SubSeven 2.0 server       File infector           10/04/99
Suleiman.708              File infector           10/12/99
Suleiman.708 (2)          File infector           10/12/99
Tequila (3)               File and Boot infector  09/27/99
Terror.1085.B             File infector           10/12/99
Terror.1085.B (2)         File infector           10/12/99
TraceBack.Dropper         File infector           10/12/99
TraceBack.Dropper (2)     File infector           10/12/99
Trivial.92.B              File infector           09/27/99
Trojan.Revenge            File infector           10/25/99
Tumen.1092.Dr             File infector           10/12/99
Tumen.1092.Dr (2)         File infector           10/12/99
Tumen.1663.Dr             File infector           10/12/99
Tumen.1663.Dr (2)         File infector           10/12/99
VBasic.C                  File infector           10/12/99
VBasic.C (2)              File infector           10/12/99
VBS.Chantal               File infector           10/18/99
VBS.TripleSix             File infector           11/01/99
Vien.Hybryd.Dr            File infector           10/12/99
Vien.Hybryd.Dr (2)        File infector           10/12/99
Vien.Viol.Dr              File infector           10/12/99
Vien.Viol.Dr (2)          File infector           10/12/99
Virogen.Asexual (1)       File infector           10/12/99
VRUNNING.884              File infector           09/27/99
W32.Aldebara              File infector           10/25/99
W32.Anap.16384            File infector           10/12/99
W32.Autoworm.3072         File infector           10/12/99
W32.Autoworm.3072         File infector           10/25/99
W32.Azaco.8192.A          File infector           10/25/99
W32.Badass.24576          File infector           10/11/99
W32.Badass.24576(2)       File infector           10/11/99
W32.Benny.3219            File infector           11/01/99
W32.Bogus.4096            File infector           10/12/99
W32.Bolzano.K (scr)       File infector           10/25/99
W32.Bolzano.K (scr2)      File infector           10/25/99
W32.Cargo.Int             File infector           10/12/99
W32.Drol.5337.A           File infector           10/12/99
W32.Drol.5337.B           File infector           10/12/99
W32.Esperanto (2)         File infector           10/18/99
W32.Gift.32768            File infector           11/01/99
W32.Gift.35561            File infector           10/25/99
W32.Haless.1127           File infector           10/12/99
W32.Harrier.G1            File infector           10/12/99
W32.HLLC.Ext              File infector           10/12/99
W32.HLLO.ZMK.50000        File infector           10/12/99
W32.HLLP.Badby            File infector           10/05/99
W32.HLLP.Crystal          File infector           10/18/99
W32.HLLP.VB.14336.B       File infector           10/18/99
W32.HLLP.YAI              File infector           10/18/99
W32.Magic.7045.Int        File infector           10/12/99
W32.Magic.8192.Int        File infector           10/12/99
W32.Morgoth.2560          File infector           11/01/99
W32.Oporto.3078           File infector           10/05/99
W32.Prizm                 File infector           10/25/99
W32.Savior.1696           File infector           09/27/99
W32.Sysclock              File infector           10/12/99
W95.Champ.5447.b          File infector           09/27/99
W95.Companion.4096.A      File infector           10/25/99
W95.Companion.4096.D      File infector           10/25/99
W95.Fabi.9608             File infector           10/18/99
W95.Jacky.G1              File infector           10/12/99
W95.Molly.725             File infector           10/12/99
W95.Poshkill              File infector           10/12/99
W95.Regikx.8192           File infector           10/12/99
W95.Regikx.8192.G1        File infector           10/12/99
W95.Rekoj.940             File infector           10/12/99
W95.Rinim.431             File infector           11/01/99
W95.Roma                  File infector           09/27/99
W95.Spaces.1245           File infector           10/12/99
W95.SV.2332               File infector           10/12/99
W95.Tip                   File infector           11/01/99
W95.Vlades.29696          File infector           10/12/99
W95.Yoyo.651.Int          File infector           10/18/99
W97M.Aleja5.B             File infector           10/25/99
W97M.Arbeit.A             File infector           10/12/99
W97M.Automat.P            File infector           11/01/99
W97M.Automat.Q            File infector           11/01/99
W97M.Balloon.A            File infector           09/27/99
W97M.Bellingham           File infector           10/05/99
W97M.Bribagi              File infector           10/25/99
W97M.Candle               File infector           10/18/99
W97M.Chantal.A            File infector           09/27/99
W97M.Cobra.Family         File infector           10/12/99
W97M.Combossa.A           File infector           10/18/99
W97M.Hope                 File infector           09/27/99
W97M.Jedi.H               File infector           10/05/99
W97M.Katty.A              File infector           09/27/99
W97M.Locale.Variant       File infector           09/27/99
W97M.Mamm.B               File infector           10/05/99
W97M.Melissa.U            File infector           10/18/99
W97M.Melissa.U (Gen1)     File infector           10/14/99
W97M.Melissa.V            File infector           10/25/99
W97M.Melissa.Y            File infector           10/25/99
W97M.Melissa.Z            File infector           10/25/99
W97M.Michael.A            File infector           10/12/99
W97M.MMKV                 File infector           09/27/99
W97M.Odious.A             File infector           09/27/99
W97M.Panther              File infector           10/25/99
W97M.Pathetic.A           File infector           09/27/99
W97M.Story                File infector           11/01/99
W97M.Taro                 File infector           10/12/99
W97M.Thus                 File infector           10/25/99
W97M.VMPCK1.BO            File infector           09/27/99
W97M.VMPCK1.CM            File infector           10/25/99
W97M.VMPCK1.CM.DROP       File infector           10/25/99
W97M.Wazzu.DL             File infector           10/12/99
W97M.Wazzu.DN             File infector           10/12/99
W97M.Wazzu.FD             File infector           10/12/99
W97M.Wazzu.FP             File infector           10/12/99
W97M.Wazzu.HF             File infector           10/12/99
WarezMPC.Intended         File infector           09/27/99
WM.Attention.A            File infector           10/12/99
WM.Intended               File infector           10/05/99
WNT.Infis.4608            File infector           10/08/99
WTFM.278                  File infector           09/27/99
WW-217.Intended           File infector           09/27/99
X97M.Hongo                File infector           10/05/99
X97M.Laroux.KU            File infector           10/12/99
X97M.PTH.variant          File infector           10/25/99
X97M.VCX.Variant          File infector           10/12/99
XM.PTH.variant            File infector           10/25/99

Name Changes:

Old Virus Name               New Virus Name           Date changed
--------------               --------------           ------------
Anxiety.1536              to W95.Anxiety              09/27/99
Anxiety.E                 to W95.Anxiety.1399         09/27/99
Anxiety.II.1600           to W95.Anxiety.1823         09/27/99
Anxiety.III.1750          to W95.Anxiety (2)          09/27/99
Apparation.C              to Win.Apparition.C         09/27/99
Apparition.89021          to Win.Apparition.89021     09/27/99
Apparition.B (Gen1)       to Win.Apparition.B         09/27/99
Beast.A.Trojan            to W32.Beast.A              09/27/99
Beast.B.Trojan            to W32.Beast.B              09/27/99
Best Wishes.1024 Gen 1    to Best Wishes.1024.B       09/27/99
Best Wishes.1024.B8       to Best Wishes.1024.A       09/27/99
Bog.233 (1)               to Win.Bog.233              09/27/99
Boza (1)                  to W95.Boza                 09/27/99
CyberRiot                 to Win.CyberRiot            09/27/99
Esperanto.4733 (1)        to W32.Esperanto.4733       09/27/99
Explore.59904             to W32.Semisoft.59904.B     09/27/99
Explore666.59392          to W32.Semisoft.59392       09/27/99
Explore666.59904          to W32.Semisoft.59904.A     09/27/99
Explore666.59904.B        to W32.Semisoft.59904.C     09/27/99
Heathen.12288(DLL)        to W32.Heathen.12288        09/27/99
Homer.A                   to Win.Homer                09/27/99
Jacky.1107                to W95.Jacky.1107           09/27/99
Jacky.1107 (Gen1)         to W95.Jacky.1107 (Gen1)    09/27/99
Lizard.1967               to W95.Lizard.1967          09/27/99
Lizard.1967 (vxd)         to W95.Lizard.1967 (VxD)    09/27/99
Lizard.5150 (VXD)         to W95.Lizard.5150 (VxD)    09/27/99
P97M.Vic.A                to PP97M.Vic.A              11/01/99
RedTeam                   to Win.RedTeam              09/27/99
RedTeam Kernel            to Win.RedTeam (Kernel)     09/27/99
Skim.1455                 to Win.Skim.1455            09/27/99
Tentacle II               to Win.Tentacle_II          09/27/99
Troj.polygot              to Troj.polyglot            10/05/99
Twitch                    to Win.Twitch               09/27/99
Vicodin.1168              to Win.Vicodin.1168         09/27/99
W32.Apparition            to W32.Apparition.A         10/18/99
W32.Beast.A               to W32.Beast.41472          10/18/99
W32.Beast.B               to W32.Beast.56230          10/18/99
W32.Bolzano.4096.a/b/c    to W32.Bolzano.4096         10/18/99
W32.Bolzano.Dropper       to W32.Bolzano.G1           10/18/99
W32.Giri.Dropper          to W32.Giri.G1              11/01/99
W32.Idyllwild             to W32.Idyll                09/27/99
W32.Magic.8192.Int        to W32.Staro.8192.Int       10/18/99
W32.VB                    to W32.HLLP.VB.14336.A      10/18/99
W32/W97M.Fabi.15930       to W97M.Fabi.15930          10/18/99
W95.Apparition            to W32.Apparition           09/27/99
W95.Becoming              to W95.Bumble.1736          09/27/99
W95.Cabanas               to W32.Cabanas              09/27/99
W95.CIH.Killer            to W95.CIHKiller            10/18/99
W95.CrazyPunk             to Crazypunk                10/18/99
W95.Emotion               to W32.Emotion              09/27/99
W95.Enumiacs              to W32.Enumiacs             09/27/99
W95.Fabi                  to W95.Fabi.15930.A         10/18/99
W95.Fabi.B                to W95.Fabi                 09/27/99
W95.Fono (COM)            to W95.Fono (DOS)           09/27/99
W95.Giri                  to W32.Giri                 09/27/99
W95.Giri.Dropper          to W32.Giri.Dropper         09/27/99
W95.Highway               to W32.Highway.A            10/18/99
W95.HLL.186380            to W32.HLLP.186380          09/27/99
W95.HLLO.ZMK              to W95.HLLO.ZMK.22184       10/18/99
W95.HLLP.DeTroie          to W32.HLLP.DeTroie         09/27/99
W95.HLLP.Mtv              to W32.HLLP.Mtv             11/01/99
W95.HongKong.cmp          to W95.Companion.C          09/27/99
W95.I13                   to W95.I13.8192             09/27/99
W95.IKX                   to W32.IKX                  09/27/99
W95.K32                   to W95.K32.3030             09/27/99
W95.Klunky                to W95.Klunky (VxD)         09/27/99
W95.Klunky (vxd)          to W95.Klunky (damVxD)      09/27/99
W95.Libertine             to W95.Libertine.B          10/18/99
W95.Lisa.27136.a          to W32.Lisa.27136.A         10/18/99
W95.Lizard.b              to W95.Lizard.2381 (VxD)    09/27/99
W95.Navrhar (vxd)         to W95.Navrhar (VxD)        09/27/99
W95.Niko                  to W32.Niko                 09/27/99
W95.Parvo                 to W32.Parvo                09/27/99
W95.Punch (vxd)           to W95.Punch (VxD)          09/27/99
W95.Ruff                  to W32.Ruff                 09/27/99
W95.SAB                   to W95.Sab.512.B            10/18/99
W95.Savior                to W32.Savior.1832          09/27/99
W95.Spawn.cmp             to W95.Companion.B          09/27/99
W95.Spit                  to W32.Spit                 09/27/99
W95.Stupid                to W32.Stupid               09/27/99
W95.Tentacle.1958         to Win.Tentacle.1958        09/27/99
W95.Twinny                to W95.Zombie.C             09/27/99
W95.Weird                 to W32.Weird                09/27/99
W95.Weird.Dropper         to W32.Weird (G1)           09/27/99
W95.Yurn (dll)            to W95.Yurn (DLL)           09/27/99
W97M.Astia.E              to W97M.Astia.F             09/27/99
W97M.Fabi.15930           to W97M.Fabi.15930 G1       10/18/99
W97M.Fabi.Dropper         to W97M.Fabi.15930          09/27/99
W97M.LMN.A                to W97M.Brenda.A            11/01/99
W97M.Password.A           to W97M.Eight941.A          09/27/99
W97M.Password.B           to W97M.Eight941.B          09/27/99
W97M.Password.C           to W97M.Eight941.C          09/27/99
W97M.W32.Coke             to W97M/W32.Coke            09/27/99
W9xM.VMPCK1.BH            to W97M.Remplace.C          09/27/99
Win.Apparition.B          to W32.Apparition.B         10/18/99
WIN95.YOUD.1388           to W95.Youd.1388            09/27/99
WinSurf                   to Win.WinSurf              09/27/99
WinTiny                   to Win.WinTiny              09/27/99
WinTPVO.3783              to Win.TPVO.3783            09/27/99
Winvir 1.4                to Win.Winvir.A             09/27/99
X97M.LifeBlood            to X97M.Manalo.D            09/27/99
XM.Laroux.N               to X97M.Button.A            09/27/99
Yurn.1179                 to W95.Yurn.1179            09/27/99

Deletions:

Virus Name                Infection Type          Date removed
----------                --------------          ------------
BW.Snowbird.1272 (1)      File infector           11/01/99
BW.Snowbird.1272 (2)      File infector           11/01/99
DA.Oliver (Gen1)          File infector           10/25/99
DonaldD.Trojan (dll)      File infector           10/05/99
DonaldD.Trojan (dll2)     File infector           10/05/99
DonaldD.Trojan (dll3)     File infector           10/05/99
Ebone.5824                File infector           10/12/99
KVS.1942                  File infector           10/25/99
LZ                        File infector           11/01/99
Marzia.2048.E             File infector           10/12/99
Marzia.B                  File and Boot infector  10/12/99
Marzia.C                  File and Boot infector  10/12/99
Marzia.D                  File and Boot infector  10/12/99
Mayhem                    File infector           09/27/99
ONE.3577                  File infector           10/12/99
QScare.Jerusalem          File infector           10/05/99
Rush Hour                 File infector           10/12/99
Silly Willy.2258          File infector           10/12/99
VBS.Avm (2)               File infector           10/25/99
Virogen.Asexual (1)       File infector           10/05/99
Virus-90 (d)              File infector           10/25/99
W32.Autoworm.3072         File infector           10/13/99
W95.I13.8192              File infector           10/18/99
W95.Roma                  File infector           09/22/99

**********************************************************************
** Enabling/Disabling PowerPoint Scanning                           **
**********************************************************************

PowerPoint Scanning is now enabled by default and can be optionally
disabled. However, you may want to verify that files with PowerPoint
extensions will be scanned by making sure that your NAV options have
both ".PPT" and ".POT" in the list of extensions to scan.

To disable PowerPoint scanning in NAV for Windows 95/NT version 4.x
or NAV for OS/2, a text file named NAVEX15.INF should be placed in
the directory where NAV 4.x or NAV 5.x is installed
(i.e., C:\Program Files\Norton AntiVirus).

To disable PowerPoint scanning in NAV for Netware version 4.x, a text
file named NAVEX15.INF should be placed in the directory where
NAV 4.x is installed (i.e., sys:system\navnlm).

To disable PowerPoint scanning in NAV for Windows 95/NT version 2.0,
NAV 4.x for Windows 3.1/DOS, NAVIEG 1.x, or NAVFW 1.x a text file
named NAVEX.INF should be placed in the directory where NAV is
installed (i.e., C:\NAV).

The contents of the text file, NAVEX15.INF or NAVEX.INF, determine
which components of NAV have PowerPoint scanning disabled. To disable
PowerPoint scanning for a particular component, use the following
table to determine the lines to add to the text file. PowerPoint
scanning can be disabled for more than one component if needed by
adding the required lines for the desired components.
+---------------------+--------------------------+--------------------+
|Windows 95/NT scanner|Windows 95/NT auto-protect|DOS scanner         |
+---------------------+--------------------------+--------------------+
|[NAVW32]             |[NAVAP]                   |[NAVDX]             |
|PowerPointScanning=0 |PowerPointScanning=0      |PowerPointScanning=0|
+---------------------+--------------------------+--------------------+

+----------------------+--------------------+--------------------+
|Windows 3.1 scanner/AP|Netware scanner     |OS/2 scanner/AP     |
+----------------------+--------------------+--------------------+
|[NAVWIN]              |[NAVNLM]            |[NAVOS2]            |
|PowerPointScanning=0  |PowerPointScanning=0|PowerPointScanning=0|
+----------------------+--------------------+--------------------+

To enable PowerPoint scanning for a component, delete the lines added
for that component from the NAVEX15.INF or NAVEX.INF file.

**********************************************************************
** Additional Information                                           **
**********************************************************************

SARC has equipped Norton AntiVirus with a new feature called
"Infestation Mode." If a large number of new or unknown viruses is
found on the system during a scan, Norton AntiVirus will
automatically enable its highest level of detection. This gives users
the most comprehensive protection in cases where a viral infestation
may have been detected.

If you would like to disable this feature, you can do so by following
these instructions:

 1. Create a text file called NAVEX15.INF in your Norton AntiVirus
    directory, e.g., C:\Program Files\Norton AntiVirus. If this file
    already exists, go to step two.

 2. Place the following lines in this file on the left-hand margin:

[NAVW32]
infestmode=0
[NAVDX]
infestmode=0

 3. Save the file.

Additional information regarding this virus definitions update can be
found in UPDATE.TXT and TECHNOTE.TXT.
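
The following is an added example, not part of the original Symantec
document: a Python check that reads the text of a NAVEX15.INF or
NAVEX.INF file and lists every component for which PowerPoint scanning
or Infestation Mode has been switched off. The sample file contents are
constructed, and case-insensitive matching of section and key names is
an assumption.

```python
import configparser

# Section names and keys come from the page; a value of 0 disables the feature.
COMPONENTS = {
    "NAVW32": "Windows 95/NT scanner",
    "NAVAP": "Windows 95/NT auto-protect",
    "NAVDX": "DOS scanner",
    "NAVWIN": "Windows 3.1 scanner/AP",
    "NAVNLM": "Netware scanner",
    "NAVOS2": "OS/2 scanner/AP",
}
FEATURES = {
    "powerpointscanning": "PowerPoint scanning",
    "infestmode": "Infestation Mode",
}

# Constructed sample file contents, not taken from a real installation.
SAMPLE_INF = """\
[NAVW32]
PowerPointScanning=0
infestmode=0
[navap]
PowerPointScanning = 0
[NAVDX]
infestmode=0
"""


def audit_navex_inf(text):
    """Return sorted (section, component, feature) tuples for each feature set to 0."""
    # strict=False merges a section that appears twice instead of rejecting the file.
    # configparser lowercases option names, so key matching is case-insensitive.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"unparseable INF text: {exc}") from exc
    findings = set()
    for section in parser.sections():
        name = section.strip().upper()  # assumption: section names match case-insensitively
        component = COMPONENTS.get(name, "unknown component")
        for key, label in FEATURES.items():
            if parser[section].get(key, "").strip() == "0":
                findings.add((name, component, label))
    return sorted(findings)


if __name__ == "__main__":
    for name, component, label in audit_navex_inf(SAMPLE_INF):
        print(f"[{name}] {component}: {label} disabled")
```

Running the same check across managed machines shows where one of these
files has been placed in the NAV directory and which protections it
turns off.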