**********************************************************************
**                                                                  **
**  What's New in the NAV Virus Definitions Files     WHATSNEW.TXT  **
**                                                                  **
**  Symantec AntiVirus Research Center (SARC)    February 24, 2000  **
**                                                                  **
**********************************************************************

This document contains the following topics:

  * Virus Alerts
  * New Technologies
  * Changes Incorporated Into This Update
  * Enabling Scanning Features
  * Additional Information

**********************************************************************
** Virus Alerts                                                     **
**********************************************************************

The ten most commonly reported viruses, worldwide:

   1  W97M.Class
   2  XM.Laroux
   3  O97M.Tristate
   4  W95.CIH
   5  Happy99.Worm
   6  WM.Cap
   7  W97M.ColdApe
   8  W97M.Ethan
   9  W97M.Melissa
  10  Worm.ExploreZip

**********************************************************************
** New Technologies                                                 **
**********************************************************************

DATE        Technologies Added
----        ------------------
8/19/98     * Excel heuristics which detect and repair new and
              unknown macro viruses in Excel 95 & 97 documents.

9/16/98     * Added repair for encrypted Excel 97 documents.

10/21/98    * Heuristics to detect AOL Password Stealer Trojans.
            * WORD Heuristics improvement to increase detection rate.

12/17/98    * Macro Exclusion Engine to speed up the scanning for
              Word and Excel documents.
            * PowerPoint engine to scan PowerPoint related viruses.
              To enable this technology please read
              "Enabling/Disabling PowerPoint Scanning" section later
              in this document.

02/18/99    * Detection and repair of macro viruses in Word and
              Excel 2000 documents.

05/12/99    * Added repair for PowerPoint viruses.
            * Improved heuristics to detect more WORD 97 related
              viruses.

06/10/99    * Menu repair technology for WORD macro viruses that
              change command bar customizations in NORMAL.DOT.

07/12/99    * Added support for scanning of Ichitaro 8/9 documents.
              (Ichitaro is a Japanese word processing program).

08/19/99    * Added detection and repair for embedded documents
              inside PowerPoint 97.

11/22/99    * Added detection and repair for Trojans embedded in OLE
              files, such as Windows scrap files and MS Office
              documents.
            * Added detection for viruses which infect Microsoft
              Project documents (P98M.Corner.A, for example).

02/10/00    * Added support for scanning of UNIX executables.
            * Added detection for infected Visio documents.

**********************************************************************
** Changes Incorporated Into This Virus Definitions Update          **
**********************************************************************

New virus definitions:

Virus Name                Infection Type   Week added
----------                --------------   ----------
AOL 79316.Trojan          File infector    01/24/00
ACG                       File infector    02/10/00
Backdoor.DeepThroat.b     File infector    02/22/00
Backdoor.Doly             File infector    02/07/00
Backdoor.GF.135           File infector    02/22/00
Backdoor.InCommander      File infector    02/10/00
Backdoor.Insane           File infector    02/22/00
Backdoor.Kamikaze         File infector    02/07/00
Backdoor.NetSpy.20        File infector    02/22/00
Backdoor.Sockets23        File infector    01/24/00
Backdoor.TheThing-1.2     File infector    01/31/00
Backdoor.TheThing.a       File infector    02/22/00
Buttman.Trojan            File infector    02/22/00
Deltree Trojan #5         File infector    01/31/00
Divine.Trojan             File infector    01/31/00
Eek (b)                   Boot infector    01/31/00
Help.Dummy                File infector    02/10/00
HLP.Demo                  File infector    01/31/00
ICQ.81493.PWSteal         File infector    02/07/00
ICQ.82424.PWSteal         File infector    02/07/00
IRCWorm.Jim.A             File infector    02/22/00
Linux.DoS.tfn2k.td        File infector    02/22/00
Linux.DoS.tfn2k.tfn       File infector    02/22/00
Linux.DoS.trinoo.ms       File infector    02/22/00
Linux.DoS.trinoo.ns       File infector    02/22/00
Linux.Dummy               File infector    02/07/00
Linux.Mandragore.666      File infector    02/07/00
Linux.Siilov.5916         File infector    02/07/00
Linux.Vit.4096            File infector    02/07/00
O97M.Shiver.K             File infector    02/10/00
Opera                     File infector    01/24/00
Oscar                     File infector    02/07/00
Pada.Trojan               File infector    02/22/00
PieGates.Demo.Trojan      File infector    01/31/00
PIF.Elsa                  File infector    02/10/00
PIF.Emma                  File infector    02/10/00
Snob.IRCworm              File infector    01/31/00
SoftWar.Trojan            File infector    02/07/00
Solaris.DoS.stacheld.c    File infector    02/22/00
Solaris.DoS.stacheld.m    File infector    02/22/00
Solaris.DoS.stacheld.t    File infector    02/22/00
SubSeven 2.1 server       File infector    02/07/00
Trojan dropper            File infector    02/07/00
Trojan.77254              File infector    01/24/00
Trojan.78609              File infector    01/31/00
Trojan.Amena              File infector    02/07/00
Trojan.Bat.Acid           File infector    02/10/00
Trojan.Boom               File infector    01/31/00
Trojan.Coced              File infector    01/24/00
Trojan.Dripper            File infector    02/07/00
Trojan.FreeGift           File infector    02/07/00
Trojan.Gas                File infector    01/24/00
Trojan.MSREXE.b           File infector    01/24/00
Trojan.XalNaga            File infector    02/10/00
V5M.Radiant.A             File infector    02/07/00
V5M.Unstable.A            File infector    02/07/00
V5M.Vision.A              File infector    02/07/00
VBS.Fool                  File infector    02/22/00
VBS.Illen.B               File infector    01/24/00
VBS.JudgeDay              File infector    02/22/00
VBS.Leebill               File infector    02/22/00
VBS.Network               File infector    02/22/00
W2K.Infis.4608            File infector    02/22/00
W32.Adson.1703            File infector    02/07/00
W32.Bolzano.S             File infector    02/07/00
W32.Buffy.12568.Worm      File infector    02/07/00
W32.Buffy.33280.Worm      File infector    02/07/00
W32.DoS.funtime           File infector    02/22/00
W32.Eclipse.8192          File infector    02/07/00
W32.ExploreZip.D.Worm     File infector    01/24/00
W32.Gloria.2820           File infector    02/07/00
W32.Gloria.2928           File infector    02/07/00
W32.I13.8192.B            File infector    01/24/00
W32.Iced.1344             File infector    02/07/00
W32.Magic.7045.B          File infector    02/07/00
W32.NewApt.E.Worm         File infector    01/31/00
W32.NewApt.F.Worm         File infector    01/31/00
W32.PettyPark.C.Worm      File infector    02/07/00
W32.Plage.Worm            File infector    01/14/00
W32.PrettyPark.D.Worm     File infector    02/22/00
W32.White.Worm            File infector    02/22/00
W32.White.Worm (1)        File infector    02/22/00
W32.Winext.Worm           File infector    01/24/00
W95.Argos.328             File infector    02/07/00
W95.Caw.1457              File infector    01/31/00
W95.Dictator.2304         File infector    02/07/00
W95.DoS.Trinoo            File infector    02/22/00
W95.Enumiacs              File infector    01/24/00
W95.Filth.1030            File infector    01/24/00
W95.Haiku.16384.Worm      File infector    02/10/00
W95.Horn.1862             File infector    01/24/00
W95.Nathan.3476           File infector    02/07/00
W95.Qozah                 File infector    02/07/00
W95.Roma.1256.Int         File infector    02/07/00
W95.SillyWR.B             File infector    02/07/00
W95.SK (com)              File infector    01/31/00
W95.SK (HLP)              File infector    01/31/00
W95.Spaces.1445           File infector    02/07/00
W95.Vood.1590             File infector    02/07/00
W97M.Appder.Z             File infector    02/07/00
W97M.Astia.AF             File infector    02/22/00
W97M.Astia.Variant        File infector    02/22/00
W97M.Class.Ej             File infector    02/07/00
W97M.Cobra.K              File infector    02/07/00
W97M.Cobra.L              File infector    02/10/00
W97M.Gamlet               File infector    02/07/00
W97M.GROOV.C              File infector    02/07/00
W97M.Hubad.A              File infector    02/07/00
W97M.Jedi.G2              File infector    02/22/00
W97M.Jim.A                File infector    02/22/00
W97M.LUPI                 File infector    02/07/00
W97M.Marker.CE            File infector    02/10/00
W97M.Marker.CG            File infector    02/22/00
W97M.Melissa.AL           File infector    01/31/00
W97M.Mxfile.B             File infector    01/24/00
W97M.Myna.C               File infector    01/24/00
W97M.Myna.E               File infector    02/07/00
W97M.Myna.Variant         File infector    02/10/00
W97M.Odious.B             File infector    02/22/00
W97M.Panther.F            File infector    02/22/00
W97M.Panther.Variant      File infector    02/22/00
W97M.Plain.Int            File infector    01/31/00
W97M.Rgade                File infector    01/24/00
W97M.Thus.B               File infector    01/24/00
W97M.Thus.H               File infector    01/31/00
W97M.THUS.J               File infector    02/07/00
W97M.Thus.L               File infector    02/22/00
W97M.THUS.M               File infector    02/22/00
W97M.VMPCK1.DD            File infector    02/07/00
W97M.VMPCK1.DG            File infector    01/24/00
W97M.Wrench.A             File infector    02/10/00
W97M.Wrench.B             File infector    02/22/00
W97M.Wrench.D             File infector    02/22/00
Wafer.1953                File infector    02/22/00
Wafer.1953 (x)            File infector    02/22/00
Win.Klon.11776            File infector    02/10/00
Win.Klon.11776 (2)        File infector    02/10/00
Win.Klon.11776 (3)        File infector    02/10/00
WinSCK.Trojan.B           File infector    02/10/00
WinSCK.Trojan.C           File infector    02/10/00
WM.Npad.EE                File infector    02/07/00
WM.TH.B                   File infector    01/24/00
X97M.Automat.AA           File infector    01/31/00
X97M.DIVI.D               File infector    02/07/00
X97M.Shan                 File infector    02/07/00
XM.Laroux.LZ              File infector    01/31/00
XM.Ueda.C                 File infector    02/22/00
YAI.Trojan                File infector    01/24/00

Name Changes:

Old Virus Name               New Virus Name            Date changed
--------------               --------------            ------------
SubSeven 2.0 server      to  Backdoor.SubSeven2svr     02/07/00
SubSeven 2.0             to  Backdoor.SubSeven2        02/07/00
Trojan.MSREXE.b          to  Backdoor.SubSeven2gld     02/07/00
W32.Passion.27648(2)     to  Backdoor.VHM              01/24/00
W32.PettyPark.C.Worm     to  W32.PrettyPark.C.Worm     02/22/00
W95.Caw                  to  W95.Caw.1416              01/31/00
W97M.Aleja               to  W97M.Aleja.B              01/24/00
W97M.Aleja5              to  W97M.Aleja.A              01/24/00
W97M.Aleja5.B            to  W97M.Aleja.C              01/24/00
W97M.Aleja5.C            to  W97M.Aleja.E              01/24/00
W97M.Aleja5.D            to  W97M.Aleja.I              01/24/00
W97M.Aleja5.E            to  W97M.Aleja.D              01/24/00
W97M.AntiSocial          to  W97M.AntiSocial.A/B       01/24/00
W97M.AntiSocial.F        to  W97M.AntiSocial.F,H       01/24/00
W97M.Appder.O            to  W97M.Appder.S             01/24/00
W97M.Bablas              to  W97M.Bablas.Family        01/24/00
W97M.BADTEMP.A           to  W97M.Smac.B               01/24/00
W97M.Bellingham          to  W97M.Metys.A              01/24/00
W97M.Biolord             to  W97M.Nid.A                01/24/00
W97M.Cali.A              to  W97M.Caligula.A           01/24/00
W97M.Carrier.D           to  W97M.Sin.A.intd           01/24/00
W97M.Cartman.B           to  W97M.VMPCK1.F             01/24/00
W97M.Cartman.C           to  W97M.VMPCK1.T             01/24/00
W97M.Cartman.D           to  W97M.VMPCK1.U             01/24/00
W97M.Cartman.E           to  W97M.VMPCK1.CX            01/24/00
W97M.CHACK.I             to  W97M.Chack.K              01/24/00
W97M.CHACK.J             to  W97M.Chack.AR             01/24/00
W97M.Class.BD            to  W97M.Class.AZ/BD/EA       01/24/00
W97M.Class.BE            to  W97M.Class.AY             01/24/00
W97M.Class.BP            to  W97M.Class.BH             01/24/00
W97M.Class.BT            to  W97M.Class.BV             01/24/00
W97M.Class.D             to  W97M.Jerk.A               01/24/00
W97M.Class.S             to  W97M.Class.I.var          01/24/00
W97M.ColdApe.B           to  W97M.ColdApe.C            01/24/00
W97M.ColdApe.C           to  W97M.ColdApe.B            01/24/00
W97M.CopyTemp.intd       to  W97M.Buendi.A             01/24/00
W97M.Counter.D           to  W97M.Counter.E            01/24/00
W97M.Creeper             to  W97M.Magnetic.A           01/24/00
W97M.Daydream.A          to  W97M.Lys.E                01/24/00
W97M.Derroche            to  W97M.DWMVCK1.F            01/24/00
W97M.Destro              to  W97M.Class.BV(2)          01/24/00
W97M.Drawbridge          to  W97M.Opey.O               01/24/00
W97M.DWMVCK1.C           to  W97M.PassBox.C            01/24/00
W97M.DWMVCK1.F           to  W97M.Ozwer.A              01/24/00
W97M.DWMVCK1.G           to  W97M.VMPCK1.CZ            01/24/00
W97M.DWMVCK1.H           to  W97M.Ozwer.C              01/24/00
W97M.Footprint           to  W97M.Footer.B             01/24/00
W97M.Furby               to  W97M.Class.BA/BB          01/24/00
W97M.Hark.B              to  W97M.Nottice.Y            01/24/00
W97M.India.C             to  W97M.Marker.AB            01/24/00
W97M.IRCJack.A           to  W97M.Story.A              01/24/00
W97M.ITSC                to  W97M.Osm                  01/24/00
W97M.Jedi.G              to  W97M.Jedi.J               01/24/00
W97M.Joy                 to  W97M.Class.W              01/24/00
W97M.JuneFill.A          to  W97M.Marker.BN            01/24/00
W97M.Myna.C              to  W97M.Myna.D               02/07/00
W97M.Passbox.C           to  W97M.Passbox.D            01/24/00
W97M.Passbox.D           to  W97M.Passbox.D(2)         01/24/00
W97M.VMPCK1.F            to  W97M.Remplace.E           01/24/00
WinSKC.Trojan            to  WinSCK.Trojan             02/10/00
WM.AntiNS                to  W97M.Wazzu.DU             02/07/00

Deletions:

Virus Name                Infection Type   Date removed
----------                --------------   ------------
HLLO.13112 (2)            File infector    02/07/00
Oscar                     File infector    01/31/00

**********************************************************************
** Enabling Scanning Features                                       **
**********************************************************************

Several scanning features can be enabled through the use of an INF
configuration file.

For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2,
this configuration file should be called NAVEX15.INF and should be
placed in the directory where NAV is installed
(i.e., C:\Program Files\Norton AntiVirus).

For NAV for Netware version 4.x, the file should be called
NAVEX15.INF and should be placed in the directory where NAV 4.x is
installed (i.e., sys:system\navnlm).

For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS,
NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and
should be placed in the directory where NAV is installed
(i.e., C:\NAV).

If this configuration file does not exist, create one in the
appropriate directory if you want to change the default settings.

To enable a scanning feature for a particular component, one or more
entries need to be added to the configuration file under the correct
section. For each platform there is a corresponding section that is
used in the INF file. Below is a table of section names and
platforms.

Section Name    Platform
------------    --------
NAVW32          Windows 95/98/NT
NAVAP           Windows 95/98/NT Auto-Protect
NAVDX           DOS
NAVNLM          Netware
NAVWIN          Windows 3.1
NAVOS2          OS/2
NAVAIX          AIX
NAVSOL          Solaris

Entries are case insensitive. Below is a description of possible
entries.

1. Files can be excluded from scans by the NAVEX engine.

   To exclude a specific file from the NAVEX engine scan, add an
   entry with the full path and file name. This is case insensitive.
   No wildcards are allowed. To exclude multiple files, add a
   separate entry for each file.

   To exclude a file, add an entry like the one below where is the
   full path and file name.

       ExcludeFile =

2. Files within a directory can be excluded from scans by the NAVEX
   engine.

   To exclude all files within a directory, add an entry with the
   full directory path. This is case insensitive. No wildcards are
   allowed. This does not exclude files located in subdirectories of
   the specified directory. To exclude multiple directories, add a
   separate entry for each directory.

   To exclude a directory, add an entry like the one below where is
   the full path.

       ExcludeDirectory =

The following example of an INF configuration file excludes two
files, NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the Windows
95/98/NT scanner. It excludes the D:\PRIVATE directory from Windows
95/98/NT Auto-Protect.

    [NAVW32]
    ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
    ExcludeFile = C:\TEMP\BIGFILE.DOC

    [NAVAP]
    ExcludeDirectory = D:\PRIVATE

**********************************************************************
** Additional Information                                           **
**********************************************************************

Additional information regarding this virus definitions update can
be found in UPDATE.TXT and TECHNOTE.TXT.
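
Added example, not part of the original Symantec text: a Python audit of a NAVEX15.INF-style file that applies the rules stated under "Enabling Scanning Features" (case-insensitive entries, no wildcards, directory exclusions that do not reach subdirectories) so a reviewer can see what each exclusion actually removes from scanning. The matching logic is an assumption built only from those stated rules, not the NAVEX engine's own parser; the sample file, its wildcard entry and the NAVW95 section name are constructed.

```python
import ntpath

# Section names from the platform table in this document.
KNOWN_SECTIONS = set("NAVW32 NAVAP NAVDX NAVNLM NAVWIN NAVOS2 NAVAIX NAVSOL".split())
EXCLUDE_KEYS = {"excludefile", "excludedirectory"}

def parse_inf(text):
    """Return {SECTION: [(key, value), ...]}; repeated keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit(sections):
    """List entries that will not behave the way their author expects."""
    findings = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            findings.append(f"[{name}]: unknown section name")
        for key, value in entries:
            if key in EXCLUDE_KEYS and any(c in value for c in "*?"):
                findings.append(f"[{name}] {value}: wildcards are not allowed")
    return findings

def is_excluded(sections, section, path):
    """File entries match exactly; directory entries cover direct children only."""
    target = ntpath.normcase(path)               # lower-case, backslash separators
    parent = ntpath.dirname(target).rstrip("\\")
    for key, value in sections.get(section.upper(), []):
        entry = ntpath.normcase(value).rstrip("\\")
        if (key, entry) in (("excludefile", target), ("excludedirectory", parent)):
            return True
    return False

# Constructed sample: the document's example plus two deliberate mistakes.
SAMPLE = r"""[NAVW32]
ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
ExcludeFile = C:\TEMP\BIGFILE.DOC
excludefile = C:\TEMP\*.TMP
[NAVAP]
ExcludeDirectory = D:\PRIVATE
[NAVW95]
"""
```

Running audit(parse_inf(SAMPLE)) reports the wildcard entry and the unrecognised section; is_excluded() shows that D:\PRIVATE\SUB\notes.doc is still scanned by Auto-Protect even though D:\PRIVATE is excluded.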