********************************************************************** ** ** ** What's New in the NAV Virus Definitions Files WHATSNEW.TXT ** ** ** ** Symantec AntiVirus Research Center (SARC) May 30 ,2000 ** ** ** ********************************************************************** This document contains the following topics: * Virus Alerts * New Technologies * Changes Incorporated Into This Update * Enabling Scanning Features * Additional Information ********************************************************************** ** Virus Alerts ** ********************************************************************** VBS.LoveLetter, a new worm which has been wide-spread since May 4th, is detected by this definitions set. The ten most commonly reported viruses, worldwide: 1 VBS.LoveLetter.A 2 WScript.KakWorm 3 VBS.Network 4 W95.CIH 5 Happy99.Worm 6 Worm.ExploreZip 7 W97M.ColdApe 8 W97M.Ethan 9 W97M.Melissa 10 WM.Cap ********************************************************************** ** New Technologies ** ********************************************************************** DATE Technologies Added ---- ------------------ 8/19/98 * Excel heuristics which detect and repair new and unknown macro viruses in Excel 95 & 97 documents. 9/16/98 * Added repair for encrypted Excel 97 documents. 10/21/98 * Heuristics to detect AOL Password Stealer Trojans. * WORD Heuristics improvement to increase detection rate. 12/17/98 * Macro Exclusion Engine to speed up the scanning for Word and Excel documents. * PowerPoint engine to scan PowerPoint related viruses. To enable this technology please read "Enabling/Disabling PowerPoint Scanning" section later in this document. 02/18/99 * Detection and repair of macro viruses in Word and Excel 2000 documents. 05/15/99 * Added repair for PowerPoint viruses. * Improved heuristics to detect more WORD 97 related viruses. 06/10/99 * Menu repair technology for WORD macro viruses that change command bar customizations in NORMAL.DOT. 07/12/99 * Added support for scanning of Ichitaro 8/9 documents. (Ichitaro is a Japanese word processing program). 08/19/99 * Added detection and repair for embedded documents inside PowerPoint 97. 11/22/99 * Added detection and repair for Trojans embedded in OLE files, such as Windows scrap files and MS Office documents. * Added detection for viruses which infect Microsoft Project documents (P98M.Corner.A, for example). 02/10/00 * Added support for scanning of UNIX executables. * Added detection for infected Visio documents. ********************************************************************** ** Changes Incorporated Into This Virus Definitions Update ** ********************************************************************** New virus definitions: Virus Name Infection Type Week added ---------- -------------- ---------- 911BAT.Worm.B File infector 05/04/00 Backdoor.Asylum File infector 05/09/00 Backdoor.Eclypse File infector 05/04/00 Backdoor.Fantasy File infector 05/04/00 Backdoor.Frenzy File infector 05/09/00 Backdoor.GDoor File infector 05/30/00 Backdoor.Muie File infector 05/09/00 backdoor.netbus.12 File infector 05/09/00 Backdoor.Ping.C File infector 05/04/00 Backdoor.Poly File infector 05/04/00 Backdoor.PolyDrop File infector 05/04/00 Backdoor.Servidor File infector 05/30/00 Backdoor.Wincrash File infector 05/09/00 Bat.Winstart_II.511 File infector 05/30/00 Beard.Trojan File infector 05/04/00 CLRC.554 File infector 05/04/00 ConCon.Trojan File infector 05/15/00 DrZip.512 File infector 05/22/00 FEC(b) Boot infector 05/04/00 FEC.Dropper File infector 05/04/00 GIP.Trojan File infector 05/22/00 ICQ.PWS.Trojan File infector 05/09/00 Intd.Leprosy.TheThing File infector 05/04/00 IRC.Csr.Worm File infector 05/04/00 JPEG.Trojan File infector 05/30/00 Linux.DDoS.MStream File infector 05/22/00 Maze.Trojan File infector 05/30/00 Movie.Pif.Worm.B File infector 05/09/00 Netsphere.Trojan File infector 05/04/00 O97M.CyberNet.A File infector 05/22/00 O97M.Hopper.U File infector 05/04/00 PriceDoc.Trojan File infector 05/30/00 PWS.Hooker.Trojan File infector 05/04/00 PWSteal.LoveLetter File infector 05/04/00 Solaris.DDoS.MStream File infector 05/22/00 Stoned.HM (db) Boot infector 05/09/00 Trojan.Ansibomb File infector 05/30/00 Trojan.Bat.Format.FR File infector 05/09/00 Trojan.Call911 File infector 05/04/00 Trojan.WinDac File infector 05/04/00 Unix.LoveLetter File infector 05/15/00 VBS.CoolNote File infector 05/30/00 VBS.Fireburn.A File infector 05/30/00 VBS.LoveLetter.(HTM) File infector 05/05/00 VBS.LoveLetter.A File infector 05/04/00 VBS.LoveLetter.A(1) File infector 05/05/00 VBS.LoveLetter.B(1) File infector 05/05/00 VBS.LoveLetter.C(1) File infector 05/05/00 VBS.LoveLetter.E File infector 05/08/00 VBS.LoveLetter.E(1) File infector 05/08/00 VBS.LoveLetter.E(2) File infector 05/08/00 VBS.LoveLetter.E(3) File infector 05/08/00 VBS.LoveLetter.F File infector 05/08/00 VBS.LoveLetter.F(1) File infector 05/08/00 VBS.LoveLetter.F(2) File infector 05/08/00 VBS.LoveLetter.F(3) File infector 05/08/00 VBS.LoveLetter.G File infector 05/08/00 VBS.LoveLetter.G(1) File infector 05/08/00 VBS.LoveLetter.G(2) File infector 05/08/00 VBS.LoveLetter.G(3) File infector 05/08/00 VBS.LoveLetter.H File infector 05/08/00 VBS.LoveLetter.I File infector 05/08/00 VBS.LoveLetter.K File infector 05/08/00 VBS.LoveLetter.L File infector 05/08/00 VBS.LoveLetter.M File infector 05/08/00 VBS.LoveLetter.N File infector 05/08/00 VBS.LoveLetter.O File infector 05/08/00 VBS.LoveLetter.P File infector 05/08/00 VBS.LoveLetter.Q File infector 05/08/00 VBS.LoveLetter.R File infector 05/08/00 VBS.LoveLetter.S File infector 05/08/00 VBS.LoveLetter.variant File infector 05/05/00 VBS.Lowjo File infector 05/30/00 VBS.MP3Free.A File infector 05/22/00 VBS.MP3Free.A(2) File infector 05/15/00 VBS.NewLove.A File infector 05/18/00 VBS.Scrambled File infector 05/30/00 VCG.Belka File infector 05/22/00 W32.Android.Worm File infector 05/22/00 W32.Blink.8192 File infector 05/15/00 W32.Cargo.B.Int File infector 05/22/00 W32.Demo.Worm File infector 05/22/00 W32.Dolly.14848.Mirc File infector 05/15/00 W32.Headline.Worm.Int File infector 05/04/00 W32.Hellfire.Mirc File infector 05/22/00 W32.HLLO.ZMK.30030 File infector 05/22/00 W32.HLLP.Cramb File infector 05/04/00 W32.HLLP.Cramb.B File infector 05/22/00 W32.HLLP.Gotem.Int File infector 05/15/00 W32.HLLP.Hetis.34304 File infector 05/04/00 W32.HLLP.This.16896 File infector 05/22/00 W32.Magic.1922 File infector 05/22/00 W32.Mypics.Worm.36352 File infector 05/09/00 W32.PrettyPark.O.Worm File infector 05/04/00 W32.RainSong.3891 File infector 05/15/00 W32.Riccy.A File infector 05/22/00 W32.Riccy.B File infector 05/22/00 W32.Riccy.C File infector 05/22/00 W32.Segax.Gen File infector 05/30/00 W32.Silver.Mirc File infector 05/22/00 W32.Southpark.Worm File infector 05/15/00 W32.Tasmer.46395 File infector 05/15/00 W95.CIH.1103.Int File infector 05/30/00 W95.CIH.1297.Int File infector 05/30/00 W95.Grenp.2804 File infector 05/04/00 W95.Kala.7620 File infector 05/15/00 W95.Sab.753 File infector 05/04/00 W95.Shaitan.3550 File infector 05/22/00 W95.SillyWR.Gen File infector 05/04/00 W95.ZOM File infector 05/22/00 W95.ZOM.Gen File infector 05/30/00 W95.Zomb.432 File infector 05/22/00 W97M.Aquil File infector 05/30/00 W97M.Bablas.W File infector 05/30/00 W97M.Bablas.X File infector 05/30/00 W97M.Balblas.Y File infector 05/30/00 W97M.Blink.8192.A File infector 05/15/00 W97M.Candle.B File infector 05/30/00 W97M.Claud.B File infector 05/30/00 W97M.Claudio.B File infector 05/30/00 W97M.DogHack File infector 05/30/00 W97M.Donkey File infector 05/30/00 W97M.Eight941.G File infector 05/09/00 W97M.Eight941.H File infector 05/09/00 W97M.Eight941.I File infector 05/15/00 W97M.Fly File infector 05/30/00 W97M.Groov.F File infector 05/30/00 W97M.Heels.A File infector 05/15/00 W97M.LCM File infector 05/04/00 W97M.LoveDrop File infector 05/22/00 W97M.Lupi.C File infector 05/04/00 W97M.Marker.BB File infector 05/30/00 W97M.MARKER.CB File infector 05/09/00 W97M.Marker.CR File infector 05/09/00 W97M.MARKER.CS File infector 05/15/00 W97M.Marker.CT File infector 05/22/00 W97M.Marker.CU File infector 05/30/00 W97M.Marker.Intend File infector 05/30/00 W97M.Marker.S File infector 05/22/00 W97M.Melissa.BG File infector 05/26/00 W97M.Opey.D File infector 05/30/00 W97M.OutlookWorm.Gen File infector 05/26/00 W97M.Shab File infector 05/09/00 W97M.Shining.A File infector 05/15/00 W97M.Sprite File infector 05/22/00 W97M.Stand File infector 05/30/00 W97M.Thus.T File infector 05/04/00 W97M.Thus.U File infector 05/04/00 W97M.Thus.V File infector 05/22/00 W97M.Thus.W File infector 05/30/00 W97M.Ucase File infector 05/09/00 W97M.Verlor (dropped) File infector 05/30/00 W97M.VMPCK1.DH File infector 05/04/00 W97M.VMPCK1.DJ File infector 05/09/00 W97M.Vortex File infector 05/30/00 W97M.XYZ.A File infector 05/04/00 Winfig.Trojan File infector 05/04/00 X97M.Automat.AH File infector 05/04/00 X97M.Automat.AJ File infector 05/15/00 X97M.Automat.AK File infector 05/15/00 X97M.Automat.AM File infector 05/22/00 X97M.Divi.G File infector 05/30/00 X97M.Laroux.KV File infector 05/26/00 X97M.Laroux.KW File infector 05/30/00 X97M.OutlookWorm.Gen File infector 05/26/00 XM.Automat.AI File infector 05/09/00 XM.Automat.AL File infector 05/15/00 Zhit.1654 File infector 05/04/00 Zombie.3592 File infector 05/22/00 Name Changes: Old Virus Name New Virus Name Date changed -------------- -------------- ------------ Backdoor.Psychward.b to Backdoor.Psychward 05/15/00 VBS.NewLove.A2(gen 1) to VBS.NewLove.A2(Gen 1) 05/22/00 W32.Inrar.B to W32.Inrar.Gen 05/30/00 W32.Magic.7045.B to W32.Magic.7045.Gen 05/22/00 Deletions: Virus Name Infection Type Date removed ---------- -------------- ------------ Joshi Dropper Boot infector 05/04/00 Narcosis (d) File infector 05/04/00 X97M.Automat.AJ File infector 05/22/00 XM.Automat.AL File infector 05/22/00 ********************************************************************** ** Enabling Scanning Features ** ********************************************************************** Several scanning features can be enabled through the use of an INF configuration file. For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2, this configuration file should be called NAVEX15.INF and should be placed in the directory where NAV is installed (i.e., C:\Program Files\Norton AntiVirus). For NAV for Netware version 4.x, the file should be called NAVEX15.INF and should be placed in the directory where NAV 4.x is installed (i.e., sys:system\navnlm). For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS, NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and should be placed in the directory where NAV is installed (i.e., C:\NAV). If this configuration file does not exist, create one in the appropriate directory if you want to change the default settings. To enable a scanning feature for a particular component, one or more entries need to be added to the configuration file under the correct section. For each platform there is a corresponding section that is used in the INF file. Below is a table of section names and platforms. Section Name Platform ------------ -------- NAVW32 Windows 95/98/NT NAVAP Windows 95/98/NT Auto-Protect NAVDX DOS NAVNLM Netware NAVWIN Windows 3.1 NAVOS2 OS/2 NAVAIX AIX NAVSOL Solaris Entries are case insensitive. Below is a description of possible entries. 1. Files can be excluded from scans by the NAVEX engine. To exclude a specific file from the NAVEX engine scan, add an entry with the full path and file name. This is case insensitive. No wildcards are allowed. To exclude multiple files, add a separate entry for each file. To exclude a file, add an entry like the one below where is the full path and file name. ExcludeFile = 2. Files within a directory can be excluded from scans by the NAVEX engine. To exclude all files within a directory, add an entry with the full directory path. This is case insensitive. No wildcards are allowed. This does not exclude files located in subdirectories of the specified directory. To exclude multiple directories, add a separate entry for each directory. To exclude a directory, add an entry like the one below where is the full path. ExcludeDirectory = The following example of an INF configuration file excludes two files, NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the Windows 95/98/NT scanner. It excludes the D:\PRIVATE directory from Windows 95/98/NT Auto-Protect. [NAVW32] ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE ExcludeFile = C:\TEMP\BIGFILE.DOC [NAVAP] ExcludeDirectory = D:\PRIVATE ********************************************************************** ** Additional Information ** ********************************************************************** Additional information regarding this virus definitions update can be found in UPDATE.TXT and TECHNOTE.TXT.