**********************************************************************
**                                                                  **
** What's New in the NAV Virus Definitions Files       WHATSNEW.TXT **
**                                                                  **
** Symantec AntiVirus Research Center (SARC)       February 1, 2001 **
**                                                                  **
**********************************************************************

This document contains the following topics:

 * Virus Alerts
 * New Technologies
 * Changes Incorporated Into This Update
 * Enabling Scanning Features
 * Additional Information

**********************************************************************
** Virus Alerts                                                     **
**********************************************************************

VBS.LoveLetter, a new worm which has been widespread since May 4th,
is detected by this definition set.

The ten most commonly reported viruses, worldwide:

  1 W32.Navidad
  2 W95.MTX
  3 W32.HLLW.QAZ.A
  4 VBS.Stages.A
  5 VBS.LoveLetter
  6 VBS.Network
  7 Wscript.KakWorm
  8 W32.Funlove.4099
  9 PrettyPark.Worm
 10 Happy99.Worm

**********************************************************************
** New Technologies                                                 **
**********************************************************************

DATE      Technologies Added
----      ------------------
8/19/98   * Excel heuristics which detect and repair new and unknown
            macro viruses in Excel 95 & 97 documents.

9/16/98   * Added repair for encrypted Excel 97 documents.

10/21/98  * Heuristics to detect AOL Password Stealer Trojans.
          * WORD Heuristics improvement to increase detection rate.

12/17/98  * Macro Exclusion Engine to speed up the scanning for Word
            and Excel documents.
          * PowerPoint engine to scan PowerPoint related viruses.
            To enable this technology please read
            "Enabling/Disabling PowerPoint Scanning" section later
            in this document.

02/18/99  * Detection and repair of macro viruses in Word and
            Excel 2000 documents.

05/15/99  * Added repair for PowerPoint viruses.
          * Improved heuristics to detect more WORD 97 related
            viruses.

06/10/99  * Menu repair technology for WORD macro viruses that
            change command bar customizations in NORMAL.DOT.

07/12/99  * Added support for scanning of Ichitaro 8/9 documents.
            (Ichitaro is a Japanese word processing program).

08/19/99  * Added detection and repair for embedded documents inside
            PowerPoint 97.

11/22/99  * Added detection and repair for Trojans embedded in OLE
            files, such as Windows scrap files and MS Office
            documents.
          * Added detection for viruses which infect Microsoft
            Project documents (P98M.Corner.A, for example).

02/10/00  * Added support for scanning of UNIX executables.
          * Added detection for infected Visio documents.

12/18/00  * Added heuristics for 32-bit Windows viruses.
          * Added a script scanner which increases our capabilities
            for detecting script based threats.

**********************************************************************
** Changes Incorporated Into This Virus Definitions Update          **
**********************************************************************

DATE
----
12/21/00  * A memory initialization problem in NAV NLM 4.x products
            was identified in the 12/20/2000 definitions release,
            which included an updated scanning engine. This problem
            has been resolved in definitions dated 12/21/2000 or
            later.

12/29/00  * A false positive for Bloodhound.W32.EP was corrected.

01/04/01  * A false positive for W32.Navidad.16896 was corrected.
          * A false positive for Backdoor.Trojan was corrected.

01/18/01  * Modification to repair of Microsoft Word and Excel files
            for Office 2001.

02/01/01  * A false positive for Backdoor.Trojan was corrected.

New virus definitions (by Virus Name):

Virus Name              Infection Type  Week added
----------              --------------  ----------
BackFont.905            File infector   01/15/01
Backdoor.BO2K.cfg       File infector   01/22/01
Backdoor.NetTerrorist   File infector   01/29/01
Backdoor.SubSeven.213   File infector   01/29/01
Backdoor.SysOCXDLL      File infector   01/22/01
Bat.Pot                 File infector   01/15/01
Burglar.1042            File infector   01/22/01
Burglar.1356            File infector   01/22/01
Burglar.1356 (2)        File infector   01/22/01
Dialer.Trojan           File infector   01/15/01
EICAR Test String (2)   File infector   01/10/01
EICAR Test String (3)   File infector   01/10/01
HTML.Davinia            File infector   01/15/01
HTML.Davinia.dam        File infector   01/15/01
HybrisF                 File infector   01/12/01
IRC.DMSetup.H           File infector   01/10/01
IRC.Menak.Worm          File infector   01/22/01
IRC.XCod                File infector   01/29/01
Invert.CMOS             File infector   01/12/01
Invert.CMOS.ow          File infector   01/12/01
JS.KakWorm.F            File infector   01/29/01
JS.KakWorm.Variant      File infector   01/29/01
LDA.306                 File infector   01/29/01
Linux.Lotek             File infector   01/10/01
Linux.Ramen.Worm        File infector   01/22/01
NatalCom.Trojan         File infector   01/10/01
NatalCom.Trojan (2)     File infector   01/10/01
NatalCom.Trojan (3)     File infector   01/10/01
O97M.Toraja.F           File infector   01/29/01
PHP.Neworld             File infector   01/29/01
PHP.Sysbat              File infector   01/29/01
Pers(b)                 Boot infector   01/29/01
Retoob(b)               Boot infector   01/29/01
VBS.Bunny.Intended      File infector   01/15/01
VBS.DWorld.A            File infector   01/22/01
VBS.DWorld.A(2)         File infector   01/22/01
VBS.DWorld.A.bat        File infector   01/22/01
VBS.DWorld.A.ini        File infector   01/22/01
VBS.DWorld.A.ini(2)     File infector   01/22/01
VBS.Davinia.A           File infector   01/15/01
VBS.Fonts.C             File infector   01/10/01
VBS.Insect.A@mm         File infector   01/15/01
VBS.Legal.A             File infector   01/22/01
VBS.Retnirp             File infector   01/29/01
VBS.Ribas@mm            File infector   01/10/01
Viroped.492             File infector   01/29/01
W2KM.Davinia.A          File infector   01/15/01
W32.Aid                 File infector   01/29/01
W32.Ataxia              File infector   01/29/01
W32.Demiurg.16354       File infector   01/10/01
W32.Demiurg.dr          File infector   01/10/01
W32.Eclypse.A           File infector   01/29/01
W32.Eclypse.B           File infector   01/29/01
W32.Eva.D               File infector   01/22/01
W32.Ginseng             File infector   01/10/01
W32.HLLP.Zori           File infector   01/10/01
W32.HLLW.Dennis         File infector   01/10/01
W32.HLLW.Shorm          File infector   01/29/01
W32.Halen.2596          File infector   01/22/01
W32.Hatred.gen          File infector   01/22/01
W32.Icecubes.Worm.B     File infector   01/10/01
W32.Icecubes.Worm.gen   File infector   01/10/01
W32.Idele.2560          File infector   01/10/01
W32.Poetry              File infector   01/22/01
W32.Rigel               File infector   01/29/01
W32.Roussarc.int        File infector   01/10/01
W32.Spit.C              File infector   01/22/01
W32.Spit.D              File infector   01/29/01
W32.Vicevi.worm         File infector   01/29/01
W32.Voyager.C           File infector   01/10/01
W32.WIT.A               File infector   01/10/01
W32.WIT.B               File infector   01/10/01
W32.XCod@m              File infector   01/29/01
W95.BeeFree             File infector   01/22/01
W95.Etymo               File infector   01/29/01
W95.Examplo             File infector   01/29/01
W95.Iced.1376           File infector   01/29/01
W95.Matrix.817          File infector   01/29/01
W95.Matrix.909          File infector   01/29/01
W95.Repus.128           File infector   01/10/01
W95.Resurrel            File infector   01/10/01
W95.Senti.9269          File infector   01/10/01
W95.Trood.worm          File infector   01/10/01
W95.Xine.Gen            File infector   01/29/01
W95.ZMist               File infector   01/22/01
W97M.Antiv.A            File infector   01/15/01
W97M.Bablas.BG          File infector   01/15/01
W97M.Bablas.BH          File infector   01/22/01
W97M.Bablas.BI          File infector   01/29/01
W97M.Bablas.BJ          File infector   01/22/01
W97M.Bablas.BK          File infector   01/22/01
W97M.Bablas.BL          File infector   01/22/01
W97M.Bablas.BM          File infector   01/29/01
W97M.Bablas.Dam         File infector   01/15/01
W97M.Bobo.E             File infector   01/22/01
W97M.Cobra.M            File infector   01/29/01
W97M.Death.B            File infector   01/15/01
W97M.Erab.A             File infector   01/22/01
W97M.Gesture.B          File infector   01/29/01
W97M.GoodDay.C          File infector   01/10/01
W97M.Intended           File infector   01/22/01
W97M.Invert.B           File infector   01/12/01
W97M.Iseng.B            File infector   01/10/01
W97M.Latenit.A          File infector   01/10/01
W97M.Macroble.D         File infector   01/22/01
W97M.Macroble.E         File infector   01/29/01
W97M.Marker.EK          File infector   01/29/01
W97M.Melissa.W          File infector   01/18/01
W97M.Myna.Y             File infector   01/15/01
W97M.Nagem.E            File infector   01/10/01
W97M.Nagem.E (1)        File infector   01/10/01
W97M.Nagem.F            File infector   01/12/01
W97M.Puyah              File infector   01/29/01
W97M.Remplace.J         File infector   01/15/01
W97M.Shepmah.F          File infector   01/10/01
W97M.Sherlock.D         File infector   01/22/01
W97M.Thus.AZ            File infector   01/22/01
W97M.Thus.CA            File infector   01/10/01
W97M.Thus.CE            File infector   01/15/01
W97M.Thus.CF            File infector   01/22/01
W97M.Thus.CG            File infector   01/22/01
W97M.Titch.G            File infector   01/29/01
W97M.Toy.A              File infector   01/29/01
W97M.VMPCK1.BS          File infector   01/22/01
W97M.Vmpck1.EA          File infector   01/22/01
W97M.Walrus.kit         File infector   01/22/01
W97M.Wrench.H           File infector   01/22/01
W98.Universe.B.Worm     File infector   01/29/01
W98.Universe.Worm       File infector   01/29/01
Win.Klon.12800          File infector   01/12/01
X97M.Demiurg.A          File infector   01/10/01
X97M.Gene.A             File infector   01/22/01
X97M.Laroux.JG          File infector   01/29/01
X97M.Reten.A            File infector   01/10/01
X97M.Sufe.B             File infector   01/12/01
X97M.Sufe.C             File infector   01/15/01
X97M.Vcode.A            File infector   01/29/01
Year 1992               File infector   01/29/01

New virus definitions (by Week added):

Virus Name              Infection Type  Week added
----------              --------------  ----------
Backdoor.NetTerrorist   File infector   01/29/01
Backdoor.SubSeven.213   File infector   01/29/01
IRC.XCod                File infector   01/29/01
JS.KakWorm.F            File infector   01/29/01
JS.KakWorm.Variant      File infector   01/29/01
LDA.306                 File infector   01/29/01
O97M.Toraja.F           File infector   01/29/01
PHP.Neworld             File infector   01/29/01
PHP.Sysbat              File infector   01/29/01
Pers(b)                 Boot infector   01/29/01
Retoob(b)               Boot infector   01/29/01
VBS.Retnirp             File infector   01/29/01
Viroped.492             File infector   01/29/01
W32.Aid                 File infector   01/29/01
W32.Ataxia              File infector   01/29/01
W32.Eclypse.A           File infector   01/29/01
W32.Eclypse.B           File infector   01/29/01
W32.HLLW.Shorm          File infector   01/29/01
W32.Rigel               File infector   01/29/01
W32.Spit.D              File infector   01/29/01
W32.Vicevi.worm         File infector   01/29/01
W32.XCod@m              File infector   01/29/01
W95.Etymo               File infector   01/29/01
W95.Examplo             File infector   01/29/01
W95.Iced.1376           File infector   01/29/01
W95.Matrix.817          File infector   01/29/01
W95.Matrix.909          File infector   01/29/01
W95.Xine.Gen            File infector   01/29/01
W97M.Bablas.BI          File infector   01/29/01
W97M.Bablas.BM          File infector   01/29/01
W97M.Cobra.M            File infector   01/29/01
W97M.Gesture.B          File infector   01/29/01
W97M.Macroble.E         File infector   01/29/01
W97M.Marker.EK          File infector   01/29/01
W97M.Puyah              File infector   01/29/01
W97M.Titch.G            File infector   01/29/01
W97M.Toy.A              File infector   01/29/01
W98.Universe.B.Worm     File infector   01/29/01
W98.Universe.Worm       File infector   01/29/01
X97M.Laroux.JG          File infector   01/29/01
X97M.Vcode.A            File infector   01/29/01
Year 1992               File infector   01/29/01
Backdoor.BO2K.cfg       File infector   01/22/01
Backdoor.SysOCXDLL      File infector   01/22/01
Burglar.1042            File infector   01/22/01
Burglar.1356            File infector   01/22/01
Burglar.1356 (2)        File infector   01/22/01
IRC.Menak.Worm          File infector   01/22/01
Linux.Ramen.Worm        File infector   01/22/01
VBS.DWorld.A            File infector   01/22/01
VBS.DWorld.A(2)         File infector   01/22/01
VBS.DWorld.A.bat        File infector   01/22/01
VBS.DWorld.A.ini        File infector   01/22/01
VBS.DWorld.A.ini(2)     File infector   01/22/01
VBS.Legal.A             File infector   01/22/01
W32.Eva.D               File infector   01/22/01
W32.Halen.2596          File infector   01/22/01
W32.Hatred.gen          File infector   01/22/01
W32.Poetry              File infector   01/22/01
W32.Spit.C              File infector   01/22/01
W95.BeeFree             File infector   01/22/01
W95.ZMist               File infector   01/22/01
W97M.Bablas.BH          File infector   01/22/01
W97M.Bablas.BJ          File infector   01/22/01
W97M.Bablas.BK          File infector   01/22/01
W97M.Bablas.BL          File infector   01/22/01
W97M.Bobo.E             File infector   01/22/01
W97M.Erab.A             File infector   01/22/01
W97M.Intended           File infector   01/22/01
W97M.Macroble.D         File infector   01/22/01
W97M.Sherlock.D         File infector   01/22/01
W97M.Thus.AZ            File infector   01/22/01
W97M.Thus.CF            File infector   01/22/01
W97M.Thus.CG            File infector   01/22/01
W97M.VMPCK1.BS          File infector   01/22/01
W97M.Vmpck1.EA          File infector   01/22/01
W97M.Walrus.kit         File infector   01/22/01
W97M.Wrench.H           File infector   01/22/01
X97M.Gene.A             File infector   01/22/01
W97M.Melissa.W          File infector   01/18/01
BackFont.905            File infector   01/15/01
Bat.Pot                 File infector   01/15/01
Dialer.Trojan           File infector   01/15/01
HTML.Davinia            File infector   01/15/01
HTML.Davinia.dam        File infector   01/15/01
VBS.Bunny.Intended      File infector   01/15/01
VBS.Davinia.A           File infector   01/15/01
VBS.Insect.A@mm         File infector   01/15/01
W2KM.Davinia.A          File infector   01/15/01
W97M.Antiv.A            File infector   01/15/01
W97M.Bablas.BG          File infector   01/15/01
W97M.Bablas.Dam         File infector   01/15/01
W97M.Death.B            File infector   01/15/01
W97M.Myna.Y             File infector   01/15/01
W97M.Remplace.J         File infector   01/15/01
W97M.Thus.CE            File infector   01/15/01
X97M.Sufe.C             File infector   01/15/01
HybrisF                 File infector   01/12/01
Invert.CMOS             File infector   01/12/01
Invert.CMOS.ow          File infector   01/12/01
W97M.Invert.B           File infector   01/12/01
W97M.Nagem.F            File infector   01/12/01
Win.Klon.12800          File infector   01/12/01
X97M.Sufe.B             File infector   01/12/01
EICAR Test String (2)   File infector   01/10/01
EICAR Test String (3)   File infector   01/10/01
IRC.DMSetup.H           File infector   01/10/01
Linux.Lotek             File infector   01/10/01
NatalCom.Trojan         File infector   01/10/01
NatalCom.Trojan (2)     File infector   01/10/01
NatalCom.Trojan (3)     File infector   01/10/01
VBS.Fonts.C             File infector   01/10/01
VBS.Ribas@mm            File infector   01/10/01
W32.Demiurg.16354       File infector   01/10/01
W32.Demiurg.dr          File infector   01/10/01
W32.Ginseng             File infector   01/10/01
W32.HLLP.Zori           File infector   01/10/01
W32.HLLW.Dennis         File infector   01/10/01
W32.Icecubes.Worm.B     File infector   01/10/01
W32.Icecubes.Worm.gen   File infector   01/10/01
W32.Idele.2560          File infector   01/10/01
W32.Roussarc.int        File infector   01/10/01
W32.Voyager.C           File infector   01/10/01
W32.WIT.A               File infector   01/10/01
W32.WIT.B               File infector   01/10/01
W95.Repus.128           File infector   01/10/01
W95.Resurrel            File infector   01/10/01
W95.Senti.9269          File infector   01/10/01
W95.Trood.worm          File infector   01/10/01
W97M.GoodDay.C          File infector   01/10/01
W97M.Iseng.B            File infector   01/10/01
W97M.Latenit.A          File infector   01/10/01
W97M.Nagem.E            File infector   01/10/01
W97M.Nagem.E (1)        File infector   01/10/01
W97M.Shepmah.F          File infector   01/10/01
W97M.Thus.CA            File infector   01/10/01
X97M.Demiurg.A          File infector   01/10/01
X97M.Reten.A            File infector   01/10/01

Name Changes (by Old Virus Name):

Old Virus Name          New Virus Name        Date changed
--------------          --------------        ------------
IRC.DMSetup.G@m      to IRC.DMSetup.G         01/10/01
Mrod.5154            to ILoveDOS.5154         01/29/01
Mrod.5154 (2)        to ILoveDOS.5154 (2)     01/29/01
Mrod.5154 (3)        to ILoveDOS.5154 (3)     01/29/01
Mrod.5154 (4)        to ILoveDOS.5154 (4)     01/29/01
VBS.Fonts            to VBS.Sorry.C           01/15/01
VBS.Fonts.B          to VBS.Sorry.B           01/15/01
VBS.Fonts.C          to VBS.Sorry.D           01/15/01
W32.Demiurg.16354    to W32.Demig.16354       01/22/01
W32.Demiurg.dr       to W32.Demig.dr          01/22/01
W97M.Latenit.A       to W97M.Lateni.A         01/29/01
X97M.Toraja.C        to O97M.Toraja.C         01/10/01

Name Changes (by Date changed):

Old Virus Name          New Virus Name        Date changed
--------------          --------------        ------------
Mrod.5154            to ILoveDOS.5154         01/29/01
Mrod.5154 (2)        to ILoveDOS.5154 (2)     01/29/01
Mrod.5154 (3)        to ILoveDOS.5154 (3)     01/29/01
Mrod.5154 (4)        to ILoveDOS.5154 (4)     01/29/01
W97M.Latenit.A       to W97M.Lateni.A         01/29/01
W32.Demiurg.16354    to W32.Demig.16354       01/22/01
W32.Demiurg.dr       to W32.Demig.dr          01/22/01
VBS.Fonts            to VBS.Sorry.C           01/15/01
VBS.Fonts.B          to VBS.Sorry.B           01/15/01
VBS.Fonts.C          to VBS.Sorry.D           01/15/01
IRC.DMSetup.G@m      to IRC.DMSetup.G         01/10/01
X97M.Toraja.C        to O97M.Toraja.C         01/10/01

Deletions (by Virus Name):

Virus Name              Infection Type  Date removed
----------              --------------  ------------
EICAR Test String.68    File infector   01/10/01
Year 1992               File infector   01/22/01

Deletions (by Date removed):

Virus Name              Infection Type  Date removed
----------              --------------  ------------
Year 1992               File infector   01/22/01
EICAR Test String.68    File infector   01/10/01

**********************************************************************
** Enabling Scanning Features                                       **
**********************************************************************

Several scanning features can be enabled through the use of an INF
configuration file.

For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2, this
configuration file should be called NAVEX15.INF and should be placed
in the directory where NAV is installed
(i.e., C:\Program Files\Norton AntiVirus).

For NAV for Netware version 4.x, the file should be called NAVEX15.INF
and should be placed in the directory where NAV 4.x is installed
(i.e., sys:system\navnlm).

For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS,
NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and
should be placed in the directory where NAV is installed
(i.e., C:\NAV).

If this configuration file does not exist, create one in the
appropriate directory if you want to change the default settings.

To enable a scanning feature for a particular component, one or more
entries need to be added to the configuration file under the correct
section. For each platform there is a corresponding section that is
used in the INF file. Below is a table of section names and platforms.

Section Name    Platform
------------    --------
NAVW32          Windows 95/98/NT
NAVAP           Windows 95/98/NT Auto-Protect
NAVDX           DOS
NAVNLM          Netware
NAVWIN          Windows 3.1
NAVOS2          OS/2
NAVAIX          AIX
NAVSOL          Solaris

Entries are case insensitive. Below is a description of possible
entries.

1. Files can be excluded from scans by the NAVEX engine. To exclude a
   specific file from the NAVEX engine scan, add an entry with the
   full path and file name. This is case insensitive. No wildcards
   are allowed. To exclude multiple files, add a separate entry for
   each file.

   To exclude a file, add an entry like the one below where is the
   full path and file name.

       ExcludeFile =

2. Files within a directory can be excluded from scans by the NAVEX
   engine. To exclude all files within a directory, add an entry with
   the full directory path. This is case insensitive. No wildcards
   are allowed. This does not exclude files located in subdirectories
   of the specified directory. To exclude multiple directories, add a
   separate entry for each directory.

   To exclude a directory, add an entry like the one below where is
   the full path.

       ExcludeDirectory =

The following example of an INF configuration file excludes two files,
NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the Windows 95/98/NT
scanner. It excludes the D:\PRIVATE directory from Windows 95/98/NT
Auto-Protect.

    [NAVW32]
    ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
    ExcludeFile = C:\TEMP\BIGFILE.DOC

    [NAVAP]
    ExcludeDirectory = D:\PRIVATE

**********************************************************************
** Additional Information                                           **
**********************************************************************

Additional information regarding this virus definitions update can be
found in UPDATE.TXT and TECHNOTE.TXT.
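
An added example, not part of the original Symantec document: a small auditor for the INF exclusions described under "Enabling Scanning Features", modelling the stated rules (case-insensitive entries, no wildcards, directory exclusions that do not reach subdirectories). The function names, the case-insensitive handling of section names, and the extra wildcard line in the sample are assumptions made here.

```python
import ntpath

# Section names from the table in "Enabling Scanning Features".
KNOWN_SECTIONS = {"NAVW32", "NAVAP", "NAVDX", "NAVNLM",
                  "NAVWIN", "NAVOS2", "NAVAIX", "NAVSOL"}
KEYS = {"excludefile": "files", "excludedirectory": "dirs"}

def _norm(path):
    # Entries are case insensitive; ntpath keeps Windows semantics on any OS.
    return ntpath.normcase(ntpath.normpath(path.strip()))

def parse_navex_inf(text):
    """Return ({section: {"files": set, "dirs": set}}, [warnings])."""
    rules, warnings, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()  # assumption: case-insensitive
            rules.setdefault(section, {"files": set(), "dirs": set()})
            if section not in KNOWN_SECTIONS:
                warnings.append(f"line {lineno}: unknown section [{section}]")
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        target = KEYS.get(key.lower())
        if section is None or not sep or not value or target is None:
            warnings.append(f"line {lineno}: ignored: {line!r}")
        elif "*" in value or "?" in value:
            # The page states that no wildcards are allowed.
            warnings.append(f"line {lineno}: wildcard not allowed: {value}")
        else:
            rules[section][target].add(_norm(value))
    return rules, warnings

def is_excluded(rules, section, path):
    """True if `path` would be skipped by the NAVEX engine for `section`."""
    sec = rules.get(section.upper(), {"files": set(), "dirs": set()})
    p = _norm(path)
    # A directory entry covers only files directly inside it, not subdirectories.
    return p in sec["files"] or ntpath.dirname(p) in sec["dirs"]

# Constructed sample: the page's example plus one invalid wildcard entry.
SAMPLE_INF = r"""
[NAVW32]
ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
ExcludeFile = C:\TEMP\BIGFILE.DOC
ExcludeFile = C:\TEMP\*.TMP
[NAVAP]
ExcludeDirectory = D:\PRIVATE
"""
RULES, WARNINGS = parse_navex_inf(SAMPLE_INF)
```

Reviewing `RULES` per section shows exactly which paths each scanner component will skip, and `WARNINGS` lists entries that do not follow the documented format.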