21A12.TXT - Description file for 21A12.DEF

AntiVirus Lab, SYMANTEC/Peter Norton Product Group
October 1, 1993

******************************************************************

[The NAV definition update installation instructions are also
available on this disk in French, German, Italian, Swedish, and
Spanish. Please reference the appropriate file.]

Loading New Definitions

To update NAV 2.1 with the new virus definition you have just
received, do the following:

Note: Each definition set completely replaces the current set so
only the latest is required.

From DOS:

 1) At the DOS prompt, type "NAV" then press Enter.
 2) Select the "Cancel" button (ALT-C) to bypass scanning at this
    time.
 3) Select the Definitions menu (ALT-D), then select the "Load from
    file" item (L). You will now see the "Load from file" dialog box.
 4) Place the definition diskette in drive A: (Drive B: where
    applicable).
 5) In the FILE field, type "A:*.DEF" ("B:*.DEF" if applicable) then
    press Enter.
 6) The definition file on the disk should now appear in the "Files"
    box.
 7) Select the "Files" box (ALT-L).
    Note: the filename is normally loaded into the "File" line
    automatically as it is usually the only file available. If this
    is not the case, use the TAB key to highlight the file then
    press the spacebar.
 8) Select "OK" (ALT-O) to load the new definition set.
 9) After loading, press "ESC", exit NAV, and reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

From Windows:

 1) Activate NAV by double-clicking on its icon.
 2) Click on "CANCEL" in the "Scan Drives" window to bypass scanning
    at this time.
 3) From the "Definitions" menu choose "Load from file".
 4) Place the definition diskette in drive A: (Drive B: where
    applicable).
 5) Type "A:*.DEF" ("B:*.DEF" if applicable) in the "File" field,
    then press the Enter key.
 6) The latest definition file should now appear in the "Files" box.
 7) Double-click on the filename inside the "Files" box.
 8) The file should begin to load.
    If not, click the "OK" button to load the new definition set.
 9) After loading, exit NAV, exit Windows, then reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

******************************************************************

Note for users who are not updated through Corporate Channels:

After updating your definitions, if every file is identified as
being infected with "MtE", don't panic. You probably do not have a
virus. Please download the patch file, PTCH1A.ZIP (available through
CompuServe and the Symantec BBS), unzip the file, follow the
instructions included in the readme file, and then load these
definitions again. If you are unable to download this patch file, or
are still experiencing problems after using it, please contact
Symantec Technical Support.

******************************************************************

ARCV.Slim

ARCV.Slim is an encrypted, memory-resident, stealth virus that
infects COM files as they are run or opened. The virus contains the
encrypted strings "I Love You Joanna, Apache.." and "Looking Good
Slimline Joanna" followed by author and copyright information. The
text strings are not displayed. A file can be infected by ARCV.Slim
more than once. Each infection will increase the file size by 900
(911) bytes.

-----

Idiot

This virus is an encrypting, memory-resident EXE file infector.
Idiot targets WIN.COM by overwriting the first 300 bytes. The
following string can be found decrypted in WIN.COM, and encrypted in
other infected files: "You've been caught, you DWI!" Infected files
will grow by approximately 1100 (1051) bytes with the virus located
at the end of the file.

-----

Swiss Phoenix

This virus is a memory-resident COM and EXE infector. It will infect
COMMAND.COM. Once in memory, Swiss Phoenix will infect files when
they are executed or opened. The virus is 1000 (1041) bytes and is
appended to the end of the file.
When an infected file is executed on Friday the 13th, tracks zero
through fourteen of the hard drive will be overwritten with random
data. After the overwrite occurs the string "Phönix" will be
displayed and the system will hang. The string "Phönix" is encrypted
within the body of the virus and will not be apparent. Infected
files can be repaired by NAV.

-----

(Note: File size growth is given in approximate numbers. If a number
is enclosed in parentheses, that number would be the growth of one
of the more common variants. As it is too easy for a virus writer to
alter this number without changing the virus significantly, do not
depend on the more precise number. It is provided for your
confidence should you encounter it, which we hope never happens.)