20a08.TXT - Description file for 20a08.DEF

AntiVirus Lab, SYMANTEC/Peter Norton Product Group
September 01, 1992

******************************************************************

Instructions for Loading Definitions

1) Run Virus Clinic by typing NAV at the DOS prompt.
2) Press to accept the Welcome screen.
3) Press to bypass the "Scan Drives" Screen.
4) Press to pull down the "Definitions" menu.
5) Press to select "Load from File..."
6) If the name of the drive and directory to which you loaded the definition file does not appear on the "Directory:" line, type the proper drive and directory name and press . The name of the definition file should appear in the "Files" window.
7) Enter the name of the definition file and press .
8) Press to exit from the "Load Definition File Results" screen.
9) Press to bring up the "Exit Norton AntiVirus" box.
10) Press to exit the program.
11) Reboot your computer to activate the new definitions.

******************************************************************

Overview:

4870 Overwriting

This is a non-memory resident, overwriting virus targeting both COM & EXE files, including COMMAND.COM. The virus overwrites the first 4870 bytes of the file; thus the name. Infected programs may fail to execute and may cause the system to hang. Since this virus overwrites a portion of the file, it is not possible to repair files infected by 4870 Overwriting.

Athens

Athens is a memory resident virus targeting both COM & EXE files. COMMAND.COM may also get infected. This virus uses what are known as "stealth" techniques to hide itself while it is in memory. Athens operates on files when they are opened or when they are executed. Infected files may change in size by 1,500 (1463) bytes. However, there will be no changes in the files' date and time. Programs infected with Athens may not run properly and may cause the system to hang.

Eight Tunes

The new definition for the Eight Tunes virus is an enhancement to the existing definition. NAV is now able to detect and repair more strains of this virus. Eight Tunes is a memory resident virus targeting both COM and EXE programs. It may also infect COMMAND.COM. Files are infected upon execution while the virus is in memory. Files infected by this virus may change in size by 2000 (1971) bytes. What distinguishes this virus from others is that, while it is in memory, it plays different tunes, which can be very annoying.

Dir-2/Creeping Death:

The new definition for this virus is an enhancement to the existing one. NAV is now capable of detecting and repairing more strains of this virus. This virus does not alter the files on the system in any way. Instead, it copies itself to an unused cluster on the disk (hard or floppy), then redirects all the pointers in the FAT to point to itself. It also encrypts the original files' pointers. When a program is executed, the virus is executed first. After the virus is memory resident, it loads the target file. While the virus is in memory, an attempt to read from or write to a floppy may cause the floppy to become infected.

566

The 566 virus is a memory resident virus targeting EXE files. Infected files may increase in length by 566 bytes; thus the name. The viral code can be found at the end of the infected file. Files infected by 566 can be repaired using NAV.

BloodLust

BloodLust is a non-resident, overwriting virus targeting COM files. Since it is an overwriting virus, repair is not possible for files infected by this virus.

Exodus:

Exodus is a memory resident, boot sector infector. NAV is able to repair systems infected by Exodus.

(Note: File size growth is given in approximate numbers. If a number is enclosed in parentheses, that number would be the growth of one of the more common variants. As it is too easy for a virus writer to alter this number without changing the virus significantly, do not depend on the more precise number. It is provided for your confidence should you encounter it, which we hope never happens.)