21A13.TXT - Description file for 21A13.DEF

AntiVirus Lab, SYMANTEC/Peter Norton Product Group
November 1, 1993

******************************************************************

[The NAV definition update installation instructions are also
available on this disk in French, German, Italian, Swedish, and
Spanish. Please reference the appropriate file.]

Loading New Definitions

To update NAV 2.1 with the new virus definition you have just
received, do the following:

Note: Each definition set completely replaces the current set so
only the latest is required.

From DOS:

1)  At the DOS prompt, type "NAV" then press Enter.
2)  Select the "Cancel" button (ALT-C) to bypass scanning at this
    time.
3)  Select the Definitions menu (ALT-D), then select the "Load from
    file" item (L). You will now see the "Load from file" dialog
    box.
4)  Place the definition diskette in drive A: (Drive B: where
    applicable).
5)  In the FILE field, type "A:*.DEF" ("B:*.DEF" if applicable)
    then press Enter.
6)  The definition file on the disk should now appear in the
    "Files" box.
7)  Select the "Files" box (ALT-L).
    Note: the filename is normally loaded into the "File" line
    automatically as it is usually the only file available. If this
    is not the case, use the TAB key to highlight the file then
    press the spacebar.
8)  Select "OK" (ALT-O) to load the new definition set.
9)  After loading, press "ESC", exit NAV, and reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

From Windows:

1)  Activate NAV by double-clicking on its icon.
2)  Click on "CANCEL" in the "Scan Drives" window to bypass
    scanning at this time.
3)  From the "Definitions" menu choose "Load from file".
4)  Place the definition diskette in drive A: (Drive B: where
    applicable).
5)  Type "A:*.DEF" ("B:*.DEF" if applicable) in the "File" field,
    then press the Enter key.
6)  The latest definition file should now appear in the "Files"
    box.
7)  Double-click on the filename inside the "Files" box.
8)  The file should begin to load. If not, click the "OK" button to
    load the new definition set.
9)  After loading, exit NAV, exit Windows, then reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

******************************************************************

Note for users who are not updated through Corporate Channels:

After updating your definitions, if every file is identified as
being infected with "MtE", don't panic. You probably do not have a
virus. Please download the patch file, PTCH1A.ZIP (available
through CompuServe and the Symantec BBS), unzip the file, follow
the instructions included in the readme file, and then load these
definitions again. If you are unable to download this patch file,
or are still experiencing problems after using it, please contact
Symantec Technical Support.

******************************************************************

Future NAV 2.1 definition updates are scheduled for the months of
December 1993, February 1994, May 1994, and August 1994. There will
be one final NAV 2.1 definition update after that.

******************************************************************

In addition to the virus listed below, new strains have been found
for two existing viruses. Improved signatures have been added to
complement the existing NAV 2.1 signatures for Parity Boot and
Swiss Phoenix.

-----

Athens (Trojector)

Athens (Trojector) is an encrypting memory-resident COM and EXE
file infector. Execution of an infected file will place the virus
in memory and infect COMMAND.COM in the root directory of the
current drive. Once in memory, any file that is executed will
become infected. The virus contains the encrypted message
"TROJECTOR ]I[,(c) Armagedon Utilities, Athens 1992, Greetings to
Vesselin". The message is not displayed. Infected files will grow
by approximately 1500 (1561) bytes. However, if the virus is active
in memory this change will not be visible in a directory listing.

-----

(Note: File size growth is given in approximate numbers. If a
number is enclosed in parentheses, that number would be the growth
of one of the more common variants. As it is too easy for a virus
writer to alter this number without changing the virus
significantly, do not depend on the more precise number. It is
provided for your confidence should you encounter it, which we hope
never happens.)
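
The growth figures above can be checked against a known-good baseline. The following is an added example, not part of the original Symantec file or of NAV: it records size and SHA-256 for COM and EXE files and reports any file whose content changed, treating the approximate growth only as a hint, as the note advises. The function names and the 200-byte tolerance are assumptions, and both snapshots are assumed to be taken with the virus not resident in memory (for example after booting from clean media), since the description says a resident copy hides the size change.

```python
import hashlib
from pathlib import Path

EXECUTABLE_SUFFIXES = {".com", ".exe"}  # file types the description says are infected
APPROX_GROWTH = 1500                    # approximate growth quoted in the description
TOLERANCE = 200                         # assumption: slack for variants, not from the page


def snapshot(root):
    """Map each COM/EXE file under root to (size, SHA-256 of its contents)."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            data = path.read_bytes()
            name = path.relative_to(root).as_posix()
            result[name] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(baseline, current):
    """Return (name, growth, verdict) for every executable whose content changed."""
    findings = []
    for name, (old_size, old_hash) in sorted(baseline.items()):
        if name not in current:
            continue  # deleted files are out of scope for this check
        new_size, new_hash = current[name]
        if new_hash == old_hash:
            continue  # unchanged content
        growth = new_size - old_size
        # The hash mismatch is the dependable signal; the size match is only a hint,
        # because the exact growth differs between variants.
        if abs(growth - APPROX_GROWTH) <= TOLERANCE:
            verdict = "modified, growth near reported size"
        else:
            verdict = "modified"
        findings.append((name, growth, verdict))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py CLEAN_COPY_DIR CURRENT_DIR (both paths supplied by the user)
    for finding in compare(snapshot(sys.argv[1]), snapshot(sys.argv[2])):
        print(*finding, sep="\t")
```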