Please note that these updates do not work with Virex v7.0.
Thank you for using Virex, the fastest, most accurate virus detection and repair solution available for the Macintosh. This file contains important information regarding this release. We strongly recommend that you read the entire document.
WHAT'S IN THIS FILE?
- What Is a Virus Update File?
- New Features
- Installation
  - Using eUpdate to Install Virus Update Files
  - Installing Virus Update Files Directly
- Additional Information
  - Autostart Worms
- New Viruses Detected and Removed
- Generic Detection and Cleaning
- Understanding Virus Names
  - Prefix
  - Infix
  - Suffix
- Documentation
- Contacting McAfee and Network Associates
- Copyright and Trademark Attributions
- Trademarks
- License Agreement
WHAT IS A VIRUS UPDATE FILE?
Virus Update files contain up-to-date virus signatures and other information for Virex to use to protect your computer against the thousands of computer viruses in circulation and against the hundreds of new viruses that emerge between updates. Network Associates releases new Virus Update files each month. To protect yourself against these virus threats, download and install the latest Virus Update file every month.
NEW FEATURES
The v4161 engine update includes this enhancement and new feature:
- Support for PDF 5.0 files
  The engine can now detect virus infections in embedded objects within Adobe Acrobat PDF 5.0 files.
INSTALLATION
Network Associates distributes Virus Update files as StuffIt archives. These come in two forms: VX030601.HQX, a BinHexed file, and VX030601.UPD, a straight archive file suitable for use with the eUpdate feature in Virex anti-virus software v6.0 and v6.1.
• USING EUPDATE TO INSTALL VIRUS UPDATE FILES •
If you use the eUpdate feature in the Virex v6.0 or v6.1 software, the software itself will download, extract, and install the Virus Update file. Although this works quite well for individual Macintosh computers, Network Associates recommends a different approach for medium and large networks.
With this method, you use a web browser or FTP client software to download the VX030601.UPD file directly from the Network Associates FTP site. You then post the file to a central server on your network and configure all of your client computers to download the VX030601.UPD file from that central server via FTP or AppleTalk, depending on your preference or your network configuration.
This allows you to control when all updates occur, to reduce network traffic on your servers, to reduce your security risks from outside your network, and to take best advantage of Network Associates server bandwidth. For more details, see the Virex User's Guide stored on the Virex CD or disc image.
• INSTALLING VIRUS UPDATE FILES DIRECTLY •
To install Virus Update files directly on to each of your client Macintosh computers, download the VX030601.HQX file from the Network Associates website or FTP site, then extract the files for installation. To do so, you'll need a copy of StuffIt Expander, StuffIt Lite, or another utility that can read and process files saved in StuffIt format.
You can download the utilities you need from most electronic services. Most browser software also includes a plug-in version of StuffIt Expander that can extract the files automatically, as soon as you download them.
NOTE: If you have Virex anti-virus software v6.0 or v6.1 installed, you can use its eUpdate feature to download and install new Virus Update files automatically. To learn how to do so, see the Virex User's Guide.
To install the Virus Update file, download or copy the compressed file to your Macintosh desktop or to a temporary folder on your hard disk. Next, follow these steps:
1. Start your compression application, then use it to open and extract the Virus Definitions 2003-06-01.sit file. If you have a copy of StuffIt Expander on your desktop, you can simply drag the Virus Definitions file on top of StuffIt Expander to have the file extract automatically.
2. The extracted file will appear on your hard disk with the name Virus Definitions 2003-06-01. Double-click this file to start Virex.
   Virex will ask you to confirm that you want to update your Virus Definitions file.
3. Click Update to continue.
   Virex will tell you when it has finished updating your file.
4. Click OK to return to the Virex application's main window, where you can immediately start a new scan operation.
In the lower left corner of its main window, the Virex application displays the legend Virus Definitions, followed by a date. This date marks the day Network Associates produced or designated this update file for release. For the June 1, 2003 Virus Update, this date is 06/01/03. The specific format of the date shown will depend on how you have your computer set to display dates.
ADDITIONAL INFORMATION
• AUTOSTART WORMS •
If Virex detects an AutoStart worm on your computer, we strongly recommend that you restart your system with extensions disabled, then start a scan operation with the Virex application.
To disable your extensions, press the Shift key on your keyboard as you restart your computer. Continue to hold the Shift key until you see the message Extensions Disabled. This prevents the AutoStart worm from loading into your computer's memory and allows Virex to remove it from your system. If you do not disable your extensions, the worm will load into memory and can continue to spread even after you remove its original files from your system.
As an alternative, follow these steps:
1. Choose Virex Control Panel from the Apple menu to open the control panel window.
2. Click Preferences.
3. Select the General icon at the left of the Preferences dialog box, then choose either First or Alphabetically from the Load Control Panel menu.
4. Select the File Access icon at the left of the Preferences dialog box.
5. Verify that the Scan Files When Opened checkbox is selected.
6. Click Save to save your settings and return to the Virex Control Panel window.
7. Close the Control Panel window, then restart your computer.
Virex will load into your computer's memory first and will remove the worm as it tries to launch at startup.
To prevent the AutoStart worm from reappearing on your computer or infecting other computers, use Virex to scan all disks that you might have used with an infected computer. If you have the Scan Files When Opened option activated in the Virex Control Panel, you can safely mount infected disks for scanning.
If you need to enable additional extensions in order to mount some disk types, you should disable the AutoPlay option in the QuickTime Settings control panel before you restart your computer. Follow these steps:
1. Choose QuickTime Settings from the Apple menu to open the control panel window.
2. Choose AutoPlay from the menu at the top of the control panel window.
3. Verify that the Enable Audio CD AutoPlay and the Enable CD-ROM AutoPlay checkboxes are clear.
4. Close the control panel window.
5. Use Extensions Manager or an extensions manager utility to enable the extensions you need, then restart your computer.
NEW VIRUSES DETECTED AND REMOVED
Hundreds of new viruses and variants appear each month. Those which are detected and cleaned by AVERT's generic methods are added to the total virus count but they are not listed separately here.
• IMPORTANT NOTE •
This Virus Update file functions only with Virex v5.9.0, v6.0 or v6.1. You cannot use this Virus Update file with earlier Virex versions or with Virex 7.0. This Virus Update file detects these 7 new viruses:
A97M/BARAMA
W97M/ETHAN.BAT
W97M/MUMBA
W97M/OPEY.BG.BAT
W97M/STENIC
X97M/NITKRIPT
X97M/TORAJA
GENERIC DETECTION AND CLEANING
AVERT has developed a Generic Detection and Cleaning technique, which means that although our documentation may indicate that the number of new viruses added each release is falling, we are in fact dealing with more viruses and Trojans than ever before. This generic detection is being constantly updated, so users will still need to download regular updates as before.
With the development of the generic techniques in our scanner, we have reached a situation in which the great majority of new macro viruses, script viruses, worms and Trojans are detected and cleaned before we receive the sample and even before they are written.
For example, in January 2001, users of all currently supported engines (4.0.70 or later) have benefited from VBA generic capabilities delivered in the Virex updates. So users of these engines benefit from automatic detection and cleaning of over 90% of new and not yet known macro viruses.
That is why the number of macro viruses added to the monthly updates (reported in the appropriate section of the README.TXT file) has gone down. We want to assure you that AVERT researchers process every single virus that we receive and make sure we detect everything worth detecting.
UNDERSTANDING VIRUS NAMES
Network Associates anti-virus software typically follows industry-wide naming conventions to identify the viruses that it detects and cleans. Occasionally, some virus names deviate from strict industry standards.
The first virus with a given set of characteristics that mark it as a distinctly new entity receives a "family" name. Virus researchers draw the family name from some identifying quirk in the virus--a text string, perhaps, or a payload effect.
Names for variants of that first virus consist of the family name and a suffix--<VIRUS>.A, for example. The suffix designations continue in alphabetical order until they reach .Z. At that point, they begin again with .AA and continue until they reach .AZ. Still later variants receive the suffix .BA through .BZ, and so forth, until the suffix designations reach .ZZ. If yet another variant appears after that, it would get the suffix .AAA.
As new virus strains appeared, industry naming conventions evolved to include more information. Some names, for instance, include parts that identify the platform on which the virus originated or can run. Macro viruses, the most prevalent of the virus types, can have complex names that consist of a number of parts. Although the virus name might identify the platform of origin, most macro viruses are cross-platform and can run in a number of different environments. The effects of a virus infection can vary between platforms, but in a networked environment, what might have no effect on one platform can do severe damage in another.
Among anti-virus vendors, virus names can include:
• PREFIX •
The prefix designates the type of file that the virus infects or the platform on which it can run. Network Associates virus names can include these prefixes:
A97M/   Macro virus. Infects Microsoft Access 97 files
HLL/    File-infector or boot-sector virus. Written in a high-level programming language
HTML/   Script virus. Infects HTML files
IRC/    Internet Relay Chat script virus. This virus type can use early versions of the mIRC client software to distribute a virus or payload
JS/     JavaScript virus or Trojan horse program
O2KM/   Macro virus. Infects Microsoft Office 2000 files
PP97M/  Macro virus. Infects Microsoft PowerPoint 97 files
VBS/    Script virus. Infects Visual Basic scripts
W32/    File-infector or boot-sector virus. Runs in 32-bit Windows environments (Windows 95, Windows 98 or Windows NT)
WIN/    File-infector virus. Runs in 16-bit and 32-bit Windows environments (Windows 3.1x, Windows 95, Windows 98, or Windows NT)
W95/    File-infector or boot-sector virus. Runs in Windows 95 and Windows 98 environments
W97M/   Macro virus. Infects Microsoft Word 97 files
WM/     Macro virus. Infects Microsoft Word 95 files
X97F/   Macro virus. Infects Microsoft Excel 97 via Excel formulas
X97M/   Macro virus. Infects Microsoft Excel 97 files
XF/     Macro virus. Infects Microsoft Excel 95 or 97 via Excel formulas
XM/     Macro virus. Infects Microsoft Excel 95 files
• INFIX •
These designations usually appear in the middle of a virus name. Network Associates assigns these designations, which will differ from industry conventions.
.CMP.   Companion file. This designates a companion file that the virus adds to an existing executable file. Network Associates software deletes the companion file to prevent later infections
.MP.    Multi-partite virus. A Network Associates designation
.OW.    Overwritten. This identifies a file irreparably corrupted when a virus overwrote data within it. This file must be deleted.
• SUFFIX •
These designations usually appear as the last part of a virus name. A virus name can have more than one suffix. One might designate a variant, for example, while others give additional information. Network Associates assigns many of these designations, which can differ from industry conventions.
@MM         Mass mailing distribution. This virus might use standard techniques to propagate itself, but it will also, or in some cases primarily, use an e-mail system to spread
.A to .ZZZ  Virus variant designation
.APP        Appended viruses. This designates a virus that appends its code to the file it infects, but that fails to provide for correct replication. Network Associates software detects these files in order to prevent false virus identifications
.CAV        Cavity virus. This designates a virus that copies itself into "cavities" (areas of all zeroes) in a program file.
.CLI        Client-side component of an Internet Trojan-horse program.
.DAM        Damaged file. This designates a file damaged or corrupted by an infection
.DR         Dropper file. This file introduces the virus into the host program
.GEN        Generic detection. Native routines in Network Associates software detect this virus without using specific code strings
.GR         Generic detection and removal. Native routines in Network Associates software detect and remove this virus without using specific code strings
.INTD       "Intended" virus. This designates a virus that has most of the usual virus characteristics, but cannot replicate correctly. Anti-virus software will detect it in order to prevent false identifications of active viruses
.SVR        Server-side component of an Internet Trojan-horse program.
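The naming scheme above can be applied mechanically when triaging scan reports. The following Python sketch is an added example, not Network Associates code: it splits a detection name into prefix, family, variant and designations, and computes a variant's position in the .A, .Z, .AA, .ZZ, .AAA sequence. The function names, the rule that a listed designation takes precedence over a variant reading, and the sample name W32/EXAMPLE.AA.DR@MM are assumptions made for illustration.

```python
import re

# Designation tables transcribed from the prefix, infix and suffix lists above.
PREFIXES = {"A97M", "HLL", "HTML", "IRC", "JS", "O2KM", "PP97M", "VBS", "W32",
            "WIN", "W95", "W97M", "WM", "X97F", "X97M", "XF", "XM"}
INFIXES = {"CMP": "companion file", "MP": "multi-partite", "OW": "overwritten"}
SUFFIXES = {"APP": "appended", "CAV": "cavity", "CLI": "Trojan client side",
            "DAM": "damaged file", "DR": "dropper", "GEN": "generic detection",
            "GR": "generic detection and removal", "INTD": "intended",
            "SVR": "Trojan server side"}
VARIANT = re.compile(r"[A-Z]{1,3}")  # .A to .ZZZ


def variant_ordinal(letters):
    """Position in the sequence A..Z, AA..AZ, BA..ZZ, AAA.. (A is 1)."""
    n = 0
    for ch in letters.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def parse_name(name):
    """Split a detection name into prefix, family and classified designations."""
    text = name.strip().upper()
    mass_mailer = text.endswith("@MM")
    if mass_mailer:
        text = text[:-3]
    prefix, slash, rest = text.partition("/")
    if not slash:                       # no platform prefix present
        prefix, rest = None, text
    family, *parts = rest.split(".")
    if not family:
        raise ValueError(f"no family name in {name!r}")
    out = {"prefix": prefix, "prefix_listed": prefix in PREFIXES,
           "family": family, "mass_mailer": mass_mailer,
           "infixes": [], "suffixes": [], "variants": [], "unknown": []}
    for part in parts:
        # Assumption: a listed designation wins over a variant reading, since
        # .MP, .OW, .DR, .GR and others also fall inside the .A-.ZZZ range.
        if part in INFIXES:
            out["infixes"].append(part)
        elif part in SUFFIXES:
            out["suffixes"].append(part)
        elif VARIANT.fullmatch(part):
            out["variants"].append(part)
        else:
            out["unknown"].append(part)
    return out


if __name__ == "__main__":
    # First two names are from this update's list; the third is constructed.
    for sample in ("W97M/ETHAN.BAT", "X97M/TORAJA", "W32/EXAMPLE.AA.DR@MM"):
        print(sample, parse_name(sample))
    print([variant_ordinal(v) for v in ("Z", "AA", "AZ", "BA", "ZZ", "AAA")])
```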
DOCUMENTATION
This update includes the following documentation set:
- The Virus Update Read Me file that installs within the Virex folder.
A README.TXT version of the Virus Update Read Me file is available from the McAfee DAT File Updates site. See "Contacting McAfee and Network Associates" for the URL.
(c) 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call +1-972-308-9960.
TRADEMARKS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, CNX, CNX Certification Certified Network Expert and design, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, Enterprise SecureCast, Enterprise SecureCast (in Katakana), Event Orchestrator, EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HomeGuard, Hunter, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, Net Tools, Net Tools (in Katakana), NetCrypto, NetScan, NetShield, NetStalker, Network Associates, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, ReportMagic, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), Stalker, SupportMagic, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
LICENSE AGREEMENT
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF PURCHASE FOR A FULL REFUND.