********************************************************************** ** ** ** What's New in the NAV Virus Definitions Files WHATSNEW.TXT ** ** ** ** Symantec AntiVirus Research Center (SARC) November 18, 1999 ** ** ** ********************************************************************** This document contains the following topics: * Virus Alerts * New Technologies * Changes Incorporated Into This Update * Enabling/Disabling PowerPoint Scanning * Additional Information ********************************************************************** ** Virus Alerts ** ********************************************************************** The ten most commonly reported viruses, worldwide: 1 W97M.Class 2 XM.Laroux 3 O97M.Tristate 4 W95.CIH 5 Happy99.Worm 6 WM.Cap 7 W97M.ColdApe 8 W97M.Ethan 9 W97M.Melissa 10 Worm.ExploreZip ********************************************************************** ** New Technologies ** ********************************************************************** DATE Technologies Added ---- ------------------ 8/19/98 * Excel heuristics which detect and repair new and unknown macro viruses in Excel 95 & 97 documents. 9/16/98 * Added repair for encrypted Excel 97 documents. 10/21/98 * Heuristics to detect AOL Password Stealer Trojans. * WORD Heuristics improvement to increase detection rate. 12/17/98 * Macro Exclusion Engine to speed up the scanning for Word and Excel documents. * PowerPoint engine to scan PowerPoint related viruses. To enable this technology please read "Enabling/Disabling PowerPoint Scanning" section later in this document. 02/18/99 * Detection and repair of macro viruses in Word and Excel 2000 documents. 05/12/99 * Added repair for PowerPoint viruses. * Improved heuristics to detect more WORD 97 related viruses. 06/10/99 * Menu repair technology for WORD macro viruses that change command bar customizations in NORMAL.DOT. 07/12/99 * Added support for scanning of Ichitaro 8/9 documents. (Ichitaro is a Japanese word processing program). 08/19/99 * Added detection and repair for embedded documents inside PowerPoint 97. ********************************************************************** ** Changes Incorporated Into This Virus Definitions Update ** ********************************************************************** New virus definitions: Virus Name Infection Type Week added ---------- -------------- ---------- Abaddon Trojan File infector 10/12/99 AntiCad.4096 File infector 10/12/99 AOL.Trojan.Click File infector 11/08/99 AOL.Trojan.Click (2) File infector 11/08/99 AOL.Trojan.Click (3) File infector 11/08/99 AOL.Trojan.Click (4) File infector 11/08/99 Backdoor.Subs.1.9 (2) File infector 11/15/99 Backdoor.Subs.1.9 (3) File infector 11/15/99 Backdoor.Subs.1.9 (4) File infector 11/15/99 Backdoor.Subs.1.9 (5) File infector 11/15/99 Backdoor.Subseven.1.9 File infector 11/15/99 BAT.Chantal File infector 10/18/99 Bebe.Dropper File infector 10/12/99 Bebe.Dropper (2) File infector 10/12/99 Best Wishes.1024.A(x) File infector 10/12/99 Best Wishes.1024.A(x2) File infector 10/12/99 Best Wishes.Dropper File infector 10/12/99 Best Wishes.Dropper(2) File infector 10/12/99 Burglar.1150.Dr File infector 10/12/99 Burglar.1150.Dr (2) File infector 10/12/99 Carioca.Dropper File infector 10/12/99 Carioca.Dropper (2) File infector 10/12/99 CVirus.Trojan File infector 11/15/99 DarkAvenger.1745 File infector 10/12/99 DarkAvenger.1745 (2) File infector 10/12/99 DataLock.Dropper File infector 10/12/99 Doom II.1504.B File infector 10/12/99 Doom II.1504.B(2) File infector 10/12/99 Doom II.Dropper File infector 10/12/99 Doom II.Dropper (2) File infector 10/12/99 Falopa.548 File infector 10/12/99 Flip.2365 File and Boot infector 11/15/99 Gill.765 File infector 10/25/99 Grade.956 File infector 11/08/99 Grade.956 (x) File infector 11/08/99 HLLC.5355 File infector 11/15/99 HLLC.5355 (2) File infector 11/15/99 HLLC.5355 (unp) File infector 11/15/99 HLLC.5355 (unp2) File infector 11/15/99 HLLC.Odani.11184 File infector 11/15/99 HLLC.Odani.11184 (2) File infector 11/15/99 HLLO.DPOG.4224 File infector 11/15/99 HLLO.DPOG.4224 (2) File infector 11/15/99 HLLP.10932 File infector 11/15/99 HLLP.21356 File infector 11/15/99 HLLP.21356 (2) File infector 11/15/99 HLLP.Dexter.5296 File infector 11/15/99 HLLP.Dexter.5296 (2) File infector 11/15/99 HLLT.7909 File infector 10/18/99 HLLT.7909(2) File infector 10/18/99 ICQ2000 File infector 11/01/99 ICQPass File infector 11/01/99 Jerusalem.1682 File infector 10/25/99 KVS.1942 File infector 11/01/99 KVS.1942 (x) File infector 11/01/99 Marzia.2048.E File and Boot infector 11/08/99 Marzia.2048.E (2) File and Boot infector 11/08/99 Marzia.2048.E (b) Boot infector 11/08/99 Marzia.2048.E (x) File infector 11/08/99 Marzia.B File and Boot infector 11/08/99 Marzia.C File and Boot infector 11/08/99 Marzia.D File and Boot infector 11/08/99 menem.1372 File infector 11/18/99 Necropolis.Dropper File infector 10/12/99 Necropolis.Dropper(2) File infector 10/12/99 Number 1.12032.B File infector 10/12/99 Number 1.12032.B (2) File infector 10/12/99 O97M.Tristate.R File infector 11/01/99 Overwriter.124 File infector 10/12/99 Overwriter.124 (2) File infector 10/12/99 P98M.Corner.A File infector 11/08/99 RedAlert (b) Boot infector 10/18/99 RingZero.Trojan File infector 10/25/99 Ruff.4859 (G1) File infector 10/18/99 Serb.Dropper File infector 10/12/99 Striker.461 File infector 10/12/99 Striker.461 (2) File infector 10/12/99 SubSeven 2.0 File infector 11/15/99 Suleiman.708 File infector 10/12/99 Suleiman.708 (2) File infector 10/12/99 Terror.1085.B File infector 10/12/99 Terror.1085.B (2) File infector 10/12/99 Time.Y2K File infector 11/15/99 TraceBack.Dropper File infector 10/12/99 TraceBack.Dropper (2) File infector 10/12/99 Trivial.104 File infector 11/15/99 Trivial.115 File infector 11/15/99 Trivial.115 (2) File infector 11/15/99 Trivial.54.d File infector 11/15/99 Trivial.61.c File infector 11/15/99 Trivial.61.c (2) File infector 11/15/99 Trivial.69.b File infector 11/15/99 Trivial.69.b (2) File infector 11/15/99 Trojan.Bugshell File infector 11/15/99 Trojan.Revenge File infector 10/25/99 Trojan.Test2000 File infector 11/15/99 Trojan.Test2000 (2) File infector 11/15/99 Trojan.Test2000 (3) File infector 11/15/99 Trojan.Test2000 (scr) File infector 11/15/99 Trojan.Test2000 (x) File infector 11/15/99 Trojan.Test2000 (x2) File infector 11/15/99 Trojan.Test2000 (x3) File infector 11/15/99 Tumen.1092.Dr File infector 10/12/99 Tumen.1092.Dr (2) File infector 10/12/99 Tumen.1663.Dr File infector 10/12/99 Tumen.1663.Dr (2) File infector 10/12/99 VBasic.C File infector 10/12/99 VBasic.C (2) File infector 10/12/99 VBS.BubbleBoy File infector 11/08/99 VBS.BubbleBoy(2) File infector 11/15/99 VBS.BubbleBoy(3) File infector 11/15/99 VBS.BubbleBoy(4) File infector 11/15/99 VBS.BubbleBoy.B File infector 11/15/99 VBS.BubbleBoy.B(2) File infector 11/15/99 VBS.BubbleBoy.B(3) File infector 11/15/99 VBS.Chantal File infector 10/18/99 VBS.TripleSix File infector 11/01/99 VCL.BEv (2) File infector 11/08/99 VCL.BEv (3) File infector 11/08/99 Vien.Hybryd.Dr File infector 10/12/99 Vien.Hybryd.Dr (2) File infector 10/12/99 Vien.Viol.Dr File infector 10/12/99 Vien.Viol.Dr (2) File infector 10/12/99 Virogen.Asexual (1) File infector 10/12/99 W32.Aldebara File infector 10/25/99 W32.Anap.16384 File infector 10/12/99 W32.Autoworm.3072 File infector 10/12/99 W32.Autoworm.3072 File infector 10/25/99 W32.Azaco.8192.A File infector 10/25/99 W32.Badass.24576 File infector 10/11/99 W32.Badass.24576(2) File infector 10/11/99 W32.Benny.3219 File infector 11/01/99 W32.Bogus.4096 File infector 10/12/99 W32.Bolzano.K (scr) File infector 10/25/99 W32.Bolzano.K (scr2) File infector 10/25/99 W32.Cargo.Int File infector 10/12/99 W32.Drol.5337.A File infector 10/12/99 W32.Drol.5337.B File infector 10/12/99 W32.Esperanto (2) File infector 10/18/99 W32.Eva.4096 File infector 11/08/99 W32.FunLove.4099 File infector 11/08/99 W32.Gift.32768 File infector 11/01/99 W32.Gift.35561 File infector 10/25/99 W32.Haless.1127 File infector 10/12/99 W32.Harrier.G1 File infector 10/12/99 W32.HLLC.Ext File infector 10/12/99 W32.HLLO.XINF.18432 File infector 11/08/99 W32.HLLO.ZMK.50000 File infector 10/12/99 W32.HLLP.Crystal File infector 10/18/99 W32.HLLP.Crystal.B File infector 11/08/99 W32.HLLP.VB.14336.B File infector 10/18/99 W32.HLLP.YAI File infector 10/18/99 W32.Magic.7045.Int File infector 10/12/99 W32.Magic.8192.Int File infector 10/12/99 W32.Morgoth.2560 File infector 11/01/99 W32.Prizm File infector 10/25/99 W32.Sysclock File infector 10/12/99 W95.Companion.4096.A File infector 10/25/99 W95.Companion.4096.D File infector 10/25/99 W95.Dupator.1503 File infector 11/08/99 W95.Fabi.15978 File infector 11/08/99 W95.Fabi.9608 File infector 10/18/99 W95.Jacky.G1 File infector 10/12/99 W95.Molly.725 File infector 10/12/99 W95.Orez.6291 File infector 11/08/99 W95.Poshkill File infector 10/12/99 W95.Regikx.8192 File infector 10/12/99 W95.Regikx.8192.G1 File infector 10/12/99 W95.Rekoj.940 File infector 10/12/99 W95.Rinim.431 File infector 11/01/99 W95.Spaces.1245 File infector 10/12/99 W95.SV.2332 File infector 10/12/99 W95.Tip File infector 11/01/99 W95.Vlades.29696 File infector 10/12/99 W95.Yoyo.651.Int File infector 10/18/99 W97M.Aleja5.B File infector 10/25/99 W97M.AntiSocial.F File infector 11/08/99 W97M.AntiSocial.G File infector 11/08/99 W97M.Arbeit.A File infector 10/12/99 W97M.Astia.Y File infector 11/08/99 W97M.Automat.P File infector 11/01/99 W97M.Automat.Q File infector 11/01/99 W97M.Automat.R File infector 11/08/99 W97M.Automat.T File infector 11/08/99 W97M.Automat.U File infector 11/15/99 W97M.Automat.W File infector 11/15/99 W97M.Bribagi File infector 10/25/99 W97M.Candle File infector 10/18/99 W97M.Cobra.Family File infector 10/12/99 W97M.Combossa.A File infector 10/18/99 W97M.FF File infector 11/15/99 W97M.Groov.E File infector 11/08/99 W97M.IIS.P File infector 11/15/99 W97M.Internal.A File infector 11/15/99 W97M.Melissa.M.var File infector 11/15/99 W97M.Melissa.U File infector 10/18/99 W97M.Melissa.U (Gen1) File infector 10/14/99 W97M.Melissa.V File infector 10/25/99 W97M.Melissa.X File infector 11/08/99 W97M.Melissa.Y File infector 10/25/99 W97M.Melissa.Z File infector 10/25/99 W97M.Meltdown.Troj File infector 11/15/99 W97M.Michael.A File infector 10/12/99 W97M.Panther File infector 10/25/99 W97M.Starsend File infector 11/15/99 W97M.Story File infector 11/01/99 W97M.Taro File infector 10/12/99 W97M.Thus File infector 10/25/99 W97M.Tolose File infector 11/15/99 W97M.VMPCK1.CM File infector 10/25/99 W97M.VMPCK1.CM.DROP File infector 10/25/99 W97M.Wazzu.DL File infector 10/12/99 W97M.Wazzu.DN File infector 10/12/99 W97M.Wazzu.FD File infector 10/12/99 W97M.Wazzu.FP File infector 10/12/99 W97M.Wazzu.HF File infector 10/12/99 W98.Bagamot (gen1) File infector 11/15/99 W98.Bagamot.8192 File infector 11/15/99 W98.Levi.3205 File infector 11/08/99 W98.Yobe.24576 File infector 11/08/99 WM.Attention.A File infector 10/12/99 WM.TH41 File infector 11/08/99 X97M.Base.A File infector 11/15/99 X97M.Laroux.JO File infector 11/08/99 X97M.Laroux.JP File infector 11/08/99 X97M.Laroux.KU File infector 10/12/99 X97M.PTH.variant File infector 10/25/99 X97M.VCX.Variant File infector 10/12/99 XM.Automat.S File infector 11/08/99 XM.Diablos File infector 11/08/99 XM.PTH.variant File infector 10/25/99 Name Changes: Old Virus Name New Virus Name Date changed -------------- -------------- ------------ P97M.Vic.A to PP97M.Vic.A 11/01/99 VCL.BEv to VCL.BEv (1) 11/08/99 W32.Apparition to W32.Apparition.A 10/18/99 W32.Beast.A to W32.Beast.41472 10/18/99 W32.Beast.B to W32.Beast.56230 10/18/99 W32.Bolzano.4096.a/b/c to W32.Bolzano.4096 10/18/99 W32.Bolzano.Dropper to W32.Bolzano.G1 10/18/99 W32.Giri.Dropper to W32.Giri.G1 11/01/99 W32.HLLO.17408 to W32.HLLO.XINF.17408 11/08/99 W32.HLLP.Crystal to W32.HLLP.Crystal.A 11/08/99 W32.Magic.8192.Int to W32.Staro.8192.Int 10/18/99 W32.VB to W32.HLLP.VB.14336.A 10/18/99 W32/W97M.Fabi.15930 to W97M.Fabi.15930 10/18/99 W95.CIH.Killer to W95.CIHKiller 10/18/99 W95.CrazyPunk to Crazypunk 10/18/99 W95.Fabi to W95.Fabi.15930.A 10/18/99 W95.Highway to W32.Highway.A 10/18/99 W95.HLLO.ZMK to W95.HLLO.ZMK.22184 10/18/99 W95.HLLP.Mtv to W32.HLLP.Mtv 11/01/99 W95.Libertine to W95.Libertine.B 10/18/99 W95.Lisa.27136.a to W32.Lisa.27136.A 10/18/99 W95.SAB to W95.Sab.512.B 10/18/99 W97M.Automat.R to W97M.Titch.A 11/15/99 W97M.Fabi.15930 to W97M.Fabi.15930 G1 10/18/99 W97M.LMN.A to W97M.Brenda.A 11/01/99 Win.Apparition.B to W32.Apparition.B 10/18/99 Deletions: Virus Name Infection Type Date removed ---------- -------------- ------------ BW.Snowbird.1272 (1) File infector 11/01/99 BW.Snowbird.1272 (2) File infector 11/01/99 DA.Oliver (Gen1) File infector 10/25/99 Ebone.5824 File infector 10/12/99 HLL.Weed File infector 11/08/99 HLL.Weed(2) File infector 11/08/99 KVS.1942 File infector 10/25/99 LZ File infector 11/01/99 Marzia.2048.E File infector 10/12/99 Marzia.B File and Boot infector 10/12/99 Marzia.C File and Boot infector 10/12/99 Marzia.D File and Boot infector 10/12/99 ONE.3577 File infector 10/12/99 Rush Hour File infector 10/12/99 Silly Willy.2258 File infector 10/12/99 Trojan.Test2000 (x) File infector 11/17/99 Trojan.Test2000 (x2) File infector 11/17/99 Trojan.Test2000 (x3) File infector 11/17/99 VBS.Avm (2) File infector 10/25/99 Virus-90 (d) File infector 10/25/99 W32.Autoworm.3072 File infector 10/13/99 W95.I13.8192 File infector 10/18/99 W95.Roma File infector 09/22/99 ********************************************************************** ** Enabling/Disabling PowerPoint Scanning ** ********************************************************************** PowerPoint Scanning is now enabled by default and can be optionally disabled. However, you may want to verify that files with PowerPoint extensions will be scanned by making sure that your NAV options have both ".PPT" and ".POT" in the list of extensions to scan. To disable PowerPoint scanning in NAV for Windows 95/NT version 4.x or NAV for OS/2, a text file named NAVEX15.INF should be placed in the directory where NAV 4.x or NAV 5.x is installed (i.e., C:\Program Files\Norton AntiVirus). To disable PowerPoint scanning in NAV for Netware version 4.x, a text file named NAVEX15.INF should be placed in the directory where NAV 4.x is installed (i.e., sys:system\navnlm). To disable PowerPoint scanning in NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS, NAVIEG 1.x, or NAVFW 1.x a text file named NAVEX.INF should be placed in the directory where NAV is installed (i.e., C:\NAV). The contents of the text file, NAVEX15.INF or NAVEX.INF, determine which components of NAV have PowerPoint scanning disabled. To disable PowerPoint scanning for a particular component, use the following table to determine the lines to add to the text file. PowerPoint scanning can be disabled for more than one component if needed by adding the required lines for the desired components. +---------------------+--------------------------+--------------------+ |Windows 95/NT scanner|Windows 95/NT auto-protect|DOS scanner | +---------------------+--------------------------+--------------------+ |[NAVW32] |[NAVAP] |[NAVDX] | |PowerPointScanning=0 |PowerPointScanning=0 |PowerPointScanning=0| +---------------------+--------------------------+--------------------+ +----------------------+--------------------+--------------------+ |Windows 3.1 scanner/AP|Netware scanner |OS/2 scanner/AP | +----------------------+--------------------+--------------------+ |[NAVWIN] |[NAVNLM] |[NAVOS2] | |PowerPointScanning=0 |PowerPointScanning=0|PowerPointScanning=0| +----------------------+--------------------+--------------------+ To enable PowerPoint scanning for a component, delete the lines added for that component from the NAVEX15.INF or NAVEX.INF file. ********************************************************************** ** Additional Information ** ********************************************************************** SARC has equipped Norton AntiVirus with a new feature called "Infestation Mode." If a large number of new or unknown viruses is found on the system during a scan, Norton AntiVirus will automatically enable its highest level of detection. This gives users the most comprehensive protection in cases where a viral infestation may have been detected. If you would like to disable this feature, you can do so by following these instructions: 1. Create a text File called NAVEX15.INF in your Norton AntiVirus directory,e.g., C:\Program Files\Norton AntiVirus. If this file already exist go to step two. 2. Place the following lines in this File on the left-hand margin: [NAVW32] infestmode=0 [NAVDX] infestmode=0 3. Save the File. Additional information regarding this virus definitions update can be found in UPDATE.TXT and TECHNOTE.TXT.