What's New in VirusScan for Windows 3.1x v3.1.4 (3011)
Copyright 1994-1997 by McAfee Associates, Inc.
All Rights Reserved.

Thank you for using McAfee's VirusScan for Windows 3.1x. This What's New file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

McAfee welcomes your comments and suggestions. Please use the information provided in this file to contact us.

___________________
WHAT'S IN THIS FILE

- New Features
- Known Issues
- Installation
- Documentation
- Frequently Asked Questions
- Contact McAfee

____________
NEW FEATURES

1. VirusScan detects unknown macro viruses by using heuristic scanning technology. Unknown macro viruses are reported as "PROBABLE MACRO VIRUSES."

2. VirusScan is able to detect and clean macro virus infections in password-protected Microsoft Excel 95 files without disturbing passwords.

3. VirusScan now has the ability to detect macro virus infections in password-protected German, French, Dutch, Italian, and Japanese Microsoft Word 95 (Word 7.0) files.

4. If a password-protected Word 7.0 (Word for Office 95) file is infected by a virus that can plant its own password, VirusScan now cleans the file and removes the password. If a password-protected Word 7.0 (Word for Office 95) file is infected by a virus that cannot plant its own password, VirusScan now cleans the file without disturbing the password.

* NEW VIRUSES DETECTED *

This DAT file, 3011, is compatible with VirusScan's v3.x engines only. This DAT file is not intended for use with VirusScan v2.x products.

This DAT file detects the following 135 new viruses. Locations that have experienced particular problems with specific viruses are also identified.

ALIA
ALLIANCE.C
ALLIANCE.D
ALLIANCE.E
ANXIETY.POPPY    Europe, Internet
APPDER.K
APPDER.L
APPDER.M
APRIL.BOO
BOMB_ACK_TROJAN
CAP.BB
CAP.BC
CAP.BD
CAP.BE
CAP.BF
CAP.BG
CAP.BH
CAP.BI
CAP.BJ
CAP.BK
CAP.BL
CAP.BM
CAP.BN
CAP.BO
CNTV
COLORS.BU
COLORS.BV
COLORS.BW
CREMA.A
DWMVCK1.A
EASY.B
EBOLA
EMT.B
ENFK:KIT
ERASER.S:TW
ETERNITY.566
FROGGIE_TROJAN
GEE_ZEE.464    Pakistan
GOODNIGHT.H
GOODNIGHT.I
HOLIDAY.3000
HORN.A
HYBRID.L
HYBRID.M
INEXIST.A
IRISH.R
IRISH.S
JERM.A    United Kingdom
JOHNNY.P
KILLLUF.A
KILLLUF.B
LAMAH.A:BR
LORD.A    The Netherlands
MARKT.1548
MDMA.AC
MDMA.AD
MG.A
MG.B
MUCK.Y
MUCK.Z
MUCK.AA
MUCK.AB
MUCK.AC
MUCK.AD
MUCK.AE
MUCK.AF
MUCK.AG
MUCK.AH
MUCK.AI
NJ-WMDLK1-INTENDED
NO_VA.A    Brazil
NPAD.DU
NPAD.DV
NPAD.DW
NPAD.DX
NPAD.DY
NPAD.DZ
NPAD.EA
NPAD.EB
NPAD.EC
NPAD.ED
NPAD.EE
NPAD.EF
NPAD.EG
NPAD.EH
NPAD.EI
NPAD.EJ
NPAD.EK
NPAD.EL
NPAD.EM
NPAD.EN
PAYCHECK.H
PITER.529 DROPPER (CORRUPTED)
PLUSHAD.A
RAMSES.A
RAPI.AN2
RAPI.AO
RAPI.AO1
RAPI.AO2
SAILOR.1107/1113
SAVER.B:DE
SCHUMANN.D:DE
SHADOW.A
SHEK_TROJAN
SHOWOFF.CJ
SHOWOFF.CK
SHOWOFF.CL
SPANSKA.4250    Internet
SPYVIR.181
SPYVIR.DROPPER
SWITCHER.I
TAMAGO.A    Brazil, very widespread
TARAZONA.985
TEMPLE.J
TOTEN.B:DE    Germany
TWOLINES.S
TWOLINES.S1
UGUR.1297
UGUR.1320
UKA.A    Indonesia
VENENO.B:ES
WAZZU.DG
WAZZU.DH
WAZZU.DI
WPCB.2793
WPCB.3207
X97M/IMPORT.A    The Netherlands
XM/LAROUX.P
XM/LAROUX.U
XM/LAROUX.V
XM/LAROUX.W    Latvia
XM/LAROUX.AA
XM/LAROUX.AC
XM/NINJA.A    Japan
YAKA.A    Indonesia

* NEW VIRUSES CLEANED *

This DAT file cleans the following 122 new viruses. Locations that have experienced particular problems with specific viruses are also identified.

ALLIANCE.C
ALLIANCE.D
ALLIANCE.E
APPDER.K
APPDER.L
APPDER.M
APRIL.BOO
CAP.BB
CAP.BC
CAP.BD
CAP.BE
CAP.BF
CAP.BG
CAP.BH
CAP.BI
CAP.BJ
CAP.BK
CAP.BL
CAP.BM
CAP.BN
CAP.BO
COLORS.BU
COLORS.BV
COLORS.BW
CREMA.A
DWMVCK1.A
EASY.B
EMT.B
ENFK:KIT
ERASER.S:TW
GEE_ZEE.464
GOODNIGHT.H
GOODNIGHT.I
HOLIDAY.3000
HORN.A
HYBRID.L
HYBRID.M
INEXIST.A
IRISH.R
IRISH.S
JERM.A
JOHNNY.P
KILLLUF.A
KILLLUF.B
LORD.A
MARKT.1548
MDMA.AC
MDMA.AD
MG.A
MG.B
MUCK.Y
MUCK.Z
MUCK.AA
MUCK.AB
MUCK.AC
MUCK.AD
MUCK.AE
MUCK.AF
MUCK.AG
MUCK.AH
MUCK.AI
NJ-WMDLK1-INTENDED
NO_VA.A    Brazil
NPAD.DU
NPAD.DV
NPAD.DW
NPAD.DX
NPAD.DY
NPAD.DZ
NPAD.EA
NPAD.EB
NPAD.EC
NPAD.ED
NPAD.EE
NPAD.EF
NPAD.EG
NPAD.EH
NPAD.EI
NPAD.EJ
NPAD.EK
NPAD.EL
NPAD.EM
NPAD.EN
PAYCHECK.H
PLUSHAD.A
RAMSES.A
RAPI.AN2
RAPI.AO
RAPI.AO1
RAPI.AO2
SAVER.B:DE
SCHUMANN.D:DE
SHADOW.A
SHOWOFF.CJ
SHOWOFF.CK
SHOWOFF.CL
SPANSKA.4250    Internet
SPYVIR.181
SWITCHER.I
TAMAGO.A    Brazil, very widespread
TARAZONA.985
TEMPLE.J
TOTEN.B:DE
TWOLINES.S
TWOLINES.S1
UGUR.1297
UGUR.1320
UKA.A
VENENO.B:ES
WAZZU.DG
WAZZU.DH
WAZZU.DI
WPCB.2793
WPCB.3207
X97M/IMPORT.A
XM/LAROUX.U
XM/LAROUX.V
XM/LAROUX.W
XM/LAROUX.AA
XM/LAROUX.AB
XM/NINJA.A    Japan
YAKA.A

____________
KNOWN ISSUES

1. When creating an Emergency Disk, in some cases, additional drivers must be loaded in order to access a driver-specific hard drive (i.e. a compressed drive). Before modifying the Emergency Disk, please refer to your hard disk documentation for additional information on creating a boot disk.

2. If password protection is set for VShield or any scan task, when an associated program is launched, you will be prompted to verify the password. You must use the mouse to click in the text field to enter the password or click Cancel to exit. Keyboard strokes are not functional. This is a Microsoft issue as stated in Microsoft's Knowledge Base Article ID #Q84133.

3. If Move Infected File is selected on the Actions page, infected files will be moved to the directory specified. If the Windows Copy command fails during this procedure, a zero-byte file size stamp may be left in the destination directory when carrying out the Copy command.

4. The CTRL+C and CTRL+BREAK option to break out of DOS applications in a DOS window is disabled when you install VirusScan. This is to prevent a host of issues that would be caused by CTRL+C and CTRL+BREAK interfering with VShield activity. Consequently, if a DIR command is executed in a DOS window, and then a CTRL+C or a CTRL+BREAK is executed, the DIR display will not be canceled and an incorrect DIR display may result.

5. If VShield detects an infected file that is decompressing in a DOS session and the DOS session is terminated, VShield as well as Pkunzip and any other program being run from the DOS window will be discontinued. Although the VShield icon will still be displayed in the Taskbar, VShield will be disabled. VShield must be re-enabled by restarting Windows to maintain maximum virus protection.

6. If the product is uninstalled while VirusScan (Scan16.exe) or the VirusScan Console (AVConsol.exe) is open, some files may not be removed (i.e. Scan16.exe, Mcscan16.dll, Mcgui16.dll, AVConsol.exe). If you try to delete the McAfee\Viruscan directory before restarting Windows, error messages will appear stating that the files are being used by Windows. Close all VirusScan related programs, excluding VShield, before uninstalling VirusScan.

7. The conversion utility preserves the scan targets but does not preserve the command-line parameters. When custom profiles include command-line parameters, the resulting task (.VSC file) will have one or more invalid scan items that will need to be manually updated. Command-line parameters in scan tasks must be manually added. Pre-existing profiles (.PRF files) will be moved to the target installation directory for reference purposes.

8. When scheduling multiple scan tasks through the VirusScan console, ensure that task schedules do not overlap.
If the schedules overlap, only the first task will be implemented and tasks scheduled thereafter will be ignored.

9. If the AVCONSOLE.INI file is deleted and then recreated upon launching the AV Console, the default Scan16 task will change from "Scan Drive C" and "All Drives" to "VirusScan."

10. If you experience difficulties cleaning infected files with VirusScan for Windows, exit Windows and use SCAN.EXE or SCANPM.EXE, which are included in this product.

____________
INSTALLATION

* INSTALLING THE PRODUCT *

1. Take one of the following steps:
   - If you are installing from diskette or compact disc, insert the VirusScan for Windows 3.1x installation diskette or the CD-ROM.
   - If you are installing from files downloaded from a BBS or the McAfee website, decompress the zipped files into a directory on your local drive or the network.

2. Select Run from the File menu.

3. If you are installing from diskette, type:
      x:\SETUP.EXE
   (where x is the drive that contains the diskette). Click OK.

   If you are installing from compact disc, type:
      x:\win3x\SETUP.EXE
   (where x is the drive that contains the CD-ROM). Click OK.

   If you are installing from downloaded files, type:
      x:\path\SETUP.EXE
   (where x:\path is the location of the files). Click OK.

4. Follow the on-screen installation instructions to complete VirusScan installation.

* PERFORMING A SILENT INSTALLATION *

To perform a "silent" installation of this product, with minimal user interaction and with all default or "Typical" installation settings, add -s (i.e., SETUP.EXE -s) to the setup command when you install the product.

Network administrators can customize the silent installation feature by following these steps:

1. Check the Windows directory to ensure that a file named SETUP.ISS does not already exist. If one does, rename it, back it up, or delete it.

2. Run SETUP.EXE with the -r switch (i.e., SETUP.EXE -r).

3. Select the components you want to install during the silent installation. Your choices will be recorded.

4. Finish the installation.

   Result: A SETUP.ISS file is created in the Windows directory that has your installation options recorded. Use this file to install all product files to the same installation directory on every client machine.

   The .ISS file specifies the installation directory under the [SdSetupType-0] header, szDir parameter, which was recorded in step 3. This overrides the default installation directory on each client machine, which might vary according to operating system. Having the same directory name on every client helps to ease administration in the future; for example, you might assign all client machines the directory C:\ANTIVIRUS.

   Note: If, however, you want to allow SETUP.EXE to determine where to locate the installed files, modify the SETUP.ISS file so that the target machine will disregard the szDir, as follows:

   A. Locate the section [SdSetupType-0] in the SETUP.ISS file and go to the line: Result = xxx. The actual value will most likely be 301, 302, or 303, depending on what options you selected during the ISS file creation process.

   B. Add 100 to this number so that, for example, 301 becomes 401. This tells each target machine to disregard the szDir and assign a directory according to its own particular operating system.

5. Copy the installation files onto a local or mapped drive; then rename, back up, or delete the SETUP.ISS file.

   Note: You cannot perform a silent install from multiple media because the silent operation will be compromised when the install prompts the user for more media.

6. Copy the new SETUP.ISS from the Windows directory to the location of the installation files.

   Note: The file used for the silent installation, SETUP.ISS, is product-specific. For example, you cannot use a SETUP.ISS file created by a VirusScan for Windows 95 installation for a VirusScan for Windows NT installation.

7. Run SETUP.EXE with the -s switch (i.e., SETUP.EXE -s).

   Note: If you do not specify a "recorded" answer for all dialog boxes during the initial installation, the silent installation will fail.

8. When the silent installation is complete, the machine reboots automatically.

* PRIMARY PROGRAM FILES FOR VIRUSSCAN FOR WINDOWS 3.1x *

Files located in the Install directory:
=======================================

1. Installed for VShield/DOS/VirusScan:

   README.1ST = License and registration information
   CLEAN.DAT = Virus clean definition data
   NAMES.DAT = Virus names definition data
   SCAN.DAT = Virus scan definition data
   VALIDATE.EXE = McAfee file validation program
   WCMDR.EXE = Windows Commander program
   MCFDU.EXE = McAfee floppy disk utility (for Zenith machines only)
   PRF2VSC.EXE = Conversion utility program
   CONFIG.EXE = VirusScan configuration program
   SETBROWS.EXE = Set browser program
   INETWH16.DLL = Library files
   INETWH32.DLL = Library files
   MCGUI16.DLL = VirusScan Console library file
   WCMDR.INI = Windows Commander configuration settings
   WCMDRSIL.INI = unInstallShield helper configuration
   DEISL1.ISU = Uninstall file
   PACKING.LST = Packing list
   WHATSNEW.TXT = What's New document
   RESELLER.TXT = McAfee authorized agents

2. Installed for VShield:

   MCKRNL16.DLL = Tools library
   MCUTIL16.DLL = Run-time support library
   CONFIG.EXE = VShield Configuration Manager
   VSHWIN.EXE = VShield on-access engine
   CHKVXD.EXE = VShield virtual device driver checking utility
   UNVSHVXD.EXE = Virtual device driver
   UNVSHVXD.INI = Initialization file
   DEFAULT.VSH = Default VSH settings

3. Installed for DOS:

   EDISK.EXE = Emergency Disk creation utility
   EDISK.SCR = Emergency Disk file
   EDAT.1 = Emergency Disk data file
   EDAT.2 = Emergency Disk data file
   EDAT.3 = Emergency Disk data file
   EDAT.4 = Emergency Disk data file
   EDAT.5 = Emergency Disk data file
   EDAT.6 = Emergency Disk data file
   EMCLEAN.DAT = Emergency Disk virus clean definition data
   EMNAMES.DAT = Emergency Disk virus names definition data
   EMSCAN.DAT = Emergency Disk virus scan definition data
   GETREPLY.EXE = Emergency diskette program component
   SCAN.EXE = MS-DOS scan program
   SCANPM.EXE = Protected mode scanner

4. Installed for VirusScan:

   AVCONSOL.EXE = VirusScan console program
   SCAN16.EXE = VirusScan for Windows 3.1x on-demand scanner
   VIRLST16.EXE = Virus List program
   MCSCAN16.DLL = Library files
   SCAN16.HLP = VirusScan for Windows 3.1x online help
   AVCONSOL.HLP = VirusScan Console online help
   AVCONSOL.INI = VirusScan console configuration file
   DEFAULT.VSC = Default VSC settings
   INETWH16.DLL = Internet library help file
   INETWH32.DLL = Internet library help file

Files located in WINDOWS\SYSTEM directory:
==========================================

1. Installed for VShield/VirusScan:

   CTL3D.DLL = 16-bit 3D Windows controls library (*)
   CTL3DV2.DLL = 32-bit 3D Windows controls library (*)

   (*) File will be installed upon installation of VirusScan if it does not already exist, or if an older version is found.

2. Installed for VShield:

   MCFSHOOK.386 = File system hook
   MCKRNL.386 = Scan engine device driver
   MCSCAN32.386 = Scan engine device driver
   MCUTIL.386 = Utility device driver
   VSHIELD.386 = VShield device driver

* TESTING YOUR INSTALLATION *

The Eicar Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to come up with one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69- or 70-byte file. When VirusScan is applied to this file, it will report finding the EICAR-STANDARD-AV-TEST-FILE virus.

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that their installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so unsuspecting users are not unnecessarily alarmed.

* MANUALLY UNINSTALLING VIRUSSCAN *

McAfee recommends using VirusScan's uninstall program provided. You can access the McAfee Uninstall icon from the McAfee VirusScan program group. If, however, the uninstall program (WCMDR.EXE) is not present on your system, follow the instructions outlined below to manually uninstall VirusScan.

1. Edit the AUTOEXEC.BAT file:

   1. From the File menu, select Run and type SYSEDIT in the space provided. Click Okay.
   2. Remove VirusScan from the path statement. The default path is C:\MCAFEE\VIRUSCAN.

2. In the SYSTEM.INI file, remove the following lines:

   device=MCSCAN32.386
   device=MCUTIL.386
   device=MCKRNL.386
   device=MCFSHOOK.386
   device=VSHIELD.386

3. Remove the following lines from the WIN.INI file:

   1. After LOAD =, remove all references to VirusScan. The default line is C:\MCAFEE\VIRUSCAN\VSHWIN.EXE.
   2. Remove [VIRUSCAN] WSCAN=C:\McAfee\VIRUSCAN\SCAN16.EXE.
   3. Delete VirusScan icons and the McAfee VirusScan program group from Windows in the Program Manager.
   4. Exit Windows and reboot your system.
   5. When Windows comes back up, open the File Manager and delete the McAfee directory.

_____________
DOCUMENTATION

For more information, refer to the User's Guide, included on the CD-ROM versions of this program or available from McAfee's BBS and FTP site. This file is in Adobe Acrobat Portable Document Format (.PDF) and can be viewed using Adobe Acrobat Reader. This form of electronic documentation includes hypertext links and easy navigation to assist you in finding answers to questions about your McAfee product.

Adobe Acrobat Reader is available on CD-ROM in the ACROREAD subdirectory. Adobe Acrobat Reader also can be downloaded from the World Wide Web at:

   http://www.adobe.com/Acrobat/readstep.html

VirusScan documentation can be downloaded from McAfee's BBS or the World Wide Web at:

   http://www.mcafee.com

For more information on viruses and virus prevention, see the McAfee Virus Information Library, included on the CD-ROM version of this product or available from McAfee's BBS and FTP site.

A ViaGraphix Interactive Anti-virus Training program also is available on the CD-ROM version, or can be purchased from the McAfee website.

__________________________
FREQUENTLY ASKED QUESTIONS

Regularly updated lists of frequently asked questions about McAfee products also are available on McAfee's BBS, website, and CompuServe and AOL forums.

Q: I am installing new software and the instructions say that I need to disable my anti-virus software. How do I disable VShield without uninstalling it?

A: Right click on the VShield icon, then click disable. This will disable VShield until you enable it or restart Windows.

Q: What is the Parameters field of the Task Properties page used for?

A: The field is provided to take advantage of command-line parameters for programs other than VirusScan. For example, a NotePad.exe task could be set to open a file by entering the filename (i.e., Whatsnew.txt) in the parameter field.

Q: How can I create an Emergency Disk after VirusScan installation?

A: You can create an Emergency Disk after installation by double-clicking the Emergency Disk Creation Utility icon in your McAfee VirusScan program group.

Q: When I have an infected file, why does the infected counter increase by increments greater than one?

A: The file system will typically access a file more than once. On each access, VirusScan scans the file and detects the infection.

Q: Can I continue to use VirusScan for Windows 3.1x on my system after upgrading to Windows 95?

A: VirusScan for Windows 3.1x can run on a Windows 95 system; however, many key components, including VShield, will not be functional. If you upgrade your system to Windows 95, you should also upgrade your VirusScan software to VirusScan for Windows 95. As a licensed VirusScan user, you can upgrade your software for free. See your license agreement or contact your Network Administrator for details.

Q: Can I update VirusScan's data files to detect new viruses?

A: Yes. If you have Internet access, you can download updated VirusScan data files from the McAfee website, BBS, or other online resources. To download from the McAfee Web Site, follow these steps:

   1. Go to the McAfee website (http://www.mcafee.com).
   2. Select Update DAT File in the left column or frame.
   3. Scroll down and click Download DAT File - FREE to update your virus definition files.
   4. Data file updates are stored in a compressed form to reduce transmission time. Unzip the files into a temporary directory, then copy the files to the appropriate directory, replacing your old files.
   5. Before performing any scans, shut down your computer, wait a few seconds, and turn it on again.

Q: How do I scan compressed files?

A: To scan compressed files with VirusScan: Prior to starting your scan, select Compressed Files from the VirusScan Main Window.

   To scan compressed files with VShield: Open the VShield Configuration Manager, click the Detection tab and click Compressed files.

   VirusScan and VShield are able to scan LZexe and PKLite. Files with *.zip, *.lzh, and other compressed formats are not scanned.

Q: Is VShield TSR still enabled when I am in Windows?

A: No. If VirusScan for Windows 3.1x is installed, the VShield TSR is disabled during Windows sessions.

If you need additional assistance with downloading, contact McAfee Download Support at (408) 988-3832.

______________
CONTACT McAFEE

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact McAfee's Customer Care department:

1. Corporate-licensed customers, call (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

   Retail-licensed customers, call (972) 278-6100
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

2. Fax (408) 970-9727
   24-hour, Group III fax

3. Fax-back automated response system (408) 988-3034
   24-hour fax

Send correspondence to any of the following McAfee locations.

   McAfee Corporate Headquarters
   2805 Bowers Avenue
   Santa Clara, CA 95051-0963

   McAfee Canada
   139 Main Street, Suite 201
   Unionville, Ontario
   Canada L3R 2G6

   McAfee Europe B.V.
   Gatwickstraat 25
   1043 GL Amsterdam
   The Netherlands

   McAfee (UK) Ltd.
   Hayley House, London Road
   Bracknell, Berkshire
   RG12 2TH
   United Kingdom

   McAfee France S.A.
   50 rue de Londres
   75008 Paris
   France

   McAfee Deutschland GmbH
   Industriestrasse 1
   D-82110 Germering
   Germany

   McAfee Japan Co, Ltd.
   Toranomon 33 Mori Bldg.
   3-8-21 Toranomon
   Minato-Ku, Tokyo 105
   Japan

   McAfee Korea
   135-090, 18th Fl., Kyoung Am Bldg.
   157-27 Samsung-Dong, Kangnam-Ku
   Seoul, Korea

   McAfee South East Asia
   7 Temasek Boulevard
   The Penthouse #44-01, Suntec Tower One
   Singapore 038987

   McAfee Australia
   Level 1, 500 Pacific Highway
   St. Leonards, NSW 2065
   Australia

   McAfee Latin America
   150 South Pine Island Road, Suite 205
   Plantation, FL 33324
   USA

Or, you can receive online assistance through any of the following resources:

1. Bulletin Board System: (408) 988-4004
   24-hour US Robotics HST DS
2. Internet e-mail: support@mcafee.com
3. Internet FTP: ftp.mcafee.com
4. World Wide Web: http://www.mcafee.com
5. America Online: keyword MCAFEE
6. CompuServe: GO MCAFEE

Before contacting McAfee, please make note of the following information. When sending correspondence, please include the same details.

- Program name and version number
- Type and brand of your computer, hard drive, and any peripherals
- Operating system type and version
- Network name, operating system, and version
- Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
- Microsoft service pack, where applicable
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where applicable
- Relevant browsers/applications and version number, where applicable
- Problem
- Specific scenario where problem occurs
- Conditions required to reproduce problem
- Statement of whether problem is reproducible on demand
- Your contact information: voice, fax, and e-mail

Other general feedback is also appreciated.

Documentation feedback is welcome. Send e-mail to documentation@cc.mcafee.com.

* FOR ON-SITE TRAINING INFORMATION *

Contact McAfee Customer Service at (800) 338-8754.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use McAfee's products, we have established a Reseller program to provide service, sales, and support for our products worldwide. For a listing of McAfee resellers near you, click Contact McAfee under the Information section on the McAfee website or see the RESELLER.TXT file included with this product.
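
Added example (not part of the original McAfee file): a Python script for the SETUP.ISS edit described in steps A and B under PERFORMING A SILENT INSTALLATION, which adds 100 to the Result value in [SdSetupType-0] only. The function name, the constructed sample file, and the policy of leaving 401-403 unchanged and refusing any other value are assumptions of this example.

```python
import re

SECTION = "[sdsetuptype-0]"   # section named in this file, compared lower-cased
RESULT = re.compile(r"^(\s*Result\s*=\s*)(\d+)(\s*)$", re.IGNORECASE)
RECORDED = {301, 302, 303}    # values this file says to expect after recording
ADJUSTED = {v + 100 for v in RECORDED}   # assumption: file was already edited

# Constructed sample, not a recorded SETUP.ISS. It has Result lines in other
# sections so the edit can be shown to touch [SdSetupType-0] only.
SAMPLE = "\r\n".join([
    "[InstallShield Silent]",
    "Version=v3.00.000",
    "File=Response File",
    "[SdWelcome-0]",
    "Result=1",
    "[SdSetupType-0]",
    r"szDir=C:\ANTIVIRUS",
    "Result=301",
    "[SdFinishReboot-0]",
    "Result=1",
    "BootOption=3",
]) + "\r\n"


def ignore_szdir(iss_text):
    """Return iss_text with Result in [SdSetupType-0] raised by 100.

    Line endings and every other line are preserved byte for byte. A file
    whose value is already 401-403 is returned unchanged; any other value,
    or a missing section or Result line, raises ValueError so that an
    administrator reviews the file by hand.
    """
    lines = iss_text.splitlines(keepends=True)
    in_section = False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if body.strip().startswith("["):
            # A new section header: track whether it is the one we want.
            in_section = body.strip().lower() == SECTION
            continue
        match = RESULT.match(body) if in_section else None
        if not match:
            continue
        value = int(match.group(2))
        if value in ADJUSTED:
            return iss_text
        if value not in RECORDED:
            raise ValueError("unexpected Result value %d" % value)
        lines[i] = "%s%d%s%s" % (match.group(1), value + 100,
                                 match.group(3), eol)
        return "".join(lines)
    raise ValueError("no Result line found under [SdSetupType-0]")


if __name__ == "__main__":
    print(ignore_szdir(SAMPLE))
```

Run it against a copy of the recorded SETUP.ISS and compare the output with the original before placing the file with the installation files.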