********************************************************************** ** ** ** What's New in the NAV Virus Definitions Files WHATSNEW.TXT ** ** ** ** Symantec AntiVirus Research Center (SARC) January 31, 2000 ** ** ** ********************************************************************** This document contains the following topics: * Virus Alerts * New Technologies * Changes Incorporated Into This Update * Enabling/Disabling PowerPoint Scanning * Additional Information ********************************************************************** ** Virus Alerts ** ********************************************************************** The ten most commonly reported viruses, worldwide: 1 W97M.Class 2 XM.Laroux 3 O97M.Tristate 4 W95.CIH 5 Happy99.Worm 6 WM.Cap 7 W97M.ColdApe 8 W97M.Ethan 9 W97M.Melissa 10 Worm.ExploreZip ********************************************************************** ** New Technologies ** ********************************************************************** DATE Technologies Added ---- ------------------ 8/19/98 * Excel heuristics which detect and repair new and unknown macro viruses in Excel 95 & 97 documents. 9/16/98 * Added repair for encrypted Excel 97 documents. 10/21/98 * Heuristics to detect AOL Password Stealer Trojans. * WORD Heuristics improvement to increase detection rate. 12/17/98 * Macro Exclusion Engine to speed up the scanning for Word and Excel documents. * PowerPoint engine to scan PowerPoint related viruses. To enable this technology please read "Enabling/Disabling PowerPoint Scanning" section later in this document. 02/18/99 * Detection and repair of macro viruses in Word and Excel 2000 documents. 05/12/99 * Added repair for PowerPoint viruses. * Improved heuristics to detect more WORD 97 related viruses. 06/10/99 * Menu repair technology for WORD macro viruses that change command bar customizations in NORMAL.DOT. 07/12/99 * Added support for scanning of Ichitaro 8/9 documents. (Ichitaro is a Japanese word processing program). 08/19/99 * Added detection and repair for embedded documents inside PowerPoint 97. 11/22/99 * Added detection and repair for Trojans embedded in OLE files, such as Windows scrap files and MS Office documents. * Added detection for viruses which infect Microsoft Project documents (P98M.Corner.A, for example). ********************************************************************** ** Changes Incorporated Into This Virus Definitions Update ** ********************************************************************** New virus definitions: Virus Name Infection Type Week added ---------- -------------- ---------- AOL 79316.Trojan File infector 01/24/00 Backdoor.Netget.A File infector 01/03/00 Backdoor.Sockets23 File infector 01/24/00 Backdoor.TheThing-1.2 File infector 01/31/00 Bloodhound.W32 File infector 01/15/00 Deltree Trojan #5 File infector 01/31/00 Divine.Trojan File infector 01/31/00 DMsetup242.IRC.Trojan File infector 01/15/00 DonaldD.Trojan.a File infector 01/15/00 Eek (b) Boot infector 01/31/00 Hellfire File infector 01/10/00 Hellfire (2) File infector 01/10/00 Hellfire (3) File infector 01/10/00 HLP.Demo File infector 01/31/00 I-Worm.NewApt.c File infector 01/10/00 Kill98.Trojan File infector 01/03/00 Marzia.2048.ww.c File and boot infector 01/03/00 Marzia.2048.ww.c (2) File and boot infector 01/03/00 Marzia.2048.ww.c (b) File and boot infector 01/03/00 Opera File infector 01/24/00 Orifice.dr File infector 01/03/00 PieGates.Demo.Trojan File infector 01/31/00 Snob.IRCworm File infector 01/31/00 Trojan.77254 File infector 01/24/00 Trojan.78609 File infector 01/31/00 Trojan.Boom File infector 01/31/00 Trojan.Coced File infector 01/24/00 Trojan.Gas File infector 01/24/00 Trojan.MSREXE.b File infector 01/24/00 Trojan.MSREXE.b File infector 01/31/00 Trojan.Skism.a File infector 01/10/00 Trojan.Watcher File infector 01/03/00 VBS.Illen.B File infector 01/24/00 VBS.Lucky File infector 01/03/00 VBS.Mix.1852.A File infector 01/03/00 Vienna.457 File infector 01/15/00 W2K.Installer.1676 File infector 01/10/00 W2K.Installer.1688 File infector 01/10/00 W32.Cabanas (gen1) File infector 01/10/00 W32.Crypto File infector 01/03/00 W32.ExploreZip.D.Worm File infector 01/24/00 W32.I13.8192.B File infector 01/24/00 W32.IhSix.3048 File infector 01/03/00 W32.IhSix.Wsock File infector 01/03/00 W32.Legacy File infector 01/03/00 W32.Mix.1852 File infector 01/03/00 W32.Mix.1852.dr File infector 01/03/00 W32.NewApt.C2.Worm File infector 01/10/00 W32.NewApt.D.Worm File infector 01/10/00 W32.NewApt.E.Worm File infector 01/31/00 W32.NewApt.F.Worm File infector 01/31/00 W32.Plage.Worm File infector 01/14/00 W32.Resure.29696 File infector 01/10/00 W32.Stupid.B File infector 01/03/00 W32.Winext.Worm File infector 01/24/00 W95.Caw.1457 File infector 01/31/00 W95.CIH (int) File infector 01/10/00 W95.Enumiacs File infector 01/24/00 W95.Fiasko.2500 File infector 01/10/00 W95.Filth.1030 File infector 01/24/00 W95.Horn.1862 File infector 01/24/00 W95.I13.8192 File infector 01/10/00 W95.Mmort.1340 File infector 01/10/00 W95.Murkry.399 File infector 01/03/00 W95.Nathan.3792 File infector 01/10/00 W95.SK File infector 01/03/00 W95.SK (com) File infector 01/31/00 W95.SK (HLP) File infector 01/31/00 W95.Spawn.4608 File infector 01/10/00 W95.WG.12288 File infector 01/03/00 W97M.Armagid.A File infector 01/03/00 W97M.Astia.Z File infector 01/10/00 W97M.Drawbridge File infector 01/15/00 W97M.Figura.A File infector 01/10/00 W97M.JuneFill.A File infector 01/10/00 W97M.Melissa.AL File infector 01/31/00 W97M.Mxfile.B File infector 01/24/00 W97M.Myna.C File infector 01/24/00 W97M.Opey.M File infector 01/03/00 W97M.Patricia.A File infector 01/15/00 W97M.Plain.Int File infector 01/31/00 W97M.Pull.A File infector 01/10/00 W97M.Rgade File infector 01/24/00 W97M.Shepmah File infector 01/10/00 W97M.Thus.B File infector 01/24/00 W97M.Thus.F File infector 01/10/00 W97M.Thus.G File infector 01/15/00 W97M.Thus.H File infector 01/31/00 W97M.VMPCK1.DF File infector 01/15/00 W97M.VMPCK1.DG File infector 01/24/00 WinSKC.Trojan File infector 01/10/00 WM.TH.A File infector 01/15/00 WM.TH.B File infector 01/24/00 X97M.Automat.AA File infector 01/31/00 XM.Laroux.LZ File infector 01/31/00 YAI.Trojan File infector 01/24/00 Zelu File infector 01/03/00 Name Changes: Old Virus Name New Virus Name Date changed -------------- -------------- ------------ W32.Passion.27648(2) to Backdoor.VHM 01/24/00 W32.Stupid to W32.Stupid.A 01/03/00 W95.Caw to W95.Caw.1416 01/31/00 W95.Nathan to W95.Nathan.3520 01/10/00 W97M.Aleja to W97M.Aleja.B 01/24/00 W97M.Aleja5 to W97M.Aleja.A 01/24/00 W97M.Aleja5.B to W97M.Aleja.C 01/24/00 W97M.Aleja5.C to W97M.Aleja.E 01/24/00 W97M.Aleja5.D to W97M.Aleja.I 01/24/00 W97M.Aleja5.E to W97M.Aleja.D 01/24/00 W97M.AntiSocial to W97M.AntiSocial.A/B 01/24/00 W97M.AntiSocial.F to W97M.AntiSocial.F,H 01/24/00 W97M.Appder.O to W97M.Appder.S 01/24/00 W97M.Bablas to W97M.Bablas.Family 01/24/00 W97M.BADTEMP.A to W97M.Smac.B 01/24/00 W97M.Bellingham to W97M.Metys.A 01/24/00 W97M.Biolord to W97M.Nid.A 01/24/00 W97M.Cali.A to W97M.Caligula.A 01/24/00 W97M.Carrier.D to W97M.Sin.A.intd 01/24/00 W97M.Cartman.B to W97M.VMPCK1.F 01/24/00 W97M.Cartman.C to W97M.VMPCK1.T 01/24/00 W97M.Cartman.D to W97M.VMPCK1.U 01/24/00 W97M.Cartman.E to W97M.VMPCK1.CX 01/24/00 W97M.CHACK.I to W97M.Chack.K 01/24/00 W97M.CHACK.J to W97M.Chack.AR 01/24/00 W97M.Class.BD to W97M.Class.AZ/BD/EA 01/24/00 W97M.Class.BE to W97M.Class.AY 01/24/00 W97M.Class.BP to W97M.Class.BH 01/24/00 W97M.Class.BT to W97M.Class.BV 01/24/00 W97M.Class.D to W97M.Jerk.A 01/24/00 W97M.Class.S to W97M.Class.I.var 01/24/00 W97M.ColdApe.B to W97M.ColdApe.C 01/24/00 W97M.ColdApe.C to W97M.ColdApe.B 01/24/00 W97M.CopyTemp.intd to W97M.Buendi.A 01/24/00 W97M.Counter.D to W97M.Counter.E 01/24/00 W97M.Creeper to W97M.Magnetic.A 01/24/00 W97M.Daydream.A to W97M.Lys.E 01/24/00 W97M.Derroche to W97M.DWMVCK1.F 01/24/00 W97M.Destro to W97M.Class.BV(2) 01/24/00 W97M.Drawbridge to W97M.Opey.O 01/24/00 W97M.DWMVCK1.C to W97M.PassBox.C 01/24/00 W97M.DWMVCK1.F to W97M.Ozwer.A 01/24/00 W97M.DWMVCK1.G to W97M.VMPCK1.CZ 01/24/00 W97M.DWMVCK1.H to W97M.Ozwer.C 01/24/00 W97M.Footprint to W97M.Footer.B 01/24/00 W97M.Furby to W97M.Class.BA/BB 01/24/00 W97M.Hark.B to W97M.Nottice.Y 01/24/00 W97M.India.C to W97M.Marker.AB 01/24/00 W97M.IRCJack.A to W97M.Story.A 01/24/00 W97M.ITSC to W97M.Osm 01/24/00 W97M.Jedi.G to W97M.Jedi.J 01/24/00 W97M.Joy to W97M.Class.W 01/24/00 W97M.JuneFill.A to W97M.Marker.BN 01/24/00 W97M.Passbox.C to W97M.Passbox.D 01/24/00 W97M.Passbox.D to W97M.Passbox.D(2) 01/24/00 W97M.VMPCK1.F to W97M.Remplace.E 01/24/00 Deletions: Virus Name Infection Type Date removed ---------- -------------- ------------ Oscar File infector 01/31/00 ********************************************************************** ** Enabling/Disabling PowerPoint Scanning ** ********************************************************************** PowerPoint Scanning is now enabled by default and can be optionally disabled. However, you may want to verify that files with PowerPoint extensions will be scanned by making sure that your NAV options have both ".PPT" and ".POT" in the list of extensions to scan. To disable PowerPoint scanning in NAV for Windows 95/NT version 4.x or NAV for OS/2, a text file named NAVEX15.INF should be placed in the directory where NAV 4.x or NAV 5.x is installed (i.e., C:\Program Files\Norton AntiVirus). To disable PowerPoint scanning in NAV for Netware version 4.x, a text file named NAVEX15.INF should be placed in the directory where NAV 4.x is installed (i.e., sys:system\navnlm). To disable PowerPoint scanning in NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS, NAVIEG 1.x, or NAVFW 1.x a text file named NAVEX.INF should be placed in the directory where NAV is installed (i.e., C:\NAV). The contents of the text file, NAVEX15.INF or NAVEX.INF, determine which components of NAV have PowerPoint scanning disabled. To disable PowerPoint scanning for a particular component, use the following table to determine the lines to add to the text file. PowerPoint scanning can be disabled for more than one component if needed by adding the required lines for the desired components. +---------------------+--------------------------+--------------------+ |Windows 95/NT scanner|Windows 95/NT auto-protect|DOS scanner | +---------------------+--------------------------+--------------------+ |[NAVW32] |[NAVAP] |[NAVDX] | |PowerPointScanning=0 |PowerPointScanning=0 |PowerPointScanning=0| +---------------------+--------------------------+--------------------+ +----------------------+--------------------+--------------------+ |Windows 3.1 scanner/AP|Netware scanner |OS/2 scanner/AP | +----------------------+--------------------+--------------------+ |[NAVWIN] |[NAVNLM] |[NAVOS2] | |PowerPointScanning=0 |PowerPointScanning=0|PowerPointScanning=0| +----------------------+--------------------+--------------------+ To enable PowerPoint scanning for a component, delete the lines added for that component from the NAVEX15.INF or NAVEX.INF file. ********************************************************************** ** Additional Information ** ********************************************************************** SARC has equipped Norton AntiVirus with a new feature called "Infestation Mode." If a large number of new or unknown viruses is found on the system during a scan, Norton AntiVirus will automatically enable its highest level of detection. This gives users the most comprehensive protection in cases where a viral infestation may have been detected. If you would like to disable this feature, you can do so by following these instructions: 1. Create a text File called NAVEX15.INF in your Norton AntiVirus directory,e.g., C:\Program Files\Norton AntiVirus. If this file already exist go to step two. 2. Place the following lines in this File on the left-hand margin: [NAVW32] infestmode=0 [NAVDX] infestmode=0 3. Save the File. Additional information regarding this virus definitions update can be found in UPDATE.TXT and TECHNOTE.TXT.