**********************************************************************
**                                                                  **
** What's New in the NAV Virus Definitions Files       WHATSNEW.TXT **
**                                                                  **
** Symantec AntiVirus Research Center (SARC)         March 27, 2000 **
**                                                                  **
**********************************************************************

This document contains the following topics:

  * Virus Alerts
  * New Technologies
  * Changes Incorporated Into This Update
  * Enabling Scanning Features
  * Additional Information

**********************************************************************
**                           Virus Alerts                           **
**********************************************************************

The ten most commonly reported viruses, worldwide:

   1  W97M.Class
   2  XM.Laroux
   3  O97M.Tristate
   4  W95.CIH
   5  Happy99.Worm
   6  WM.Cap
   7  W97M.ColdApe
   8  W97M.Ethan
   9  W97M.Melissa
  10  Worm.ExploreZip

**********************************************************************
**                         New Technologies                         **
**********************************************************************

DATE       Technologies Added
----       ------------------
8/19/98    * Excel heuristics which detect and repair new and unknown
             macro viruses in Excel 95 & 97 documents.

9/16/98    * Added repair for encrypted Excel 97 documents.

10/21/98   * Heuristics to detect AOL Password Stealer Trojans.
           * WORD Heuristics improvement to increase detection rate.

12/17/98   * Macro Exclusion Engine to speed up the scanning for Word
             and Excel documents.
           * PowerPoint engine to scan PowerPoint related viruses.
             To enable this technology please read
             "Enabling/Disabling PowerPoint Scanning" section later
             in this document.

02/18/99   * Detection and repair of macro viruses in Word and Excel
             2000 documents.

05/12/99   * Added repair for PowerPoint viruses.
           * Improved heuristics to detect more WORD 97 related
             viruses.

06/10/99   * Menu repair technology for WORD macro viruses that change
             command bar customizations in NORMAL.DOT.

07/12/99   * Added support for scanning of Ichitaro 8/9 documents.
             (Ichitaro is a Japanese word processing program).
08/19/99   * Added detection and repair for embedded documents inside
             PowerPoint 97.

11/22/99   * Added detection and repair for Trojans embedded in OLE
             files, such as Windows scrap files and MS Office
             documents.
           * Added detection for viruses which infect Microsoft
             Project documents (P98M.Corner.A, for example).

02/10/00   * Added support for scanning of UNIX executables.
           * Added detection for infected Visio documents.

**********************************************************************
**     Changes Incorporated Into This Virus Definitions Update      **
**********************************************************************

New virus definitions:

Virus Name                  Infection Type          Week added
----------                  --------------          ----------
Backdoor.BladeRunner        File infector           03/27/00
Backdoor.BrainSpy           File infector           03/06/00
Backdoor.Grab               File infector           03/27/00
Backdoor.Komut              File infector           03/17/00
Backdoor.Krass              File infector           03/27/00
Backdoor.NetMetro           File infector           02/29/00
Backdoor.Nightmare.a        File infector           02/29/00
Backdoor.NssKill            File infector           03/06/00
Backdoor.SBD                File infector           03/13/00
Backdoor.Senna              File infector           03/27/00
Backdoor.SubSeven21         File infector           02/29/00
Backdoor.TapiTroj           File infector           03/06/00
Bloodhound.Test             File infector           02/29/00
Giggles.Trojan              File infector           03/27/00
Infector.Trojan             File infector           03/17/00
IRC.Worm.Overnuke           File infector           02/29/00
Istanbul.1349               File infector           03/13/00
Istanbul.1397               File infector           03/13/00
Istanbul.1397 (x)           File infector           03/13/00
Jokiev.1918                 File infector           02/29/00
Jokiev.1918 (m)             File infector           02/29/00
Js.JudgeDay                 File infector           03/06/00
Linux.Backdoor.IN           File infector           03/17/00
Linux.Bliss.A               File infector           03/17/00
Linux.Bliss.B               File infector           03/17/00
Linux.Silv5444              File infector           03/17/00
Movie.Pif.Worm              File infector           03/17/00
NTMonitor.Trojan            File infector           03/13/00
O97M.Exceller.A             File infector           03/27/00
Opera (VXD)                 File infector           02/29/00
Shifter.1295                File infector           03/27/00
Shifter.1295 (x)            File infector           03/27/00
Solaris.DoS.stacheld.s      File infector           03/17/00
SSR.19071                   File infector           03/13/00
SubSeven.Dropper            File infector           03/13/00
Termite.9100                File infector           02/29/00
Trojan.Bat.Erase            File infector           03/06/00
Trojan.Bat.HDKill           File infector           03/27/00
Trojan.FreeLinkX            File infector           03/06/00
Trojan.Masterlock           File infector           03/13/00
Trojan.Win32.Nukem          File infector           02/29/00
Unix.Bash                   File infector           03/17/00
Unix.Dumb.A                 File infector           03/17/00
Unix.Dumb.B                 File infector           03/17/00
Unix.Gift                   File infector           03/17/00
Unix.Jaded                  File infector           03/17/00
Unix.ls                     File infector           03/17/00
Unix.Penguin                File infector           03/17/00
Unix.PSite                  File infector           03/17/00
VBS.Orochi                  File infector           03/17/00
VBS.Story                   File infector           03/13/00
W2K.Infis.4608              File infector           02/22/00
W32.AOC.3650                File infector           03/13/00
W32.AOC.3676                File infector           03/27/00
W32.Azaco.B.Worm            File infector           03/06/00
W32.Bolzano.5396.G1         File infector           03/13/00
W32.Cabdrop.4096            File infector           03/13/00
W32.Cholera.B.Worm          File infector           03/27/00
W32.Cholera.C.Worm          File infector           03/27/00
W32.CTX.7017                File infector           03/13/00
W32.ExploreZip.E.Worm       File infector           03/13/00
W32.HLLO.29128              File infector           03/13/00
W32.HLLP.Bora.11264         File infector           03/27/00
W32.HLLP.Bora.Mirc          File infector           03/27/00
W32.HLLP.Semisoft.G         File infector           03/13/00
W32.IIS.Worm                File infector           03/13/00
W32.Inrar.B                 File infector           03/27/00
W32.Jane.Worm               File infector           03/06/00
W32.Lunatik.Worm            File infector           03/06/00
W32.Melting.Worm            File infector           03/13/00
W32.Nazka.Int               File infector           03/13/00
W32.Orochi.5420             File infector           03/27/00
W32.Orochi.5420 (mIRC)      File infector           03/17/00
W32.PrettyPark.E.Worm       File infector           03/06/00
W32.PrettyPark.F.Worm       File infector           03/06/00
W32.PrettyPark.G.Worm       File infector           03/06/00
W32.PrettyPark.Gen          File infector           03/13/00
W32.PrettyPark.H.Worm       File infector           03/13/00
W32.PrettyPark.I.Worm       File infector           03/13/00
W32.Refer.2939              File infector           03/27/00
W32.Spit.B                  File infector           03/27/00
W32.Teddybear.Worm          File infector           03/13/00
W32.Unicle.A.Worm           File infector           03/06/00
W32.Unicle.B.Worm           File infector           03/06/00
W32.WinExt.B.Worm           File infector           03/13/00
W95.Arianne.1022            File infector           03/06/00
W95.Arianne.1022.Int        File infector           03/13/00
W95.Boza.2220.Int           File infector           03/27/00
W95.DoS.Trinoo              File infector           02/22/00
W95.Fosoforo.Int            File infector           03/06/00
W95.Invir                   File infector           03/13/00
W95.Matrix.3597             File infector           03/27/00
W95.Matrix.3597.TR          File infector           03/27/00
W95.Matrix.3597.TR (2)      File infector           03/27/00
W95.Merinos.1763            File infector           03/13/00
W95.Mmorf.1348              File infector           03/06/00
W95.Orez.6287               File infector           03/06/00
W95.Priest.1454             File infector           03/27/00
W95.Priest.1486             File infector           03/27/00
W95.Priest.1495             File infector           03/27/00
W95.Priest.1521             File infector           03/06/00
W95.Score.B                 File infector           03/13/00
W95.Sexy.156                File infector           03/13/00
W95.Shoerec.9216            File infector           03/06/00
W95.Shoerec.9216.Tr         File infector           03/06/00
W95.SillyW.431              File infector           03/13/00
W95.SK (com)                File infector           03/27/00
W95.SK (com2)               File infector           03/13/00
W95.SK.380                  File infector           03/13/00
W95.SK.428                  File infector           03/13/00
W95.Tecata.1761             File infector           03/27/00
W95.VIP.4309.B              File infector           03/27/00
W95.Weird.C                 File infector           03/27/00
W95.Weird.C.Backdoor        File infector           03/27/00
W95.Ylang.1536              File infector           03/13/00
W95.Ylang.1536.A            File infector           03/27/00
W95.Yurn.1652.Int           File infector           03/06/00
W97M.Bablas.G               File infector           03/27/00
W97M.Bablas.N               File infector           03/27/00
W97M.Bablas.Q               File infector           03/06/00
W97M.Bablas.R               File infector           03/06/00
W97M.Bablas.S               File infector           03/13/00
W97M.Cakes                  File infector           02/29/00
W97M.Ciao.A                 File infector           03/27/00
W97M.Class.EJ               File infector           03/27/00
W97M.Claudio                File infector           03/17/00
W97M.Eight941.E             File infector           02/29/00
W97M.FS.B.Ru                File infector           03/17/00
W97M.IJK                    File infector           03/17/00
W97M.Invkay                 File infector           03/06/00
W97M.KAPSYAW                File infector           03/27/00
W97M.Killer                 File infector           03/06/00
W97M.Lenni.A                File infector           03/27/00
W97M.Lupi.B                 File infector           03/13/00
W97M.MARKER.BQ              File infector           03/13/00
W97M.MARKER.BV              File infector           03/13/00
W97M.Marker.BW              File infector           03/27/00
W97M.Marker.CH              File infector           02/29/00
W97M.Melissa.M.Var2         File infector           02/29/00
W97M.Michael.B              File infector           03/06/00
W97M.Nidoc                  File infector           03/13/00
W97M.Ocard                  File infector           02/29/00
W97M.Opey.P                 File infector           03/27/00
W97M.SMAC.D                 File infector           03/13/00
W97M.Stun                   File infector           03/17/00
W97M.Thus.N                 File infector           02/29/00
W97M.Thus.O                 File infector           03/13/00
W97M.Thus.Q                 File infector           03/27/00
W97M.Titch                  File infector           02/29/00
W97M.Titch.E                File infector           03/27/00
W97M.Verlor.E               File infector           03/27/00
W97M.Wrench.E               File infector           03/27/00
W98.Matyas.664              File infector           03/06/00
Win.Pada.2290               File infector           02/29/00
WM.Inexist.C                File infector           03/13/00
X97M.Automat.AE             File infector           03/17/00
X97M.Base.B                 File infector           03/06/00
X97M.BMV                    File infector           03/13/00
X97M.DIVI.E                 File infector           03/17/00
X97M.Manalo                 File infector           03/06/00
X97M.Tegrat.A               File infector           03/27/00

Name Changes:

Old Virus Name              New Virus Name          Date changed
--------------              --------------          ------------
Bloodhound.Test          to Nutcracker.Ab2 (sys)    03/13/00
REU.1367                 to Istanbul.1367           03/13/00
REU.1367 Gen ( 1 )       to Istanbul.1367 ( x )     03/13/00
W32.AOC.3650             to W32.AOC.3649            03/17/00
W95.Ylang.1536           to W95.Ylang.1536.B        03/17/00
W97M.Class.Ej            to W97M.Panther.Family     03/13/00
W97M.Marker.CE           to W97M.Marker.BY          03/13/00
W97M.Thus                to W97M.Thus.Variant       03/13/00
W97M.THUS.J              to W97M.THUS.M             03/13/00
W97M.Thus.L              to W97M.Thus.P             03/13/00
W97M.THUS.M              to W97M.THUS.J             03/13/00
W97M.Titch               to W97M.Titch.D            03/13/00
W97M.Wrench.A            to W97M.Wrench.C           03/13/00
X97M.Shan                to X97M.Jini.intd          03/13/00

Deletions:

Virus Name                  Infection Type          Date removed
----------                  --------------          ------------
Istanbul.1349               File infector           03/13/00
Virus-101 (Gen1)            File and Boot infector  02/29/00
WuChing.Boot.Dropper        Boot infector           03/06/00

**********************************************************************
**                    Enabling Scanning Features                    **
**********************************************************************

Several scanning features can be enabled through the use of an INF
configuration file.

For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2,
this configuration file should be called NAVEX15.INF and should be
placed in the directory where NAV is installed
(i.e., C:\Program Files\Norton AntiVirus).

For NAV for Netware version 4.x, the file should be called
NAVEX15.INF and should be placed in the directory where NAV 4.x is
installed (i.e., sys:system\navnlm).

For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS,
NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and
should be placed in the directory where NAV is installed
(i.e., C:\NAV).

If this configuration file does not exist, create one in the
appropriate directory if you want to change the default settings.

To enable a scanning feature for a particular component, one or more
entries need to be added to the configuration file under the correct
section. For each platform there is a corresponding section that is
used in the INF file. Below is a table of section names and
platforms.

    Section Name     Platform
    ------------     --------
    NAVW32           Windows 95/98/NT
    NAVAP            Windows 95/98/NT Auto-Protect
    NAVDX            DOS
    NAVNLM           Netware
    NAVWIN           Windows 3.1
    NAVOS2           OS/2
    NAVAIX           AIX
    NAVSOL           Solaris

Entries are case insensitive. Below is a description of possible
entries.

1.  Files can be excluded from scans by the NAVEX engine. To exclude
    a specific file from the NAVEX engine scan, add an entry with
    the full path and file name. This is case insensitive. No
    wildcards are allowed. To exclude multiple files, add a separate
    entry for each file.

    To exclude a file, add an entry like the one below where is the
    full path and file name.

        ExcludeFile =

2.  Files within a directory can be excluded from scans by the NAVEX
    engine. To exclude all files within a directory, add an entry
    with the full directory path. This is case insensitive. No
    wildcards are allowed. This does not exclude files located in
    subdirectories of the specified directory.
    To exclude multiple directories, add a separate entry for each
    directory.

    To exclude a directory, add an entry like the one below where is
    the full path.

        ExcludeDirectory =

The following example of an INF configuration file excludes two
files, NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the Windows
95/98/NT scanner. It excludes the D:\PRIVATE directory from Windows
95/98/NT Auto-Protect.

    [NAVW32]
    ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
    ExcludeFile = C:\TEMP\BIGFILE.DOC

    [NAVAP]
    ExcludeDirectory = D:\PRIVATE

**********************************************************************
**                      Additional Information                      **
**********************************************************************

Additional information regarding this virus definitions update can
be found in UPDATE.TXT and TECHNOTE.TXT.