**********************************************************************
**                                                                  **
** What's New in the NAV Virus Definitions Files       WHATSNEW.TXT **
**                                                                  **
** Symantec Security Response                     February 06, 2002 **
**                                                                  **
**********************************************************************

This document contains the following topics:

 * Virus Alerts
 * New Technologies
 * Changes Incorporated Into This Update
 * Enabling Scanning Features
 * Additional Information

**********************************************************************
** Virus Alerts                                                     **
**********************************************************************

The ten most commonly reported viruses, worldwide:

  1  W95.Hybris.worm
  2  W95.MTX
  3  Wscript.KakWorm
  4  W32.HLLW.Bymer
  5  W32.Magistr.24876@mm
  6  W32.Badtrans.13312@mm
  7  W32.Navidad.16896
  8  Happy99.Worm
  9  VBS.LoveLetter
 10  W32.HLLW.Qaz

**********************************************************************
** New Technologies                                                 **
**********************************************************************

DATE      Technologies Added
----      ------------------
02/18/99  * Detection and repair of macro viruses in Word and
            Excel 2000 documents.
05/15/99  * Added repair for PowerPoint viruses.
          * Improved heuristics to detect more WORD 97 related
            viruses.
06/10/99  * Menu repair technology for WORD macro viruses that
            change command bar customizations in NORMAL.DOT.
07/12/99  * Added support for scanning of Ichitaro 8/9 documents.
            (Ichitaro is a Japanese word processing program).
08/19/99  * Added detection and repair for embedded documents
            inside PowerPoint 97.
11/22/99  * Added detection and repair for Trojans embedded in OLE
            files, such as Windows scrap files and MS Office
            documents.
          * Added detection for viruses which infect Microsoft
            Project documents (P98M.Corner.A, for example).
02/10/00  * Added support for scanning of UNIX executables.
          * Added detection for infected Visio documents.
12/18/00  * Added heuristics for 32-bit Windows viruses.
          * Added a script scanner which increases our capabilities
            for detecting script based threats.
08/02/01  * Engine Update 08/02/01
          * All products that use the NAVEX 1.5 architecture (in
            other words, most major Symantec products released over
            the last 3 - 4 years) will receive the new
            functionality.
          * This enhanced technology provides improved script
            scanning as well as more proactive detection of unknown
            script-based threats.

**********************************************************************
** Changes Incorporated Into This Virus Definitions Update          **
**********************************************************************

DATE
----

New virus definitions (sorted by Virus Name):

Virus Name              Infection Type          Date added
----------              --------------          ---------
AnniVCS.807             File infector           02/06/02
Armagedon.501           File infector           01/31/02
Bin.Auto.ASL            File infector           01/31/02
Bin.Auto.ASM            File infector           01/31/02
Bin.Auto.ASN            File infector           01/31/02
Bin.Auto.ASO            File infector           01/31/02
Bin.Auto.ASP            File infector           01/31/02
Bin.Auto.ASQ            File infector           01/31/02
Bin.Auto.ASR            File infector           01/31/02
Bin.Auto.ASS            File infector           01/31/02
Bin.Auto.AST            File infector           01/31/02
Bin.Auto.ASU            File infector           01/31/02
Bin.Auto.ASV            File infector           01/31/02
Bin.Auto.ASW            File infector           01/31/02
Bin.Auto.ASX            File infector           01/31/02
Bin.Auto.ASY            File infector           01/31/02
Bin.Auto.ASZ            File infector           01/31/02
Bin.Auto.ATA            File infector           01/31/02
Bin.Auto.ATB            File infector           01/31/02
Bin.Auto.ATC            File infector           01/31/02
Bin.Auto.ATD            File infector           01/31/02
Bin.Auto.ATE            File infector           01/31/02
Bin.Auto.ATF            File infector           01/31/02
Bin.Auto.ATG            File infector           01/31/02
Bin.Auto.ATH            File infector           01/31/02
Bin.Auto.ATI            File infector           01/31/02
Bin.Auto.ATJ            File infector           01/31/02
Bin.Auto.ATK            File infector           01/31/02
Bin.Auto.ATL            File infector           01/31/02
Bin.Auto.ATM            File infector           01/31/02
Bin.Auto.ATN            File infector           01/31/02
Bin.Auto.ATO            File infector           01/31/02
Bin.Auto.ATP            File infector           01/31/02
Bin.Auto.ATQ            File infector           01/31/02
Bin.Auto.ATR            File infector           01/31/02
Bin.Auto.ATS            File infector           01/31/02
Bin.Auto.ATT            File infector           01/31/02
Bin.Auto.ATU            File infector           01/31/02
Bin.Auto.ATV            File infector           01/31/02
Bin.Auto.ATW            File infector           01/31/02
Bin.Auto.ATX            File infector           01/31/02
Bin.Auto.ATY            File infector           02/01/02
Bin.Auto.ATZ            File infector           02/01/02
Bin.Auto.AUA            File infector           02/01/02
Bin.Auto.AUB            File infector           02/01/02
Bin.Auto.AUC            File infector           02/01/02
Bin.Auto.AUD            File infector           02/01/02
Bin.Auto.AUE            File infector           02/01/02
Bin.Auto.AUF            File infector           02/01/02
Bin.Auto.AUG            File infector           02/01/02
Bin.Auto.AUH            File infector           02/01/02
Bin.Auto.AUI            File infector           02/01/02
Bin.Auto.AUJ            File infector           02/01/02
Bin.Auto.AUK            File infector           02/01/02
Bin.Auto.AUL            File infector           02/01/02
Bin.Auto.AUM            File infector           02/01/02
Bin.Auto.AUN            File infector           02/01/02
Bin.Auto.AUO            File infector           02/01/02
Bin.Auto.AUP            File infector           02/01/02
Bin.Auto.AUQ            File infector           02/01/02
Bin.Auto.AUR            File infector           02/01/02
Bin.Auto.AUS            File infector           02/01/02
Bombole.400             File infector           01/31/02
ByRen.1006              File infector           01/31/02
Clonewar.215            File infector           02/06/02
Goma.1370               File infector           02/06/02
HLLP.Simbrisk.11472     File infector           02/06/02
Kara.gen                File infector           02/01/02
Loch.1804               File infector           02/06/02
Manzon.gen              File infector           02/01/02
Mia.9000                File infector           02/06/02
SEEG.gen                File infector           02/06/02
Slowly.1917             File infector           02/04/02
VBS.Comical@mm          File infector           02/04/02
W32.Badtrans@mm.enc     File infector           02/01/02
W32.Collo               File infector           02/06/02
W32.Comical@mm          File infector           02/04/02
W32.Dexter              File infector           02/04/02
W32.Foxma               File infector           02/06/02
W32.Girls.Irc           File infector           02/04/02
W32.HLLW.Asper          File infector           02/04/02
W32.HLLW.Setex          File infector           02/04/02
W32.Lindo               File infector           02/04/02
W32.Nimda.I@mm          File infector           02/06/02
W32.Nosys               File infector           02/06/02
W32.Rexli.A@mm          File infector           02/06/02
W32.Secup               File infector           02/04/02
W97M.Automat.AGN        File infector           02/04/02
W97M.Comical@mm         File infector           02/04/02
W97M.DebilByte (dr)     File infector           02/06/02
W97M.DebilByte.A        File infector           02/06/02
W97M.Nomed.A            File infector           02/04/02
W97M.Sux.A              File infector           02/06/02
WM.Automat.AGM          File infector           02/01/02
Wintermute.1052.B       File infector           02/06/02
X97M.Automat.AGO        File infector           02/06/02
X97M.Laroux.SI          File infector           02/06/02
Zver.gen                File infector           01/31/02

New virus definitions (sorted by Date added):

Virus Name              Infection Type          Date added
----------              --------------          ----------
AnniVCS.807             File infector           02/06/02
Clonewar.215            File infector           02/06/02
Goma.1370               File infector           02/06/02
HLLP.Simbrisk.11472     File infector           02/06/02
Loch.1804               File infector           02/06/02
Mia.9000                File infector           02/06/02
SEEG.gen                File infector           02/06/02
W32.Collo               File infector           02/06/02
W32.Foxma               File infector           02/06/02
W32.Nimda.I@mm          File infector           02/06/02
W32.Nosys               File infector           02/06/02
W32.Rexli.A@mm          File infector           02/06/02
W97M.DebilByte (dr)     File infector           02/06/02
W97M.DebilByte.A        File infector           02/06/02
W97M.Sux.A              File infector           02/06/02
Wintermute.1052.B       File infector           02/06/02
X97M.Automat.AGO        File infector           02/06/02
X97M.Laroux.SI          File infector           02/06/02
Slowly.1917             File infector           02/04/02
VBS.Comical@mm          File infector           02/04/02
W32.Comical@mm          File infector           02/04/02
W32.Dexter              File infector           02/04/02
W32.Girls.Irc           File infector           02/04/02
W32.HLLW.Asper          File infector           02/04/02
W32.HLLW.Setex          File infector           02/04/02
W32.Lindo               File infector           02/04/02
W32.Secup               File infector           02/04/02
W97M.Automat.AGN        File infector           02/04/02
W97M.Comical@mm         File infector           02/04/02
W97M.Nomed.A            File infector           02/04/02
Bin.Auto.ATY            File infector           02/01/02
Bin.Auto.ATZ            File infector           02/01/02
Bin.Auto.AUA            File infector           02/01/02
Bin.Auto.AUB            File infector           02/01/02
Bin.Auto.AUC            File infector           02/01/02
Bin.Auto.AUD            File infector           02/01/02
Bin.Auto.AUE            File infector           02/01/02
Bin.Auto.AUF            File infector           02/01/02
Bin.Auto.AUG            File infector           02/01/02
Bin.Auto.AUH            File infector           02/01/02
Bin.Auto.AUI            File infector           02/01/02
Bin.Auto.AUJ            File infector           02/01/02
Bin.Auto.AUK            File infector           02/01/02
Bin.Auto.AUL            File infector           02/01/02
Bin.Auto.AUM            File infector           02/01/02
Bin.Auto.AUN            File infector           02/01/02
Bin.Auto.AUO            File infector           02/01/02
Bin.Auto.AUP            File infector           02/01/02
Bin.Auto.AUQ            File infector           02/01/02
Bin.Auto.AUR            File infector           02/01/02
Bin.Auto.AUS            File infector           02/01/02
Kara.gen                File infector           02/01/02
Manzon.gen              File infector           02/01/02
W32.Badtrans@mm.enc     File infector           02/01/02
WM.Automat.AGM          File infector           02/01/02
Zver.gen                File infector           01/31/02
Armagedon.501           File infector           01/31/02
Bombole.400             File infector           01/31/02
ByRen.1006              File infector           01/31/02
Bin.Auto.ASL            File infector           01/31/02
Bin.Auto.ASM            File infector           01/31/02
Bin.Auto.ASN            File infector           01/31/02
Bin.Auto.ASO            File infector           01/31/02
Bin.Auto.ASP            File infector           01/31/02
Bin.Auto.ASQ            File infector           01/31/02
Bin.Auto.ASR            File infector           01/31/02
Bin.Auto.ASS            File infector           01/31/02
Bin.Auto.AST            File infector           01/31/02
Bin.Auto.ASU            File infector           01/31/02
Bin.Auto.ASV            File infector           01/31/02
Bin.Auto.ASW            File infector           01/31/02
Bin.Auto.ASX            File infector           01/31/02
Bin.Auto.ASY            File infector           01/31/02
Bin.Auto.ASZ            File infector           01/31/02
Bin.Auto.ATA            File infector           01/31/02
Bin.Auto.ATB            File infector           01/31/02
Bin.Auto.ATC            File infector           01/31/02
Bin.Auto.ATD            File infector           01/31/02
Bin.Auto.ATE            File infector           01/31/02
Bin.Auto.ATF            File infector           01/31/02
Bin.Auto.ATG            File infector           01/31/02
Bin.Auto.ATH            File infector           01/31/02
Bin.Auto.ATI            File infector           01/31/02
Bin.Auto.ATJ            File infector           01/31/02
Bin.Auto.ATK            File infector           01/31/02
Bin.Auto.ATL            File infector           01/31/02
Bin.Auto.ATM            File infector           01/31/02
Bin.Auto.ATN            File infector           01/31/02
Bin.Auto.ATO            File infector           01/31/02
Bin.Auto.ATP            File infector           01/31/02
Bin.Auto.ATQ            File infector           01/31/02
Bin.Auto.ATR            File infector           01/31/02
Bin.Auto.ATS            File infector           01/31/02
Bin.Auto.ATT            File infector           01/31/02
Bin.Auto.ATU            File infector           01/31/02
Bin.Auto.ATV            File infector           01/31/02
Bin.Auto.ATW            File infector           01/31/02
Bin.Auto.ATX            File infector           01/31/02

Name Changes (sorted by Old Virus Name):

Old Virus Name             New Virus Name          Date changed
--------------             --------------          ------------
ACTS.LHM.926            to ACTS.LFM.926            01/10/02
Backdoor.Litmus.B       to Backdoor.Litmus.Gen     01/04/02
Bin.Auto.ARO            to SillyC.507              02/06/02
Bin.Auto.ARQ            to Trivial.Elben.110.a     02/06/02
Bin.Auto.ARR            to Trivial.Elben.110.b     02/06/02
Bin.Auto.ATC            to Elite.212               02/06/02
Bloodhound.JS.ExcExp    to JS.Exception.Exploit.B  01/17/02
StarShip (2)            to Starship.2570           01/11/02
VBS.Evolution@mm        to VBS.Haptime.C@mm        01/17/02
VBS.HTMWord             to VBS.Droto               01/23/02
VBS.ObjFunc             to VBS.Funcess             01/23/02
VBS.Stertor             to VBS.Salim               02/06/02
W32.Badtrans@mm.enc     to W32.Badtrans@mm.enc.dr  02/01/02
W32.ElKern.B            to W32.ElKern.3587         01/17/02
W32.ShakeWorld@mm       to W32.Shatrix@mm          01/07/02
W32.Steatopygous@mm     to W32.Toget@mm            01/09/02
W32.Sucha@mm            to VBS.Rosegun@mm          01/08/02
W32.Suns                to W32.Sinus               01/22/02
W32.TempX.A@m           to W32.Enviar.gen          01/25/02
W32.TempX.A@mm          to W32.TempX.A@m           01/17/02
W97M.Automat.AGL        to W97M.MTrue.D            02/06/02
W97M.Gesture.D.Gen      to W97M.Wrench.S.gen       02/02/02
W97M.Jedi.O             to W97M.Jedi.O.gen         02/06/02
W97M.Marker.damaged     to W97M.Marker.KC.gen      02/06/02
W97M.Stibium            to W97M.Doccopy.D          02/06/02
X97M.BDoc2              to X97M.Anis               02/06/02
X97M.Gene.A             to X97M.Manalo.L           02/06/02
X97M.KLF                to X97M.Ellar.C            01/22/02

Name Changes (sorted by Date changed):

Old Virus Name             New Virus Name          Date changed
--------------             --------------          ------------
Bin.Auto.ARO            to SillyC.507              02/06/02
Bin.Auto.ARQ            to Trivial.Elben.110.a     02/06/02
Bin.Auto.ARR            to Trivial.Elben.110.b     02/06/02
Bin.Auto.ATC            to Elite.212               02/06/02
VBS.Stertor             to VBS.Salim               02/06/02
W97M.Automat.AGL        to W97M.MTrue.D            02/06/02
W97M.Gesture.D.Gen      to W97M.Wrench.S.gen       02/02/02
W97M.Jedi.O             to W97M.Jedi.O.gen         02/06/02
W97M.Marker.damaged     to W97M.Marker.KC.gen      02/06/02
W97M.Stibium            to W97M.Doccopy.D          02/06/02
X97M.BDoc2              to X97M.Anis               02/06/02
X97M.Gene.A             to X97M.Manalo.L           02/06/02
W32.Badtrans@mm.enc     to W32.Badtrans@mm.enc.dr  02/01/02
W32.TempX.A@m           to W32.Enviar.gen          01/25/02
VBS.HTMWord             to VBS.Droto               01/23/02
VBS.ObjFunc             to VBS.Funcess             01/23/02
W32.Suns                to W32.Sinus               01/22/02
X97M.KLF                to X97M.Ellar.C            01/22/02
Bloodhound.JS.ExcExp    to JS.Exception.Exploit.B  01/17/02
VBS.Evolution@mm        to VBS.Haptime.C@mm        01/17/02
W32.ElKern.B            to W32.ElKern.3587         01/17/02
W32.TempX.A@mm          to W32.TempX.A@m           01/17/02
StarShip (2)            to Starship.2570           01/11/02
ACTS.LHM.926            to ACTS.LFM.926            01/10/02
W32.Steatopygous@mm     to W32.Toget@mm            01/09/02
W32.Sucha@mm            to VBS.Rosegun@mm          01/08/02
W32.ShakeWorld@mm       to W32.Shatrix@mm          01/07/02
Backdoor.Litmus.B       to Backdoor.Litmus.Gen     01/04/02

Deletions (sorted by Virus Name):

Virus Name              Infection Type          Date removed
----------              --------------          ------------
AirCop Dropper          Boot infector           11/13/01
Boot Dropper            Boot infector           01/22/02
Denzuk Dropper          Boot infector           11/13/01
Ghostmail.Spammer       File infector           12/03/01
Gold Bug (1)            File and Boot infector  12/12/01
HLLO.Picked.4505        File infector           11/20/01
ICQ.Junta.Trojan        File infector           11/20/01
JS.Zacker.A             File infector           12/20/01
Logon.scr               File infector           12/10/01
Pojer                   File infector           12/13/01
Ruw (2)                 File infector           12/10/01
StarShip (4)            File and Boot infector  01/11/02
VBS.Zacker.A            File infector           12/20/01
Vacsina.Mut.1744 (1)    File infector           01/22/02
W32.DlDer.Trojan        File infector           01/04/02
W32.Swag@mm             File infector           01/30/02
W97M.Galero.A           File infector           11/20/01
W97M.Marker.NW          File infector           11/20/01
Worm.Automat.AGJ        File infector           12/24/01
Wyx.boot                File infector           12/21/01

Deletions (sorted by Date removed):

Virus Name              Infection Type          Date removed
----------              --------------          ------------
W32.Swag@mm             File infector           01/30/02
Boot Dropper            Boot infector           01/22/02
Vacsina.Mut.1744 (1)    File infector           01/22/02
StarShip (4)            File and Boot infector  01/11/02
W32.DlDer.Trojan        File infector           01/04/02
Worm.Automat.AGJ        File infector           12/24/01
Wyx.boot                File infector           12/21/01
JS.Zacker.A             File infector           12/20/01
VBS.Zacker.A            File infector           12/20/01
Pojer                   File infector           12/13/01
Gold Bug (1)            File and Boot infector  12/12/01
Logon.scr               File infector           12/10/01
Ruw (2)                 File infector           12/10/01
Ghostmail.Spammer       File infector           12/03/01
HLLO.Picked.4505        File infector           11/20/01
ICQ.Junta.Trojan        File infector           11/20/01
W97M.Galero.A           File infector           11/20/01
W97M.Marker.NW          File infector           11/20/01
AirCop Dropper          Boot infector           11/13/01
Denzuk Dropper          Boot infector           11/13/01

**********************************************************************
** Enabling Scanning Features                                       **
**********************************************************************

Several scanning features can be enabled through the use of an INF
configuration file.

For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2,
this configuration file should be called NAVEX15.INF and should be
placed in the directory where NAV is installed
(i.e., C:\Program Files\Norton AntiVirus).

For NAV for Netware version 4.x, the file should be called
NAVEX15.INF and should be placed in the directory where NAV 4.x is
installed (i.e., sys:system\navnlm).

For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS,
NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and
should be placed in the directory where NAV is installed
(i.e., C:\NAV).

If this configuration file does not exist, create one in the
appropriate directory if you want to change the default settings.

To enable a scanning feature for a particular component, one or more
entries need to be added to the configuration file under the correct
section. For each platform there is a corresponding section that is
used in the INF file. Below is a table of section names and
platforms.

Section Name    Platform
------------    --------
NAVW32          Windows 95/98/NT
NAVAP           Windows 95/98/NT Auto-Protect
NAVDX           DOS
NAVNLM          Netware
NAVWIN          Windows 3.1
NAVOS2          OS/2
NAVAIX          AIX
NAVSOL          Solaris

Entries are case insensitive. Below is a description of possible
entries.

1. Files can be excluded from scans by the NAVEX engine. To exclude
   a specific file from the NAVEX engine scan, add an entry with the
   full path and file name. This is case insensitive.
   No wildcards are allowed. To exclude multiple files, add a
   separate entry for each file.

   To exclude a file, add an entry like the one below, where the
   value is the full path and file name.

       ExcludeFile =

2. Files within a directory can be excluded from scans by the NAVEX
   engine. To exclude all files within a directory, add an entry
   with the full directory path. This is case insensitive. No
   wildcards are allowed. This does not exclude files located in
   subdirectories of the specified directory. To exclude multiple
   directories, add a separate entry for each directory.

   To exclude a directory, add an entry like the one below, where
   the value is the full path.

       ExcludeDirectory =

The following example of an INF configuration file excludes two
files, NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the
Windows 95/98/NT scanner. It excludes the D:\PRIVATE directory from
Windows 95/98/NT Auto-Protect.

    [NAVW32]
    ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
    ExcludeFile = C:\TEMP\BIGFILE.DOC

    [NAVAP]
    ExcludeDirectory = D:\PRIVATE

**********************************************************************
** Additional Information                                           **
**********************************************************************

Additional information regarding this virus definitions update can
be found in UPDATE.TXT and TECHNOTE.TXT.
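
Added example (not part of the Symantec document or product): a small Python audit of the exclusion entries described under "Enabling Scanning Features", useful for reviewing which files a scanner component has been told to skip. It keeps repeated ExcludeFile keys, flags entries that break the stated rules (wildcards, non-full paths, unknown section names) and applies the documented matching, including the rule that a directory exclusion does not cover subdirectories. The function names, the FULL_PATH pattern and the sample entries beyond the document's own are assumptions.

```python
import ntpath
import re

# Names below come from the document; FULL_PATH is an assumed reading of "full path".
KNOWN = {"NAVW32", "NAVAP", "NAVDX", "NAVNLM", "NAVWIN", "NAVOS2", "NAVAIX", "NAVSOL"}
RULES = ("excludefile", "excludedirectory")
FULL_PATH = re.compile(r"^([A-Za-z]:[\\/]|\\\\|[A-Za-z0-9_]{2,}:|/)")

def parse_inf(text):
    """Return {SECTION: [(key, value), ...]}; keys repeat, so entries stay a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().upper(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(sections):
    """Flag entries that break the rules stated in the document."""
    findings = []
    for name, entries in sections.items():
        if name not in KNOWN:
            findings.append((name, "unknown section name"))
        for key, value in entries:
            if key in RULES and ("*" in value or "?" in value):
                findings.append((name, "wildcard not allowed: " + value))
            elif key in RULES and not FULL_PATH.match(value):
                findings.append((name, "not a full path: " + value))
    return findings

def is_excluded(sections, section, path):
    """Documented matching: exact file, or a file directly in an excluded directory."""
    path = path.lower()
    parent = ntpath.dirname(path).rstrip("\\")
    for key, value in sections.get(section.upper(), []):
        target = path if key == "excludefile" else parent
        if key in RULES and value.lower().rstrip("\\") == target:
            return True
    return False

# Constructed sample: two entries from the document plus two deliberately bad ones.
SAMPLE = r"""[NAVW32]
ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
ExcludeFile = C:\TEMP\*.TMP
[NAVAP]
ExcludeDirectory = D:\PRIVATE
ExcludeDirectory = DOWNLOADS
"""
```

Malformed entries are compared literally by is_excluded; how the NAVEX engine itself treats them is not stated in the document.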