**********************************************************************
**                                                                  **
** What's New in the NAV Virus Definitions Files      WHATSNEW.TXT  **
**                                                                  **
** Symantec Security Response                    February 20, 2002  **
**                                                                  **
**********************************************************************

This document contains the following topics:

 * Virus Alerts
 * New Technologies
 * Changes Incorporated Into This Update
 * Enabling Scanning Features
 * Additional Information

**********************************************************************
** Virus Alerts                                                     **
**********************************************************************

The ten most commonly reported viruses, worldwide:

  1  W95.Hybris.worm
  2  W95.MTX
  3  Wscript.KakWorm
  4  W32.HLLW.Bymer
  5  W32.Magistr.24876@mm
  6  W32.Badtrans.13312@mm
  7  W32.Navidad.16896
  8  Happy99.Worm
  9  VBS.LoveLetter
 10  W32.HLLW.Qaz

**********************************************************************
** New Technologies                                                 **
**********************************************************************

DATE        Technologies Added
----        ------------------
02/18/99    * Detection and repair of macro viruses in Word and Excel
              2000 documents.

05/15/99    * Added repair for PowerPoint viruses.
            * Improved heuristics to detect more WORD 97 related
              viruses.

06/10/99    * Menu repair technology for WORD macro viruses that
              change command bar customizations in NORMAL.DOT.

07/12/99    * Added support for scanning of Ichitaro 8/9 documents.
              (Ichitaro is a Japanese word processing program).

08/19/99    * Added detection and repair for embedded documents
              inside PowerPoint 97.

11/22/99    * Added detection and repair for Trojans embedded in OLE
              files, such as Windows scrap files and MS Office
              documents.
            * Added detection for viruses which infect Microsoft
              Project documents (P98M.Corner.A, for example).

02/10/00    * Added support for scanning of UNIX executables.
            * Added detection for infected Visio documents.

12/18/00    * Added heuristics for 32-bit Windows viruses.
            * Added a script scanner which increases our capabilities
              for detecting script based threats.

08/02/01    * Engine Update 08/02/01
            * All products that use the NAVEX 1.5 architecture (in
              other words, most major Symantec products released over
              the last 3 - 4 years) will receive the new
              functionality.
            * This enhanced technology provides improved script
              scanning as well as more proactive detection of unknown
              script-based threats.

**********************************************************************
** Changes Incorporated Into This Virus Definitions Update          **
**********************************************************************

New virus definitions (sorted by Virus Name):

Virus Name              Infection Type          Date added
----------              --------------          ----------
A97M.Hamdam.A           File infector           02/19/02
A97M.Loaded             File infector           02/20/02
A97M.Walla              File infector           02/20/02
AnniVCS.807             File infector           02/06/02
Anti-Aznar.664          File infector           02/12/02
BAT.Tuber.trojan        File infector           02/19/02
Backdoor.EggHead        File infector           02/12/02
Backdoor.IISCrack.dll   File infector           02/13/02
Backdoor.Infector       File infector           02/20/02
Backdoor.NetDevil       File infector           02/13/02
Backdoor.Subwoofer      File infector           02/20/02
Backdoor.Systsec        File infector           02/13/02
Bin.Auto.AUT            File infector           02/07/02
Bin.Auto.AUU            File infector           02/07/02
Bin.Auto.AUV            File infector           02/07/02
Bin.Auto.AUW            File infector           02/07/02
Bin.Auto.AUX            File infector           02/07/02
Bin.Auto.AUY            File infector           02/07/02
Bin.Auto.AUZ            File infector           02/07/02
Bin.Auto.AVA            File infector           02/07/02
Bin.Auto.AVB            File infector           02/07/02
Bin.Auto.AVC            File infector           02/07/02
Bin.Auto.AVD            File infector           02/07/02
Bin.Auto.AVE            File infector           02/08/02
Bin.Auto.AVF            File infector           02/08/02
Bin.Auto.AVG            File infector           02/08/02
Bin.Auto.AVH            File infector           02/08/02
Bin.Auto.AVI            File infector           02/08/02
Bin.Auto.AVJ            File infector           02/08/02
Bin.Auto.AVK            File infector           02/08/02
Bin.Auto.AVL            File infector           02/08/02
Bin.Auto.AVM            File infector           02/08/02
Bin.Auto.AVN            File infector           02/08/02
Bin.Auto.AVO            File infector           02/08/02
Bin.Auto.AVP            File infector           02/08/02
Bin.Auto.AVQ            File infector           02/08/02
Bin.Auto.AVR            File infector           02/08/02
Bin.Auto.AVS            File infector           02/08/02
CeydaDemet              File infector           02/19/02
Clonewar.215            File infector           02/06/02
Construction.Kit        File infector           02/19/02
Elite.212               File infector           02/07/02
Goma.1370               File infector           02/06/02
HLLP.6800               File infector           02/12/02
HLLP.Simbrisk.11472     File infector           02/06/02
HLLW.Allamer            File infector           02/19/02
Hacktool.DoS            File infector           02/12/02
IRC.WMVG                File infector           02/13/02
IRC.Worm.Ceyda          File infector           02/15/02
JS.Menger.Worm          File infector           02/13/02
JS.Odyssey.602.dr       File infector           02/13/02
JS.Radex.mirc           File infector           02/19/02
Laminate.a.trojan       File infector           02/12/02
Linux.Nuxbee.1411       File infector           02/19/02
Linux.Obsid.gen         File infector           02/19/02
Loch.1804               File infector           02/06/02
PE.40                   File infector           02/13/02
PHP.Qwax                File infector           02/19/02
Perl.Rans               File infector           02/19/02
SillyC.237              File infector           02/12/02
SillyC.512              File infector           02/08/02
SillyOC.106.C           File infector           02/12/02
UNIX.comp               File infector           02/19/02
VBS.Breetnee@mm         File infector           02/19/02
VBS.Cidco               File infector           02/20/02
VBS.Duff                File infector           02/19/02
VBS.Gascript            File infector           02/19/02
VBS.Indra               File infector           02/20/02
VBS.Mbc                 File infector           02/13/02
VBS.Msnb.Worm           File infector           02/19/02
VBS.Numgame@mm          File infector           02/15/02
VBS.Onnet               File infector           02/12/02
VBS.Overdoc             File infector           02/19/02
VBS.Xxx                 File infector           02/19/02
W32.Alcarys@mm          File infector           02/15/02
W32.Butter.4914         File infector           02/19/02
W32.HLLO.6144           File infector           02/15/02
W32.HLLO.Rozak          File infector           02/19/02
W32.Kiltro.Worm         File infector           02/19/02
W32.Lorie@mm            File infector           02/19/02
W32.Pixo                File infector           02/13/02
W32.Servese             File infector           02/15/02
W32.Taripox@mm          File infector           02/20/02
W32.Valcard             File infector           02/15/02
W32.Yaha@mm             File infector           02/15/02
W32.Yarner.A@mm         File infector           02/19/02
W32.Yarner.B@mm         File infector           02/19/02
W32.Yarner.gen          File infector           02/20/02
W97M.Nitro              File infector           02/19/02
W97M.Swatch             File infector           02/08/02
W97M.Tanto              File infector           02/07/02
W97M.Tips.gen           File infector           02/07/02
W97M.Tulin              File infector           02/07/02
W97M.Venom              File infector           02/13/02
W97M.Vibisi             File infector           02/13/02
WM.Twno.BB.gen          File infector           02/13/02
X97M.Mspell             File infector           02/20/02
X97M.Veltmar.Trojan     File infector           02/08/02
XM.Momac.A              File infector           02/13/02
Yerk.375                File infector           02/19/02

New virus definitions (sorted by Date added):

Virus Name              Infection Type          Date added
----------              --------------          ----------
A97M.Loaded             File infector           02/20/02
A97M.Walla              File infector           02/20/02
Backdoor.Infector       File infector           02/20/02
Backdoor.Subwoofer      File infector           02/20/02
VBS.Cidco               File infector           02/20/02
VBS.Indra               File infector           02/20/02
W32.Taripox@mm          File infector           02/20/02
W32.Yarner.gen          File infector           02/20/02
X97M.Mspell             File infector           02/20/02
A97M.Hamdam.A           File infector           02/19/02
BAT.Tuber.trojan        File infector           02/19/02
CeydaDemet              File infector           02/19/02
Construction.Kit        File infector           02/19/02
HLLW.Allamer            File infector           02/19/02
JS.Radex.mirc           File infector           02/19/02
Linux.Nuxbee.1411       File infector           02/19/02
Linux.Obsid.gen         File infector           02/19/02
PHP.Qwax                File infector           02/19/02
Perl.Rans               File infector           02/19/02
UNIX.comp               File infector           02/19/02
VBS.Breetnee@mm         File infector           02/19/02
VBS.Duff                File infector           02/19/02
VBS.Gascript            File infector           02/19/02
VBS.Msnb.Worm           File infector           02/19/02
VBS.Overdoc             File infector           02/19/02
VBS.Xxx                 File infector           02/19/02
W32.Butter.4914         File infector           02/19/02
W32.HLLO.Rozak          File infector           02/19/02
W32.Kiltro.Worm         File infector           02/19/02
W32.Lorie@mm            File infector           02/19/02
W32.Yarner.A@mm         File infector           02/19/02
W32.Yarner.B@mm         File infector           02/19/02
W97M.Nitro              File infector           02/19/02
Yerk.375                File infector           02/19/02
IRC.Worm.Ceyda          File infector           02/15/02
VBS.Numgame@mm          File infector           02/15/02
W32.Alcarys@mm          File infector           02/15/02
W32.HLLO.6144           File infector           02/15/02
W32.Servese             File infector           02/15/02
W32.Valcard             File infector           02/15/02
W32.Yaha@mm             File infector           02/15/02
Backdoor.IISCrack.dll   File infector           02/13/02
Backdoor.NetDevil       File infector           02/13/02
Backdoor.Systsec        File infector           02/13/02
IRC.WMVG                File infector           02/13/02
JS.Menger.Worm          File infector           02/13/02
JS.Odyssey.602.dr       File infector           02/13/02
PE.40                   File infector           02/13/02
VBS.Mbc                 File infector           02/13/02
W32.Pixo                File infector           02/13/02
W97M.Venom              File infector           02/13/02
W97M.Vibisi             File infector           02/13/02
WM.Twno.BB.gen          File infector           02/13/02
XM.Momac.A              File infector           02/13/02
Anti-Aznar.664          File infector           02/12/02
Backdoor.EggHead        File infector           02/12/02
HLLP.6800               File infector           02/12/02
Hacktool.DoS            File infector           02/12/02
Laminate.a.trojan       File infector           02/12/02
SillyC.237              File infector           02/12/02
SillyOC.106.C           File infector           02/12/02
VBS.Onnet               File infector           02/12/02
Bin.Auto.AVE            File infector           02/08/02
Bin.Auto.AVF            File infector           02/08/02
Bin.Auto.AVG            File infector           02/08/02
Bin.Auto.AVH            File infector           02/08/02
Bin.Auto.AVI            File infector           02/08/02
Bin.Auto.AVJ            File infector           02/08/02
Bin.Auto.AVK            File infector           02/08/02
Bin.Auto.AVL            File infector           02/08/02
Bin.Auto.AVM            File infector           02/08/02
Bin.Auto.AVN            File infector           02/08/02
Bin.Auto.AVO            File infector           02/08/02
Bin.Auto.AVP            File infector           02/08/02
Bin.Auto.AVQ            File infector           02/08/02
Bin.Auto.AVR            File infector           02/08/02
Bin.Auto.AVS            File infector           02/08/02
SillyC.512              File infector           02/08/02
W97M.Swatch             File infector           02/08/02
X97M.Veltmar.Trojan     File infector           02/08/02
Bin.Auto.AUT            File infector           02/07/02
Bin.Auto.AUU            File infector           02/07/02
Bin.Auto.AUV            File infector           02/07/02
Bin.Auto.AUW            File infector           02/07/02
Bin.Auto.AUX            File infector           02/07/02
Bin.Auto.AUY            File infector           02/07/02
Bin.Auto.AUZ            File infector           02/07/02
Bin.Auto.AVA            File infector           02/07/02
Bin.Auto.AVB            File infector           02/07/02
Bin.Auto.AVC            File infector           02/07/02
Bin.Auto.AVD            File infector           02/07/02
Elite.212               File infector           02/07/02
W97M.Tanto              File infector           02/07/02
W97M.Tips.gen           File infector           02/07/02
W97M.Tulin              File infector           02/07/02
AnniVCS.807             File infector           02/06/02
Clonewar.215            File infector           02/06/02
Goma.1370               File infector           02/06/02
HLLP.Simbrisk.11472     File infector           02/06/02
Loch.1804               File infector           02/06/02

Name Changes (sorted by Old Virus Name):

Old Virus Name        New Virus Name        Date changed
--------------        --------------        ------------
Bin.Auto.ARP      to  BW.1035               02/13/02
Bin.Auto.ARS      to  Trivial.Elben.159     02/11/02
Bin.Auto.ART      to  Trivial.Elben.161.a   02/11/02
Bin.Auto.ARU      to  Pixel.Hydra.368.b     02/11/02
Bin.Auto.ARV      to  Maf.774               02/11/02
Bin.Auto.ARW      to  SSS.517               02/11/02
Bin.Auto.ARX      to  Ahav.385              02/11/02
Bin.Auto.ARY      to  Bashme.4984           02/11/02
Bin.Auto.ARZ      to  Belka.1049            02/11/02
Bin.Auto.ASA      to  Bashme.6570           02/11/02
Bin.Auto.ASP      to  Crepuscular.325       02/15/02
Bin.Auto.ASU      to  Dreg.921              02/15/02
Bin.Auto.ASW      to  FAT.2510.B            02/15/02
Bin.Auto.ASX      to  Fitria.779            02/15/02
Bin.Auto.ASZ      to  F4ff.2089             02/15/02
Bin.Auto.ATA      to  Chosun.2576           02/15/02
Bin.Auto.ATD      to  Leealu.360            02/15/02
Bin.Auto.ATE      to  Febtwo.761            02/15/02
Bin.Auto.ATF      to  Grob.1970             02/15/02
Bin.Auto.ATG      to  Gula.575              02/15/02
Bin.Auto.ATH      to  Fitria.825            02/15/02
Bin.Auto.ATI      to  Int62.398             02/15/02
Bin.Auto.ATJ      to  Khizhnjak.542         02/15/02
Bin.Auto.ATK      to  Kondrat.666           02/15/02
Bin.Auto.ATL      to  Letran.723            02/15/02
Bin.Auto.ATM      to  Kufu.257              02/15/02
Bin.Auto.ATN      to  Khizhnjak.797         02/15/02
Bin.Auto.ATO      to  Anad.725.B            02/15/02
Bin.Auto.ATP      to  Backsu.1773           02/15/02
Bin.Auto.ATQ      to  Backsu.1776           02/15/02
Bin.Auto.ATR      to  Bcurke.928            02/15/02
Bin.Auto.AUG      to  VCC.379               02/13/02
Bin.Auto.AUH      to  VCC.380               02/13/02
Bin.Auto.AUI      to  VCG.1132              02/13/02
Bin.Auto.AUL      to  HLLC.Apocalipse.e     02/13/02
Bin.Auto.AUM      to  HLLP.Savage.4987      02/13/02
Bin.Auto.AUN      to  Belial.717            02/13/02
Bin.Auto.AUO      to  LoneWolf.870.A        02/13/02
Bin.Auto.AUP      to  HLLP.Merlin.3693      02/13/02
Bin.Auto.AUQ      to  HLLP.Merlin.4230      02/13/02
Bin.Auto.AUR      to  Murzic.1745           02/13/02
Bin.Auto.AUS      to  Norma.1350.A          02/13/02
Bin.Auto.AUT      to  SillyC.156            02/20/02
Bin.Auto.AUU      to  Elben.100             02/20/02
CeydaDemet        to  IRC.Worm.Ceyda(2)     02/20/02
VBS.Mbc           to  VBS.Emby.intd         02/13/02
W32.HLLW.Asper    to  W32.Asper             02/12/02
W32.HLLW.Setex    to  W32.Setex             02/12/02
W32.Secup         to  W32.Redesi.C@mm       02/13/02
W97M.Automat.AGN  to  W97M.Chameleon.H      02/13/02

Name Changes (sorted by Date changed):

Old Virus Name        New Virus Name        Date changed
--------------        --------------        ------------
Bin.Auto.AUT      to  SillyC.156            02/20/02
Bin.Auto.AUU      to  Elben.100             02/20/02
CeydaDemet        to  IRC.Worm.Ceyda(2)     02/20/02
Bin.Auto.ASP      to  Crepuscular.325       02/15/02
Bin.Auto.ASU      to  Dreg.921              02/15/02
Bin.Auto.ASW      to  FAT.2510.B            02/15/02
Bin.Auto.ASX      to  Fitria.779            02/15/02
Bin.Auto.ASZ      to  F4ff.2089             02/15/02
Bin.Auto.ATA      to  Chosun.2576           02/15/02
Bin.Auto.ATD      to  Leealu.360            02/15/02
Bin.Auto.ATE      to  Febtwo.761            02/15/02
Bin.Auto.ATF      to  Grob.1970             02/15/02
Bin.Auto.ATG      to  Gula.575              02/15/02
Bin.Auto.ATH      to  Fitria.825            02/15/02
Bin.Auto.ATI      to  Int62.398             02/15/02
Bin.Auto.ATJ      to  Khizhnjak.542         02/15/02
Bin.Auto.ATK      to  Kondrat.666           02/15/02
Bin.Auto.ATL      to  Letran.723            02/15/02
Bin.Auto.ATM      to  Kufu.257              02/15/02
Bin.Auto.ATN      to  Khizhnjak.797         02/15/02
Bin.Auto.ATO      to  Anad.725.B            02/15/02
Bin.Auto.ATP      to  Backsu.1773           02/15/02
Bin.Auto.ATQ      to  Backsu.1776           02/15/02
Bin.Auto.ATR      to  Bcurke.928            02/15/02
Bin.Auto.ARP      to  BW.1035               02/13/02
Bin.Auto.AUG      to  VCC.379               02/13/02
Bin.Auto.AUH      to  VCC.380               02/13/02
Bin.Auto.AUI      to  VCG.1132              02/13/02
Bin.Auto.AUL      to  HLLC.Apocalipse.e     02/13/02
Bin.Auto.AUM      to  HLLP.Savage.4987      02/13/02
Bin.Auto.AUN      to  Belial.717            02/13/02
Bin.Auto.AUO      to  LoneWolf.870.A        02/13/02
Bin.Auto.AUP      to  HLLP.Merlin.3693      02/13/02
Bin.Auto.AUQ      to  HLLP.Merlin.4230      02/13/02
Bin.Auto.AUR      to  Murzic.1745           02/13/02
Bin.Auto.AUS      to  Norma.1350.A          02/13/02
VBS.Mbc           to  VBS.Emby.intd         02/13/02
W32.Secup         to  W32.Redesi.C@mm       02/13/02
W97M.Automat.AGN  to  W97M.Chameleon.H      02/13/02
W32.HLLW.Asper    to  W32.Asper             02/12/02
W32.HLLW.Setex    to  W32.Setex             02/12/02
Bin.Auto.ARS      to  Trivial.Elben.159     02/11/02
Bin.Auto.ART      to  Trivial.Elben.161.a   02/11/02
Bin.Auto.ARU      to  Pixel.Hydra.368.b     02/11/02
Bin.Auto.ARV      to  Maf.774               02/11/02
Bin.Auto.ARW      to  SSS.517               02/11/02
Bin.Auto.ARX      to  Ahav.385              02/11/02
Bin.Auto.ARY      to  Bashme.4984           02/11/02
Bin.Auto.ARZ      to  Belka.1049            02/11/02
Bin.Auto.ASA      to  Bashme.6570           02/11/02

Deletions (sorted by Virus Name):

Virus Name              Infection Type          Date removed
----------              --------------          ------------
Bin.Auto.AVD            File infector           02/08/02
Boot Dropper            Boot infector           01/22/02
Ghostmail.Spammer       File infector           12/03/01
Gold Bug (1)            File and Boot infector  12/12/01
HLLO.Picked.4505        File infector           11/20/01
ICQ.Junta.Trojan        File infector           11/20/01
JS.Zacker.A             File infector           12/20/01
Logon.scr               File infector           12/10/01
Pojer                   File infector           12/13/01
Ruw (2)                 File infector           12/10/01
StarShip (4)            File and Boot infector  01/11/02
VBS.Zacker.A            File infector           12/20/01
Vacsina.Mut.1744 (1)    File infector           01/22/02
W32.DlDer.Trojan        File infector           01/04/02
W32.Swag@mm             File infector           01/30/02
W97M.Galero.A           File infector           11/20/01
W97M.Marker.NW          File infector           11/20/01
Worm.Automat.AGJ        File infector           12/24/01
Wyx.boot                File infector           12/21/01
X97M.Laroux.SI          File infector           02/08/02

Deletions (sorted by Date removed):

Virus Name              Infection Type          Date removed
----------              --------------          ------------
Bin.Auto.AVD            File infector           02/08/02
X97M.Laroux.SI          File infector           02/08/02
W32.Swag@mm             File infector           01/30/02
Boot Dropper            Boot infector           01/22/02
Vacsina.Mut.1744 (1)    File infector           01/22/02
StarShip (4)            File and Boot infector  01/11/02
W32.DlDer.Trojan        File infector           01/04/02
Worm.Automat.AGJ        File infector           12/24/01
Wyx.boot                File infector           12/21/01
JS.Zacker.A             File infector           12/20/01
VBS.Zacker.A            File infector           12/20/01
Pojer                   File infector           12/13/01
Gold Bug (1)            File and Boot infector  12/12/01
Logon.scr               File infector           12/10/01
Ruw (2)                 File infector           12/10/01
Ghostmail.Spammer       File infector           12/03/01
HLLO.Picked.4505        File infector           11/20/01
ICQ.Junta.Trojan        File infector           11/20/01
W97M.Galero.A           File infector           11/20/01
W97M.Marker.NW          File infector           11/20/01

**********************************************************************
** Enabling Scanning Features                                       **
**********************************************************************

Several scanning features can be enabled through the use of an INF
configuration file.

For NAV for Windows 95/NT version 4.x and later, or NAV for OS/2,
this configuration file should be called NAVEX15.INF and should be
placed in the directory where NAV is installed (i.e.,
C:\Program Files\Norton AntiVirus).

For NAV for Netware version 4.x, the file should be called
NAVEX15.INF and should be placed in the directory where NAV 4.x is
installed (i.e., sys:system\navnlm).

For NAV for Windows 95/NT version 2.0, NAV 4.x for Windows 3.1/DOS,
NAVIEG 1.x, or NAVFW 1.x, the file should be named NAVEX.INF and
should be placed in the directory where NAV is installed (i.e.,
C:\NAV).

If this configuration file does not exist, create one in the
appropriate directory if you want to change the default settings.

To enable a scanning feature for a particular component, one or more
entries need to be added to the configuration file under the correct
section. For each platform there is a corresponding section that is
used in the INF file. Below is a table of section names and
platforms.

    Section Name    Platform
    ------------    --------
    NAVW32          Windows 95/98/NT
    NAVAP           Windows 95/98/NT Auto-Protect
    NAVDX           DOS
    NAVNLM          Netware
    NAVWIN          Windows 3.1
    NAVOS2          OS/2
    NAVAIX          AIX
    NAVSOL          Solaris

Entries are case insensitive. Below is a description of possible
entries.

1.  Files can be excluded from scans by the NAVEX engine. To exclude
    a specific file from the NAVEX engine scan, add an entry with the
    full path and file name. This is case insensitive. No wildcards
    are allowed. To exclude multiple files, add a separate entry for
    each file.

    To exclude a file, add an entry like the one below where is the
    full path and file name.

        ExcludeFile =

2.  Files within a directory can be excluded from scans by the NAVEX
    engine. To exclude all files within a directory, add an entry
    with the full directory path. This is case insensitive. No
    wildcards are allowed. This does not exclude files located in
    subdirectories of the specified directory. To exclude multiple
    directories, add a separate entry for each directory.

    To exclude a directory, add an entry like the one below where is
    the full path.

        ExcludeDirectory =

The following example of an INF configuration file excludes two
files, NOSCAN.EXE and BIGFILE.DOC, from NAVEX scans for the Windows
95/98/NT scanner. It excludes the D:\PRIVATE directory from Windows
95/98/NT Auto-Protect.

    [NAVW32]
    ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
    ExcludeFile = C:\TEMP\BIGFILE.DOC

    [NAVAP]
    ExcludeDirectory = D:\PRIVATE

**********************************************************************
** Additional Information                                           **
**********************************************************************

Additional information regarding this virus definitions update can be
found in UPDATE.TXT and TECHNOTE.TXT.
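
The exclusion rules described under "Enabling Scanning Features",
worked through in Python as an added example (not Symantec code): it
reads the sample INF file above and reports which paths each component
would skip. The function names and the path normalisation are
assumptions of this example, as is treating section names as case
insensitive.

```python
import ntpath

# The document's own example configuration.
SAMPLE_INF = r"""
[NAVW32]
ExcludeFile = C:\PROGRAM FILES\NOSCAN.EXE
ExcludeFile = C:\TEMP\BIGFILE.DOC

[NAVAP]
ExcludeDirectory = D:\PRIVATE
"""

KEYS = ("excludefile", "excludedirectory")


def norm(path):
    # Assumption: comparison is on the lower-cased, normalised Windows path.
    return ntpath.normpath(path.strip()).lower()


def parse_inf(text):
    """Return {SECTION: {"excludefile": set(), "excludedirectory": set()}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().upper()
            current = sections.setdefault(name, {k: set() for k in KEYS})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in KEYS and value:
                current[key.lower()].add(norm(value))
    return sections


def is_excluded(sections, section, path):
    """True if `path` is skipped by the component that reads `section`."""
    rules = sections.get(section.upper())
    if rules is None:
        return False
    target = norm(path)
    # ExcludeDirectory covers only files directly in the directory,
    # not files in its subdirectories.
    return (target in rules["excludefile"]
            or ntpath.dirname(target) in rules["excludedirectory"])


def wildcard_entries(sections):
    """Entries containing * or ?; no wildcards are allowed, so these are literal."""
    return sorted((name, entry)
                  for name, rules in sections.items()
                  for key in KEYS for entry in rules[key]
                  if "*" in entry or "?" in entry)
```

Each section is evaluated on its own, so the D:\PRIVATE entry under
[NAVAP] leaves that directory in scope for the NAVW32 scanner.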