SYMANTEC AntiVirus Research Center
"The Sun Never Sets on SARC"

October 2000 Newsletter

These are the most reported Viruses, Trojans and Worms to SARC's offices during the last month.

Top Global Threats
W32.HLLW.Qaz.A
W95.MTX
VBS.Stages.A
Wscript.KakWorm
W32.FunLove.4099
Happy99.Worm
VBS.LoveLetter
VBS.Network
PrettyPark.Worm

Asia Pacific
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX

Europe
Wscript.KakWorm
Backdoor.SubSeven
W32.HLLW.Qaz.A

Japan
W32.HLLW.Qaz.A
W95.MTX
VBS.LoveLetter

USA
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX

New Virus Hoaxes reported to Symantec
No New Hoaxes this Month

Top 20 Consolidated Global Threats
By SecurityPortal
Happy99.Worm (alias W32.Ska)
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
W95.CIH
VBS.LoveLetter
VBS.Stages.A
W32.PrettyPark
W97M.Marker
W32.ExploreZip
VBS.KakWorm
W95.MTX
W97M.Melissa.BG
W97M.Thursday
VBS.Quatro.A
W97M.Panther
W95.Firkin
SubSeven.Server (alias Troj.SubSeven)
W97M.Stand
VBS.FriendMess.A
W97M.Cybernet.A
W97M.Ethan.A

Welcome to the October edition of the Symantec AntiVirus Research Center Newsletter. The HTML version of this issue includes a new unsubscribe panel at the bottom of the left margin and a new colour scheme, as well as updating you on the new threats.

The Palm platform has finally succumbed to the virus threat, and we cover a PalmOS virus and a Trojan this month. While they both have our lowest threat rating of 1, they are interesting. W2K.Stream has also received attention in the media due to its novel file infection method.

In the July newsletter we carried an abbreviated version of Eric Chien's article on PalmOS Security. Eric has since updated this to include two other platforms, EPOC and Windows CE/Pocket PC. See below for a summary of the article in the newsletter; the full version can be read online at the SARC web site.

The Association of anti-Virus Asia Researchers (AVAR) annual international conference is to be held in Tokyo this year on the 28th and 29th October. Speakers include Motoaki Yamamura (SARC USA), Randy Abrams (Microsoft), Shane Coursen (Wildlist) and senior research staff of various anti-virus companies and Japanese security agencies. For more information please visit their web site at http://www.aavar.org/ .

W95.MTX and W32.FunLove.4099 have both been moved up to a threat level 4 due to an increase in the number of 'in the wild' reports over the last month.

David Banes,
Editor, sarc@symantec.com

Worms in the News

Small [2]
Win32

JS/VBS.LostSoul.Worm is a worm that spreads via email. When executed, it displays a text file containing
the Wobbler Hoax. The attachment in the email message is named Wobbler.txt.jse or Wobbler.txt.vbe. When opened,
these attachments create and execute a temporary file containing malicious code.
The worm also spreads via networks by copying itself to the root directories of shared drives. The worm originated
in Argentina. As of September 8th, SARC has had no reports of this virus being in the wild.
To remove the worm, delete all JS/VBS.LostSoul.Worm emails and files.
http://www.sarc.com/avcenter/venc/data/vbs.lostsoul.worm.html
by: Neal Hindocha
SARC, EMEA

VBS.Funny.A
Small [2]
Win32

VBS.Funny.A is a worm that spreads via Microsoft Outlook. When executed, the worm opens the
URL www.makeyoulaugh.com in your default Internet browser. The worm then checks for the existence of a registry
key used by the United Bank of Switzerland's PIN software. If the key exists, the worm creates an executable file.
This file is a Trojan horse. It logs cached passwords and keyboard input. The Trojan horse is detected as PWSteal.Trojan.
Delete all files detected as VBS.Funny.A.
http://www.sarc.com/avcenter/venc/data/vbs.funny.a.html
by: Neal Hindocha
SARC, EMEA

Viruses in the News

Minimal [1]
PalmOS

Palm.Phage.Dropper is the first virus discovered on the Palm OS based handheld platform. It was discovered on Sept 22, 2000. Symantec AntiVirus Research Center does not have any confirmed reports of users being affected by this virus, and it is considered a very low threat.
This Palm OS virus overwrites all installed applications on a Palm OS handheld device. Norton AntiVirus can detect this program on a desktop computer before the malicious application is hot synched to the Palm OS based handheld. If Norton AntiVirus is not set to scan all files, add the .prc extension to the list of program files to scan.
Delete the .prc file that Norton AntiVirus detects as Palm.Phage.Dropper from the Palm Desktop backup folder. If Palm.Phage.Dropper is detected on your desktop, you should hard reset your Palm OS device and perform a hot sync.
Symantec AntiVirus for Palm OS® Beta Version Now Available
http://www.sarc.com/avcenter/venc/data/palm.phage.dropper.html
by: Motoaki Yamamura
SARC, USA

W2K.Stream
Minimal [1]
W2K

The W2K.Stream virus was discovered in early September 2000. The virus was created by Benny and Ratter of the 29A virus group. It is a proof-of-concept virus that utilizes NTFS streams and has received much attention. It is a new subclass of the traditional companion virus and is now being referred to as the "Stream Companion" virus.
The W2K.Stream virus will only infect files on Windows 2000 using NTFS, and only files in the same directory. The infected files will become 3,628 bytes long regardless of the original file size, because the original host file is replaced by the virus and stored in a different stream.
http://www.sarc.com/avcenter/venc/data/w2k.stream.html
by: Peter Szor
SARC, USA
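
A defensive check based on the W2K.Stream description above, added here as an example (it is not Symantec's code): it lists files in one directory that carry an additional NTFS data stream and marks those whose main stream is exactly 3,628 bytes. The function name, its parameters and the sample path are hypothetical; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example (not Symantec's code). Assumes PowerShell 3.0+ on NTFS.
# Find-StreamCompanionCandidate and its parameters are hypothetical names.
function Find-StreamCompanionCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,                 # directory to inspect (not recursive)
        [int] $SuspectLength = 3628     # infected-file size quoted in the write-up
    )

    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every data stream; ':$DATA' is the unnamed default.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
            $extra = @($streams | Where-Object { $_.Stream -ne ':$DATA' })

            # Extra streams alone are common and benign (for example the
            # Zone.Identifier stream on downloaded files), so the size match
            # is reported separately as the narrowing signal.
            if ($extra.Count -gt 0) {
                [pscustomobject]@{
                    File            = $file.FullName
                    MainStreamBytes = $file.Length
                    ExtraStreams    = ($extra | ForEach-Object {
                                          '{0} ({1} bytes)' -f $_.Stream, $_.Length
                                      }) -join '; '
                    SizeMatches     = ($file.Length -eq $SuspectLength)
                }
            }
        }
}

# Constructed usage: C:\Samples is a placeholder directory.
# Find-StreamCompanionCandidate -Path 'C:\Samples' | Where-Object { $_.SizeMatches }
```

A file that reports SizeMatches as true is only a candidate for scanning; the stream listing shows where the larger original content would be sitting if the file had been replaced as described.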

Trojans in the News

Minimal [1]
PalmOS

Palm.Vapor is the second Trojan horse program on the Palm OS based handheld platform. It was discovered on Sept 22, 2000. Symantec AntiVirus Research Center does not have any confirmed reports of users being affected by this Trojan horse, and it is considered a very low threat.
This Palm OS Trojan marks all installed Palm OS applications as hidden applications. Norton AntiVirus can detect this program on a desktop computer before the malicious application is hot synched to the Palm OS based handheld. If Norton AntiVirus is not set to scan all files, add the .prc extension to the list of program files to scan.
A hard reset and hot sync will restore the hidden icons. The .prc file that NAV detects as Palm.Vapor needs to be deleted.
Symantec AntiVirus for Palm OS® Beta Version Now Available
http://www.sarc.com/avcenter/venc/data/palm.vapor.html
by: Motoaki Yamamura
SARC, USA

Malicious Threats to Personal Digital Assistants

PDAs are more than just an address book. Combined with technologies such as Bluetooth and WAP (wireless application protocol), the functionality of the PDA is moving towards a desktop computer combined with a cellular phone.
As corporations begin to adopt PDAs as a standard computing device within their digital infrastructure, and applications become more robust and meaningful with the standardisation of wireless computing, threats from malicious code become more serious.
The linked article explores the malicious code threats on the three major PDA platforms (PalmOS, EPOC32, and Windows CE/PocketPC). It covers the hardware and software configurations and system architecture of each type of PDA. The connection mechanisms that malicious code is likely to use to install itself are discussed, as well as the types of solutions that will be required to adequately protect against and recover from virus or worm infections.
http://www.symantec.com/avcenter/reference/malicious.threats.to.pdas.html
Eric Chien
SARC, EMEA

SARC Glossary for definitions of viruses, Trojans and worms and more.

Contacts

Correspondence by email to: sarc.avnews@symantec.com, no unsubscribe or support emails please.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

This is a Symantec Corporation publication; use requires permission in advance from the Editor. All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.