SARC Home Page

The SARC AntiVirus News Update

"The sun never sets on SARC"

Volume 4 Issue 2.1 October 1999


The following is a list of the top reported viruses, trojans and worms to SARC's regional offices during the last month.

Asia Pacific





SubSeven Server



    Please note there has just been an outbreak of a new variant of Melissa called: W97M.Melissa.U(Gen1). SARC was the first anti-virus research centre to develop a definition for the virus which is now available for Norton AntiVIrus customers via LiveUpdate. SARC views this new variant as a serious threat to our customers and we recommend everyone updates their definitions as quickly as possible. More information is available at:

SARC has also recently received a sample of a new virus called W32.Oporto.3078 reported from Australia and Germany. Again, a definition is available via LiveUpdate. The trigger date for W32.Oporto.3078 is 24th September, so the virus poses no immediate threat. Another new trojan has just been reported in Japan called
SubSeven 2.0 Server, this trojan is distributed via email and is not a threat unless the attachment is opened.

I have just returned from the anti-virus industry's annual conference, VB'99, held in Vancover, Canada. Over 320 people from the anti-virus community, industry press and customers gathered to speak about hot issues relating to computer viruses. This year, predictably, saw a great deal of interest in Y2K virus related issues, Windows viruses and the reporting of viruses to the public. Resulting from enormous interest in Year 2000 threats SARC has developed a Year 2000 Awareness Center on the SARC website for all the information you'll need to protect your computer environment from Y2K virus threats. This resource can be located at: (no longer available)

AVAR (Association of AntiVirus Asia Researchers will hold it's annual conference at the end of October in Korea. This is a relatively new group set-up to share information to minimise the effects of computer viruses for enterprises and individual computer users across the Asia pacific region. I look forward to giving an update on this conference in the next issue of SARC!

David Banes,

 STOP PRESS - W97M.Melissa.U(Gen1)

Viruses in the News



        W32.Bolzano is a new virus that replicates under Windows 95 and Windows NT infecting Portable Executable applications with EXE or SCR extensions. Win32.Bolzano does not infect if the size of the host program is less than 16K. We had received 17 different variants of the virus by Sept 16. Bolzano is currently the biggest W32 virus family.

Bolzano was reported "in the wild" in France. It is a simple, direct action appending virus. It adds its code to the end of the last file section and modifies the entry-point of the program to point to the virus body (A, B and C variants). The D variant does not modify the entry point of PE files; instead, it searches for 12 possible CALL instructions inside the code section of the host and hooks the randomly selected CALLs to the entry point of the virus. The virus creates a thread in the infected process for itself and replicates in the background while it executes the host program (main thread). Therefore the user will not easily notice any delays. Several variants of Bolzano use inserting/polymorphic technique (infection without entry-point modification) and also polymorphic at the same time. This makes the detection of the virus more complicated.

Several variants of the Bolzano virus attack the Windows NT file security system. It uses a new strategy that may be used by NT viruses in the future. This attack will work on any version of Windows NT (Version 3.50 up to 4.0) with each all the service packs. The attack does not work on any Betas of Windows 2000, but it remains feasible.

The full write-up is posted on our web site at the following address;

by: Peter Szor
Trojans and Worms in the News



          VBS.Freelink is a virus discovered in July 1999, the Symantec AntiVirus Research Center has recently been receiving an increase in VBS.Freelink virus reports from our customers. To protect yourself from this virus, all Norton AntiVirus customers should ensure their virus definitions are up to date by using the LiveUpdate feature. In order to detect the VBS.Freelink virus, it is necessary to scan files with the VBS filename extension. It is recommended to use the options in NAV to scan "All files" rather than using the "Program Files" option. Please note that this may cause performance issues depending on the software, hardware and configurations you are using. Newer versions of Norton AntiVirus are shipped with scan "All files" as default configurations. If you choose only to scan "Program Files", please make sure that the configurations in Norton AntiVirus includes the "VBS" file extension as well as the following file extensions in the "Scanner" and "AutoProtect" options.
by: Abid Hussain Oonwala

DonaldD.Trojan is similar to the BackOrifice.Trojan. In a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. It consists of two pieces: a server and a client application. Both applications are capable of running under Windows 95, 98, and NT 4.0. The client application, running on one machine, may be used to monitor and control a second machine running the server application.

The port number through which the client controls the server is configurable. However, it does not matter whether the TCP or SPX protocol is implemented. as long as the port is blocked by a firewall, this trojan horse will not be able to infiltrate the server. There have not been any reports of this program being able to break through a firewall.

by: Cary Ng
New Virus Hoaxes




There have been some more virus hoaxes doing the rounds during the last month, as always, please ignore any messages regarding these supposed "viruses" and do not pass on any messages about them. Passing on messages about these hoaxes only serves to further propagate them.

Lump of Coal Virus Hoax
Windows will Fail on Jan 1 Hoax

Our complete list of hoaxes is kept at our web site here;

Striker32 - New Technology in Norton AntiVirus


Symantec has announced Striker32, the most advanced virus detection and repair technology engineered to combat the growing threat of complex 32-bit Windows-based viruses. Striker32 is included in all Norton AntiVirus products, the press release is
here, for a more in depth explanation Carey Nachenburg, SARC's Chief Researcher gives us the following in depth decription.

Customers can obtain this new engine by simply updating their virus definitions using the standard update process (LiveUpdate or the Intelligent Updater). The new Striker32 engine is available for all Norton AntiVirus products on all platforms, in real-time and on-demand.

The Striker32 engine is significant because it allows SARC engineers to produce detections and repairs for both simple and complex Windows viruses and worms, orders of magnitude faster than in the past. The new engine is also more efficient than NAV's previous Windows engine, improving system performance and reducing the scanner's overhead.

Striker32 uses a "sandbox-based" approach to detect complex (e.g. polymorphic) Windows viruses. This means that Striker32 has the ability to emulate Windows programs in a virtual environment or "sandbox." As a potential virus is emulated within the simulated environment, it can do no harm to the actual system, yet the virus thinks its running on an actual 32-bit Windows, Pentium-based PC. During this emulation, Windows viruses expose themselves as they try to spread, and consequently reveal their internal logic. Striker32 can then scrutinise this internal logic using standard virus signature or more complex heuristics (in future versions of Striker32) to detect the viral infection. Since emulation can be a time consuming process, Striker32 is engineered to perform extensive filtering of files before considering any file for emulation and this limits the scanner's overhead in the vast majority of cases.

In addition to dramatically improving detection, Striker32 also provides SARC engineers with a robust, programmable repair system. This system enables SARC engineers to produce repairs for even the most complex Windows viruses in minutes. These detection and repair capabilities reduce SARC's response time for the large number of new Windows viruses.

by Carey Nachenberg



          WNT.Infis.4608. Until now, Remote Explorer was the only Windows NT specific virus. Remote Explorer was developed as a native Windows NT service running in User mode. Infis is the first native Windows NT virus that has a Kernel mode driver component. The Infis virus is capable of infecting files on the fly from Kernel mode, but has to be executed by an Administrator equivalent user. Without such a right the virus is unable to replicate, because it does not have a User mode replication component.

Infis is a 32bit PE infector. When an infected PE file is executed the virus creates the HKLM\SYSTEM\CurrentControlSet\Services\inf entry in the registry and creates INF.SYS in the \WINNT\SYSTEM32\DRIVERS directory. The INF.SYS file is a native Windows NT driver and its size is 4608 bytes.

When the system is rebooted the virus driver (INF.SYS) will be loaded automatically. The virus hooks file open commands by using a non standard (and fortunately not 100% fool proof way). This way the virus will be able to replicate to accessed PE files "on the fly". The virus replicates to Portable Executable applications that run in user mode and have an EXE extension. The virus does not infect CMD.EXE and unable to infect a file which has a read-only attribute. The virus fails to infect some applications properly and not all infected files will work after the infection. This makes the virus very easy to be notice on a system.

The virus code is optimized and extremely short code. Fortunately Infis only works under Windows NT SP2 and above, it does not replicate under Windows NT 3.5x or Windows 2000. The virus driver can be stopped by using the Device Manager to stop the automatically executed driver. This way infected/corrupted files can be deleted and replaced from clean backups

by: Peter Szor
          Address all correspondence by email to: Please send virus samples to, not the newsletter address.

SARC AntiVirus News Update is published periodically by Symantec
Corporation. Copyright © 1996-1999 Symantec Corporation. All rights
reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC
WWW site at:
To Subscribe and Unsubscribe
          To be added to the subscription mailing list, please fill out the form available on the SARC website at:

To be removed from the list please use the form at this url:

Requests to subscribe or unsubscribe that are sent to the newsletter email address may not be actioned due to the volume of responses that we now receive.

SARC AntiVirus News Update is published periodically by Symantec Corporation. Copyright © 1996-1999 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.


SARC Glossary, what's the difference between a virus and a worm?

          All information contained in this newsletter is accurate and valid as of the date of issue.  

SARC Virus Hotline