AntiVirus Research Center

"The Sun Never Sets on SARC"


SARC Home Page

September 2000 Newsletter


These are the most reported Viruses, Trojans and Worms to SARC's offices during the last month.

Top Global Threats

Asia Pacific





New Virus Hoaxes reported to Symantec

Lotus Notes Worm

Top 20
Global Threats

by SecurityPortal

(alias W32.Ska)
(alias Troj.Qaz.A)
(alias Troj.SubSeven)
(alias Troj.Pokey.A)


  Welcome to the September edition of the Symantec AntiVirus Research Center Newsletter. This issue includes a couple of new features as well as updating you on the new threats.

New threats covered in this months newsletter are:
W95.MTX, this is a worm/virus hybrid which we are seeing an increase in the number of submissions and have just raised the threat level from 2 to 3. An interesting new Excel virus called X97M.Jini.A and of course something on the low risk Palm.Liberty.A Trojan is also included.

Steve Trilling, Symantec's Director of Advanced Concepts has written a great article on
clean pipe solutions. We carry a short introduction here with the full article on the web site.

We are pleased to announce that we will be carrying a
Top 20 Threats list from Security Portal on a monthly basis featured in the sidebar. This is a consolidated list from many different sources of information such as independent security companies, government agencies and large corporations.

This month sees a major overhaul in the way we manage the distribution of the newsletter to accommodate a move to publishing in languages other than English. We are now offering a choice of languages along with the ability to choose between receiving either text or html versions of the newsletter when you subscribe.

If you would like to receive the newsletter in any of these languages I suggest you use the form below or go to the
subscriptions page unsubscribe from the English list, then re-subscribe in the language and format (text or html) of your choice. The html version of the newsletter will continue to be sent out in a multipart format, that is html and text combined

David Banes,





How to un-subscribe and then re-subscribe to the new SARC Newsletters




1 - Unsubscribe to this version of the newsletter by entering your email address below and clicking on the submit button, this will load your web browser to send the request.

First name:
Last name:
Email address:

2 - Fill in your name and email address below, select your preferred language from the drop down box, either text or html format for the newsletter and click on the submit button.

Language version:
First name:
Last name:
Email address:
Version: Text Only   HTML

3 - Reply to the confirmation email you get in your email program inbox as directed to confirm the new subscription.

Worms in the News

Moderate [3]


        W95.MTX has a virus component and a worm component. It infects some Win32 executables in specific directories.

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email (using the same program).

The virus component searches for specific anti-virus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a down loader program that goes to a specific Web site ([MATRIX]) where plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8K in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the down loader run automatically every time the system is started. The downloaded is invisible in the Task List.

by: Cary Ng
 Viruses in the News

Small [2]


        X97M.Jini.A infects Excel spreadsheets. The corrupted versions of X97M.Jini.A contain no p-code or source code, but they can replicate.

When an infected Excel spreadsheet is opened, the worm creates a file called Shn.xls in the Excel startup directory (usually called XLSTART). Whenever Excel starts after this, Shn.xls loads and control is passed to the worm.

The worm infects workbooks as they are opened by copying the sheets to itself, then overwriting the original file.

The payload activates 30 days after the initial infection and displays a message on the screen.

Norton AntiVirus detects this worm under the name X97M.Ninja.A1. The name will soon be changed to W97M.Jini.
by: Peter Ferrie
SARC, Asia Pacific
and Motoaki Yamamura
 Trojans in the News

Minimal [1]


          Palm.Liberty.A is the first Trojan horse program on the PalmOS-based handheld platform. It was discovered late Aug 2000. As of Aug 31, 2000, Symantec AntiVirus Research Center does not have any confirmed reports of users being affected by this Trojan horse.

This program was released as a patch for a PalmOS-based application called Liberty, but it is actually a malicious program that deletes applications.

Norton AntiVirus can detect this program on a desktop computer before the malicious application is hot synch'd to the PalmOS-based handheld and we have also just announced the availability of a native
PalmOS version of the product. If Norton AntiVirus is not set to scan all files, add the .prc extension to the list of program files to scan.
by: Motoaki Yamamura
Understanding Clean Pipe Solutions

As the Internet becomes more ubiquitous, we are seeing a greater threat from malicious programs spreading very quickly to computers around the globe. The outbreaks of LoveLetter and its variants are the most recent examples. Increasingly, Internet companies are seeing the need to provide improved security as part of their service in order to protect all of their users from any potential attack.

A clean pipe is a communications pipeline that has been sanitized of both malicious code and undesirable content. With clean pipe solutions, the Internet company (such as an ISP), rather than the customer, deals with all the issues of signature updates, scanning, and cleaning, resulting in a steady flow of clean information to the user. By the time content reaches its destination (e.g. an end-user's computer or an entire corporate network) it has been "cleansed".
Two primary types of cleansing are discussed in the full article linked to below:

  • Cleansing of all malicious programs(viruses, worms, Trojan Horses etc.).
  • Filtering of inappropriate Web content.

Today, most Internet customers still use a traditional computer as their access device. However, in the future, we will see both consumers and businesses moving to much more portable access devices such as PDAs, phones and pagers. It is entirely possible that we will also see completely new types of malicious computer threats, able to spread through wireless means very quickly over the Internet. Because the Internet is a relatively open, very connected system, all users and providers share responsibility for protecting it. Clean pipe solutions deployed throughout the infrastructure of the Internet will go a long way towards making this environment safer for all users.

For the full article go here;

By Stephen Trilling
Director of Advanced Concepts
Symantec Corporation


SARC Glossary for definitions of viruses, Trojans and worms and more.

        Correspondence by email to:, no unsubscribe or support emails please.
Send virus samples to:
Newsletter Archive:



This is a Symantec Corporation publication, use of requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.


Copyright © 1996-2000 Symantec Corporation. All rights reserved.