Volume 1, Issue 1 - September 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed
to providing swift, global responses to computer virus
threats, proactively researching and developing
technologies that eliminate such threats and educating the
public on safe computing practices.
Current AntiVirus Products
The following is a list of the currently shipping Symantec
AntiVirus products and their most recent revision numbers.
- NAV 3.0 (DOS/Windows 3.1), revision 3.09
- NAV 95 (Windows 95), revision 95.0a
- NAV Scanner (Windows NT), revision NT.0a
- NAV NetWare (Novell), revision 2.02
- NAV Internet (Netscape), revision 1.0
- SAM (Macintosh/Power Macintosh), revision 4.0.8
Users can obtain the latest updates through several means.
They are available for free download from any of the
Symantec supported online services, including CompuServe,
Microsoft Network, America Online, and the Symantec World
Wide Web site, FTP or BBS. If you do not have electronic
access, you can contact our Customer Service at (800)
441-7234 and order a disk set for $12 (to cover shipping
and handling only).
NAV News
First Excel Macro Virus Discovered, Detected and Repaired
On August 8, 1996 SARC proudly announced the first
complete solution for the XM.Laroux Excel macro virus.
Well, it finally happened. Someone created the first macro
virus that works under MS Excel. It is officially called
XM.Laroux (alias ExcelMacro/Laroux). SARC first received a
sample late Thursday, July 25, and a public detection was
posted to all of our supported online services the next day, July 26.
The first complete solution was posted to the SARC Web
site the evening of August 8. Any NAV user could download a
free Norton AntiVirus definition set (08NAV96B.EXE) that
granted detection and repair for this latest virus threat.
The repair is seamlessly integrated into the existing
Norton AntiVirus product line.
Repair is implemented across all of the popular PC
platforms, including DOS, Windows 3.1, Windows 95, and
Windows NT. This detection and repair also applies to the
real-time protection afforded by our NAVEX-enabled
Auto-Protect background monitoring systems. Please note
that this detection and repair is included in all
subsequent virus definition set releases (since August 8,
1996).
Complete technical and download information can be found
at the SARC web site:
http://www.symantec.com/avcenter/data/xmlaroux.html
For NAV (all versions and platforms) to detect and repair
the XM.Laroux virus, users must add ".XL?" to the
program files extension list. Without this addition, NAV
will ignore all Excel spreadsheets and not report
infections. Detailed instructions on making the additions
to the program files extension list are available in the
user's guides. See the chapters regarding customizing
Norton AntiVirus options.
This addition need only be done once. All future revisions
of the Norton AntiVirus product line will have .XL? as part
of the default program file set.
Norton AntiVirus for Windows 95 and NetWare Win Top Honors
Norton AntiVirus for Windows 95 and Norton AntiVirus for
NetWare have been awarded the coveted Editor's Choice award
from PC Magazine. In the May 1996 issue, Norton AntiVirus
for Windows 95 was the product of choice among Windows 95
anti-virus products, while Norton AntiVirus for NetWare won
top honors among network anti-virus solutions. The Symantec
products were the only anti-virus products to receive the
seal of approval.
"I could not be more pleased, because, in my opinion,
PC Magazine remains the Cadillac offering and the
definitive source of technical information. Users are now
assured that they made the right decision when they
purchased Norton AntiVirus," said Mary Engstrom,
general manager of the Symantec AntiVirus Business Unit.
In The Wild
Within each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild").
Hare
Aliases: Euthanasia, HDEuthanasia, Krsna
Infection Length: 7610 bytes
Area of Infection: .COM and .EXE files, master boot record and floppy boot
sectors
Likelihood: Common
Region Reported: United States, Canada, United Kingdom, Switzerland, South
Africa, Russia, New Zealand
Keys: Wild, Multi-partite, Polymorphic, Encrypting, Trigger,
Stealth
Technical Notes:
The Hare.7610 virus was first detected in general
distribution in New Zealand in early July 1996. Within two
weeks, it was also reported in Canada and South Africa.
Thereafter, it quickly spread to various countries in
Europe and the United States.
Hare.7610 is a polymorphic, multipartite virus that
infects .COM and .EXE files as well as master boot records
on hard drives and boot sectors of floppy disks. Upon
execution, the virus infects the master boot record and goes
resident, infecting any .COM or .EXE file that is executed.
Hare's polymorphic engine is capable of generating a very
large set of instructions, but it is a slow polymorphic: it
does not generate a different decryptor from infection to
infection. Rather, it generates one set of instructions upon
initial infection of the system and reuses it. Whether this
is a bug on the part of the virus writer is unknown. When an
infected file is executed, the virus looks at a certain
sector of the hard disk for its "footprint." If it finds
the value 0xCCDD at the beginning of this sector, it does
not generate a new set of data for its polymorphic engine.
Hare also encrypts the master boot record and boot sector
with the polymorphic engine (although it uses a much
smaller set of instructions than with the file infections).
To tell whether the master boot record is already infected,
Hare looks for another "footprint" that it leaves: it
subtracts the word at offset 0x100 in the master boot
record from the word at offset 0x102. If the result is
0xCCFF, it assumes the master boot record is already
infected and does not re-infect.
The virus triggers on August 22nd and September 22nd. On
either of those days, if the virus is active, it displays
the following message:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
It then overwrites all the hard disks on the system,
destroying all the data.
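The two static markers described above (the 0xCCDD footprint at the start of the virus's data sector, and the 0xCCFF difference between the words at MBR offsets 0x100 and 0x102) are the only parts of an otherwise polymorphic infection that a scanner can key on. The following script, added here as an example and not SARC's or Norton AntiVirus's own detection code, applies both checks to a raw disk image. It assumes "word" means a 16-bit little-endian x86 word, that the difference is taken as word[0x102] minus word[0x100] modulo 2^16, and, because the newsletter does not name the data sector, it looks for the 0xCCDD footprint in every sector; the sample image is constructed inline.

```python
"""Flag the static markers the newsletter attributes to Hare.7610 in a raw
disk image. Added example, not SARC code. Assumptions: 16-bit little-endian
words, and the MBR difference is word[0x102] - word[0x100] (mod 2**16)."""
import struct

SECTOR_SIZE = 512
HARE_MBR_DELTA = 0xCCFF    # word[0x102] - word[0x100] on an infected MBR
HARE_SECTOR_MARK = 0xCCDD  # footprint at the start of Hare's data sector
BOOT_SIGNATURE = b"\x55\xAA"


def word_at(sector: bytes, offset: int) -> int:
    """Return the 16-bit little-endian word (x86 'word') at offset."""
    return struct.unpack_from("<H", sector, offset)[0]


def hare_mbr_marker(sector: bytes) -> bool:
    """True if the MBR carries the re-infection check value Hare looks for.

    A clean MBR matches this by chance with probability 1/65536, so a hit
    is a lead to confirm, not a verdict on its own.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    delta = (word_at(sector, 0x102) - word_at(sector, 0x100)) & 0xFFFF
    return delta == HARE_MBR_DELTA


def hare_data_sector_marker(sector: bytes) -> bool:
    """True if the sector starts with the 0xCCDD footprint. The newsletter
    does not say which sector Hare uses, so scan_image checks all of them."""
    return word_at(sector, 0) == HARE_SECTOR_MARK


def scan_image(image: bytes) -> dict:
    """Scan a raw image sector by sector and report the markers found."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image length is not a multiple of 512")
    mbr = image[:SECTOR_SIZE]
    hits = [lba for lba in range(len(image) // SECTOR_SIZE)
            if hare_data_sector_marker(
                image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE])]
    return {
        "mbr_marker": hare_mbr_marker(mbr),
        "mbr_boot_signature": mbr[510:] == BOOT_SIGNATURE,  # 0x55AA present
        "data_sectors": hits,
    }


def _make_mbr(w100: int, w102: int) -> bytes:
    """Constructed sample: a blank 512-byte MBR carrying the two test words."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<HH", sector, 0x100, w100, w102)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_MBR = _make_mbr(0x0000, 0x0000)
# 0xCD00 - 0x0001 == 0xCCFF: the arithmetic the virus itself performs
MARKED_MBR = _make_mbr(0x0001, 0xCD00)
# 0x0100 - 0x3401 wraps to 0xCCFF in 16 bits: the check must be taken mod 2**16
WRAPPED_MBR = _make_mbr(0x3401, 0x0100)

# Constructed 3-sector image: marked MBR, a blank sector, a 0xCCDD-marked sector
SAMPLE_IMAGE = (MARKED_MBR + bytes(SECTOR_SIZE)
                + struct.pack("<H", HARE_SECTOR_MARK).ljust(SECTOR_SIZE, b"\0"))

if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

Take the image from a clean boot (a write-protected, known-clean system floppy), not from the running system: Hare is a stealth virus, and sector reads made through an infected resident copy can return the original, unencrypted sectors.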
XM.Laroux
Aliases: ExcelMacro/Laroux, Excel.Laroux, Laroux
Infection Length: 2 macros
Area of Infection: Excel Spreadsheets
Likelihood: Rare
Region Reported: Africa, United States (Alaska)
Keys: Wild, Macro
Technical Notes:
First discovered in July 1996 in Africa and Alaska,
XM.Laroux is the first working Excel Macro Virus to be
found in general circulation. The actual virus code
consists of two macros called "Auto_Open" and
"Check_Files," which are stored in a hidden
datasheet named "laroux."
In infected spreadsheet files (Excel workbooks), the
"laroux" datasheet is not readily visible; it is
hidden. When an infected spreadsheet is first opened on a
system, the Auto_Open macro is run automatically by Excel,
which in turn runs the Check_Files macro. This process
repeats each time a worksheet is activated.
The Check_Files macro then copies the worksheet with the
virus code into a spreadsheet file stored in the Excel
startup directory named "Personal.xls" (by
default, this directory is \MSOffice\Excel\XLStart).
Personal.xls is the global macro spreadsheet: Macros stored
here are automatically available to all other Excel
spreadsheets on the system. Copying these macros to
Personal.xls enables the infection of all other
spreadsheets opened or created on the infected system in
the future.
XM.Laroux contains no deliberately destructive payloads;
it exists only to replicate. Please also note that it only
activates on Microsoft Windows operating systems using
Excel version 5 and 7. It does NOT function in the
Macintosh environment.
Written in English.
Users can access the complete Joe Wells' Wild List on the
SARC Web site at:
http://www.symantec.com/avcenter/wild/wl.html
SARC is Information Central
SARC on the Web
SARC has the best resource for virus information on the
World Wide Web. You can read about the latest virus
outbreaks from around the world or your neighborhood, the
Top 10 viruses worldwide, download the latest in virus
protection, brush up on the latest technical information,
download the latest virus definition updates, and much
more! Stop by and check us out:
http://www.symantec.com/avcenter
Internet Discussion Groups
Announcing the Norton AntiVirus Discussion Group! These
discussion groups provide a forum for you to ask questions
about Norton AntiVirus and specific computer viruses. The
support forums are in Usenet newsgroup (Internet news)
format. These support newsgroups are electronic bulletin
boards where you can post a message and then return later
to read the answer.
You can find the discussion group off the Symantec Web
site at:
http://www.symantec.com/techsupp/news
Or from the "Contacting Symantec" link on the
SARC Web site (listed above).
A Web browser that supports newsgroup reading is required
(for example, Netscape Navigator or Microsoft Internet
Explorer).
Electronic Support
Symantec currently offers electronic (message board)
support for Symantec products on CompuServe, America
Online, the Microsoft Network and the Symantec BBS. We
provide technical support using direct mail for the
Symantec Macintosh development tool products (programming
resources) only. Please do not post technical inquiries for
other Symantec products to the Macintosh development tools
e-mail address. Online support is available in our public
message areas on:
Online Service            Access
CompuServe                go SYMANTEC
America Online            keyword SYMANTEC
The Microsoft Network     go to SYMANTEC (Windows 95 products only)
Symantec BBS (28.8 kbps)  (541) 484-6669
New or Unknown Virus Submission Procedures
If you suspect your system has been infected by an
unknown virus, complete the requested information
on the form below. Then follow the procedure to
create a "virus sample" floppy disk. Send
the form and the disk to the Symantec address at
the end of this newsletter. The engineers at SARC
will analyze your disk and inform you of the
results. This is a free service provided to Norton
AntiVirus customers as part of Symantec's
commitment to virus-free computing.
Virus Submission Form
Do not write "Contains Live Virus"
on the envelope or disk mailer (this upsets the
post office). All disks become property of
Symantec and will be destroyed.
Please provide the following information:
Working environments:
___DOS, version:
___Windows 3.x
___Windows 95
Potential virus observed in which environments:
___DOS version:
___Windows 3.x
___Windows 95
Have you loaded the most recent virus
definitions?
___Yes, date of VIRSCAN.DAT file:
___No, date of VIRSCAN.DAT file:
Has any other scanner identified a virus?
___Yes, name and version of scanner:
Virus reported:
___No
Your name:
Company name:
Address:
City, State and Zip/Postal Code:
Country:
Daytime phone number:
Creating a Virus Sample Floppy Disk
If Norton AntiVirus reports that a file may be
infected with an unknown virus, or that its
inoculation data has changed (for no legitimate
reason), you may be infected with an unknown
virus.
For inoculation changes:
- Did you install a new version of the
application?
- Does the program modify its executable files
with configuration?
- Is it possible that the file was upgraded
automatically on a network?
For unknown virus alerts:
- Have you updated your virus definitions file
to the most recent version? See
"Updating virus definitions" in
your Norton AntiVirus User's Guide for
directions to receive the most recent virus
definitions file. Then scan again.
If you still think you have an unknown virus
infection, use the following procedure to create
a "virus sample" floppy disk. The
engineers at SARC will analyze your disk and
inform you of the results. This is a free service
provided to Norton AntiVirus users.
These instructions work for both standard DOS
and Windows 95 operating systems. These
procedures should be performed by a technician
(if available) on the infected computer.
To create a virus sample floppy disk:
1 Start the potentially infected system from its
own hard drive.
- For MS-DOS, you must be at a DOS prompt.
- For Windows 3.x, exit Windows completely to
DOS.
- For Windows 95, start the computer in MS-DOS
SAFE mode.
2 Format a diskette with the potentially infected
operating system.
From the DOS prompt, type FORMAT A: /S
and press Enter.
NOTE: All media submitted to the AntiVirus Research
Center becomes property of Symantec. All infected
media received will be held in a secure area. All
submissions will be kept on record for one year.
3 Copy standard executables to the diskette.
For MS-DOS operating systems, copy the following
files to the diskette from the \DOS directory:
MEM.EXE
MODE.COM
PRINT.COM
TREE.COM
For Windows 95 operating systems, copy the
following files to the diskette from the
\WINDOWS\COMMAND folder.
MODE.COM
MEM.EXE
KEYB.COM
XCOPY.EXE
From the \WINDOWS directory:
WIN.COM
4 Type A: and press Enter.
You are logged to the A drive.
5 Type PATH; and press Enter (don't forget the
semicolon).
This will temporarily disable your path
statement.
6 Run the programs (ignore any screen messages).
The engineers will be able to determine if they
become infected.
For example, type:
MEM and press Enter
MODE and press Enter
7 Copy any files whose inoculation data has
changed without legitimate reason to the diskette
(as related by NAV).
8 Copy any other programs that you suspect are
infected to the diskette.
9 Label the diskette with your name, address,
telephone number and today's date. Write
"Potential Virus" on the diskette
label.
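Step 6 of the procedure works because the "goat" programs copied in step 3 are known-clean files: if a file infector is resident, running them gives it a chance to attach itself, and the change shows up as a different hash and, usually, a size increase equal to the infection length. The script below, added as an example of that comparison and not SARC's own tooling, snapshots a directory of goat files before and after they are run and reports what changed, mapping the size delta against the one infection length this page gives (7610 bytes for Hare.7610). The goat-file contents and the simulated infection are constructed for the demo.

```python
"""Goat-file comparison behind step 6 of the sample procedure. Added
example, not SARC's tooling. Directory layout, file contents and the
simulated infection below are constructed for the demo."""
import hashlib
import os
import tempfile

# Infection lengths named on this page. A matching size delta is a hint,
# not proof: other viruses and padding produce other deltas, and some
# infectors do not change the file size at all.
KNOWN_INFECTION_LENGTHS = {7610: "Hare.7610"}

# Tiny stand-in for a real .COM goat file: mov ax,4C00h / int 21h (exit)
GOAT_STUB = b"\xb8\x00\x4c\xcd\x21".ljust(1024, b"\0")


def snapshot(directory: str) -> dict:
    """Map file name -> (size, sha256 hex) for every regular file."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                data = f.read()
            result[name] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(before: dict, after: dict) -> list:
    """Return [(name, size_delta, suspected_virus_or_None)] for every goat
    file whose contents changed between the two snapshots."""
    changes = []
    for name, (size0, digest0) in before.items():
        if name not in after:
            changes.append((name, None, "missing after run"))
            continue
        size1, digest1 = after[name]
        if digest1 != digest0:
            delta = size1 - size0
            changes.append((name, delta, KNOWN_INFECTION_LENGTHS.get(delta)))
    return changes


def demo() -> list:
    """Constructed run: four goat files, one of which grows by 7610 bytes."""
    with tempfile.TemporaryDirectory() as goat_dir:
        for name in ("MEM.EXE", "MODE.COM", "PRINT.COM", "TREE.COM"):
            with open(os.path.join(goat_dir, name), "wb") as f:
                f.write(GOAT_STUB)
        before = snapshot(goat_dir)
        # In the real procedure this is where the goat programs are run on
        # the suspect machine (step 6). Here an appending file infector is
        # simulated by growing MODE.COM by Hare's infection length.
        with open(os.path.join(goat_dir, "MODE.COM"), "ab") as f:
            f.write(b"\x90" * 7610)
        after = snapshot(goat_dir)
        return compare(before, after)


if __name__ == "__main__":
    for name, delta, suspect in demo():
        print(f"{name}: size delta {delta}, suspect {suspect}")
```

Take the "before" snapshot from the clean copies (the original distribution media, or the files as copied to the floppy before step 6) and the "after" snapshot on a machine booted clean. Hare is a stealth virus: while it is resident, directory listings and file reads on the infected system can show the original size and contents, so a comparison run on that system can miss the infection.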
Send all submissions to:
Symantec Corporation
AntiVirus Research Center
2500 Broadway, Suite 200
Santa Monica, CA 90404 USA
Do not write "Contains Live Virus" on the
envelope or diskette mailer (this upsets the post
office and may prevent delivery).
Editor: Alex Haddox, Product Manager,
Symantec AntiVirus Research Center
Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA
SARC AntiVirus News Update is published monthly by Symantec
Corporation. No Reprint without Permission
in writing, in advance.
Information in this newsletter is compiled
from a number of sources, including the
Symantec BBS and the Symantec Home Page on
the Internet, as well as the major online
services - all of which are available and
updated daily.