© 1995-2000 Symantec Corporation
All rights reserved.
Volume 1, Issue 1 - September 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global responses to computer virus threats, proactively researching and developing technologies that eliminate such threats and educating the public on safe computing practices.



Current AntiVirus Products

The following is a list of the currently shipping Symantec AntiVirus products and their most recent revision numbers.
  • NAV 3.0 (DOS/Windows 3.1), revision 3.09
  • NAV 95 (Windows 95), revision 95.0a
  • NAV Scanner (Windows NT), revision NT.0a
  • NAV NetWare (Novell), revision 2.02
  • NAV Internet (Netscape), revision 1.0
  • SAM (Macintosh/Power Macintosh), revision 4.0.8

Users can obtain the latest updates through several means. They are available for free download from any of the Symantec supported online services, including CompuServe, Microsoft Network, America Online, and the Symantec World Wide Web site, FTP or BBS. If you do not have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).


NAV News

First Excel Macro Virus Discovered, Detected and Repaired

On August 8, 1996 SARC proudly announced the first complete solution for the XM.Laroux Excel macro virus.

Well, it finally happened. Someone created the first macro virus that works under MS Excel. It is officially called XM.Laroux (alias ExcelMacro/Laroux). SARC first received a sample late Thursday, July 25, and a public detection was posted to all of our supported online services the next day, July 26.

The first complete solution was posted to the SARC Web site the evening of August 8. Any NAV user could download a free Norton AntiVirus definition set (08NAV96B.EXE) that granted detection and repair for this latest virus threat. The repair is seamlessly integrated into the existing Norton AntiVirus product line.

Repair is implemented across all of the popular PC platforms, including DOS, Windows 3.1, Windows 95, and Windows NT. This detection and repair also applies to the real-time protection afforded by our NAVEX-enabled Auto-Protect background monitoring systems. Please note that this detection and repair is included in all subsequent virus definition set releases (since August 8, 1996).

Complete technical and download information can be found at the SARC web site:

http://www.symantec.com/avcenter/data/xmlaroux.html

For NAV (all versions and platforms) to detect and repair the XM.Laroux virus, users must add ".XL?" to the program files extension list. Without this addition, NAV will ignore all Excel spreadsheets and not report infections. Detailed instructions on making the additions to the program files extension list are available in the user's guides. See the chapters regarding customizing Norton AntiVirus options.

This addition need only be done once. All future revisions of the Norton AntiVirus product line will have .XL? as part of the default program file set.
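The extension-list behaviour described above (a scanner that only looks at files whose extension matches its "program files" list, so Excel workbooks are silently skipped until ".XL?" is added) can be illustrated with a small model. This is an added example, not Norton AntiVirus code: the default extension list, the sample file names and the DOS-style wildcard semantics (a "?" stands for exactly one character) are assumptions made for the illustration.

```python
# Added example: a model of a DOS-era scanner's "program files" extension list.
# The default list, sample paths and wildcard semantics are assumptions, not NAV's own.


def dos_pattern_match(pattern: str, text: str) -> bool:
    """Case-insensitive DOS-style match: '?' matches exactly one character,
    '*' matches any run of characters (assumed semantics for this example)."""
    p, t = pattern.upper(), text.upper()

    def rec(i: int, j: int) -> bool:
        if i == len(p):
            return j == len(t)
        if p[i] == "*":
            return any(rec(i + 1, k) for k in range(j, len(t) + 1))
        if j < len(t) and (p[i] == "?" or p[i] == t[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def extension_of(filename: str) -> str:
    """Return the extension including the dot (e.g. '.XLS'), or '' if none."""
    base = filename.rsplit("\\", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def should_scan(filename: str, program_extensions) -> bool:
    """A file is scanned only if its extension matches an entry in the list."""
    ext = extension_of(filename)
    return any(dos_pattern_match(pat, ext) for pat in program_extensions)


def scan_coverage(filenames, program_extensions) -> dict:
    """Map each file to whether the scanner would look at it at all."""
    return {f: should_scan(f, program_extensions) for f in filenames}


# Constructed sample data (hypothetical paths and a hypothetical default list).
BEFORE = [".EXE", ".COM"]            # assumed default list without Excel coverage
AFTER = BEFORE + [".XL?"]            # the addition the newsletter asks users to make
SAMPLE_FILES = [
    "C:\\DOS\\MEM.EXE",
    "C:\\MSOFFICE\\EXCEL\\XLSTART\\PERSONAL.XLS",
    "BUDGET.XLT",
    "README.TXT",
]

if __name__ == "__main__":
    for label, exts in (("before", BEFORE), ("after", AFTER)):
        print(label, scan_coverage(SAMPLE_FILES, exts))
```

The point a practitioner should take from the model is the coverage gap: without the wildcard entry the workbook that carries the macros (Personal.xls in the XLStart folder) is never opened by the scanner, so no detection can fire regardless of how good the signatures are. The single ".XL?" entry covers .XLS, .XLT, .XLA and .XLW alike.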

Norton AntiVirus for Windows 95 and NetWare Win Top Honors

Norton AntiVirus for Windows 95 and Norton AntiVirus for NetWare have been awarded the coveted Editor's Choice award from PC Magazine. In the May 1996 issue, Norton AntiVirus for Windows 95 was the product of choice among Windows 95 anti-virus products, while Norton AntiVirus for NetWare won top honors among network anti-virus solutions. The Symantec products were the only anti-virus products to receive the seal of approval.

"I could not be more pleased, because, in my opinion, PC Magazine remains the Cadillac offering and the definitive source of technical information. Users are now assured that they made the right decision when they purchased Norton AntiVirus," said Mary Engstrom, general manager of the Symantec AntiVirus Business Unit.


In The Wild

Within each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild").

Hare

Aliases: Euthanasia, HDEuthanasia, Krsna
Infection Length: 7610 bytes
Area of Infection: .COM and .EXE files, master boot record and floppy boot sectors
Likelihood: Common
Region Reported: United States, Canada, United Kingdom, Switzerland, South Africa, Russia, New Zealand
Keys: Wild, Multi-partite, Polymorphic, Encrypting, Trigger, Stealth

Technical Notes:

The Hare.7610 virus was first detected in general distribution in New Zealand in early July 1996. Within two weeks, it was also reported in Canada and South Africa. Thereafter, it quickly spread to various countries in Europe and the United States.

Hare.7610 is a polymorphic, multipartite virus that infects .COM and .EXE files as well as master boot records on hard drives and boot sectors of floppy disks. Upon execution, the virus infects the master boot record and goes resident, infecting any .COM or .EXE file that is executed.

Hare's polymorphism is uniquely capable of generating a very large set of instructions. It is a slow polymorphic virus: it does not generate a different decryptor from infection to infection. Rather, it generates a set of instructions upon initial infection of the system. Whether this is a bug on the part of the virus writer is unknown. When an infected file is executed, the virus looks at a certain sector of the hard disk for its "footprint." If it finds the value 0xCCDD at the beginning of this sector, it does not generate a new set of data for its polymorphic engine.

Hare also encrypts the master boot record and boot sector with the polymorphic engine (although it uses a much smaller set of instructions than with the file infections). For Hare to tell whether the master boot record is already infected, it looks for another "footprint" that it leaves: it subtracts the word at offset 0x100 in the master boot record from the word at offset 0x102. If the result is 0xCCFF, it assumes the master boot record is already infected and does not re-infect.
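The two "footprint" checks just described can be turned around and used defensively, as an indicator that an MBR or sector has been marked by Hare. The following is an added example written for this page, not SARC's or NAV's detection code. It assumes the words are read as x86 little-endian 16-bit values with 16-bit wrap-around on subtraction, and, because the page does not say which sector holds the 0xCCDD mark, it takes the sector bytes from the caller. All sample sectors are constructed, not real disk images.

```python
import struct

# Footprint values and offsets as given in the SARC write-up on Hare.7610.
HARE_MBR_DELTA = 0xCCFF      # expected (word at 0x102 - word at 0x100) in a marked MBR
HARE_SECTOR_MARK = 0xCCDD    # word at the start of the virus's "footprint" sector
SECTOR_SIZE = 512


def word_at(sector: bytes, offset: int) -> int:
    """Little-endian 16-bit word, as x86 real-mode code reads memory (assumption)."""
    return struct.unpack_from("<H", sector, offset)[0]


def hare_mbr_marker_present(mbr: bytes) -> bool:
    """True if the MBR carries Hare's 'already infected' marker.

    The virus subtracts the word at 0x100 from the word at 0x102 and compares
    the 16-bit result with 0xCCFF; the & 0xFFFF reproduces 16-bit wrap-around.
    """
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("expected a full 512-byte sector")
    return (word_at(mbr, 0x102) - word_at(mbr, 0x100)) & 0xFFFF == HARE_MBR_DELTA


def hare_footprint_sector_present(sector: bytes) -> bool:
    """True if the sector begins with the 0xCCDD word the virus checks before
    deciding whether to regenerate its polymorphic data."""
    return len(sector) >= 2 and word_at(sector, 0) == HARE_SECTOR_MARK


def make_sector(**words: int) -> bytearray:
    """Constructed test sector: zeroed, with 16-bit words patched in at the hex
    offsets given by the keyword names (e.g. w100=0x1234 writes at 0x100)."""
    sec = bytearray(SECTOR_SIZE)
    sec[510:512] = b"\x55\xAA"   # boot signature, present on clean and marked MBRs alike
    for name, value in words.items():
        struct.pack_into("<H", sec, int(name[1:], 16), value)
    return sec


def scan_disk_image(image: bytes) -> dict:
    """Run both checks over a raw image: sector 0 as the MBR, and every
    sector for the 0xCCDD footprint word at its start."""
    sectors = [image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
               for i in range(len(image) // SECTOR_SIZE)]
    return {
        "mbr_marker": hare_mbr_marker_present(sectors[0]),
        "footprint_sectors": [i for i, s in enumerate(sectors)
                              if hare_footprint_sector_present(s)],
    }


# Constructed samples (not real disk images).
CLEAN_MBR = make_sector(w100=0x1234, w102=0x1234)
MARKED_MBR = make_sector(w100=0x1234, w102=(0x1234 + HARE_MBR_DELTA) & 0xFFFF)
WRAPPED_MBR = make_sector(w100=0xF000, w102=(0xF000 + HARE_MBR_DELTA) & 0xFFFF)  # forces wrap-around
FOOTPRINT_SECTOR = make_sector(w0=HARE_SECTOR_MARK)

if __name__ == "__main__":
    image = bytes(MARKED_MBR) + bytes(FOOTPRINT_SECTOR) + bytes(CLEAN_MBR)
    print(scan_disk_image(image))
```

Both checks are markers the virus leaves for its own benefit, not a full signature: a clean sector has a 1 in 65536 chance of satisfying the 0xCCFF difference by accident, and a random sector can start with the bytes DD CC. Treat a hit as a reason to pull the image for proper analysis with current definitions, not as a verdict on its own.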

The virus triggers on August 22nd and September 22nd. On either of those days, if the virus is active, it displays the following message:

    "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

It then overwrites all the hard disks on the system, destroying all the data.

XM.Laroux

Aliases: ExcelMacro/Laroux, Excel.Laroux, Laroux
Infection Length: 2 macros
Area of Infection: Excel Spreadsheets
Likelihood: Rare
Region Reported: Africa, United States (Alaska)
Keys: Wild, Macro

Technical Notes:

First discovered in July 1996 in Africa and Alaska, XM.Laroux is the first working Excel Macro Virus to be found in general circulation. The actual virus code consists of two macros called "Auto_Open" and "Check_Files," which are stored in a hidden datasheet named "laroux."

In infected spreadsheet files (Excel workbooks), the "laroux" datasheet is not readily visible; it is hidden. When an infected spreadsheet is first opened on a system, the Auto_Open macro is run automatically by Excel, which in turn runs the Check_Files macro. This process repeats each time a worksheet is activated.

The Check_Files macro then copies the worksheet with the virus code into a spreadsheet file stored in the Excel startup directory named "Personal.xls" (by default, this directory is \MSOffice\Excel\XLStart). Personal.xls is the global macro spreadsheet: Macros stored here are automatically available to all other Excel spreadsheets on the system. Copying these macros to Personal.xls enables the infection of all other spreadsheets opened or created on the infected system in the future.

XM.Laroux contains no deliberately destructive payload; it exists only to replicate. Please also note that it only activates on Microsoft Windows operating systems using Excel versions 5 and 7. It does NOT function in the Macintosh environment.

Written in English.

Users can access the complete Joe Wells' Wild List on the SARC Web site at:

http://www.symantec.com/avcenter/wild/wl.html


SARC is Information Central

SARC on the Web

SARC has the best resource for virus information on the World Wide Web. You can read about the latest virus outbreaks from around the world or your neighborhood, the Top 10 viruses worldwide, download the latest in virus protection, brush up on the latest technical information, download the latest virus definition updates, and much more! Stop by and check us out:

http://www.symantec.com/avcenter

Internet Discussion Groups

Announcing the Norton AntiVirus Discussion Group! These discussion groups provide a forum for you to ask questions about Norton AntiVirus and specific computer viruses. The support forums are in Usenet newsgroup (Internet news) format. These support newsgroups are electronic bulletin boards where you can post a message and then return later to read the answer.

You can find the discussion group off the Symantec Web site at:

http://www.symantec.com/techsupp/news

Or from the "Contacting Symantec" link on the SARC Web site (listed above).

A Web browser that supports newsgroup reading is required (for example, Netscape Navigator or Microsoft Internet Explorer).

Electronic Support

Symantec currently offers electronic (message board) support for Symantec products on CompuServe, America Online, the Microsoft Network, and the Symantec BBS. We provide technical support using direct mail for the Symantec Macintosh development tool products (programming resources) only. Please do not post technical inquiries for other Symantec products to the Macintosh development tools e-mail address. Online support is available in our public message areas on:

Online Service          Access
CompuServe              go SYMANTEC
America Online          keyword SYMANTEC
The Microsoft Network   go to SYMANTEC (Windows 95 products only)
Symantec BBS (28.8 Kbps) (541) 484-6669

New or Unknown Virus Submission Procedures

If you suspect your system has been infected by an unknown virus, complete the requested information on the form below. Then follow the procedure to create a "virus sample" floppy disk. Send the form and the disk to the Symantec address at the end of this newsletter. The engineers at SARC will analyze your disk and inform you of the results. This is a free service provided to Norton AntiVirus customers as part of Symantec's commitment to virus-free computing.

Virus Submission Form

Do not write "Contains Live Virus" on the envelope or disk mailer (this upsets the post office). All disks become property of Symantec and will be destroyed.

Please provide the following information:

Working environments:

___DOS, version:
___Windows 3.x
___Windows 95

Potential virus observed in which environments:

___DOS version:
___Windows 3.x
___Windows 95

Have you loaded the most recent virus definitions?

___Yes, date of VIRSCAN.DAT file:
___No, date of VIRSCAN.DAT file:

Has any other scanner identified a virus?

___Yes, name and version of scanner:
Virus reported:

___No

Your name:

Company name:

Address:

City, State and Zip/Postal Code:

Country:

Daytime phone number:

Creating a Virus Sample Floppy Disk

If Norton AntiVirus reports that a file may be infected with an unknown virus, or that inoculation data has changed (for no legitimate reason), you may be infected with an unknown virus.

For inoculation changes:

  • Did you install a new version of the application?
  • Does the program modify its executable files with configuration?
  • Is it possible that the file was upgraded automatically on a network?

For unknown virus alerts:

  • Have you updated your virus definitions file to the most recent version? See "Updating virus definitions" in your Norton AntiVirus User's Guide for directions to receive the most recent virus definitions file. Then scan again.

If you still think you have an unknown virus infection, use the following procedure to create a "virus sample" floppy disk. The engineers at SARC will analyze your disk and inform you of the results. This is a free service provided to Norton AntiVirus users.

These instructions work for both standard DOS and Windows 95 operating systems. These procedures should be performed by a technician (if available) on the infected computer.

To create a virus sample floppy disk:

1 Start the potentially infected system from its own hard drive.

  • For MS-DOS, you must be at a DOS prompt.
  • For Windows 3.x, exit Windows completely to DOS.
  • For Windows 95, start the computer in MS-DOS SAFE mode.

2 Format a diskette with the potentially infected operating system.

From the DOS prompt, type

FORMAT A: /S
and press Enter.

NOTE: All media submitted to the AntiVirus Research Center becomes property of Symantec. All infected media received will be held in a secure area. All submissions will be kept on record for one year.

3 Copy standard executables to the diskette.

For MS-DOS operating systems, copy the following files to the diskette from the \DOS directory:

MEM.EXE
MODE.COM
PRINT.COM
TREE.COM

For Windows 95 operating systems, copy the following files to the diskette from the \WINDOWS\COMMAND folder.

MODE.COM
MEM.EXE
KEYB.COM
XCOPY.EXE

From the \WINDOWS directory:

WIN.COM

4 Type A: and press Enter.

You are logged to the A drive.

5 Type PATH; and press Enter (don't forget the semicolon).

This will temporarily disable your path statement.

6 Run the programs (ignore any screen messages). The engineers will be able to determine if they become infected.

For example, type:

MEM and press Enter
MODE and press Enter

7 Copy any files whose inoculation data has changed without legitimate reason to the diskette (as related by NAV).

8 Copy any other programs that you suspect are infected to the diskette.

9 Label the diskette with your name, address, telephone number and today's date. Write "Potential Virus" on the diskette label.

Send all submissions to:

Symantec Corporation
AntiVirus Research Center
2500 Broadway, Suite 200
Santa Monica, CA 90404 USA

Do not write "Contains Live Virus" on the envelope or diskette mailer (this upsets the post office and may prevent delivery).

Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. No Reprint without Permission in writing, in advance.

Information in this newsletter is compiled from a number of sources, including the Symantec BBS and the Symantec Home Page on the Internet, as well as the major online services - all of which are available and updated daily.