© 1995-2000 Symantec Corporation
All rights reserved.
Volume 1, Issue 2 - October 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed
to providing swift, global responses to computer virus
threats, proactively researching and developing
technologies that eliminate such threats and educating the
public on safe computing practices.
The Symantec AntiVirus solution includes the following
line-up of currently available products:
Current AntiVirus Products
- DOS/Windows 3.1—NAV 3.0, revision 3.09
- Windows 95—NAV 95 1.0, revision 95.0a
- Windows 95—NAV 95 2.0, revision 2.00
- Windows NT—NAV Scanner, revision NT.0a
- Novell—NAV NetWare, revision 2.02
- Netscape—NAV Internet, revision 1.00
- Macintosh/Power Macintosh—SAM, revision 4.0.8
You can get the latest updates through any of these online
- CompuServe, go SYMANTEC
- Microsoft Network (Windows 95 products only), go to
- America Online, keyword SYMANTEC
- Symantec World Wide Web site, http://www.symantec.com
- Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541)
If you don’t have electronic access, you can contact our
Customer Service at (800) 441-7234 and order a disk set for
$12 (to cover shipping and handling only).
Norton AntiVirus for Windows 95, version 2.0
The newest version of award-winning Norton AntiVirus (NAV)
for the Microsoft Windows 95 operating system is now
available! NAV 95 2.0 gives you the security of knowing
that you have the most complete virus protection possible,
whether you’re downloading files from the Internet, opening
attached documents, or accessing a floppy disk.
Version 2.0 integrates a variety of new enhancements that
focus on expanded Internet functionality, ease-of-use,
consistently current protection, and security. Key new
- LiveUpdate, which provides one-button access to the
latest virus definition updates
- Striker, a next generation scanning engine that scans
for the latest and most elusive polymorphic viruses
- Repair Wizard, which guides you through the sometimes
intimidating process of virus elimination
In each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild"). You can access
the complete Joe Wells Wild List on the SARC Web site at:
In The Wild
Frodo.Frodo
Aliases: 4096, 4K, Century, IDF, Stealth
Infection Length: 4096 bytes
Area of Infection: .COM and .EXE files
Keys: Wild, Memory Resident, Stealth, Trigger
The destructive payload of the virus triggers on September
22, the birthday of Frodo and Bilbo Baggins from J.R.R.
Tolkien’s Lord of the Rings. The virus attempts to plant a
trojan horse in boot sectors and master boot records, but
the planting code has bugs and rarely works correctly. More
often than not, implanting causes the system to crash.
When successfully planted, the trojan horse displays the
following text with a moving pattern around it:
In addition, the virus slowly cross-links files, which may
The original Frodo.Frodo virus does not appear to be
compatible with DOS version 4.0 or higher.
Junkie
Infection Length: 1039 bytes (files) and 512 bytes (master boot record)
Area of Infection: .COM files, floppy disk boot sectors, and master boot
Region Reported: Sweden
Keys: Wild, Multipartite, Memory-Resident, Encrypting
The Junkie virus infects .COM files, the DOS boot sector
on floppy disks, and the master boot record (MBR) on the
first physical hard disk (drive 80h, the C: drive).
The file form of the virus does not go memory-resident. It
simply checks the MBR or floppy disk boot sector, infects
the drive if the sector is not already infected, and
returns control to the infected host file. This form of the
virus also contains code to target VSafe, the antivirus TSR
shipped with MS-DOS 6.x, and remove it from memory.
The Junkie virus code is two sectors long, and it reserves
3K of memory. Thus, on a 640K computer, the MEM command
would report 637K, and the CHKDSK command would report
652,288 bytes of free memory.
The virus body is stored, encrypted, on two sectors
starting at side 0, cylinder 0, sector 4 on the hard disk.
When a system is booted from an infected drive, the virus
loads into upper memory and decrypts itself. From memory,
the virus infects .COM files as they are executed or
loaded. It also contains code to bypass virus-monitoring
Infected files grow by a variable length just over 1K.
Since the virus has no stealth capability, file growth is
clearly visible; file times and dates are not changed.
Junkie also contains two messages. Although encrypted and
not visible in files or disk sectors, the messages are
visible in memory as follows:
Dr White - Sweden 1994
Junkie Virus - Written in Malmo
The virus decryptor is not polymorphic. It contains four
variable data bytes consisting of two words, one
representing the location to start decryption, and one a
SARC Technology Update
Seeker: The Virus Hunter
SARC troubleshooting technology goes well beyond virus
detection and repair. We collect virus samples from all
over the world and take them apart for analysis before
they’ve even become a threat to the general public. To aid
SARC researchers in this endeavor, we developed a
sophisticated web spider called Seeker.
SARC developed Seeker entirely in JAVA, a programming
language designed specifically for the Internet. Using JAVA
allowed SARC to harness the features and capabilities of
the Internet as resources for virus sample gathering. With
the prowess of a hunter, Seeker collects virus samples for
analysis by checking known virus transmission sites and
scouring other parts of the Internet for suspect files.
SARA: Symantec AntiVirus Research Automation
Once Seeker has performed a preliminary filter process on
virus samples, it transfers the files directly into a
dedicated Symantec AntiVirus Research Automation system
(SARA). Using limited artificial intelligence, SARA has the
capability for fully automated analysis, definition
development, quality assurance, and integration into the
Norton AntiVirus product line. SARA can completely process
a virus sample in less than 15 minutes.
With over 100 new viruses located, analyzed, and cataloged
by this method each month, SARC is able to leap beyond the
standards of service and provide protection from the
threats of today and tomorrow.
Creating and implementing utilities such as these is just
one of the ways we use technological resources at SARC for
the benefit of our customers.
Striker: Polymorphic Virus Detection
With complex encryption, polymorphic viruses are often
difficult to detect using conventional antivirus programs.
When you execute an infected program, the virus decrypts
the main body of the virus and can then take over the
computer. Each time it infects a new program, the virus
encrypts itself using a different scheme.
Polymorphic viruses have a practically unlimited number of
ways to conceal themselves. The standard method of virus
detection—identifying a particular sequence of code
sometimes known as a "signature"—is not effective against
them. The Striker technology, however, uses a revolutionary
approach to detect the chameleon-like polymorphics.
Each time NAV scans the computer, it sets up a "virtual
PC" that acts as a "clean room" in which it can safely
execute the potentially infected file without endangering
other files. If a virus is present, it executes and reveals
itself. At this point, NAV detects the virus and alerts you
to the infection. In this way, Striker provides airtight
detection and eradication of polymorphic viruses and keeps
your computer environment clean.
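As an added illustration of the "virtual PC" approach described above (this is not Symantec code, and it uses a made-up bytecode for the decryptor stub rather than x86), the following toy scanner shows why a static signature fails on each encrypted generation while running the stub in an isolated copy of the file image reveals the constant body:

```python
"""Toy emulation-based scanner: static signature vs. emulated decryption (constructed example)."""
import random

# Constructed, harmless stand-in for a virus body and the signature a scanner matches on.
BODY = b"TOY-VIRUS-BODY-1996"
SIGNATURE = b"VIRUS-BODY"

# Tiny made-up bytecode for the decryptor stub (not x86): opcode byte, then one operand byte.
NOP, LD_KEY, LD_LEN, XOR_AT, HALT = 0x00, 0x01, 0x02, 0x03, 0x04
MAX_STEPS = 10_000  # emulation budget so a looping or hostile stub cannot hang the scanner


def make_variant(key, nops, key_first=True):
    """One polymorphic generation: same body, different key, different stub layout."""
    assert 1 <= key <= 255 and len(BODY) < 256
    stub_len = nops + 2 + 2 + 2 + 1  # NOPs, LD_KEY, LD_LEN, XOR_AT, HALT
    loads = [LD_KEY, key, LD_LEN, len(BODY)] if key_first else [LD_LEN, len(BODY), LD_KEY, key]
    stub = bytes([NOP] * nops + loads + [XOR_AT, stub_len, HALT])
    return stub + bytes(b ^ key for b in BODY)  # encrypted body follows the stub


def emulate(image, max_steps=MAX_STEPS):
    """Run the stub inside an isolated copy of the image ("clean room") and return the memory."""
    mem, pc, key, length = bytearray(image), 0, 0, 0
    for _ in range(max_steps):
        if pc >= len(mem) or mem[pc] == HALT:
            break
        op = mem[pc]
        if op == NOP:
            pc += 1
            continue
        if pc + 1 >= len(mem):
            break  # truncated instruction: stop, keep what we have
        arg = mem[pc + 1]
        if op == LD_KEY:
            key = arg
        elif op == LD_LEN:
            length = arg
        elif op == XOR_AT and arg + length <= len(mem):
            for i in range(length):  # the decryption loop reveals the real body
                mem[arg + i] ^= key
        else:
            break  # unknown opcode or out-of-range write: stop safely
        pc += 2
    return bytes(mem)


def static_scan(image):
    return SIGNATURE in image  # misses every generation: the body bytes differ each time


def emulated_scan(image):
    return SIGNATURE in emulate(image)  # matches once the stub has decrypted the body


if __name__ == "__main__":
    rng = random.Random()
    for gen in range(3):
        sample = make_variant(rng.randrange(1, 256), rng.randrange(0, 4), rng.random() < 0.5)
        print(gen, sample[:8].hex(), "static:", static_scan(sample), "emulated:", emulated_scan(sample))
```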
Editor: Alex Haddox, Product Manager, Symantec
AntiVirus Research Center
Address all correspondence to:
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
SARC AntiVirus News Update is published monthly by Symantec Corporation. No
Reprint without Permission in writing, in advance.
Information in this newsletter is compiled from a
number of sources, including the Symantec BBS and the
Symantec Home Page on the Internet, as well as the
major online services - all of which are available
and updated daily.