© 1995-2000 Symantec Corporation
All rights reserved.
Volume 1, Issue 2 - October 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global responses to computer virus threats, proactively researching and developing technologies that eliminate such threats and educating the public on safe computing practices.



Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:
  • DOS/Windows 3.1—NAV 3.0, revision 3.09
  • Windows 95—NAV 95 1.0, revision 95.0a
  • Windows 95—NAV 95 2.0, revision 2.00
  • Windows NT—NAV Scanner, revision NT.0a
  • Novell—NAV NetWare, revision 2.02
  • Netscape—NAV Internet, revision 1.00
  • Macintosh/Power Macintosh—SAM, revision 4.0.8
You can get the latest updates through any of these online services:

  • CompuServe, go SYMANTEC
  • Microsoft Network (Windows 95 products only), go to SYMANTEC
  • America Online, keyword SYMANTEC
  • Symantec World Wide Web site, http://www.symantec.com
  • Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).


NAV News

Norton AntiVirus for Windows 95, version 2.0

The newest version of award-winning Norton AntiVirus (NAV) for the Microsoft Windows 95 operating system is now available! NAV 95 2.0 gives you the security of knowing that you have the most complete virus protection possible, whether you’re downloading files from the Internet, opening attached documents, or accessing a floppy disk.

Version 2.0 integrates a variety of new enhancements that focus on expanded Internet functionality, ease-of-use, consistently current protection, and security. Key new features include:

  • LiveUpdate, which provides one-button access to the latest virus definition updates
  • Striker, a next generation scanning engine that scans for the latest and most elusive polymorphic viruses
  • Repair Wizard, which guides you through the sometimes intimidating process of virus elimination


In The Wild

In each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild"). You can access the complete Joe Wells Wild List on the SARC Web site at:

http://www.symantec.com/avcenter/wild/wl.html

Frodo.Frodo

Aliases: 4096, 4K, Century, IDF, Stealth
Infection Length: 4096 bytes
Area of Infection: .COM and .EXE files
Likelihood: Common
Keys: Wild, Memory Resident, Stealth, Trigger

Technical Notes:

The destructive payload of the virus triggers on September 22, the birthday of Frodo and Bilbo Baggins from J.R.R. Tolkien’s Lord of the Rings. The virus attempts to plant a trojan horse in boot sectors and master boot records, but the planting code has bugs and rarely works correctly. More often than not, implanting causes the system to crash.

When successfully planted, the trojan horse displays the following text with a moving pattern around it:

FRODO LIVES

In addition, the virus slowly cross-links files, which may corrupt them.

The original Frodo.Frodo virus does not appear to be compatible with DOS version 4.0 or higher.

Junkie

Aliases: Junkie-1027
Infection Length: 1039 bytes (files) and 512 bytes (master boot record)
Area of Infection: .COM files, floppy disk boot sectors, and master boot records
Likelihood: Common
Region Reported: Sweden
Keys: Wild, Multipartite, Memory-Resident, Encrypting

Technical Notes:

The Junkie virus infects .COM files, the DOS boot sector on floppy disks, and the master boot record (MBR) on the first physical hard disk (drive 80h, the C: drive).

The file form of the virus does not go memory-resident. It simply checks the MBR or floppy disk boot sector, infects the drive if the sector is not already infected, and returns control to the infected host file. This form of the virus also contains code to target VSafe, the antivirus TSR shipped with MS-DOS 6.x, and remove it from memory.

The Junkie virus code is two sectors long, and it reserves 3K of memory. Thus, on a 640K computer, the MEM command would report 637K, and the CHKDSK command would report 652,288 bytes of free memory.

The virus body is stored, encrypted, on two sectors starting at side 0, cylinder 0, sector 4 on the hard disk. When a system is booted from an infected drive, the virus loads into upper memory and decrypts itself. From memory, the virus infects .COM files as they are executed or loaded. It also contains code to bypass virus-monitoring software.

Infected files grow by a variable length just over 1K. Since the virus has no stealth capability, file growth is clearly visible; file times and dates are not changed. Junkie also contains two messages. Although encrypted and not visible in files or disk sectors, the messages are visible in memory as follows:

Dr White - Sweden 1994
Junkie Virus - Written in Malmo

The virus decryptor is not polymorphic. It contains four variable data bytes consisting of two words, one representing the location to start decryption, and one a variable key.
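The Junkie notes above give three observable indicators that an integrity checker or memory monitor of the period could act on: .COM files that grow by just over 1K while keeping their date and time stamps, 3K of conventional memory that a 640K machine can no longer account for, and two plaintext messages that appear in memory once the virus is resident. The following checker is an added example written for this newsletter, not Symantec's code. The file names, sizes and timestamps in the baseline and current snapshots are constructed sample data, and the 1024..1100-byte growth window is an assumption standing in for "just over 1K".

```python
"""Indicator checks for the Junkie virus as described in the text.

Added example, not Symantec's code. Thresholds come from the newsletter:
infected .COM files grow by "just over 1K" (stated infection length 1039
bytes) with unchanged date/time; the resident virus reserves 3K, so a 640K
machine reports 637K; and two plaintext messages are visible in memory.
The baseline/snapshot dictionaries and memory image are constructed data.
"""

from dataclasses import dataclass

CONVENTIONAL_MEMORY_KB = 640
JUNKIE_RESIDENT_KB = 3          # from the text: "reserves 3K of memory"
JUNKIE_MESSAGES = (b"Dr White - Sweden 1994", b"Junkie Virus - Written in Malmo")


@dataclass(frozen=True)
class FileRecord:
    size: int    # bytes
    mtime: int   # DOS-style timestamp; only equality matters here


def suspicious_growth(baseline: dict, current: dict,
                      min_growth: int = 1024, max_growth: int = 1100) -> list:
    """Names of .COM files that grew by roughly 1K while mtime stayed the same.

    A legitimate rewrite of a program normally updates its timestamp, so
    growth without a timestamp change is the integrity-checker signal the
    newsletter points at. The growth window is an assumption. Files present
    on only one side are ignored.
    """
    hits = []
    for name, before in baseline.items():
        after = current.get(name)
        if after is None or not name.upper().endswith(".COM"):
            continue
        growth = after.size - before.size
        if min_growth <= growth <= max_growth and after.mtime == before.mtime:
            hits.append(name)
    return sorted(hits)


def memory_shortfall_kb(reported_kb: int, total_kb: int = CONVENTIONAL_MEMORY_KB) -> int:
    """Conventional memory that MEM can no longer account for (0 when none)."""
    return max(0, total_kb - reported_kb)


def junkie_strings_in_memory(image: bytes) -> list:
    """The plaintext Junkie messages present in a memory image, in order."""
    return [m.decode() for m in JUNKIE_MESSAGES if m in image]


def check_system(baseline: dict, current: dict, reported_kb: int, memory_image: bytes) -> dict:
    """Combine the three indicators into one report."""
    return {
        "grown_files": suspicious_growth(baseline, current),
        "memory_shortfall_kb": memory_shortfall_kb(reported_kb),
        "resident_expected": memory_shortfall_kb(reported_kb) == JUNKIE_RESIDENT_KB,
        "messages": junkie_strings_in_memory(memory_image),
    }


# Constructed sample snapshots (not real files).
BASELINE = {
    "COMMAND.COM": FileRecord(size=54_645, mtime=0x1C5A6000),
    "EDIT.COM":    FileRecord(size=413,    mtime=0x1C5A6001),
    "FORMAT.COM":  FileRecord(size=22_974, mtime=0x1C5A6002),
    "NOTES.TXT":   FileRecord(size=2_000,  mtime=0x1C5A6003),
}
CURRENT = {
    "COMMAND.COM": FileRecord(size=54_645 + 1039, mtime=0x1C5A6000),  # grew ~1K, stamp unchanged
    "EDIT.COM":    FileRecord(size=413,           mtime=0x1C5A6001),  # untouched
    "FORMAT.COM":  FileRecord(size=22_974 + 1039, mtime=0x1C5A7000),  # grew, but stamp changed: ordinary update
    "NOTES.TXT":   FileRecord(size=2_000 + 1039,  mtime=0x1C5A6003),  # not a .COM file
}
# Constructed memory image with the two messages surrounded by filler bytes.
MEMORY_IMAGE = (b"\x00" * 64 + JUNKIE_MESSAGES[0] + b"\x00" + b"\x90" * 32
                + JUNKIE_MESSAGES[1] + b"\x00")

if __name__ == "__main__":
    print(check_system(BASELINE, CURRENT, reported_kb=637, memory_image=MEMORY_IMAGE))
```

Only COMMAND.COM is reported: FORMAT.COM grew by the same amount but its timestamp moved, which is what a normal update looks like, and NOTES.TXT is outside the virus's target set. The 637K reading yields exactly the 3K shortfall the text describes.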


SARC Technology Update

Seeker: The Virus Hunter

SARC troubleshooting technology goes well beyond virus detection and repair. We collect virus samples from all over the world and take them apart for analysis before they’ve even become a threat to the general public. To aid SARC researchers in this endeavor, we developed a sophisticated web spider called Seeker.

SARC developed Seeker entirely in Java, a programming language designed specifically for the Internet. Using Java allowed SARC to harness the features and capabilities of the Internet as resources for virus sample gathering. With the prowess of a hunter, Seeker collects virus samples for analysis by checking known virus transmission sites and scouring other parts of the Internet for suspect files.

SARA: Symantec AntiVirus Research Automation

Once Seeker has performed a preliminary filter process on virus samples, it transfers the files directly into a dedicated Symantec AntiVirus Research Automation system (SARA). Using limited artificial intelligence, SARA has the capability for fully automated analysis, definition development, quality assurance, and integration into the Norton AntiVirus product line. SARA can completely process a virus sample in less than 15 minutes.

With over 100 new viruses located, analyzed, and cataloged by this method each month, SARC is able to leap beyond the standards of service and provide protection from the threats of today and tomorrow.

Creating and implementing these utilities are only a few of the ways we use technological resources at SARC for the benefit of our customers.

Striker: Polymorphic Virus Detection

With complex encryption, polymorphic viruses are often difficult to detect using conventional antivirus programs. When you execute an infected program, the virus unencrypts the main body of the virus and can then take over the computer. Each time it infects a new program, the virus encrypts itself using a different scheme.

Polymorphic viruses have infinite ways to conceal themselves. The standard method of virus detection—identifying a particular sequence of code sometimes known as a "signature"—is not effective against them. The Striker technology, however, uses a revolutionary approach to detect the chameleon-like polymorphics.

Each time NAV scans the computer, it sets up a "virtual PC" that acts as a "clean room" in which it can safely execute the potentially infected file without endangering other files. If a virus is present, it executes and reveals itself. At this point, NAV detects the virus and alerts you to the infection. In this way, Striker provides airtight detection and eradication of polymorphic viruses and keeps your computer environment clean.
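The "virtual PC" idea described above can be shown on a toy scale: instead of looking for a byte pattern in the file as stored, the scanner runs the file in an isolated emulator for a bounded number of steps and then looks for the pattern in the emulated memory, where the virus's own decryptor has exposed its body. The block below is an added example written for this newsletter; it is not Symantec's Striker engine and implements none of its actual details. The eight-instruction machine, the constructed samples (a XOR decryptor stub padded with varying numbers of NOPs in front of a body encrypted under a per-sample key) and the "signature" are all hypothetical.

```python
"""Toy emulation-based scanner in the spirit of the "virtual PC" above.

Added example, not Symantec's Striker. A minimal hypothetical machine runs
each sample in its own memory space under a step budget; afterwards the
scanner looks for a known byte pattern in that memory. Samples are built so
that no fixed bytes survive in the stored file (varying key, varying NOP
padding), so a static scan misses them while the emulation scan does not.
Instruction set, samples and signature are constructed for this demo.
"""

MEM_SIZE = 256
MAX_STEPS = 2_000   # hard budget so a sample cannot keep the scanner spinning

# Hypothetical opcodes: NOP; LDX imm; LDC imm; XORM imm (mem[X] ^= imm);
# INX; DECC; JNZ rel8 (taken while C != 0); HLT.
NOP, LDX, LDC, XORM, INX, DECC, JNZ, HLT = range(8)

BODY = b"PAYLOAD-BODY"          # constructed decrypted body (12 bytes)
SIGNATURE = BODY[:8]            # the pattern a scanner would know


def emulate(image: bytes, max_steps: int = MAX_STEPS) -> bytearray:
    """Run `image` inside an isolated memory space and return that memory."""
    mem = bytearray(MEM_SIZE)
    mem[:len(image)] = image
    pc, x, c = 0, 0, 0
    for _ in range(max_steps):
        op = mem[pc]
        operand = mem[(pc + 1) & 0xFF]
        if op == NOP:
            pc += 1
        elif op == LDX:
            x, pc = operand, pc + 2
        elif op == LDC:
            c, pc = operand, pc + 2
        elif op == XORM:
            mem[x] ^= operand
            pc += 2
        elif op == INX:
            x, pc = (x + 1) & 0xFF, pc + 1
        elif op == DECC:
            c, pc = (c - 1) & 0xFF, pc + 1
        elif op == JNZ:
            rel = operand - 256 if operand > 127 else operand
            pc = pc + 2 + rel if c != 0 else pc + 2
        else:               # HLT or undefined opcode: stop cleanly
            break
        pc &= 0xFF
    return mem                # budget exhausted or halted: either way we stop


def make_variant(key: int, pad: int) -> bytes:
    """Constructed sample: padded decryptor stub followed by BODY XOR key.

    Layout: LDX body_off; LDC len; loop: XORM key; INX; DECC; JNZ loop; HLT
    with `pad` NOPs in front of each instruction (except JNZ/HLT).
    """
    nops = bytes([NOP]) * pad
    loop = nops + bytes([XORM, key]) + nops + bytes([INX]) + nops + bytes([DECC])
    rel = -(len(loop) + 2)                        # back to start of loop
    tail = loop + bytes([JNZ, rel & 0xFF, HLT])
    head_len = 2 * len(nops) + 4
    body_off = head_len + len(tail)
    head = nops + bytes([LDX, body_off]) + nops + bytes([LDC, len(BODY)])
    return head + tail + bytes(b ^ key for b in BODY)


def static_scan(image: bytes) -> bool:
    """Classic approach: look for the pattern in the file as stored."""
    return SIGNATURE in image


def emulation_scan(image: bytes) -> bool:
    """Execute in the sandbox first, then look for what the decryptor exposed."""
    return SIGNATURE in bytes(emulate(image))


def scan_variants(keys=(0x5A, 0xA7, 0x3C), pads=(0, 1, 3)) -> dict:
    """Compare both approaches over nine constructed variants and a clean file."""
    samples = [make_variant(k, p) for k in keys for p in pads]
    return {
        "distinct_samples": len(set(samples)),
        "static_hits": sum(static_scan(s) for s in samples),
        "emulated_hits": sum(emulation_scan(s) for s in samples),
        "clean_file_flagged": emulation_scan(b"MZ\x90\x00" + bytes(40)),
    }


if __name__ == "__main__":
    print(scan_variants())
```

Two design points carry over to real engines: the emulator gives the sample no way to touch anything outside its own memory array, and the step budget means a sample that loops forever (or simply never decrypts) costs a fixed amount of time rather than hanging the scan.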

Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. No Reprint without Permission in writing, in advance.

Information in this newsletter is compiled from a number of sources, including the Symantec BBS and the Symantec Home Page on the Internet, as well as the major online services - all of which are available and updated daily.