Symantec logo
United States
Antivirus Research Center


Advanced Search

Information for You

Shop Symantec

Products

Resource Centers
--------Antivirus Research Center
Download Updates
Virus Encyclopedia
Virus Hoaxes
Reference Area
Submit Virus Samples

Service and Support

About Symantec




Webmaster
Help

© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
spacer Volume 1, Issue 3 - November 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global responses to computer virus threats, proactively researching and developing technologies that eliminate such threats and educating the public on safe computing practices.

Highlights Table of Contents


Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:
  • DOS/Windows 3.1óNAV 3.0, revision 3.10
  • Windows 95óNAV 95 1.0, revision 95.0b
  • Windows 95óNAV 95 2.0, revision 2.00
  • Windows NTóNAV NT 2.0, revision 2.00
  • NovellóNAV NetWare, revision 2.02
  • NetscapeóNAV Internet, revision 1.00
  • Macintosh/Power MacintoshóSAM, revision 4.0.8
  • Macintosh/Power MacintoshóSAM, revision 4.50
You can get the latest updates through any of these online services:

CompuServe, go SYMANTEC
Microsoft Network (Windows 95 products only), go to SYMANTEC
America Online, keyword SYMANTEC
Symantec World Wide Web site, http://www.symantec.com
Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541) 984-5366

If you donít have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).


NAV News

Norton AntiVirus for Windows NT, version 2.0

NAV 2.0 for Windows NT is the first antivirus product from Symantec to protect both servers and workstations operating under Windows NT 4.0 and Windows NT 3.51. NAV 2.0 guards your system against computer viruses transmitted by every means possible:
  • over the Internet or through Intranets
  • attached to electronic mail
  • hidden in compressed files
  • on floppy disks, hard drives, or CD-ROMs
  • on network drives and drives shared between peer machines
"The introduction of Norton AntiVirus 2.0 for Windows NT answers customer requests for a single antivirus solution for desktops, network servers, and Web servers," said Mary Engstrom, general manager of the AntiVirus Business Unit. "In addition, the new LiveUpdate feature, combined with the resources of the Symantec AntiVirus Research Center (SARC), provides our customers the most current protection available. In a world where there are three to six new viruses per day, that current protection is vital for corporations and individuals who want to stay virus free."

NAV NT 2.0 works with Norton AntiVirus for NetWare to provide manageable, effective protection on the most common network server platforms. The software manages the setup, control, and sending of alerts by using the NT Messenger Service or by notifying Norton AntiVirus for NetWare. The Alert service logs all events to the Windows NT event logóand to the NAV Activity Log. Similarly, the software communicates virus events to Norton AntiVirus for NetWare, which logs the events on the NetWare server and notifies system administrators via NetWare messaging, e-mail, or paging. Key Features

  • Offers the first full protection for servers and workstations under both Windows NT 3.51 and Windows NT 4.0.
  • Provides one-button access to the latest software and virus definition updates with LiveUpdate.
  • Includes Striker, Symantecís patent-pending, next-generation polymorphic virus detection engine.
  • Provides industry-leading Macro virus detection and repair.
  • Runs Auto-Protect in the background, scanning local and remote files as they are downloaded, opened, created, modified, or run.
  • Backed by unparalleled support from the Symantec AntiVirus Research Center (SARC).

Healthy PC

Symantec Corporationís new program, Healthy PC, runs a complete computer maintenance routine at the click of a mouse. In less than five minutes, Healthy PC reports on antivirus activity and hard drive fragmentation, including lost clusters and disk file arrangement. The new program also handles file management after your computer crashes.

You now have a "click-and-forget" tool you can use to protect your software and valuable data like financial records. With one mouse click, Healthy PC detects and fixes small problems before they become big ones.

The program not only detects and removes viruses, but also makes your PC run faster and more efficiently. Healthy PC tunes up your hard drive by arranging files for faster access.

It also includes comprehensive online help that gives you answers to frequently-asked questions. Thereís no thick manual to read and no new jargon to learn. In fact, the "push-button" metaphor requires no learning curve at all.

"Bringing our heritage in the development of utility products to the consumer market, we created Healthy PC specifically for the new Windows 95 computer user," said Mary Engstrom, general manager of Symantecís AntiVirus Business Unit. "We believe that Healthy PC offers the essential utilities to ensure a safe and productive computing experience for novice users."

How Healthy PC Works

With the growing number of first-time PC buyers using Windows 95, many computer owners can benefit from Healthy PC. The programís unconventional oval-shaped interface provides a totally new and non-intimidating experience. If youíre uncomfortable with the more traditional software designs, such as pull-down menus and check boxes, youíll love Healthy PC.

On this intuitive user interface, scanning for viruses and optimizing the hard disk are literally as simple as clicking the Start button. The program shows you the areas that itís checking and gives a quick summary report on the "health" of your PC.

Healthy PC combines the benefits of two of Symantecís best-selling programsóNorton AntiVirus and Speed Diskóin one utility program. If Healthy PC uncovers problems it canít repair, the program points you to other resources. Healthy PC also features LiveUpdate: one button access to the latest virus definitions. In an environment where three to six new viruses are being written each day, this updated protection is vital to the health of your PC data. LiveUpdate connects you to Symantec via modem or Internet and provides you with new virus protection updates and automatic software enhancements.


In The Wild

In each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild"). You can access the complete Joe Wells Wild List on the SARC Web site at:

http://www.symantec.com/avcenter/wild/wl.html

3b Trojan

Aliases: PKZip Trojan, PKZ300B.ZIP
Infection Length: Trojan Horse
Area of Infection: Trojan Horse
Likelihood: Uncommon
Region Reported: FTP sites, Internet service providers
Characteristics: Trojan Horse
Target Platform: DOS
Trigger date: Immediate

Technical Notes:

The 3b Trojan program is a trojan horse that claims to be the latest version of PKZIP, Version 3.0g, from PKWARE Inc. The Symantec AntiVirus Research Center first received 3b Trojan in late July 1995. We integrated the definition or "fingerprint" into the August 1995 virus definition set and included it in every update since that initial release.

The 3b Trojan program is not a virus. Trojan horses do not replicate and spread themselves. Instead, they masquerade as legitimate programs, in this case, as a new release of PKZIP. You manually download these files and consciously run them. This causes the triggered event to take place. The vast majority of trojan horse programs are written with a destructive intent.

The 3b Trojan program has been distributed under the following names:

  • PKZ300B.EXE
  • PKZ300B.ZIP
  • PKZIP300.EXE
  • PKZIP300.ZIP
When 3b Trojan is triggered, it formats your hard drive. The self-extracting versions of the executable (.EXE) files for 3b Trojan and the "PKZIP" program within it both have the same trigger. Reports that 3b Trojan also affects modems of 1.44bps and higher are incorrect.

As of October 1996, only the following releases of the PKZIP program are valid:

  • 1.10
  • 1.93
  • 2.04c
  • 2.04e
  • 2.04g

In response to 3b Trojan, PKWARE Inc. has issued the following statement:

It has come to the attention of PKWARE that a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to delete all the directories of your hard drive if you run it. If you have any information as to the creators of this trojan horse, PKWARE would be extremely interested to hear from you. If you have any other questions about this fake version, please email support@pkware.com.
You can download PKZIP 2.04g from the Symantec FTP server ( ftp://ftp.symantec.com).

Stoned.Empire.Monkey

Aliases: Monkey, Monkey 2
Infection Length: 512 bytes
Area of Infection: Floppy boot sectors and master boot records
Likelihood: Common
Region Reported: North America, South America, Europe, India, Japan, Australia/New Zealand, Taiwan, South Africa
Characteristics: Wild, Memory Resident, Encrypting
Target Platform: DOS
Trigger date: none

Technical Notes:

While currently known Stoned.Empire.Monkey virus strains cause no intentional permanent damage, the infection is a major inconvenience. If you boot from a floppy on an infected computer, the system will not find your hard drive. Carried only on diskettes, this virus can spread easily to systems without protection.

Stoned.Empire.Monkey is a memory-resident infector of the master boot record on hard disks and the boot sector on floppies. When the virus is in memory, it re-routes any boot record access to a copy of the original boot sector.

The virus encrypts the partition table (an essential part of the system area), moves the original to a different location on the hard drive, and then takes the place of the real partition table. In order for the system to read the real partition (and see the drive), the virus must be active in memory. If you boot from a clean floppy disk, thus avoiding the virus, your system cannot access the hard drive by normal means.

Stoned.Empire.Monkey occupies one K at the top of memory (640K mark). Any memory indicator will show one less K than the computer actually has. To verify that you have the virus, you can run either DOS CHKDSK or MEM. These commands will report about 638K to 639K if your system is infected.

Although the Stoned.Empire.Monkey virus is not designed to damage data (in its current incarnations), it will blindly write to any available disk, regardless of format. This will undoubtedly cause loss of data and formatting on non-DOS disks.

Although Stoned.Empire.Monkey is common worldwide, it is especially prevalent in Canada, North America, and South America.


SARC Technology Update

Keeping your virus definitions current is one of the most critical aspects of virus protection. New viruses are being discovered every day. Symantec has revolutionized the industry by offering two simple means of keeping your virus protection current: Live Update and Intelligent Updater.

Live Update

From within the Norton AntiVirus program interface, you click a button to launch Live Update. The software detects the availability of an Internet connection or modem, and automatically contacts a Symantec server. Once LiveUpdate is connected, the system downloads and installs the latest virus definitions.

You can also use LiveUpdate to install software patches or obtain product information. Added to all versions of Norton Antivirus, LiveUpdate is a patent-pending technology that will appear in many other Symantec products over the coming months. It provides a unique way for you to ensure that your software solutions are always up to date.

Intelligent Updater

If youíre running a version of Norton AntiVirus without Live Update, you get your virus definition sets on diskette, or you just prefer the manual touch, you can use the Intelligent Updater. "IU" locates all versions of Norton AntiVirus on your computer and installs new virus definition files automatically. All you have to do is run the program and then scan your disk with Norton AntiVirus. Itís so intelligent that it will even detect other Symantec programs offering antivirus protection and will update them as well. Now thatís convenient!

Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. No Reprint without Permission in writing, in advance.

Information in this newsletter is compiled from a number of sources, including the Symantec BBS and the Symantec Home Page on the Internet, as well as the major online services - all of which are available and updated daily.