© 1995-2000 Symantec Corporation
All rights reserved.
Volume 1, Issue 3 - November 1, 1996
The Symantec AntiVirus Research Center (SARC) is committed
to providing swift, global responses to computer virus
threats, proactively researching and developing
technologies that eliminate such threats and educating the
public on safe computing practices.
The Symantec AntiVirus solution includes the following
line-up of currently available products:
Current AntiVirus Products
You can get the latest updates through any of these online
- DOS/Windows 3.1óNAV 3.0, revision 3.10
- Windows 95óNAV 95 1.0, revision 95.0b
- Windows 95óNAV 95 2.0, revision 2.00
- Windows NTóNAV NT 2.0, revision 2.00
- NovellóNAV NetWare, revision 2.02
- NetscapeóNAV Internet, revision 1.00
- Macintosh/Power MacintoshóSAM, revision 4.0.8
- Macintosh/Power MacintoshóSAM, revision 4.50
CompuServe, go SYMANTEC
Microsoft Network (Windows 95 products only), go to
America Online, keyword SYMANTEC
Symantec World Wide Web site, http://www.symantec.com
Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541)
If you donít have electronic access, you can contact our
Customer Service at (800) 441-7234 and order a disk set for
$12 (to cover shipping and handling only).
Norton AntiVirus for Windows NT, version 2.0
NAV 2.0 for Windows NT is the first antivirus product from
Symantec to protect both servers and workstations operating
under Windows NT 4.0 and Windows NT 3.51. NAV 2.0 guards
your system against computer viruses transmitted by every
"The introduction of Norton AntiVirus 2.0 for Windows NT
answers customer requests for a single antivirus solution
for desktops, network servers, and Web servers," said Mary
Engstrom, general manager of the AntiVirus Business Unit.
"In addition, the new LiveUpdate feature, combined with the
resources of the Symantec AntiVirus Research Center (SARC),
provides our customers the most current protection
available. In a world where there are three to six new
viruses per day, that current protection is vital for
corporations and individuals who want to stay virus free."
- over the Internet or through Intranets
- attached to electronic mail
- hidden in compressed files
- on floppy disks, hard drives, or CD-ROMs
- on network drives and drives shared between peer
NAV NT 2.0 works with Norton AntiVirus for NetWare to
provide manageable, effective protection on the most common
network server platforms. The software manages the setup,
control, and sending of alerts by using the NT Messenger
Service or by notifying Norton AntiVirus for NetWare. The
Alert service logs all events to the Windows NT event
logóand to the NAV Activity Log. Similarly, the software
communicates virus events to Norton AntiVirus for NetWare,
which logs the events on the NetWare server and notifies
system administrators via NetWare messaging, e-mail, or
paging. Key Features
- Offers the first full protection for servers and
workstations under both Windows NT 3.51 and Windows NT
- Provides one-button access to the latest software and
virus definition updates with LiveUpdate.
- Includes Striker, Symantecís patent-pending,
next-generation polymorphic virus detection engine.
- Provides industry-leading Macro virus detection and
- Runs Auto-Protect in the background, scanning local
and remote files as they are downloaded, opened,
created, modified, or run.
- Backed by unparalleled support from the Symantec
AntiVirus Research Center (SARC).
Symantec Corporationís new program, Healthy PC, runs a
complete computer maintenance routine at the click of a
mouse. In less than five minutes, Healthy PC reports on
antivirus activity and hard drive fragmentation, including
lost clusters and disk file arrangement. The new program
also handles file management after your computer crashes.
You now have a "click-and-forget" tool you can use to
protect your software and valuable data like financial
records. With one mouse click, Healthy PC detects and fixes
small problems before they become big ones.
The program not only detects and removes viruses, but also
makes your PC run faster and more efficiently. Healthy PC
tunes up your hard drive by arranging files for faster
It also includes comprehensive online help that gives you
answers to frequently-asked questions. Thereís no thick
manual to read and no new jargon to learn. In fact, the
"push-button" metaphor requires no learning curve at all.
"Bringing our heritage in the development of utility
products to the consumer market, we created Healthy PC
specifically for the new Windows 95 computer user," said
Mary Engstrom, general manager of Symantecís AntiVirus
Business Unit. "We believe that Healthy PC offers the
essential utilities to ensure a safe and productive
computing experience for novice users."
How Healthy PC Works
With the growing number of first-time PC buyers using
Windows 95, many computer owners can benefit from Healthy
PC. The programís unconventional oval-shaped interface
provides a totally new and non-intimidating experience. If
youíre uncomfortable with the more traditional software
designs, such as pull-down menus and check boxes, youíll
love Healthy PC.
On this intuitive user interface, scanning for viruses and
optimizing the hard disk are literally as simple as
clicking the Start button. The program shows you the areas
that itís checking and gives a quick summary report on the
"health" of your PC.
Healthy PC combines the benefits of two of Symantecís
best-selling programsóNorton AntiVirus and Speed Diskóin
one utility program. If Healthy PC uncovers problems it
canít repair, the program points you to other resources.
Healthy PC also features LiveUpdate: one button access to
the latest virus definitions. In an environment where three
to six new viruses are being written each day, this updated
protection is vital to the health of your PC data.
LiveUpdate connects you to Symantec via modem or Internet
and provides you with new virus protection updates and
automatic software enhancements.
In each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild"). You can access
the complete Joe Wells Wild List on the SARC Web site at:
In The Wild
Aliases: PKZip Trojan, PKZ300B.ZIP
Infection Length: Trojan Horse
Area of Infection: Trojan Horse
Region Reported: FTP sites, Internet service providers
Characteristics: Trojan Horse
Target Platform: DOS
Trigger date: Immediate
The 3b Trojan program is a trojan horse that claims to be
the latest version of PKZIP, Version 3.0g, from PKWARE Inc.
The Symantec AntiVirus Research Center first received 3b
Trojan in late July 1995. We integrated the definition or
"fingerprint" into the August 1995 virus definition set and
included it in every update since that initial release.
The 3b Trojan program is not a virus. Trojan horses do not
replicate and spread themselves. Instead, they masquerade
as legitimate programs, in this case, as a new release of
PKZIP. You manually download these files and consciously
run them. This causes the triggered event to take place.
The vast majority of trojan horse programs are written with
a destructive intent.
The 3b Trojan program has been distributed under the
When 3b Trojan is triggered, it formats your hard drive.
The self-extracting versions of the executable (.EXE) files
for 3b Trojan and the "PKZIP" program within it both have
the same trigger. Reports that 3b Trojan also affects
modems of 1.44bps and higher are incorrect.
As of October 1996, only the following releases of the
PKZIP program are valid:
In response to 3b Trojan, PKWARE Inc. has issued the
It has come to the attention of PKWARE that a fake
version of PKZIP is being distributed as PKZ300B.ZIP or
PKZ300.ZIP. It is not an official version from PKWARE and
it will attempt to delete all the directories of your hard
drive if you run it. If you have any information as to the
creators of this trojan horse, PKWARE would be extremely
interested to hear from you. If you have any other
questions about this fake version, please email
You can download PKZIP 2.04g from the Symantec FTP server
Aliases: Monkey, Monkey 2
Infection Length: 512 bytes
Area of Infection: Floppy boot sectors and master boot records
Region Reported: North America, South America, Europe, India, Japan,
Australia/New Zealand, Taiwan, South Africa
Characteristics: Wild, Memory Resident, Encrypting
Target Platform: DOS
Trigger date: none
While currently known Stoned.Empire.Monkey virus strains
cause no intentional permanent damage, the infection is a
major inconvenience. If you boot from a floppy on an
infected computer, the system will not find your hard
drive. Carried only on diskettes, this virus can spread
easily to systems without protection.
Stoned.Empire.Monkey is a memory-resident infector of the
master boot record on hard disks and the boot sector on
floppies. When the virus is in memory, it re-routes any
boot record access to a copy of the original boot sector.
The virus encrypts the partition table (an essential part
of the system area), moves the original to a different
location on the hard drive, and then takes the place of the
real partition table. In order for the system to read the
real partition (and see the drive), the virus must be
active in memory. If you boot from a clean floppy disk,
thus avoiding the virus, your system cannot access the hard
drive by normal means.
Stoned.Empire.Monkey occupies one K at the top of memory
(640K mark). Any memory indicator will show one less K than
the computer actually has. To verify that you have the
virus, you can run either DOS CHKDSK or MEM. These commands
will report about 638K to 639K if your system is infected.
Although the Stoned.Empire.Monkey virus is not designed to
damage data (in its current incarnations), it will blindly
write to any available disk, regardless of format. This
will undoubtedly cause loss of data and formatting on
Although Stoned.Empire.Monkey is common worldwide, it is
especially prevalent in Canada, North America, and South
Keeping your virus definitions current is one of the most
critical aspects of virus protection. New viruses are being
discovered every day. Symantec has revolutionized the
industry by offering two simple means of keeping your virus
protection current: Live Update and Intelligent Updater.
SARC Technology Update
From within the Norton AntiVirus program interface, you
click a button to launch Live Update. The software detects
the availability of an Internet connection or modem, and
automatically contacts a Symantec server. Once LiveUpdate
is connected, the system downloads and installs the latest
You can also use LiveUpdate to install software patches or
obtain product information. Added to all versions of Norton
Antivirus, LiveUpdate is a patent-pending technology that
will appear in many other Symantec products over the coming
months. It provides a unique way for you to ensure that
your software solutions are always up to date.
If youíre running a version of Norton AntiVirus without
Live Update, you get your virus definition sets on
diskette, or you just prefer the manual touch, you can use
the Intelligent Updater. "IU" locates all versions of
Norton AntiVirus on your computer and installs new virus
definition files automatically. All you have to do is run
the program and then scan your disk with Norton AntiVirus.
Itís so intelligent that it will even detect other Symantec
programs offering antivirus protection and will update them
as well. Now thatís convenient!
| Editor: Alex Haddox, Product Manager, Symantec
AntiVirus Research Center
Address all correspondence to:
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
SARC AntiVirus News Update is published monthly by Symantec Corporation. No
Reprint without Permission in writing, in advance.
Information in this newsletter is compiled from a
number of sources, including the Symantec BBS and the
Symantec Home Page on the Internet, as well as the
major online services - all of which are available
and updated daily.