Symantec logo
United States
Antivirus Research Center

Advanced Search

Information for You

Shop Symantec


Resource Centers
--------Antivirus Research Center
Download Updates
Virus Encyclopedia
Virus Hoaxes
Reference Area
Submit Virus Samples

Service and Support

About Symantec


© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
spacer Volume 2, Issue 1 - January 1, 1997
The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global responses to computer virus threats, proactively researching and developing technologies that eliminate such threats and educating the public on safe computing practices.

Highlights Table of Contents

Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:
  • DOS/Windows 3.1—NAV 3.0, revision 3.10
  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows NT—NAV NT 2.0, revision 2.00
  • Novell—NAV 2.0 NetWare, revision 2.03
  • Netscape—NAV Internet, revision 1.00
  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.50
You can get the latest updates through any of these online services:

CompuServe, go SYMANTEC
Microsoft Network (Windows 95 products only), go to SYMANTEC
America Online, keyword SYMANTEC
Symantec World Wide Web site,
Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).

NAV News

SARC Finds New Excel Macro Virus: XM.Sofa

Specialists at the Symantec AntiVirus Research Center have identified XM.Sofa, the second virus to infect the Microsoft Excel platform. XM.Laroux, the first Excel macro virus, had a few spin-offs, but these were primarily variations of the original code. XM.Sofa, on the other hand, represents a significant new approach.

The discovery of XM.Sofa demonstrates again that the Microsoft Excel environment is a feasible host platform. Excel spreadsheets are vulnerable to macro virus infection, just as MS Word documents are. SARC encourages all MIS security personnel to consider Microsoft Excel spreadsheets as a potential threat.

Symantec received the XM.Sofa virus from a large corporate customer on the west coast of the United States. Researchers posted a publicly available solution for all Symantec AntiVirus platforms in mid-December 1996. The solution is also included with the January 1997 virus definition set for both Norton AntiVirus and Symantec AntiVirus for Macintosh.

SARC would like to stress that although this virus has been discovered "in the wild," it is not considered a significant public threat at this time. Reports have come only from a single source, and the infection is being quelled as swiftly as possible. In addition, researchers are attempting to trace the origin of the infection, although the actual creator may never be known.


Aliases: Microsofa   Description:
XM.Sofa establishes the second family of Excel macro viruses. First discovered by SARC in early December of 1996 (U.S. west coast), XM.Sofa is written in MS Visual Basic. Like other Excel macro viruses, it spreads by copying its own viral macros to other Excel spreadsheets.

However, XM.Sofa has unique features. XM.Laroux infects by creating a file called PERSONAL.XLS in the default startup directory. XM.Sofa spreads by way of a file called BOOK.XLT placed in the alternate startup directory.

XM.Sofa contains four macro functions: Auto_Open, Auto_Range, Current_Open and Auto_Close. When you open an infected file, the virus takes control and changes the caption at the top of the screen from Microsoft Excel to Microsofa Excel.

Then the virus checks to see if the system is already infected by looking in the alternate startup directory for a file named BOOK.XLT. If this directory is not defined, it looks in the default directory C:\MSOFFICE\EXCEL\XLSTART. If the file does not exist in the target directory, the virus infects the system and displays the following message:

Microsoft Excel has detected a corrupted add-in file. Click OK to repair this file.

After you click the OK button, the file BOOK.XLT is created in the target startup directory and the virus is ready to infect other spreadsheets.

NOTE: If the alternate startup directory is defined, but does not exist, the virus cannot create the BOOK.XLT file. XM.Sofa will not be infectious upon startup, and will not display the message box.

The virus creates two worksheets, one with a name of 12 blank spaces and the other with 13 blank spaces. Both worksheets contain the text of the macros. However, only one of them is specified as a Visual Basic module, while the other is defined as a normal worksheet.

XM.Sofa does not contain any deliberately harmful payloads.

Description by Chris Formulak - December 6, 1996

Infection length: 4 macros
Area of infection: Microsoft Excel spreadsheets
Likelihood: Uncommon
Region reported: USA
Characteristics: Wild, macro
Target platform: Macro
Trigger date: None

Virus Hoaxes In The Wild

Normally in this section of this newsletter, we profile a few viruses that are "in the wild," or in free distribution among the general public. However, in last month’s issue we responded to an increasing number of requests for information about viruses that do not exist. These are what we call virus hoaxes.

This month, we are continuing to look at hoaxes. December 1996 saw a unprecedented increase in the number of virus hoaxes posted around the world. Those described below have spread far and wide, from the heads of corporations to end-users. The more we can do to prevent the proliferation of these messages, the better.

SARC maintains a comprehensive list of virus hoaxes online. If you receive a virus alert message, and you have questions as to its validity, please take a few minutes to check out our hoax page before passing the message along. The URL is:

The three hoaxes described below are not virus threats at all. Please ignore any messages about these supposed "viruses" and do not share them with anyone else. Passing on messages about these hoaxes serves only to further propagate them.

Penpal Greetings

Aliases: E-mail, Good Times.Penpal_Greetings   Description:
Penpal Greetings is not a virus. It is a hoax. The “virus” does not exist. There is currently no virus that has the characteristics ascribed to Penpal Greetings.

The e-mail message describing the virus is similar to the original Good Times virus e-mail hoax. It could even be described as a virus hoax strain.

The Penpal Greetings hoax message includes the following “warning”:

This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!" DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"

This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The “trojan horse” virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone who's e-mail address is present in YOUR mailbox!

Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax


Aliases: Death-Blaze   Description:
This "virus" does not exist.

death69 is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to death69. As with most virus hoaxes, the message over-exaggerates the necessity to pass the message on to everyone the reader knows, claims that the "virus" can perform physical destruction to computer parts and quotes an authority figure in an attempt to lend more credibility to the often absurd claims.

The hoax was first discovered posted to a newsgroup on Prodigy in early December 1996.

The message includes the following "warning:"

There is a new horrible virus on the loose! created late November by elite hacker "DEATH-BLAZE." The virus is full stealth and Trojan, once thought never possible, it first formats the hard drive, then it physically eats at the materials of the drive. researchers are stunned, they say it is probably the most destructive virus ever created.

The virus's name is "death69" witch as I stated earlier was created by elite hacker "DEATH-BLAZE"

The closing statement claims that the warning was "written by the technicians at Norton AntiVirus! distribute freely." We emphasize that Symantec and the Symantec AntiVirus Research Center have never released such a notice. Please disregard it and do not pass it on.
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax

Red Alert

Aliases: none   Description:
This "virus" does not exist.

In November of 1996, a false warning was posted to several sites on the Internet that the Microsoft home page was distributing a virus. The creator of the message quoted a well known anti-virus developer, Mikko Hypponen of Data Fellows, to lend credibility to the false claims.

The following statement was issued by Mikko Hypponen:

This is a warning on a nasty hoax that has been distributed on several mailing lists and in usenet news. The hoax message is falsely attributed to me (

This false warning urges people to stay off Microsoft's home page and not to use Microsoft Internet Explorer, because the 'Microsoft home page is possibly infected by a virus'. This is nonsense.

If you have seen this warning, please pass on this message, and please do not redistribute the original warning any more.

Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax

Happy Holidays from SARC!

Happy Holidays from SARC!

Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1997 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at: