© 1995-2000 Symantec Corporation
All rights reserved.
Volume 2, Issue 2 - February 1, 1997
The Symantec AntiVirus Research Center (SARC) is committed
to providing swift, global responses to computer virus
threats, proactively researching and developing
technologies that eliminate such threats and educating the
public on safe computing practices.
Current AntiVirus Products
The Symantec AntiVirus solution includes the following
line-up of currently available products:
- DOS/Windows 3.1—NAV 3.0, revision 3.10
- Windows 95—NAV 95 1.0, revision 95.0b
- Windows 95—NAV 95 2.0, revision 2.01
- Windows NT—NAV NT 2.0, revision 2.00
- Novell—NAV 2.0 NetWare, revision 2.03
- Netscape—NAV Internet, revision 1.00
- Macintosh/Power Macintosh—SAM, revision 4.0.8
- Macintosh/Power Macintosh—SAM, revision 4.50
You can get the latest updates through any of these online
services:
- CompuServe, go SYMANTEC
- Microsoft Network (Windows 95 products only), go to SYMANTEC
- America Online, keyword SYMANTEC
- Symantec World Wide Web site, http://www.symantec.com
- Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541) 984-5366
If you don’t have electronic access, you can contact our
Customer Service at (800) 441-7234 and order a disk set for
$12 (to cover shipping and handling only).
In The Wild
In each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild").
Most Frequently Reported Viruses
The following is a list of the top reported viruses, as
published in Joe Wells’ Wild List on December 22, 1996:
- Form.A
- WM.Concept.A
- One_Half.3544
- AntiEXE.A
- Empire.Monkey.B
- Junkie.1027
- Parity_Boot.B
- Ripper
- AntiCMOS.A
- Natas.4744
- NYB
- Die_Hard
- Boot-437
- Sampo
- Stoned.Angelina.A
- Michelangelo.A
- Kampana.A
- Stoned.No_INT.A
- WM.Wazzu.A
- Tai-Pan.438
You can access the complete Joe Wells’ Wild List from the
SARC website:
http://www.symantec.com/avcenter/wild/wl.html
SARC Technology Update
SARC Announces Macro Virus Protection for Microsoft Office 97
Symantec will offer a support solution for the new file
formats that ship with the Microsoft Office 97 suite. Virus
detection support for Office 97 datafile structures and
viruses written in the Visual Basic 5.0 macro language will
be available to Symantec customers as free definitions
available by March 3, 1997, on Symantec’s website and other
locations.
"Office 97 is a departure from prior datafile structures,"
says Alex Haddox, Product Manager for the Symantec
AntiVirus Research Center (SARC). "Current anti-virus
technology does not understand the new file formats and, as
a result, cannot detect or remove viruses from files using
Office 97 technologies. Our solution includes adapting our
NAVEX modular engine technology to provide the latest virus
protection for Office 97, across Word, Excel and
PowerPoint, along with the standard, free Norton AntiVirus
and SAM definition sets available to registered users."
According to SARC, three to six new computer viruses are
discovered every day. Of those, there are an alarming
number of new macro viruses. Researchers have documented
210 macro viruses as of January 1997, a significant
increase since August 1996, when there were only 42. Of the
210 documented macro viruses, 205 have been found in Word,
while 5 have been found in Excel documents. Norton
AntiVirus products give users the security of knowing they
have the most complete virus protection possible, whether
they are downloading files from the Internet, opening email
with attached Word documents, or accessing floppy disks.
The new Office 97 support will include all Symantec
anti-virus platforms, including DOS, Windows 3.1, Windows
95, Windows NT, NetWare, and Macintosh. Norton AntiVirus
definitions can be easily obtained by using Intelligent
Updater or LiveUpdate, which provides one-button access to
the latest virus definition updates, or by accessing the
Symantec website (http://www.symantec.com), FTP site
(ftp://ftp.symantec.com), BBS (541-484-6669), or Symantec
forums on CompuServe, America Online and the Microsoft
Network. These resources
provide Symantec customers with the most up-to-date and
advanced anti-virus protection available.
SARC Announces Bloodhound Technology
The Bloodhound system is an artificially intelligent
web-spider that crawls through the World Wide Web searching
for new and unknown viruses. Bloodhound is based on two of
Symantec’s advanced technologies: the Symantec Seeker
system and the new SARC Heuristic Scanner.
"It is important that our customers are protected from the
latest Internet virus threats," says Enrique Salem, Chief
Technical Officer of Symantec. "Using the latest in
artificial intelligence and virus analysis technology, the
Bloodhound system searches the Internet and helps us locate
and eradicate completely new viruses before they can pose a
threat to users. Most anti-virus scanners are only able to
identify viruses that have been pre-analyzed by virus
researchers. The Bloodhound system takes a new approach to
the problem by using AI technology to analyze programs on
the World Wide Web. Bloodhound scrutinizes each program’s
machine language instructions and assesses the likelihood
of viral infection. When Bloodhound locates a potential new
virus, the offending file can then be fed into our
automated analysis system for further inspection."
The Bloodhound system is largely based on SARC’s Seeker
technology. The Seeker system is a Java-based web-crawler.
Originally, Seeker was used to locate and retrieve samples
from known virus transmission sites. Seeker can be focused
on a website suspected of hosting viruses and can acquire
all files from that site for automated analysis. While it
acquires samples, Seeker concurrently explores other
potential virus exchange sites that can be reached through
web links.
Bloodhound constitutes a complete departure from
traditional virus scanning technology. Traditional virus
scanning software relies upon virus "signatures," or
fingerprints, to detect virus infections. When an
anti-virus company receives a new virus, it analyzes it and
extracts a virus fingerprint. The virus is then considered
"known" and can be identified by subsequent updates of the
anti-virus product. Viruses that have not yet been analyzed
are invisible to such anti-virus software.
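The signature model described above, as an added example (not Symantec's code): a toy scanner matches a byte fingerprint in constructed buffers and misses an unanalysed sample that makes the same calls in a different byte layout. A static trait score, a simplified stand-in for the behavior-based heuristic the newsletter describes next, still flags that sample. All names, byte strings, weights and the threshold are assumptions made for illustration.

```python
"""Signature matching vs. a trait score, run on constructed byte buffers."""

# Constructed fingerprint "extracted" from one analysed sample (not a real
# definition): find-first, open read/write, write, as DOS INT 21h calls.
FIND = bytes.fromhex("b44ecd21")     # MOV AH,4Eh / INT 21h  (find first file)
OPEN = bytes.fromhex("b8023dcd21")   # MOV AX,3D02h / INT 21h (open read/write)
WRITE = bytes.fromhex("b440cd21")    # MOV AH,40h / INT 21h  (write to handle)
EXIT = bytes.fromhex("b44ccd21")     # MOV AH,4Ch / INT 21h  (terminate)
PRINT = bytes.fromhex("b409cd21")    # MOV AH,09h / INT 21h  (print string)

SIGNATURES = {"Demo.A": FIND + OPEN + WRITE}   # hypothetical name

# Assumed weights: each trait is common alone, the combination is not.
TRAITS = {"find_first": (FIND, 2), "open_rw": (OPEN, 3), "write": (WRITE, 3)}
THRESHOLD = 6                                   # assumed cut-off

def signature_scan(data: bytes) -> list[str]:
    """Return names of every known fingerprint found in the buffer."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def heuristic_score(data: bytes) -> tuple[int, list[str]]:
    """Sum the weights of the traits present; also return which ones hit."""
    hits = [t for t, (pattern, _) in TRAITS.items() if pattern in data]
    return sum(TRAITS[t][1] for t in hits), hits

def verdict(data: bytes) -> str:
    """Signature first; fall back to the trait score for unknown samples."""
    known = signature_scan(data)
    if known:
        return "known:" + known[0]
    score, _ = heuristic_score(data)
    return "suspicious" if score >= THRESHOLD else "clean"

# Constructed samples (inert byte strings, never executed).
NOP = b"\x90"
ANALYSED = FIND + OPEN + WRITE + EXIT                   # fingerprint source
UNANALYSED = FIND + NOP + OPEN + NOP * 2 + WRITE + EXIT # same calls, new layout
BENIGN = PRINT + FIND + EXIT                            # e.g. a directory lister

if __name__ == "__main__":
    for label, sample in [("analysed", ANALYSED), ("unanalysed", UNANALYSED),
                          ("benign", BENIGN)]:
        print(f"{label:11} sig={signature_scan(sample)} "
              f"score={heuristic_score(sample)[0]} -> {verdict(sample)}")
```

Lowering the assumed threshold would flag the benign sample as well, which is why a trait hit is handed on for further analysis rather than treated as an identification.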
Rather than using signatures, Bloodhound detects viruses
by inspecting executable files for virus-like behavior.
Since many viruses are finicky and only spread under ideal
circumstances, the SARC heuristic system actually "coaxes"
viruses into exhibiting their malicious behavior. If a
program exhibits such virus-like behavior, it is passed on
for further analysis by the Symantec AntiVirus Research
Automation (SARA) system or a SARC virus researcher. This
heuristic technology has been shown to detect up to 80% of
new, unknown viruses.
Macro Virus Protection Additions
Protection for the following macro viruses has been added
to the February virus definition updates:
WM.ABC
WM.Atom.E
WM.Atom.F
WM.Atom Variant
WM.Bandung.F
WM.Bandung Variant
WM.Chaos
WM.Colors.I
WM.Colors Variant
WM.Concept Variant
WM.Coolio
WM.CountTen.B
WM.Daniel.B
WM.GoodBye dropper
WM.GoodBye
WM.Hybrid
WM.MadDog.B
WM.Magnum
WM.MDMA.E
WM.MDMA Variant
WM.Minimal
WM.MisterX
WM.MVDK.A
WM.MVDK.B
WM.Niki:It
WM.NJ-WMVCK.B
WM.Npad.F
WM.Npad.G
WM.Npad.H
WM.Npad.I
WM.Npad.J
WM.Npad.K
WM.Npad.L
WM.NPAD Variant
WM.Nuclear Variant
WM.Olympic.A:Tw
WM.Olympic.B:Tw
WM.Outlaw Variant
WM.Rapi.D
WM.Rapi.D1
WM.Rapi.D2
WM.Rapi.E2
WM.Rapi.F
WM.Rapi.F1
WM.Rapi.F2
WM.Rapi Variant
WM.Target.A:De
WM.Target.B:De
WM.Twister
WM.Twno Variant
WM.Wazzu.AD
WM.Wazzu.X
WM.Wazzu.Q
WM.Wazzu.AB
WM.Wazzu.AA
WM.Wazzu.Z
WM.Wazzu.AE
WM.Wazzu Variant
WM.Weather.C
Editor: Alex Haddox, Product Manager, Symantec
AntiVirus Research Center
Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA
SARC AntiVirus News Update is published monthly by Symantec Corporation.
Copyright © 1997 Symantec Corporation. All
rights reserved. No Reprint without Permission in
writing, in advance.
Archives of these newsletters are available for
reading on the SARC WWW site at:
http://www.symantec.com/avcenter/refa.html