© 1995-2000 Symantec Corporation
All rights reserved.
Volume 2, Issue 2 - February 1, 1997
The Symantec AntiVirus Research Center (SARC) is committed
to providing swift, global responses to computer virus
threats, proactively researching and developing
technologies that eliminate such threats and educating the
public on safe computing practices.
The Symantec AntiVirus solution includes the following
line-up of currently available products:
Current AntiVirus Products
You can get the latest updates through any of these online
- DOS/Windows 3.1óNAV 3.0, revision 3.10
- Windows 95óNAV 95 1.0, revision 95.0b
- Windows 95óNAV 95 2.0, revision 2.01
- Windows NTóNAV NT 2.0, revision 2.00
- NovellóNAV 2.0 NetWare, revision 2.03
- NetscapeóNAV Internet, revision 1.00
- Macintosh/Power MacintoshóSAM, revision 4.0.8
- Macintosh/Power MacintoshóSAM, revision 4.50
CompuServe, go SYMANTEC
Microsoft Network (Windows 95 products only), go to SYMANTEC
America Online, keyword SYMANTEC
Symantec World Wide Web site, http://www.symantec.com
Symantec FTP or BBS (28.8 baud), (541) 484-6669 and (541)
If you donít have electronic access, you can contact our
Customer Service at (800) 441-7234 and order a disk set for
$12 (to cover shipping and handling only).
In each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild").
In The Wild
The following is a list of the top reported viruses, as
published in Joe Wellsí Wild List on December 22, 1996:
Most Frequently Reported Viruses
You can access the complete Joe Wellsí Wild List from the
SARC Technology Update
SARC Announces Macro Virus Protection for Microsoft Office
Symantec will offer a support solution for the new file
formats that ship with the Microsoft Office 97 suite. Virus
detection support for Office 97 datafile structures and
viruses written in the Visual Basic 5.0 macro language will
be available to Symantec customers as free definitions
available by March 3, 1997, on Symantecís website and other
"Office 97 is a departure from prior datafile structures,"
says Alex Haddox, Product Manager for the Symantec
AntiVirus Research Center (SARC). "Current anti-virus
technology does not understand the new file formats and, as
a result, cannot detect or remove viruses from files using
Office 97 technologies. Our solution includes adapting our
NAVEX modular engine technology to provide the latest virus
protection for Office 97, across Word, Excel and
PowerPoint, along with the standard, free Norton AntiVirus
and SAM definition sets available to registered users."
According to SARC, three to six new computer viruses are
discovered every day. Of those, there are an alarming
number of new macro viruses. Researchers have documented
210 macro viruses as of January 1997, a significant
increase since August 1996, when there were only 42. Of the
210 documented macro viruses, 205 have been found in Word,
while 5 have been found in Excel documents. Norton
AntiVirus products give users the security of knowing they
have the most complete virus protection possible, whether
they are downloading files from the Internet, opening email
with attached Word documents, or accessing floppy disks.
The new Office 97 support will include all Symantec
anti-virus platforms, including DOS, Windows 3.1, Windows
95, Windows NT, NetWare, and Macintosh. Norton AntiVirus
definitions can be easily obtained by using Intelligent
Updater or LiveUpdate, which provides one-button access to
the latest virus definition updates, or by accessing the
Symantec website ( http://www.symantec.com), FTP site (ftp://ftp.symantec.com), BBS (541-484-6669), or Symantec forums on CompuServe,
America Online and the Microsoft Network. These resources
provide Symantec customers with the most up-to-date and
advanced anti-virus protection available.
SARC Announces Bloodhound Technology
The Bloodhound system is an artificially intelligent
web-spider that crawls through the World Wide Web searching
for new and unknown viruses. Bloodhound is based on two of
Symantecís advanced technologies: the Symantec Seeker
system and the new SARC Heuristic Scanner.
"It is important that our customers are protected from the
latest Internet virus threats," says Enrique Salem, Chief
Technical Officer of Symantec. "Using the latest in
artificial intelligence and virus analysis technology, the
Bloodhound system searches the Internet and helps us locate
and eradicate completely new viruses before they can pose a
threat to users. Most anti-virus scanners are only able to
identify viruses that have been pre-analyzed by virus
researchers. The Bloodhound system takes a new approach to
the problem by using AI technology to analyze programs on
the World Wide Web. Bloodhound scrutinizes each programís
machine language instructions and assesses the likelihood
of viral infection. When Bloodhound locates a potential new
virus, the offending file can then be fed into our
automated analysis system for further inspection."
The Bloodhound system is largely based on SARCís Seeker
technology. The Seeker system is a Java-based web-crawler.
Originally, Seeker was used to locate and retrieve samples
from known virus transmission sites. Seeker can be focused
on a website suspected of hosting viruses and can acquire
all files from that site for automated analysis. While it
acquires samples, Seeker concurrently explores other
potential virus exchange sites that can be reached through
Bloodhound constitutes a complete departure from
traditional virus scanning technology. Traditional virus
scanning software relies upon virus "signatures," or
fingerprints, to detect virus infections. When an
anti-virus company receives a new virus, it analyzes it and
extracts a virus fingerprint. The virus is then considered
"known" and can be identified by subsequent updates of the
anti-virus product. Viruses that have not yet been analyzed
are invisible to such anti-virus software.
Rather than using signatures, Bloodhound detects viruses
by inspecting executable files for virus-like behavior.
Since many viruses are finicky and only spread under ideal
circumstances, the SARC heuristic system actually "coaxes"
viruses into exhibiting their malicious behavior. If a
program exhibits such virus-like behavior, it is passed on
for further analysis by the Symantec AntiVirus Research
Automation (SARA) system or a SARC virus researcher. This
heuristic technology has been shown to detect up to 80% of
new, unknown viruses.
Macro Virus Protection Additions
Protection for the following macro viruses have been added
for the February virus definition updates:
| Editor: Alex Haddox, Product Manager, Symantec
AntiVirus Research Center
Address all correspondence to:
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
SARC AntiVirus News Update is published monthly by Symantec Corporation.
Copyright © 1997 Symantec Corporation. All
rights reserved. No Reprint without Permission in
writing, in advance.
Archives of these newsletters are available for
reading on the SARC WWW site at: