Volume 2, Issue 5 - May 1, 1997

The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.



Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:

  • DOS/Windows 3.1—NAV 3.0, revision 3.10
  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows NT—NAV NT 2.0, revision 2.01
  • Novell—NAV NetWare, revision 2.04
  • Netscape—NAV Internet, revision 1.00
  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.51

You can get the latest updates to many of these products through any of the following online services:

CompuServe: GO SYMANTEC
America Online: Keyword: SYMANTEC
Symantec World Wide Web site: http://www.symantec.com
Symantec FTP: ftp://ftp.symantec.com
BBS (28.8 baud): (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).



May Virus Update Available Now!

The May 1997 virus definition set fully supports Word and Excel for Microsoft Office 97 with detection and repair. How can you keep your software safe from the latest macro, file, and boot sector viruses? Just run 05NAV97a.EXE or click your LiveUpdate button to obtain this support.



Viruses, Trojan Horses, and Hoaxes

We’ll begin by clarifying several definitions. It is critical to understand the differences between a virus, a trojan horse, and a virus hoax.

Computer Viruses

A computer virus is a program written and designed to adversely affect your computer by altering the way it works without your knowledge or consent. The defining component of a computer virus is self-replication. In order for a program to be categorized as a virus, it must be able to move and spread from host system to host system on its own; no user action must be required once it has been introduced.

Computer viruses are classified under three broad categories, according to their infection target: file viruses (.COM, .EXE and macro files), boot sector viruses (restricted to the physical media of floppy disks or hard drives) and multipartite viruses (a combination of files and boot sectors).

Trojan Horses

These programs have malicious behavior as their goal. Like their classical namesake, trojan horses typically masquerade as something desirable; the ability to obtain AOL access for free is one example.

Trojan horses are unable to replicate, and therefore must be manually downloaded (installed) onto your system. When a trigger (activation) event occurs, the trojan horse can display a message, destroy specific files, or erase all information on the system. In most cases, simply running a trojan horse program immediately triggers the event. Because these programs cannot replicate, they are not classified as viruses.

Computer Virus Hoaxes

A message or alert about a virus that does not exist is known as a computer virus hoax. The goal of the hoax message is to cause panic. Consider it a prank in poor taste, or the computer equivalent of the Boy Who Cried Wolf. In recent times, such false warning messages have proliferated, generally preying on the fears of inexperienced users.

Telltale signs of a virus hoax include the following descriptions:

  • Self-replication through Internet e-mail
  • Physical destruction of hardware
  • Use of odd and undocumented features in the computer or modem to spread and do damage
  • Requesting you to "send this alert to as many people as possible"




AOL4Free

There are two issues involving AOL4Free: the first is a virus hoax, and the second is the AOL4Free trojan horse program.

The AOL4Free virus alert message is a hoax. The activities described in the alert cannot exist.

To confuse matters, a trojan horse program by the same name has been discovered in limited distribution. As explained above, a trojan horse is not a virus, but a malicious program. We are not positive at this point which came first, the hoax alert or the trojan horse, but one could easily lead to the creation of the other.

SARC has developed a way to detect the AOL4Free program. Once it is detected, you can simply delete it. The detection will be made publicly available with the May 1997 virus definition release.

AOL4Free Virus Hoax

Aliases: aol4free.com
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region reported: America Online
Characteristics: Hoax
Target platform: Hoax
Trigger date: Hoax

Description
The virus hoax is different from the AOL4Free trojan horse. No virus exists as described below; however, the trojan horse program with the same name is a real threat.

Even though there is currently no virus that has the characteristics ascribed to AOL4Free, the e-mail "warning" has been widely distributed on America Online (AOL) since March 1997.

The hoax message includes the following warning:

Anyone who receives this must send it to as many people as you can. It is essential that this problem be reconciled as soon as possible. A few hours ago, I opened an E-mail that had the subject heading of "aol4free.com."

Within seconds of opening it, a window appeared and began to display my files that were being deleted. I immediately shut down my computer, but it was too late. This virus wiped me out. It ate the Anti-Virus Software that comes with the Windows 95 program along with F-Prot AVS. Neither was able to detect it. Please be careful and send this to as many people as possible, so maybe this new virus can be eliminated.

Please ignore any messages regarding this supposed "virus" and do not pass the messages on. Spreading warnings about this hoax serves only to further propagate it.
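
The telltale signs listed earlier can be checked mechanically against the hoax text quoted above. The following is an added example, not Symantec code; the sign names and phrase patterns are assumptions chosen for illustration.

```python
import re

# The newsletter's four telltale signs. The key names and regexes are
# illustrative assumptions, not Symantec wording or detection logic.
SIGNS = {
    "spreads_via_email": [          # claims that opening/reading mail infects
        r"\bopen(?:ed|ing)?\s+(?:an?\s+|the\s+)?e-?mail\b",
        r"\bspreads?\s+(?:by|through|via)\s+e-?mail\b",
    ],
    "hardware_destruction": [
        r"\b(?:destroy|burn|melt)s?\s+(?:your\s+|the\s+)?"
        r"(?:hard\s*(?:drive|disk)|monitor|processor|modem)\b",
    ],
    "undocumented_features": [
        r"\bundocumented\b",
        r"\b(?:hidden|secret)\s+(?:feature|command|mode)s?\b",
    ],
    "forward_to_everyone": [
        r"\bsend\s+(?:it|this(?:\s+\w+)?)\s+to\s+as\s+many\s+people\b",
        r"\bforward\s+this\s+to\s+(?:everyone|all)\b",
    ],
}

# Excerpts of the AOL4Free hoax message as quoted in this newsletter.
AOL4FREE_HOAX = """Anyone who receives this must send it to as many people
as you can. A few hours ago, I opened an E-mail that had the subject heading
of "aol4free.com." Within seconds of opening it, a window appeared and began
to display my files that were being deleted. Please be careful and send this
to as many people as possible, so maybe this new virus can be eliminated."""


def hoax_signs(message):
    """Return {sign: [matched phrases]} for every telltale sign present."""
    text = " ".join(message.split())  # collapse line wraps before matching
    hits = {}
    for sign, patterns in SIGNS.items():
        found = [m.group(0) for p in patterns
                 for m in re.finditer(p, text, re.IGNORECASE)]
        if found:
            hits[sign] = found
    return hits


if __name__ == "__main__":
    for sign, phrases in hoax_signs(AOL4FREE_HOAX).items():
        print(f"{sign}: {phrases}")
```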

AOL4Free Trojan Horse

Aliases: aol4free.com
Infection length: Trojan horse
Area of infection: Trojan horse
Likelihood: Uncommon
Region reported: America Online
Characteristics: Trojan horse
Target platform: DOS, Windows 3.1, Windows 95
Trigger date: Immediate

Description
This trojan horse program should not be confused with the AOL4Free virus hoax message, which was distributed under the same name in the same timeframe (March 1997).

The AOL4Free trojan horse program was first reported as being distributed through America Online e-mail in early March 1997. Attached to the e-mail message is an archive file named AOL4FREE.COM, which is actually converted from a batch file using the DOS utility BAT2EXEC version 1.5. This utility is commonly used for converting large batch files to enhance speed.

The trojan horse first searches for the DOS program DELTREE.EXE in various directories, and then uses DELTREE.EXE to delete all files from your C drive. After deleting your files, it produces the DOS error message "Bad Command or file name" and continuously displays an obscene message. AOL4FREE can’t delete your files if it is unable to find DELTREE.EXE, but the obscene message will always display.

This works on both DOS and Windows 95 environments as long as DELTREE.EXE is present and accessible.



SARC Technology Update

Macro Virus Protection Additions

Protection for the following macro viruses has been added to the May virus definition update:

WM.Andry.A
WM.Armadillo.A
WM.Atom.G:De
WM.Atom.J
WM.BadBoy.C
WM.Bandung.P
WM.Bandung.Q
WM.Bandung.R
WM.Bandung.Rem
WM.Bandung.S
WM.Bandung.T
WM.Bandung.U
WM.Bandung.V
WM.Bandung.W
WM.Bertik.A
WM.Cap.C
WM.Cap.D
WM.Cap.E
WM.Cap.F
WM.Clock.G:De
WM.Clock.H:De
WM.Colors.AA
WM.Colors.AB
WM.Colors.AC
WM.Colors.AD
WM.Colors.AE
WM.Colors.AF
WM.Colors.AG
WM.Colors.AH
WM.Colors.AI
WM.Colors.AJ
WM.Colors.X
WM.Colors.Y
WM.Colors.Z
WM.Concept.AB
WM.Concept.AC
WM.Concept.AD
WM.Concept.AE
WM.Concept.AF
WM.Concept.AG
WM.Concept.AH
WM.Concept.AI:Jp
WM.CVCK1
WM.CVCK1.A
WM.Dark.B
WM.Dark.C
WM.Dark.D
WM.DMV.D
WM.Doggie.C
WM.Doggie.D
WM.Drugs.A:De
WM.Eraser.E:Tw
WM.Eraser.F
WM.Eraser.G
WM.Eraser.H
WM.Eraser.I
WM.Eraser.J:Tw
WM.Eraser.K
WM.Eraser.L
WM.Eraser.M
WM.Eraser.N
WM.Eraser.O:Tw
WM.Friday.B:De
WM.Fuzzy.A
WM.Haggis.A
WM.Helper.B
WM.Hilight.A
WM.Hunter.A
WM.Hunter.B
WM.Hybrid.C
WM.Irish.E
WM.Irish.G
WM.Irish.H
WM.Irish.I
WM.Johnny.D
WM.Johnny.E
WM.Johnny.F
WM.Johnny.G
WM.Lazy.A
WM.Lemon.A
WM.Lemon.B
WM.MDMA.D
WM.MDMA.G
WM.MDMA.H
WM.MDMA.I
WM.MDMA.J
WM.MDMA.K
WM.MDMA.L
WM.Mercy.A
WM.Messenger.A:De
WM.Minimal.E
WM.Minimal.F
WM.Minimal.G
WM.Minimal.H
WM.Minimal.I
WM.Minimal.J
WM.Minimal.K
WM.Minimal.L
WM.Minimal.M
WM.Mota
WM.MTF.A
WM.Muck.D
WM.MVDK
WM.Niceday.D
WM.NJ-WMDLK1.F
WM.NJ_WMDLK1.E
WM.No-F.B
WM.Nop.F:De
WM.Nop.G
WM.Npad.AC
WM.Npad.AD
WM.NPAD.AE
WM.Npad.AF
WM.NPad.AG
WM.NPad.AH
WM.NPad.AI
WM.Npad.AJ
WM.Npad.AK
WM.Npad.AL
WM.Npad.AM
WM.Npad.AN
WM.Npad.AO
WM.Npad.AP
WM.Nuclear.I
WM.Oval.A
WM.Paycheck.A
WM.Phardera.E
WM.Rapi.R
WM.Rapi.S2
WM.Rapi.T
WM.Rapi.T1
WM.Rapi.T2
WM.Rapi.U2
WM.Rapi.V2
WM.Rapi.W2
WM.Sam.A:Tw
WM.Satanic.B
WM.Setmd.A:Tw
WM.Showoff.AA
WM.Showoff.AB
WM.ShowOff.AC
WM.Showoff.AD
WM.Showoff.AE
WM.ShowOff.AF
WM.ShowOff.AG
WM.ShowOff.K
WM.ShowOff.M
WM.ShowOff.N
WM.ShowOff.O
WM.ShowOff.P
WM.ShowOff.Q
WM.ShowOff.R
WM.ShowOff.S
WM.Showoff.T
WM.Showoff.U
WM.ShowOff.V
WM.ShowOff.W
WM.ShowOff.X
WM.ShowOff.Y
WM.ShowOff.Z
WM.Surabaya.A
WM.Swlabs.A
WM.Swlabs.B
WM.Sword.A
WM.Talon.D
WM.Talon.E
WM.Talon.F
WM.Talon.G
WM.Temple.A
WM.Terror.A
WM.Wallpaper.A
WM.Wazzu.BC
WM.Wazzu.BI
WM.Wazzu.BJ
WM.Wazzu.BK
WM.Wazzu.BL
WM.Wazzu.BM
WM.Wazzu.BN
WM.Wazzu.BO
WM.Wazzu.BP
WM.Wazzu.BQ
WM.Wazzu.BR

WM.Colors.B Remnant Renamed to WM.Colors Remnant
WM.Irish.E Renamed to WM.Irish.F

Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1997 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at:

http://www.symantec.com/avcenter/refa.html