Volume 2, Issue 6 - June 1, 1997

The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.




Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:

  • DOS/Windows 3.1—NAV 3.0, revision 3.10
  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows NT—NAV NT 2.0, revision 2.01
  • Novell—NAV NetWare, revision 2.04
  • Netscape—NAV Internet, revision 1.00
  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.51

You can get the latest updates to many of these products through any of the following online services:

  • CompuServe: GO SYMANTEC
  • America Online: Keyword: SYMANTEC
  • Symantec World Wide Web site: http://www.symantec.com
  • Symantec FTP: ftp://ftp.symantec.com
  • BBS (28.8 baud): (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).



June Virus Update Available Now!

The June 1997 virus definition set fully supports Word and Excel for Microsoft Office 97 with detection and repair. How can you keep your software safe from the latest macro, file, and boot sector viruses? Just run 06NAV97.EXE or click your LiveUpdate button to obtain this support.



SARC at PC Expo

Meet Alex Haddox, Product Manager of the Symantec AntiVirus Research Center, and other members of the SARC Research team at PC Expo. The show is scheduled for June 17 through 19 at the Javits Center in New York City. Stop by the Symantec booth and get the latest information from the world’s leading anti-virus experts!



In The Wild

In each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild"). You can access the complete Joe Wells Wild List on the SARC Web site at: http://www.symantec.com/avcenter/wild/wl.html

Ripper
Aliases: Jack Ripper
Infection length: 512 bytes
Area of infection: Floppy boot sectors, master boot records
Likelihood: Common
Region Reported: Europe, Australia/New Zealand, Hong Kong, Taiwan, Canada, Japan, South Africa
Characteristics: Wild, memory resident, stealthing
Target Platform: DOS
Trigger Date: Random

Description
When it is active in memory, the Ripper virus randomly corrupts disk writes. The virus invalidates information written to disk approximately once in every 1,000 writes.

Ripper contains two encrypted strings. One is an obscene message. The other reads as follows:

(C)1992 Jack Ripper


Sat_Bug.Natas
Aliases: Natas, Satan, Satan Bug
Infection Length: 4744 bytes (files), 512 bytes (master boot records)
Area of Infection: .COM files, .EXE files, floppy boot sectors, master boot records
Likelihood: Common
Region Reported: Mexico, Hong Kong, Europe, South America, India, Taiwan, Japan, South Africa
Characteristics: Wild, multipartite, memory resident, stealthing, encrypting, polymorphic
Target Platform: DOS
Trigger Date: None

Description
Sat_Bug.Natas infects program files, the DOS boot sector on floppy disks, and the master boot record (MBR) on the first physical hard disk (drive 80h, the C: drive). The virus code reserves 6K of memory and is two sectors in length. Thus, on a 640K computer, MEM would report 634K and CHKDSK would report 649,216 bytes of free memory.

The virus body is stored, unencrypted, on 9 sectors near the end of side 0, track 0, on the hard drive. If it is in memory, Sat_Bug.Natas hides the infected MBR, but not the extended sectors. Using a disk editor, you can see the virus name near the end of the last virus sector.

Infected files grow by 4744 bytes, but the change in size is concealed when Sat_Bug.Natas is in memory. The name Natas, located in the encrypted portion of the virus body, is not visible. The virus decryptor is extremely polymorphic. Sat_Bug.Natas contains no intentionally damaging routines and does not affect data files; however, it appears to be incompatible with some memory managers. Problems have been reported when QEMM386 and DOS EMM386 become infected.

Sat_Bug.Natas was evidently programmed by Little Loc., the programmer of the Sat_Bug (Satan Bug, or Satan) virus from San Diego, California. Sat_Bug.Natas has been distributed as commented source code, and is widely reported in Mexico.


NYB
Aliases: B1
Infection Length: 512 bytes
Area of Infection: Floppy boot sectors, master boot records
Likelihood: Common
Region Reported: Hong Kong, U.S.A., Europe, Russia, South America, India, Canada, Japan, South Africa
Characteristics: Wild, memory resident, stealthing
Target Platform: DOS
Trigger Date: None

Description
NYB is a simple virus that infects the master boot record (MBR) and DOS boot sector (DBS). NYB spreads when you attempt to boot your system from an infected floppy disk.

During the boot process, NYB loads the MBR into memory and checks for infection. NYB stores the non-infected MBR at cylinder 0, side 0, sector 17 on the hard disk. The virus then places its code into the MBR and writes the infected MBR back to the hard disk at cylinder 0, side 0, sector 1.

Once the boot process is complete and NYB is active in memory, the virus stealths itself by redirecting any disk read of the infected MBR or DBS to the clean copy it saved. (On floppy disks, the original DBS is stored in the last sector of the root directory.)
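The two boot-sector profiles above share a forensic handle: NYB parks the clean MBR at cylinder 0, side 0, sector 17, and Sat_Bug.Natas keeps its body on track 0 as well, so an offline scan of a disk image (one taken with the virus not in memory, so its read redirection cannot interfere) can look for a second sector on track 0 that carries the live MBR's partition table but different boot code. The following is an added example written for this newsletter, not a Symantec tool: the disk geometry, the sample image and the boot-code bytes are all constructed, and the check is a heuristic, not a definition-based identification.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def chs_to_lba(cylinder, head, sector, heads=16, sectors_per_track=63):
    """Convert a 1-based CHS address to a 0-based LBA.
    The geometry defaults are an assumption for the sample image."""
    if sector < 1:
        raise ValueError("CHS sector numbers start at 1")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def read_sector(image, lba):
    start = lba * SECTOR_SIZE
    return image[start:start + SECTOR_SIZE]


def has_boot_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def partition_table(sector):
    """The four 16-byte partition entries at offsets 0x1BE..0x1FD."""
    return [sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] for i in range(4)]


def boot_code(sector):
    return sector[:0x1BE]


def find_displaced_mbr(image, candidate_lbas):
    """Return the LBAs of sectors that carry the same partition table as the
    live MBR (LBA 0) but different boot code and a valid 55AA signature.
    A boot-sector virus that relocated the original MBR leaves exactly that
    pattern behind; a clean disk yields an empty list."""
    live = read_sector(image, 0)
    if not has_boot_signature(live):
        return None  # not a bootable image at all; nothing to compare
    hits = []
    for lba in candidate_lbas:
        cand = read_sector(image, lba)
        if not has_boot_signature(cand):
            continue
        if partition_table(cand) == partition_table(live) and boot_code(cand) != boot_code(live):
            hits.append(lba)
    return hits


def scan_track0(image, sectors_per_track=63):
    """Check every sector of cylinder 0, head 0 except the MBR itself."""
    return find_displaced_mbr(image, range(1, sectors_per_track))


def build_sample_image(infected=True):
    """Constructed 64-sector image.  With infected=True the original MBR sits
    at CHS 0/0/17 (where NYB parks it) and LBA 0 holds a sector with the same
    partition table but replacement boot code; with infected=False LBA 0
    holds the original and sector 17 is empty."""
    entry = b"\x80\x01\x01\x00\x06\xfe\x3f\x0f" + struct.pack("<II", 63, 0x3FFC1)
    ptable = entry + bytes(48)                       # one active entry, three empty
    original_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (0x1BE - 5)   # constructed loader
    replacement_code = b"\xeb\x1c\x90" + b"\x00" * (0x1BE - 3)        # constructed stand-in
    original_mbr = original_code + ptable + BOOT_SIGNATURE
    image = bytearray(SECTOR_SIZE * 64)
    if infected:
        image[0:SECTOR_SIZE] = replacement_code + ptable + BOOT_SIGNATURE
        lba = chs_to_lba(0, 0, 17)
        image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE] = original_mbr
    else:
        image[0:SECTOR_SIZE] = original_mbr
    return bytes(image)


if __name__ == "__main__":
    print("infected image:", scan_track0(build_sample_image(True)))    # [16]
    print("clean image:   ", scan_track0(build_sample_image(False)))   # []
```

A hit at LBA 16 corresponds to CHS sector 17, the location NYB uses; a hit elsewhere on track 0 is still worth a look, since other boot viruses park the original MBR in other unused sectors of the same track. The check says nothing about which virus is present, only that the MBR has been replaced and the original preserved.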



Virus Information on the Web

If you’re looking for the most current and largest collection of virus information on the web, check out the Virus Information Database on the Symantec AntiVirus Research Center website. It has just been updated with over 100 new virus write-ups. When you need virus information, trust only the best!



Most Frequently Reported Viruses

Following is a list of the top reported viruses, as published in Joe Wells’ Wild List last March:

  • Form.A
  • WM.Concept.A
  • One_Half.3544
  • AntiEXE.A
  • Empire.Monkey.B
  • Junkie.1027
  • Parity_Boot.B
  • AntiCMOS.A
  • Ripper
  • Natas.4744
  • NYB
  • Die_Hard
  • Sampo
  • Boot-437
  • Stoned.Angelina.A
  • WM.Npad.A
  • Michelangelo.A
  • Stoned.No_INT.A
  • WM.Wazzu.A
  • Kampana.A



SARC Technology Update

Macro viruses continue to rise in prominence, as 6-10 new variants are discovered every day. Included in this update is new technology which allows detection and repair of unknown macro viruses and virus remnants residing in document files.

The basis of the technology is that many macro viruses are known to "mate": when a new virus infects a document that is already infected with another virus, the result can be a new variant that would neither be detected nor repaired by normal identification methods. The new technology (called "Macro Component") detects and repairs these combinations even before the Symantec AntiVirus Research Center has seen an instance of the infection. By verifying that every macro in the document can be attributed to a known macro virus, all such traces can be removed safely, which considerably reduces the likelihood of any future matings.
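The rule described above, attribute every macro in a document to a known virus before removing anything, can be shown in a few lines. The following is an added example written for this newsletter and is not Symantec's Macro Component code: the macro bodies, the two "known" viruses and the fingerprinting scheme are all hypothetical and constructed here, and real definitions would carry far more than a body hash.

```python
import hashlib


def macro_fingerprint(body: str) -> str:
    """Hash a macro body after trimming each line, so that trivial
    reformatting of a known macro does not defeat the match."""
    normalized = "\n".join(line.strip() for line in body.strip().splitlines())
    return hashlib.sha256(normalized.encode()).hexdigest()


# Constructed macro bodies standing in for the macros two hypothetical
# viruses install.  Nothing here is a real virus definition.
_ALPHA_AUTOOPEN = 'Sub MAIN\nMacroCopy "AutoOpen", "Global:AutoOpen"\nEnd Sub'
_ALPHA_PAYLOAD = 'Sub MAIN\nMsgBox "alpha"\nEnd Sub'
_BETA_AUTOCLOSE = 'Sub MAIN\nMacroCopy "AutoClose", "Global:AutoClose"\nEnd Sub'

KNOWN_MACRO_VIRUSES = {
    "WM.Alpha.A (hypothetical)": {macro_fingerprint(_ALPHA_AUTOOPEN),
                                  macro_fingerprint(_ALPHA_PAYLOAD)},
    "WM.Beta.A (hypothetical)": {macro_fingerprint(_BETA_AUTOCLOSE)},
}


def attribute_macros(document_macros):
    """document_macros maps macro name -> body text.
    Returns (attributed, unknown): attributed maps macro name -> virus name,
    unknown lists macros that match no known virus."""
    attributed, unknown = {}, []
    for name, body in document_macros.items():
        fp = macro_fingerprint(body)
        owner = next((v for v, fps in KNOWN_MACRO_VIRUSES.items() if fp in fps), None)
        if owner is None:
            unknown.append(name)
        else:
            attributed[name] = owner
    return attributed, unknown


def classify(document_macros):
    """clean / known-infection / mated-infection / unknown-macros."""
    if not document_macros:
        return "clean"
    attributed, unknown = attribute_macros(document_macros)
    if unknown:
        return "unknown-macros"
    return "known-infection" if len(set(attributed.values())) == 1 else "mated-infection"


def disinfect(document_macros):
    """Remove every macro only when all of them are attributable to known
    viruses; otherwise leave the document untouched and say why."""
    attributed, unknown = attribute_macros(document_macros)
    if unknown:
        return dict(document_macros), f"not repaired: unattributed macros {unknown}"
    removed_from = sorted(set(attributed.values()))
    return {}, f"removed {len(attributed)} macro(s) belonging to {removed_from}"


# Constructed sample documents: a single infection, a mated one (macros from
# both viruses in one file), and an infected file that also carries a user macro.
SAMPLE_DOCS = {
    "alpha_only": {"AutoOpen": _ALPHA_AUTOOPEN, "PayLoad": _ALPHA_PAYLOAD},
    "mated": {"AutoOpen": _ALPHA_AUTOOPEN, "PayLoad": _ALPHA_PAYLOAD,
              "AutoClose": _BETA_AUTOCLOSE},
    "user_macro": {"AutoOpen": _ALPHA_AUTOOPEN,
                   "FormatReport": "Sub MAIN\nBold 1\nEnd Sub"},
}

if __name__ == "__main__":
    for label, macros in SAMPLE_DOCS.items():
        print(label, "->", classify(macros), "|", disinfect(macros)[1])
```

The mated document is repaired even though no signature for that particular combination exists, because each of its macros is individually attributable. The document with a user macro is deliberately left alone: stripping all macros there would destroy legitimate work, which is the failure the attribution check guards against.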



New virus detection summary

  • Macro Viruses: 156
  • File Viruses: 56
  • Boot Viruses: 6
  • File & Boot Viruses: 2



Macro Virus Protection Additions

Protection for the following macro viruses has been added to the June virus definition update:

WM.Alien.D, WM.Alien.E, WM.Appder.D, WM.Appder.E, WM.Atom.I, WM.Badboy.A, WM.Bandung.AA, WM.Bandung.AB, WM.Bandung.AC, WM.Bandung.AD, WM.Bandung.AE, WM.Bandung.O, WM.Bandung.X, WM.Bandung.Y, WM.Bandung.Z, WM.Cap.G, WM.Cap.H, WM.Cap.I, WM.Cap.J, WM.Cap.K, WM.Cap.L, WM.CeeFour.B, WM.Colors.AL, WM.Colors.AM, WM.Colors.AN, WM.Colors.AO, WM.Colors.AP, WM.Colors.AQ, WM.Colors.AR, WM.Colors.AS, WM.Colors.AT, WM.Concept.AJ, WM.Concept.AK, WM.Concept.AL, WM.Concept.AM, WM.Concept.AN, WM.Concept.AO, WM.Concept.AP, WM.CountTen.D, WM.CVCK1.B, WM.Date.B, WM.Dave.A, WM.Divina.E, WM.Divina.F, WM.DMV.E, WM.Dzt.C, WM.Eraser.P:Tw, WM.Frenzy.A, WM.GoldFish.B, WM.Goodnight.B, WM.Helper.C, WM.Helper.D, WM.Helper.E, WM.HiAC.A, WM.Hider.A, WM.Imposter.C, WM.Irish.J, WM.Irish.K, WM.Irish.L, WM.Johnny.H, WM.Johnny.I, WM.Johnny.J, WM.Lunch.C, WM.MDMA.M, WM.MDMA.N, WM.MDMA.O, WM.Minimal.N, WM.Minimal.O, WM.NiceDay.E, WM.NiceDay.F, WM.NiceDay.G, WM.NJ-WMDLK1.G, WM.Nop.H:Fr, WM.Nop.I, WM.Nop.J, WM.NOP.K, WM.Npad.AA, WM.Npad.AO, WM.Npad.AP, WM.Npad.AS, WM.Npad.AT, WM.Npad.AU, WM.Npad.AV, WM.Npad.AX, WM.Npad.AY, WM.Npad.AZ, WM.Npad.BA, WM.Npad.BB, WM.Nuclear.J, WM.Nuclear.K, WM.Nuclear.L, WM.Nuclear.M, WM.Phardera.B, WM.Rapi.AA2, WM.Rapi.AC, WM.Rapi.AC1, WM.Rapi.AC2, WM.Rapi.AD2, WM.Rapi.AE1, WM.Rapi.AE2, WM.Rapi.AF1, WM.Rapi.AF2, WM.Rapi.AG, WM.Rapi.AG1, WM.Rapi.AG2, WM.Rapi.AZ2, WM.Rapi.X, WM.Rapi.Y, WM.Rapi.Y1, WM.Rapi.Z2, WM.Sharefun.B, WM.Showoff.AH, WM.ShowOff.AI, WM.ShowOff.AJ, WM.ShowOff.AK, WM.ShowOff.AL, WM.ShowOff.AM, WM.Showoff.AN, WM.ShowOff.AO, WM.Showoff.AP, WM.ShowOff.AQ, WM.ShowOff.AR, WM.ShowOff.AS, WM.ShowOff.AT, WM.Shuffle.A, WM.Simple.A, WM.Simple.B, WM.Sparkle.A, WM.Talon.A, WM.Talon.B, WM.Talon.C, WM.Talon.H, WM.Talon.H1, WM.Talon.H2, WM.TestArea.A, WM.Toten.A, WM.TwoLines.D, WM.TwoLines.E, WM.Twolines.F, WM.TwoLines.G, WM.Twolines.H, WM.Wazzu.BD, WM.Wazzu.BS, WM.Wazzu.BT, WM.Wazzu.BU, WM.Wazzu.BV, WM.Wazzu.BW, WM.Wazzu.BX, WM.Wazzu.BY, WM.Wazzu.BZ, WM.Wazzu.CA, WM.Wazzu.CB, XM.Laroux.C


Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1997 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at:

http://www.symantec.com/avcenter/refa.html