© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.
| Highlights | Table of Contents |
|---|---|
The Symantec AntiVirus solution includes the following
line-up of currently available products:
You can get the latest updates to many of these products
through any of the following online services:
If you don’t have electronic access, you can
contact our Customer Service at (800) 441-7234 and
order a disk set for $12 (to cover shipping and
handling only).
The June 1997 virus definition set fully supports Word
and Excel for Microsoft Office 97 with detection and
repair. How can you keep your software safe from the
latest macro, file, and boot sector viruses? Just run
06NAV97.EXE or click your LiveUpdate button to obtain
this support.
Meet Alex Haddox, Product Manager of the Symantec
AntiVirus Research Center, and other members of the
SARC Research team at PC Expo. The show is scheduled
for June 17 through 19 at the Javits Center in New York
City. Stop by the Symantec booth and get the latest
information from the world’s leading anti-virus
experts!
In each issue of the SARC AntiVirus News Update, we
profile a few viruses known to be in free distribution
among the general public ("in the wild").
You can access the complete Joe Wells Wild List on the
SARC Web site at: http://www.symantec.com/avcenter/wild/wl.html
Ripper
Description
Ripper contains two encrypted strings. One is an
obscene message. The other reads as follows:
(C)1992 Jack Ripper
Sat_Bug.Natas
Description
The virus body is stored, unencrypted, on 9
sectors near the end of side 0, track 0, on
the hard drive. If it is in memory,
Sat_Bug.Natas hides the infected MBR, but not
the extended sectors. Using a disk editor, you
can see the virus name near the end of the
last virus sector.
Infected files grow by 4744 bytes, but the
change in size is concealed when
Sat_Bug.Natas is in memory. The name Natas,
located in the encrypted portion of the virus
body, is not visible. The virus decryptor is
extremely polymorphic. Sat_Bug.Natas contains
no intentionally damaging routines and does
not affect data files; however, it appears to
be incompatible with some memory managers.
Problems have been reported when QEMM386 and
DOS EMM386 become infected.
Sat_Bug.Natas was evidently programmed by
Little Loc., the programmer of the Sat_Bug
(Satan Bug, or Satan) virus from San Diego,
California. Sat_Bug.Natas has been
distributed as commented source code, and is
widely reported in Mexico.
NYB
Description
During the boot process, NYB loads the
MBR into memory and checks for infection.
NYB stores the non-infected MBR at
cylinder 0, side 0, sector 17 on the hard
disk. The virus then places its code into
the MBR and writes the infected MBR back
to the hard disk at cylinder 0, side 0,
sector 1.
Once the boot process is complete and
NYB is active in memory, the virus
displays its stealthing capabilities by
redirecting any disk reads of the
infected MBR or DBS to their clean
counterpart. (On floppy disks, the
original DBS is stored in the last
sector of the root directory.)
If you’re looking for the most
current and largest collection of
virus information on the web, check
out the Virus Information Database on
the Symantec AntiVirus Research Center
website. It has just been updated with
over 100 new virus write-ups. When you
need virus information, trust only the
best!
Following is a list of the top
reported viruses, as published in Joe
Wells’ Wild List last March:
Macro viruses continue to rise in
prominence, as 6-10 new variants are
discovered every day. Included in
this update is new technology which
allows detection and repair of
unknown macro viruses and virus
remnants residing in document files.
The basis of the technology is that
many viruses are known to
"mate." When a new virus
infects a document that is already
infected with another virus, the
result can be a new variant that
would neither be detected nor
repaired using normal
identification methods. The new
technology (called "Macro
Component") detects and
repairs these new sets even before
the Symantec AntiVirus Research
Center has seen an instance of the
infection. By verifying that all
macros can be attributed to a known
macro virus, all such traces can be
removed safely. The likelihood of
any future matings is reduced
considerably.
Protection for the following macro
viruses has been added to the June
virus definition update:
Address all correspondence
to:
SARC AntiVirus News Update is published monthly by
Symantec Corporation.
Copyright © 1997
Symantec Corporation. All
rights reserved. No Reprint
without Permission in
writing, in advance.
Archives of these
newsletters are available for
reading on the SARC WWW site
at:
Current AntiVirus Products
CompuServe:
GO SYMANTEC
America Online:
Keyword: SYMANTEC
Symantec World Wide Web site:
http://www.symantec.com
Symantec FTP:
ftp://ftp.symantec.com
BBS (28.8 baud):
(541) 484-6669 and (541) 984-5366
June Virus Update Available Now!
SARC at PC Expo
In The Wild
Aliases:
Jack Ripper
Infection length:
512 bytes
Area of infection:
Floppy boot sectors, master boot records
Likelihood:
Common
Region Reported:
Europe, Australia/New Zealand, Hong Kong,
Taiwan, Canada, Japan, South Africa
Characteristics:
Wild, memory resident, stealthing
Target Platform:
DOS
Trigger Date:
Random
When it is active in memory, the Ripper virus
randomly corrupts disk writes. The virus
invalidates information written to disk
approximately once in every 1,000 writes.
Aliases:
Natas, Satan, Satan Bug
Infection Length:
4744 bytes (files), 512 bytes (master boot
records)
Area of Infection:
.COM files, .EXE files, floppy boot
sectors, master boot records
Likelihood:
Common
Region Reported:
Mexico, Hong Kong, Europe, South America,
India, Taiwan, Japan, South Africa
Characteristics:
Wild, multipartite, memory resident,
stealthing, encrypting, polymorphic
Target Platform:
DOS
Trigger Date:
None
Sat_Bug.Natas infects program files, the DOS
boot sector on floppy disks, and the master
boot record (MBR) on the first physical hard
disk (drive 80h, the C: drive). The virus code
reserves 6K of memory and is two sectors in
length. Thus, on a 640K computer, MEM would
report 634K and CHKDSK would report 649,216
bytes of free memory.
Aliases:
B1
Infection Length:
512 bytes
Area of Infection:
Floppy boot sectors, master boot
records
Likelihood:
Common
Region Reported:
Hong Kong, U.S.A., Europe, Russia,
South America, India, Canada, Japan,
South Africa
Characteristics:
Wild, memory resident, stealthing
Target Platform:
DOS
Trigger Date:
None
NYB is a simple virus that infects the
master boot record (MBR) and DOS boot
sector (DBS). NYB spreads when you attempt
to boot your system from an infected
floppy disk.
Virus Information on the Web
Virus Info Database
Most Frequently Reported Viruses
Form.A
WM.Concept.A
One_Half.3544
AntiEXE.A
Empire.Monkey.B
Junkie.1027
Parity_Boot.B
AntiCMOS.A
Ripper
Natas.4744
NYB
Die_Hard
Sampo
Boot-437
Stoned.Angelina.A
WM.Npad.A
Michelangelo.A
Stoned.No_INT.A
WM.Wazzu.A
Kampana.A
SARC Technology Update
New virus detection summary
Macro Viruses
156
File Viruses
56
Boot Viruses
6
File & Boot Viruses
2
Macro Virus Protection Additions
WM.Alien.D WM.Alien.E
WM.Appder.D WM.Appder.E
WM.Atom.I WM.Badboy.A
WM.Bandung.AA WM.Bandung.AB
wM.Bandung.AC WM.Bandung.AD
WM.Bandung.AE WM.Bandung.O
WM.Bandung.X WM.Bandung.Y
WM.Bandung.Z WM.Cap.G WM.Cap.H
WM.Cap.I WM.Cap.J WM.Cap.K
WM.Cap.L WM.CeeFour.B
WM.Colors.AL WM.Colors.AM
WM.Colors.AN WM.Colors.AO
WM.Colors.AP WM.Colors.AQ
WM.Colors.AR WM.Colors.AS
WM.Colors.AT WM.Concept.AJ
WM.Concept.AK WM.Concept.AL
WM.Concept.AM WM.Concept.AN
WM.Concept.AO WM.Concept.AP
WM.CountTen.D WM.CVCK1.B
WM.Date.B WM.Dave.A WM.Divina.E
WM.Divina.F WM.DMV.E WM.Dzt.C
WM.Eraser.P:Tw WM.Frenzy.A
WM.GoldFish.B WM.Goodnight.B
WM.Helper.C
WM.Helper.D WM.Helper.E
WM.HiAC.A WM.Hider.A
WM.Imposter.C WM.Irish.J
WM.Irish.K WM.Irish.L
WM.Johnny.H WM.Johnny.I
WM.Johnny.J WM.Lunch.C
WM.MDMA.M WM.MDMA.N WM.MDMA.O
WM.Minimal.N WM.Minimal.O
WM.NiceDay.E WM.NiceDay.F
WM.NiceDay.G WM.NJ-WMDLK1.G
WM.Nop.H:Fr WM.Nop.I WM.Nop.J
WM.NOP.K WM.Npad.AA WM.Npad.AO
WM.Npad.AP WM.Npad.AS
WM.Npad.AT WM.Npad.AU
WM.Npad.AV WM.Npad.AX
WM.Npad.AY WM.Npad.AZ
WM.Npad.BA WM.Npad.BB
WM.Nuclear.J WM.Nuclear.K
WM.Nuclear.L WM.Nuclear.M
WM.Phardera.B WM.Rapi.AA2
WM.Rapi.AC WM.Rapi.AC1
WM.Rapi.AC2 WM.Rapi.AD2
WM.Rapi.AE1 WM.Rapi.AE2
WM.Rapi.AF1 WM.Rapi.AF2
WM.Rapi.AG WM.Rapi.AG1
WM.Rapi.AG2 WM.Rapi.AZ2
WM.Rapi.X WM.Rapi.Y WM.Rapi.Y1
WM.Rapi.Z2 WM.Sharefun.B
WM.Showoff.AH WM.ShowOff.AI
WM.ShowOff.AJ WM.ShowOff.AK
WM.ShowOff.AL WM.ShowOff.AM
WM.Showoff.AN WM.ShowOff.AO
WM.Showoff.AP WM.ShowOff.AQ
WM.ShowOff.AR WM.ShowOff.AS
WM.ShowOff.AT WM.Shuffle.A
WM.Simple.A WM.Simple.B
WM.Sparkle.A WM.Talon.A
WM.Talon.B WM.Talon.C
WM.Talon.H WM.Talon.H1
WM.Talon.H2 WM.TestArea.A
WM.Toten.A WM.TwoLines.D
WM.TwoLines.E WM.Twolines.F
WM.TwoLines.G WM.Twolines.H
WM.Wazzu.BD WM.Wazzu.BS
WM.Wazzu.BT WM.Wazzu.BU
WM.Wazzu.BV WM.Wazzu.BW
WM.Wazzu.BX WM.Wazzu.BY
WM.Wazzu.BZ WM.Wazzu.CA
WM.Wazzu.CB XM.Laroux.C
Editor: Alex Haddox, Product
Manager, Symantec AntiVirus
Research Center
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA
http://www.symantec.com/avcenter/refa.html