Symantec logo
United States
Antivirus Research Center


Advanced Search

Information for You

Shop Symantec

Products

Resource Centers
--------Antivirus Research Center
Download Updates
Virus Encyclopedia
Virus Hoaxes
Reference Area
Submit Virus Samples

Service and Support

About Symantec




Webmaster
Help

© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
spacer Volume 3, Issue 1 - January 16, 1998

The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.

Highlights Table of Contents



Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:

  • DOS/Windows 3.1—NAV 3.0, revision 3.11
  • DOS/Windows 3.1—NAV 4.0, revision 4.00

  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows 95—NAV 95 4.0, revision 4.00

  • Windows NT—NAV NT 2.0, revision 2.01
  • Windows NT—NAV NT 4.0 for Workstations, revision 4.00
  • Windows NT—NAV NT 4.0 for Servers, revision 4.00
  • Windows NT—NAV Internet E-mail Gateways 1.01, revision 1.00
  • Windows NT—NAV Firewalls 1.0, revision 1.00

  • Novell—NAV NetWare, revision 2.05

  • Lotus—Norton AntiVirus for Lotus Notes

  • Netscape—NAV Internet, revision 1.00

  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.51

You can get the latest updates to many of these products through any of the following online services:
CompuServe: GO SYMANTEC
America Online: Keyword: SYMANTEC
Symantec World Wide Web site: http://www.symantec.com
Symantec FTP: ftp://ftp.symantec.com
BBS (28.8 baud): (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).



Keeping Up With SARC

Latest Virus Update Now Available

The second virus definition set of 1998 (dated January 5, 1998) is available for downloading from the SARC website and other online services. However, if you're using our latest Norton AntiVirus 4.0 products for Windows 95 or Windows NT, you can click the attached file, called LIVEUPDT.NLU, and launch LiveUpdate automatically!



EICAR Standard Antivirus Test Files

Ever wondered if your antivirus program was really active and running? Well, now you can verify it with the EICAR Standard Antivirus Test Files. EICAR is the European Institute for Computer Anti-Virus Research, and the files are available for download from the SARC website.

These files are not true viruses. They are sample test strings only, legitimate uninfected DOS programs with their signatures taken for test purposes. SARC makes the files available so you can ensure that your antivirus programs are properly configured and active.

To obtain the EICAR files, just stop by the SARC Download Center's Miscellaneous Utils page and download them.

http://www.symantec.com/avcenter/download.html

For more information on EICAR or the EICAR Test Files, visit the EICAR website at http://www.eicar.com/

Please note that these test strings are supported only by non-Macintosh products.



In The Wild

In each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild"). You can access the complete Joe Wells Wild List on the SARC website at:

http://www.symantec.com/avcenter/wild/wl.html
WM.Wazzu
Aliases: Wazzu
Infection length: One Macro
Area of infection: Microsoft Word Documents
Likelihood: Common
Region Reported: World-wide
Characteristics: Wild, Macro
Target Platform: Macro
Trigger Date: None (strain specific)
Description:

WM.Wazzu is a broad family of viruses that use one macro to infect and spread. Infected documents and templates have a macro called AutoOpen.

Each time a document is opened, WM.Wazzu rearranges up to three words, and may also insert the word "Wazzu." Documents become infected when they are opened.

There are more than 95 variants of the original WM.Wazzu macro virus.

WM.Cap.A
Aliases: WordMacro/CAP.A, Cap
Infection length: Ten macros
Area of infection: Microsoft Word Documents
Likelihood: Common
Region Reported: World-wide
Characteristics: Wild, Macro, Stealth
Target Platform: Macro
Trigger Date: None (strain specific)
Description:

WM.Cap.A is another large family of viruses that consists of 10 macros:

Macro name        Function
------------------------------------------------ 
CAP               Infection Routine
AUTOEXEC          Calls the CAP macro 
AUTOOPEN          Calls the CAP macro 
FILEOPEN          Calls the CAP macro 
FILESAVEAS        Calls the CAP macro 
AUTOCLOSE         Calls the CAP macro 
FILECLOSE         Calls the CAP macro 
FILESSAVEAS       Calls the CAP macro 
TOOLSMACRO        Used for the Stealth Routine 
FILETEMPLATES     Used for the Stealth Routine 

All the macros are stored encrypted in infected documents. WM.CAP.A also has a stealth feature which hides the [macro...] menu item from the [Tools] menu and the [Templates...] menu item from the [File] menu when the NORMAL.DOT (Global template) file is infected. This prevents you from checking the list of macros which is contained in the document or template, and hides the macros. Once the NORMAL.DOT file is disinfected, the [macro...] menu item and [Templates...] menu item are restored.

WM.CAP.A has no intentional trigger or payload.

The virus includes the following text in the macro code:

     'C.A.P: Un virus social.. y ahora digital.. 
     '"j4cKy Qw3rTy" (jqw3rty@hotmail.com). 
     'Venezuela, Maracay, Dic 1996. 
     'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa ! 

There are over 50 variants of the original WM.Cap macro virus.


Write-up by Motoaki Yamamura

For information about other viruses found in general distribution, see the SARC website at:

http://www.symantec.com/avcenter/vinfodb.html


Most Frequently Reported Viruses

Following is a list of the top reported viruses, as published in the Joe Wells Wild List last December:


1. WM.Concept.A
2. Form.A
3. One_Half.3544
4. AntiEXE.A
5. Junkie.1027
6. Empire.Monkey.B
7. AntiCMOS.A
8. Natas.4744
9. Parity_Boot.B
10. WM.Npad.A

11. WM.Wazzu.A
12. NYB
13. Ripper
14. Sampo
15. WM.CAP.A
16. Boot-437
17. Die_Hard
18. Stoned.Angelina.A
19. Stoned.No_INT.A
20. WelcomB


Virus Watch

The viruses listed below activate or trigger in the upcoming months. Virus activations/triggers are not necessarily destructive. This information is provided for educational purposes only and is not intended to alarm. Detailed information on all of these viruses can be found on the SARC website.

-------------------------------------------- 
January
-------------------------------------------- 
EVERY SUNDAY -- Jerusalem.Sunday.A 
1st -- WM.Friendly:De 
1st -- WM.MDMA 
1st -- Wm.Theatre:Tw 
1st -- Wm.Twno.B 
1st -- Wm.Twno.C 
2nd -- Flip
5th -- Barrotes
5th -- Joshi 
10th -- WM.Helper 
13th -- Dr&Et.1710 
15th -- WM.BigDaddy
15th -- Wm.Theatre:Tw 
15th -- Wm.Twno.D 
18th -- Form
20th -- Wm.Outlaw 
22nd -- 10_Past_3
24th -- Npox-963.A 
25th -- Wm.Twno.D 
28th -- Wm.Twno.B 
28th -- Wm.Twno.C 

-------------------------------------------- 
February
-------------------------------------------- 
EVERY SUNDAY -- Jerusalem.Sunday.A 
1st -- WM.MDMA 
1st -- Wm.Theatre:Tw 
1st -- Wm.Twno.B 
1st -- Wm.Twno.C 
2nd -- Flip
5th -- Xm.Delta 
10th -- WM.Helper 
13th -- Dr&Et.1710 
15th -- Wm.Theatre:Tw 
15th -- Wm.Twno.D 
18th -- Form
20th -- Wm.Outlaw 
22nd -- 10_Past_3
24th -- Npox-963.A 
25th -- Wm.Twno.D 
28th -- Wm.Twno.B 
28th -- Wm.Twno.C 


Subscribe and Unsubscribe

To be added to the subscription mailing list, please fill out the form available on the SARC website at:

http://www.symantec.com/avcenter/newsletter.html

If you want to be removed from this mailing list, simply send an e-mail to listserv@lserver.symantec.com with the following on a line by itself in the body of the message:

SIGNOFF SARC-L


Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404
USA

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1997 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at:

http://www.symantec.com/avcenter/refa.html