Symantec logo
United States
Antivirus Research Center

Advanced Search

Information for You

Shop Symantec


Resource Centers
--------Antivirus Research Center
Download Updates
Virus Encyclopedia
Virus Hoaxes
Reference Area
Submit Virus Samples

Service and Support

About Symantec


© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
spacer Volume 3, Issue 2 - February 12, 1998

The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.

Highlights Table of Contents

Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:

  • DOS/Windows 3.1—NAV 3.0, revision 3.11
  • DOS/Windows 3.1—NAV 4.0, revision 4.00

  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows 95—NAV 95 4.0, revision 4.00

  • Windows NT—NAV NT 2.0, revision 2.01
  • Windows NT—NAV NT 4.0 for Workstations, revision 4.00
  • Windows NT—NAV NT 4.0 for Servers, revision 4.00
  • Windows NT—NAV Internet E-mail Gateways 1.01, revision 1.00
  • Windows NT—NAV Firewalls 1.0, revision 1.00

  • Novell—NAV NetWare, revision 2.05

  • Lotus—Norton AntiVirus for Lotus Notes

  • Netscape—NAV Internet, revision 1.00

  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.51

You can get the latest updates to many of these products through any of the following online services:
America Online: Keyword: SYMANTEC
Symantec World Wide Web site:
Symantec FTP:
BBS (28.8 baud): (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).

Keeping Up With SARC

Latest Virus Update Now Available

The latest virus definition set (dated February 4, 1998) is available for downloading from the SARC website and other online services. However, if you're using our latest Norton AntiVirus 4.0 products for Windows 95 or Windows NT, you can click the attached file, called LIVEUPDT.NLU, and launch LiveUpdate automatically!

The February virus definition update also provides detection and repair for the recently reported XF.Paix.A virus. This protection extends across all Norton AntiVirus supported platforms, including DOS, Windows 3.1, Windows 95, Windows NT, and NetWare. Once again, Norton AntiVirus continues its pioneering tradition of high-level support for multiple platforms.

XF.Paix.A in a Nutshell

XF.Paix.A has recently been detected in France, but poses a potential threat to users around the world. Unlike traditional Excel viruses, which use macros to infect, this new program uses formulas inside the data region of an Excel spreadsheet. The virus installs itself as an Add-In to Excel in a file called xlsheet.xla. The worksheet remains hidden and executes each time you open or change an existing file. Once the virus has executed, it inserts a new worksheet into the file. In addition, it randomly hides all toolbars, creates a new toolbar, hides all open workbooks, and renames the title bar to "Enfin la Paix" (peace at last). This virus affects PC-based systems only.

What Is the SARC AntiVirus News Update?

Published early each month, the SARC AntiVirus News Update is a free electronic newsletter focused on the needs of SARC's customers. Read it to learn about the latest Symantec product enhancements, anti-virus technology, and the trends in virus workings. Each issue includes detailed information on common viruses, warnings about virus outbreaks, notifications of special virus definition releases, and LiveUpdate E-mail files. Whether you're technically minded or just curious, you'll get essential information on the virus threats of today and tomorrow in the SARC AntiVirus News Update.

Combat New Boot-Sector Viruses with Bloodhound Boot Technology

The Symantec AntiVirus Research Center announces Bloodhound Boot heuristic technology--the industry's most comprehensive protection against unknown boot viruses. The new product provides the same protection against boot viruses that Bloodhound for Files and Bloodhound- Macro technologies provide for file and macro viruses. Norton AntiVirus users can download and install the new technology by simply running the LiveUpdate feature.

While the prevalence of macro viruses has grown exponentially in the last two years, boot-sector viruses still account for four out of the ten most common computer virus infections. In fact, boot- sector viruses are a leading cause of corruption on computers with the Microsoft Windows NT operating system.

"The risk of infection and damage from viruses is significantly greater today than ever before," said Enrique Salem, vice president of Symantec's Security and Assistance Business Unit. "Boot- sector viruses, like file and macro viruses, can have a profound effect not only on system reliability but on user productivity. Our Bloodhound technology ensures that our customers are protected against today's known viruses as well as tomorrow's new ones."

New and Improved Website for MIS/IS Professionals

The Symantec Corporate Virus Solutions website has been completely updated. We invite you to visit this extremely useful site at:

Be sure to check out our FREE CD offer in the Product Evaluation section. The CD contains full working versions of all our virus-fighting products.

Symantec Introduces New Trojan Horse Detection Technology

The Symantec AntiVirus Research Center (SARC) has developed a new Trojan Horse detection engine designed to address the growing threat of this type of malicious code. Trojan Horses are programs that may seem legitimate, but actually are designed to carry out malicious activities when activated, such as stealing passwords or destroying data. Once again, Symantec is able to update Norton AntiVirus users with this new engine easily and at no cost to the customer by using Symantec's exclusive LiveUpdate technology.

Users of all Norton AntiVirus 4.0 products, including server and desktop solutions, need only click the LiveUpdate button in the software or download the update from the SARC Web site ( to be protected immediately. Those users who have scheduled LiveUpdate to run on a regular basis will receive the solution with the next automatic update. As with all virus definition and program updates from Symantec, this solution is free to all Norton AntiVirus users and is fully tested.

Available with the February 1998 and all subsequent virus definition updates.

Symantec's Norton AntiVirus Chosen as Best AntiVirus Utility - PC Magazine

PC Magazine chose Norton AntiVirus 2.0 for Windows 95 for the "Best of 1997" award in the Utility: AntiVirus category. Norton AntiVirus was chosen as the best anti-virus solution from all the products tested by PC Magazine during the last year. The award article appears in the Jan. 6, 1998 issue of PC Magazine.

Visit for product information and trailware for all Norton AntiVirus products.

FREE Telecommuting Seminar

Symantec gives you the tools to implement a telecommuting solution in your organization easily and inexpensively--right now! Take advantage of this unique opportunity and speak with industry experts to learn about the latest telecommuting trends. To view the agenda and register in a city near you, call 1-800-257-2478 or visit our website at:

To view the calendar for all Symantec Events, Seminars, User Groups, and Trade Show events, check out this site:

In The Wild

In each issue of the SARC AntiVirus News Update, we profile a few viruses known to be in free distribution among the general public ("in the wild"). However, this month we are covering a few virus hoaxes which are causing some unnecessary concern.

For information on this and other virus hoaxes, see:
Join the Crew
Aliases: Hoax
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region Reported: Online
Characteristics: Hoax
Target Platform: Hoax
Trigger Date: Hoax

Join the Crew is not a virus; it is a hoax, meant only to panic new or inexperienced computer users.

The hoax message includes a "warning" in one of the following forms:

Form 1
     If you ever get an e-mail titled "JOIN THE CREW", do not open it
     because it will wipe everything on your hard disk. This is the 
     newest virus not many people know about it. So e-mail it to 
     everyone you know!!!!!!

Form 2
     Please do not open up any mail that has this title. It will 
     erase your whole hard drive. This is a new e-mail virus and not 
     a lot of people know about it, just let everyone know, so they 
     won't be a victim. Please forward this e-mail to you friends!!! 
     Remember the title: JOIN THE CREW

Form 3
     We have just had notice of an E:Mail virus doing the rounds. 
     Apparently the virus is so new most virus checkers do not 
     recognize it. If you receive an E:Mail titled 'JOIN THE CREW' 
     do not open it as it will:
     1. Delete your hard-disk
     2. Delete your E:Mail directories
     3. The nastiest part is that before deleting your E:Mail 
        directories it copies the message/virus and forwards it to 
        everyone on your directory If your techies haven't already 
        warned you it might be worth letting your colleagues know.

Form 4
     VIRUS WARNING !!!!!!!
     If you receive an email titled "JOIN THE CREW" DO NOT open it. 
     It will erase everything on your hard drive.  Forward this 
     letter out to as many people as you can.  This is a new, very 
     malicious virus and not many people know about it.  This 
     information was announced yesterday morning from IBM; please 
     share it with everyone that might access the internet.  Once 
     again, pass this along to EVERYONE in your address book so that 
     this may be stopped. Also, do not open or even look at any mail 
     that says "RETURNED OR UNABLE TO DELIVER." This virus will 
     attach itself to your computer components and render them 
     useless.  Immediately delete any mail items that say this.  AOL 
     has said that this is a very dangerous virus and that there is 
     NO remedy for it at this time. Please practice cautionary 
     measures and forward this to all your online friends ASAP.

Please ignore any messages regarding this supposed "virus" and do not pass the messages. Spreading warnings about this hoax serves only to further propagate it.

Returned or Unable to Deliver
Aliases: Hoax
Infection length: Hoax
Area of infection: Hoax
Likelihood: Hoax
Region Reported: Online
Characteristics: Hoax
Target Platform: Hoax
Trigger Date: Hoax

There is currently no virus that has the characteristics ascribed to "Returned or Unable to Deliver." It is not a virus at all, but rather an alarming hoax being spread among computer users.

The hoax message includes the following "warning":

     There is a new virus going around in the last couple of days!!! 
     DO NOT open or even look at any mail that you get that says: 
     "Returned or Unable to Deliver" This virus will attach itself to
     your computer components and render them useless. Immediately 
     delete any mail items that says this. AOL has said this is a 
     very dangerous virus, and there is NO remedy for it at this time,
     Please Be Careful, And forward to all your on-line friends 

Please do not pass on any messages regarding this supposed "virus." The best way to stop the hoax from spreading is to ignore the warnings.

For information on viruses found in general distribution, see the SARC website at:

Most Frequently Reported Viruses

Following is a list of the top reported viruses, as published in the Joe Wells' Wild List last January:

1. WM.Concept.A
2. Form.A
3. AntiEXE.A
4. One_Half.3544
5. Empire.Monkey.B
6. Junkie.1027
7. Natas.4744
8. AntiCMOS.A
9. Parity_Boot.B
10. WM.Npad.A

11. Ripper
12. WM.Wazzu.A
13. NYB
14. WM.CAP.A
15. Sampo
16. Boot-437
17. Die_Hard
18. Stoned.Angelina.A
19. Stoned.No_INT.A
20. WelcomB

Virus Watch

The viruses listed below activate or trigger in the upcoming months. Virus activations/triggers are not necessarily destructive. This information is provided for educational purposes only and is not intended to alarm. Detailed information on all of these viruses can be found on the SARC website.

EVERY SUNDAY -- Jerusalem.Sunday.A
1st -- WM.MDMA
1st -- Wm.Theatre:Tw
1st -- Wm.Twno.B
1st -- Wm.Twno.C
2nd -- Flip
5th -- Xm.Delta
10th -- WM.Helper
13th -- Dr&Et.1710
15th -- Wm.Theatre:Tw
15th -- Wm.Twno.D
18th -- Form
20th -- Wm.Outlaw
22nd -- 10_Past_3
24th -- Npox-963.A
25th -- Wm.Twno.D
28th -- Wm.Twno.B
28th -- Wm.Twno.C

EVERY SUNDAY -- Jerusalem.Sunday.A
ANY DAY -- Exe_Bug.C
1st -- WM.MDMA
1st -- Wm.Theatre:Tw
1st -- Wm.Twno.B
1st -- Wm.Twno.C
2nd -- Flip
3rd -- Pieck.4444
5th -- Xm.Delta
6th -- Stoned.Michelangelo
10th -- WM.Helper
13th -- Dr&Et.1710
15th -- Maltese_Amoeba
15th -- Wm.Theatre:Tw
15th -- Wm.Twno.D
18th -- Form
20th -- Wm.Outlaw
22nd -- 10_Past_3
24th -- Npox-963.A
25th -- Wm.Twno.D
28th -- Wm.Twno.B
28th -- Wm.Twno.C

Subscribe and Unsubscribe

To be added to the subscription mailing list, please fill out the form available on the SARC website at:

If you want to be removed from this mailing list, simply send an e-mail to with the following on a line by itself in the body of the message:


Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1997 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at: