Symantec logo
United States
Antivirus Research Center

Advanced Search

Resource Centers
--------Antivirus Research Center
Download Updates
Virus Encyclopedia
Virus Hoaxes
Reference Area
Submit Virus Samples

Information for You


Shop Symantec

Service and Support

About Symantec

© 1995-2000 Symantec Corporation
All rights reserved.
Legal Notices
spacer Volume 3, Issue 4 - May 22, 1998

The Symantec AntiVirus Research Center (SARC) is committed to providing swift, global response to computer virus threats, proactively researching and developing technologies that eliminate such threats, and educating the public on safe computing practices.

Highlights Table of Contents

Current AntiVirus Products

The Symantec AntiVirus solution includes the following line-up of currently available products:

  • DOS/Windows 3.1—NAV 3.0, revision 3.11
  • DOS/Windows 3.1—NAV 4.0, revision 4.00

  • Windows 95—NAV 95 1.0, revision 95.0b
  • Windows 95—NAV 95 2.0, revision 2.01
  • Windows 95—NAV 95 4.0, revision 4.00

  • Windows NT—NAV NT 2.0, revision 2.01
  • Windows NT—NAV NT 4.0 for Workstations, revision 4.00
  • Windows NT—NAV NT 4.0 for Servers, revision 4.00
  • Windows NT—NAV Internet E-mail Gateways 1.01, revision 1.00
  • Windows NT—NAV Firewalls 1.0, revision 1.00

  • Novell—NAV NetWare, revision 2.05

  • Lotus—Norton AntiVirus for Lotus Notes

  • Netscape—NAV Internet, revision 1.00

  • Macintosh/Power Macintosh—SAM, revision 4.0.8
  • Macintosh/Power Macintosh—SAM, revision 4.51

You can get the latest updates to many of these products through any of the following online services:
America Online: Keyword: SYMANTEC
Symantec World Wide Web site:
Symantec FTP:
BBS (28.8 baud): (541) 484-6669 and (541) 984-5366

If you don’t have electronic access, you can contact our Customer Service at (800) 441-7234 and order a disk set for $12 (to cover shipping and handling only).

Keeping Up With SARC

Weekly Updates Are Now Available

If you use Norton AntiVirus (NAV) on a PC, you can get four times the protection with new weekly virus definition updates. You can access the fully-tested virus definitions every Thursday evening by downloading the Intelligent Updater directly from the website ( or by using Symantec's exclusive automatic LiveUpdate feature.

"Improving the already excellent level of service we offer our customers--from individual users to large corporations--has been a long-term initiative for SARC," said Enrique Salem, vice president of Symantec's Security and Assistance Business Unit. "We have developed premier automation tools that allow us to provide the most up-to-date and reliable protection available on the market today."

Updates that were previously available monthly will now be available every week. SARC uses an automated process to evaluate each submission and prepare a detection and repair solution. The automation tools not only create the virus protection update, but also tests it. If it passes all tests, the solution is integrated into the next set of virus definition updates. The entire process takes less than five minutes to complete for each submission, allowing for hundreds of new virus definitions every week if necessary.

The latest virus definition set (available May 21, 1998) is available for downloading from the SARC website and other online services. However, if you're using our latest Norton AntiVirus 4.0 products for Windows 95 or Windows NT, you can click the attached file, called LIVEUPDT.NLU, and launch LiveUpdate automatically!

SARC Online Virus Encyclopedia Enhancement

SARC is proud to announce a customer-centered enhancement to the world's largest online virus encyclopedia. Data from the industry's leading cross-referencing system, Project VGrep, has been integrated into the SARC Online Virus Encyclopedia. Now you can find information on viruses named by any of nearly 15 different antivirus products.

Visit the SARC Online Virus Encyclopedia:

For more information on Project VGrep, see:

New Macintosh Worm Solution

SARC has posted a comprehensive detection and removal solution for AutoStart 9805, the first known Macintosh worm. If you use Symantec AntiVirus for Macintosh (SAM) 4.5 or Norton AntiVirus for NetWare, you can download the worm definition update immediately from our BBS, FTP or website or from Symantec's forums on CompuServe and AOL.

"As soon as the first reports of AutoStart 9805 surfaced, Symantec's AntiVirus Research Center worked immediately to protect our customers from the Macintosh worm," said Enrique Salem. "Viruses on the Macintosh platform have been quite rare, but Symantec is committed to providing comprehensive and timely solutions for the needs of our Macintosh customers, as the latest computer threats arise."

AutoStart 9805 affects only Macintosh PowerPC-based computers which include QuickTime and an active CD-ROM AutoPlay feature. As a worm rather than a virus, AutoStart 9805 does not infect programs or documents. Instead, it replicates itself from computer to computer as a self-contained, stand-alone file, usually causing performance problems and corrupting other files. It is transmitted via HFS or HFS+ Macintosh-formatted disk volumes including floppy disks, most removable cartridge drives, hard disks, and disk images. Files corrupted by the AutoStart worm are irreparable.

AutoStart 9805 is seeded as a hidden, AutoStart application file called "DB" in the root directory of the mounted volume. The worm begins its program routine when QuickTime's CD-ROM Auto-Play feature is active. The DB application attempts to transform itself into a hidden system extensions file called "Desktop Print Spooler." About every thirty minutes, Desktop Print Spooler completely searches all mounted volumes for an extensions folder where it can continue propagating itself, which causes periodic decreased performance. After searching the mounted volumes, AutoStart 9805 begins checking for files ending in .dat, .cod, .csa. and .data, and attempts to overwrite them with random data.

SARC Fights New MS Access Macro Virus

Thanks to SARC, you can now get protection from the new Access macro virus named "Accessiv." If you use Norton AntiVirus on a PC-based platform, you can click the LiveUpdate button in the software or download the latest virus definition update from the SARC website ( If you have scheduled LiveUpdate to run on a regular basis, you will receive the solution with the next automatic update.

The Accessiv virus is not currently in the wild and does not pose a significant threat at this time. Here's how to determine whether or not a particular database is infected: First, open the database and select the Tools/Options/View menu from the toolbar. In the View menu, enable the viewing of hidden objects. After you close that dialog box, you may see an object named "Autoexec" on the Macros tab and an object named "Virus" under the Modules tab. If both objects are there, the database is infected. Hold the shift key down when you open the database to prevent the virus from automatically executing. Then delete theAutoexec and Virus objects.

Announcing the Symantec Security Center

Are you concerned about Internet security? If so, the Symantec Security Center is the perfect place for you to visit. The site contains information on subjects ranging from digital signatures and encryption basics to finding and removing personal information on the Internet.

The Symantec Security Team continually updates the Security Alerts page to keep you informed about hot security issues in the news. Other topics include choosing effective passwords, email security, online transaction issues, and what to do about SPAM. The site also offers information on downloading free Norton security products like Norton Safe on the Web and Norton Secret Stuff. Check out the Symantec Security Center at:

New! Norton AntiVirus for Microsoft Exchange Servers

The latest addition to the Symantec's suite of award-winning, comprehensive virus protection products is Norton AntiVirus (NAV) for Microsoft Exchange Server. The new product works in real time to scan, detect, and repair viruses found in Microsoft Exchange environments without inhibiting or degrading server performance or stability. Norton AntiVirus for Microsoft Exchange includes Symantec's unsurpassed Bloodhound technology, which is able to detect and repair new and unknown viruses automatically.

According to Enrique Salem, vice president of Symantec's Security and Assistance Business Unit, "Today's groupware environments have become critical business communication hubs. As viruses continue to proliferate and jeopardize the integrity of corporate information exchange, the need for aggressive virus protection increases. With Norton AntiVirus for Microsoft Exchange, Symantec offers administrators and users the most exhaustive first line of defense available to eliminate this growing threat."

As the number of Exchange users grows exponentially every day, so does the possibility of distributing potentially devastating viruses. The new Symantec solution scans all incoming files and attachments to eliminate viruses at the groupware server before they reach the desktop or the network. With the inclusion of Bloodhound, Norton AntiVirus for MS Exchange leads the current product field in virus detection and removal.

Most Frequently Reported Viruses

Following is a list of the top reported viruses, as published in the Joe Wells' Wild List last April:

1. WM/Concept.A
2. AntiEXE.A
3. Form.A
4. One_Half.3544
5. Junkie.1027.A
6. Empire.Monkey.B
7. AntiCMOS.A
8. Parity_Boot.B
9. WM/Npad.A
10. WM/CAP.A

11. WM/Wazzu.A
12. Ripper
13. Natas.4744
14. NYB.A
15. Sampo
16. XM/Laroux.A
17. Stoned.Angelina
18. Die_Hard.4000.A
19. Stoned.No_INT.A
20. Boot-437.A

Virus Watch

The viruses listed below activate or trigger in the upcoming months. Virus activations/triggers are not necessarily destructive. This information is provided for educational purposes only and is not intended to alarm. Detailed information on all of these viruses can be found on the SARC website.

EVERY SUNDAY -- Jerusalem.Sunday.A 
EVERY DAY -- WM.Xenixos:De 
1st -- WM.MDMA 
1st -- Wm.Theatre:Tw 
1st -- Wm.Twno.B 
1st -- Wm.Twno.C 
2nd -- Flip
5th -- Xm.Delta 
10th -- WM.Helper 
13th -- Dr&Et.1710 
15th -- Wm.Theatre:Tw 
15th -- Wm.Twno.D 
18th -- Form
20th -- Wm.Outlaw 
21st -- WM.Divina.A 
22nd -- 10_Past_3
24th -- Npox-963.A 
25th -- Jeru.Suriv1.01.Argent 
25th -- Wm.Twno.D 
27th -- Cpw.1527 
28th -- Digi.3547 
28th -- Wm.Twno.B 
28th -- Wm.Twno.C 

EVERY SUNDAY -- Jerusalem.Sunday.A 
EVERY DAY -- Three_Turnes.1784
EVERY DAY -- Vampiro 
1st -- WM.MDMA 
1st -- Wm.Theatre:Tw 
1st -- Wm.Twno.B 
1st -- Wm.Twno.C 
2nd -- Flip
4th -- Cri-Cri 
4th -- Stoned.June_4th 
5th -- Xm.Delta 
10th -- WM.Helper 
13th -- Dr&Et.1710 
13th (Friday) -- Jerusalem.1808
13th (Friday) -- Xeram.1664 
15th -- Wm.Theatre:Tw 
15th -- Wm.Twno.D 
18th -- Form
20th -- Jeru.Suriv1.01.Argent 
20th -- Wm.Outlaw 
22nd -- 10_Past_3
24th -- Npox-963.A 
25th -- Wm.Twno.D 
28th -- Wm.Twno.B 
28th -- Wm.Twno.C 

Subscribe and Unsubscribe

To be added to the subscription mailing list, please fill out the form available on the SARC website at:

If you want to be removed from this mailing list, simply send an e-mail to with the following on a line by itself in the body of the message:


Editor: Alex Haddox, Product Manager, Symantec AntiVirus Research Center

Address all correspondence to:
Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404

SARC AntiVirus News Update is published monthly by Symantec Corporation. Copyright © 1996-1998 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at: