
The SARC AntiVirus News Update

"The sun never sets on SARC"

Volume 4 Issue 1 June 1999


Top Reported Viruses, Trojans and Worms
Following is a list of the top reported viruses to SARC's regional offices.







Asia Pacific


SARC - Symantec AntiVirus Research Centre

Welcome to the new format Symantec AntiVirus Research Centre Newsletter. You'll be reading either the HTML or ASCII text version, depending on the capabilities of your email program. Thank you for subscribing; instructions for unsubscribing are at the bottom of this document.

As we are about to email this issue a new worm called Worm.ExploreZip has been reported in Israel, Europe and the USA. Details are posted on the SARC web site at;

The Norton AntiVirus LiveUpdate feature will enable you to get the latest virus definitions to protect against this new threat.

Viruses have been making the headlines in the past few months! Melissa and CIH have made the media and general public acutely aware of the need for constant vigilance on the anti-virus front.

In this issue, we take a closer look at CIH (or Chernobyl) and its impact in Korea, the new Corel virus Galadriel, two trojans - K2PS and Promail, and a new twist on the Melissa front.

As the Melissa experience showed, intensive use of email in the workplace today enables the rapid proliferation of any new virus. I hope you use this newsletter and the web to stay informed about what's happening. Increased awareness and up-to-date virus definitions are vitally important to stop the spread of these ever more advanced threats to the computing environment.

As with all stories in this issue, please visit the SARC web site for more information. As always, Norton AntiVirus users can protect themselves by downloading current virus definitions either through LiveUpdate or from the following web page:

David Banes,

Viruses in the News

W95.CIH aliases (Chernobyl)
The W95.CIH virus is the only known computer virus capable of rewriting a flash BIOS. It does so by infecting 32-bit Windows 95/98 executable files. When an infected program is run, the virus will infect the computer's memory. W95.CIH then infects new files when they are opened. This means that an infected system must be rebooted from a clean system disk before scanning with Norton AntiVirus -- if this is not done, the virus will infect every file that the anti-virus product scans. You can only be infected if you open the infected file.

W95.CIH's destructive payload is triggered on the 26th of the month. Chernobyl also has three variants: Win95.CIH.1003 that strikes on 26 April every year; Win95.CIH.1100 that strikes on 26 June every year; and Win95.CIH.1019 that triggers on the 26th of every month. The Chernobyl W95.CIH is not a new virus. Originally discovered in June 1998 in Taiwan, a complete detection and repair solution for Chernobyl was quickly developed by SARC, ensuring that users of any Norton AntiVirus version updated since June 1998 are fully protected against this threat. For this reason the CIH virus did not impact Symantec customers who maintained their virus definitions.
See SARC web site for a more detailed description

CIH Chaos in Korea

One of the regions hardest hit by the CIH virus was South Korea, where reports indicate that it affected over 200,000 PCs on April 26th, 1999. Hundreds of corporate offices and government agencies, such as the tax and prosecutors' offices, lost data. Large numbers of home PCs are still waiting for data recovery in computer centres.
NAV customers who were already protected did not suffer any problems from the virus. Furthermore, the Symantec web site proved a lifeline for all Koreans to learn more about how to recover from the damage of CIH and how to protect themselves from its devastation in future.
In addition to the uniqueness of the W95.CIH virus, another reason Korea and other Asian countries incurred a high incidence of the CIH virus can be attributed to high rates of piracy. When any software is illegally copied, the copiers often have no anti-virus measures or quality procedures in place, so an infection on a PC being used for copying is not detected. This is not an issue for the software pirates as they do not offer technical support or money back for faulty goods.

by Charles Choi,
Symantec Marketing Manager, Korea

First Corel Script virus

CS.Galadriel is a Corel Script virus infecting .CSC files. It has an intended trigger date of June 6. Regardless of the date, Galadriel will scan for uninfected scripts, and will attempt to write itself to the beginning of the first script it finds. Galadriel will unintentionally insert "garbage" characters into the script it is trying to infect.
An infected script can be repaired using the Corel Script Editor or any application capable of editing text files. To repair a script, delete the viral code at the beginning of the file, delete any "garbage" characters and save the file.
This virus is considered to be low risk. For more information visit:
By Peter Pak SARC, USA.

Melissa update - RTF file extensions

W97M.Melissa quickly emerged as a fast replicating chain letter virus designed to clog up networks, with the added potential to e-mail the contents of a computer. Although there was nothing unique in the infection routine of this macro virus, it had an unusual payload that utilised Microsoft Outlook to send copies of the infected document via e-mail. The user could only be infected with the virus if they opened the document within the email.
While not a new variant, the Melissa virus has recently been spreading again, this time disguised as an RTF file. The document is not actually in RTF format as the file extension suggests, but is a Word format file whose extension has been renamed to "RTF". It can only be detected by anti-virus software if scanning of the RTF file extension is switched on.
To be protected from this virus, Symantec AntiVirus Research Center recommends updating the configuration in Norton AntiVirus to include the "RTF" file extension. For details on how to change the scanning options in Norton AntiVirus please visit:
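
The renamed-file case above, as an added example (not Symantec's code and not part of the original newsletter): a scanner that selects files by extension skips a Word document renamed to .RTF, while a check of the leading bytes does not. The file names and sample bytes are constructed.

```python
"""Decide whether a file needs macro scanning from its content, not its name."""

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 container: Word 97 binary documents
RTF_MAGIC = b"{\\rtf"                            # a genuine RTF file starts with this


def sniff_format(head: bytes) -> str:
    """Classify a file by its leading bytes."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_by_extension(name: str, scanned_exts: set) -> bool:
    """Extension-list policy: the file is scanned only if its extension is listed."""
    return extension_of(name) in scanned_exts


def scan_by_content(head: bytes) -> bool:
    """Content policy: an OLE2 container can carry macros whatever it is called."""
    return sniff_format(head) == "ole2"


def triage(files: dict, scanned_exts: set) -> list:
    """Return (name, format, by_extension, by_content, disguised) for each file."""
    rows = []
    for name, head in files.items():
        fmt = sniff_format(head)
        disguised = extension_of(name) == "rtf" and fmt == "ole2"
        rows.append((name, fmt, scan_by_extension(name, scanned_exts),
                     scan_by_content(head), disguised))
    return rows


# Constructed sample inputs (leading bytes only); these are not real documents.
SAMPLES = {
    "minutes.doc": OLE2_MAGIC + b"\x00" * 24,
    "letter.rtf": b"{\\rtf1\\ansi Hello}",
    "report.rtf": OLE2_MAGIC + b"\x00" * 24,  # Word-format file renamed to .rtf
}

if __name__ == "__main__":
    for row in triage(SAMPLES, {"doc", "dot"}):
        print(row)
```

Adding "rtf" to the extension set, as the article recommends, makes `scan_by_extension` pick up the renamed file as well.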

Subscribe and Unsubscribe

To be added to the subscription mailing list, please fill out the form available on the SARC website at:

If you want to be removed from this mailing list, simply send an e-mail to with the following on a line by itself in the body of the message:

Trojans in the News

K2PS.EXE Trojan

K2PS.EXE is a malicious Trojan Horse program designed to steal dial-up network password information and secretly send it to an email account in Japan. It was distributed as an email attachment with the filename "K2PS.EXE" to users of Fujitsu's InfoWeb Internet account in Japan. The email stated that a new virus called TX-500 had recently been discovered, that the attachment was an anti-virus program, and that users should execute it on their systems to eradicate the virus. The attachment actually contained the trojan, not an anti-virus program. Naturally, the instructions to execute it should not be followed.
Once the creator of this trojan has received this information, it is possible to take over the user's Internet account, access the user's email, run up the Internet access bill and even change the password to the Internet account. Those affected should immediately change all passwords on dial-up network accounts.
For more information regarding the K2PS.EXE trojan see:

By Motoaki Yamamura

The Promail.Trojan is a Trojan Horse that steals POP account user-names and passwords. A full function POP client that allows users to obtain their email from a designated POP server, it also sends the account information including password to an anonymous email address.
This type of data export compromises systems by allowing the author or anyone with access to the anonymous email address mail-box to check, delete, and read confidential POP mail.
To fix this threat, Promail should be uninstalled or all Promail files should be deleted. For more information on Promail.Trojan please visit

Shockwave shocks

Blender.exe and Fish.exe
The cartoon 'Frog in a Blender (Joesterizer Frog Blender 2000)' originated on the web site listed on the Shockwave application. The 'Fish' program (fish.exe) is another Shockwave application of unknown origin. Both have recently been reported to carry virus code, becoming infected by contact with workstations that are not running any anti-virus software. Inherently, the programs are not malicious, although they display graphic images that may be unsettling to some. The CRC-32 of a clean Frog program (blender.exe) from PKZIP is 'F36B4C7C', and is 671,050 bytes in size. The CRC of a clean Fish program from PKZIP is 'AF1BED17', and is 341,331 bytes in size.
By Mark Zaremba
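
An added example, not part of the original newsletter: checking the programs inside a ZIP archive against the clean CRC-32 and size values quoted above. The function names, the helper and the demo payloads are assumptions made for illustration; only the two reference values come from the newsletter.

```python
import io
import zipfile
import zlib

# Clean reference values quoted in the newsletter: (CRC-32, size in bytes).
KNOWN_CLEAN = {
    "blender.exe": (0xF36B4C7C, 671050),
    "fish.exe": (0xAF1BED17, 341331),
}


def check_archive(zip_bytes: bytes, known: dict = KNOWN_CLEAN) -> dict:
    """Map each known member name to 'clean-match' or 'modified'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if name not in known:
                continue
            data = zf.read(info)                 # unpack and recompute, rather than
            crc = zlib.crc32(data) & 0xFFFFFFFF  # trusting the header's CRC field
            ok = (crc, len(data)) == known[name]
            verdicts[name] = "clean-match" if ok else "modified"
    return verdicts


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (helper for the constructed demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the real programs are not reproduced here, so the demo
# uses its own reference table built from a made-up payload.
ORIGINAL = b"MZ" + b"constructed program body " * 40
DEMO_KNOWN = {"blender.exe": (zlib.crc32(ORIGINAL) & 0xFFFFFFFF, len(ORIGINAL))}
APPENDED = ORIGINAL + b"constructed appended bytes"  # size and CRC both change

if __name__ == "__main__":
    print(check_archive(make_zip({"blender.exe": ORIGINAL}), DEMO_KNOWN))
    print(check_archive(make_zip({"Blender.exe": APPENDED}), DEMO_KNOWN))
```

A match on CRC-32 and size shows the file has not changed from the reference copy; a mismatch means the file should be scanned before it is run.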

PowerPoint Virus Repair

Symantec Delivers Repair for All PowerPoint Viruses, including O97M.Tristate.
SARC was the first to provide a complete virus definition set on all platforms to detect and repair PowerPoint viruses as well as the prolific O97M.Tristate macro virus, which cross-infects Microsoft Office applications.
In the first week of discovery, Symantec received 132 submissions of the O97M.Tristate macro virus, alias O97M.Triplicate, via Norton AntiVirus' Scan and Deliver mechanism.
This makes the cross-platform virus the eighth most common virus ever submitted to SARC. Found in the wild, O97M.Tristate cross-infects Microsoft Office applications including Word 97 documents, Excel 97 spreadsheets, and PowerPoint 97 presentations. For further information about the O97M.Tristate virus, refer to the Symantec Virus Encyclopedia at

Stop Press

As we are about to email this issue a new worm called Worm.ExploreZip has hit in Israel and has also been reported in Australia and the USA. Details are posted on the SARC web site at;

The Norton AntiVirus LiveUpdate feature will enable you to get the latest virus definitions to protect against this new threat.


Address all correspondence by email to:

Or by letter to;

Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404

SARC AntiVirus News Update is published periodically by Symantec Corporation. Copyright © 1996-1999 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

Archives of these newsletters are available for reading on the SARC WWW site at:
All information contained in this newsletter is accurate and valid as of the date of issue.

SARC Virus Hotline