News Release
Symantec AntiVirus Research Center Finds First Cross-Platform Java Virus
- Symantec's revolutionary "Seeker" web spider finds new type of virus -
Cupertino, Calif. -- August 19, 1998 -- Symantec Corporation (Nasdaq:
SYMC), the world leader in utility software for business and personal
computing, today announced that the Symantec AntiVirus Research Center
(SARC) has found a computer virus reported to infect Java applets and
applications. The virus, named Strange Brew, was found on the World
Wide Web by Symantec's automated virus engine, known as Seeker. Seeker
is a web spider that has been continuously scouring the Internet since
1996 and gathering files for analysis in the SARC lab.
The Strange Brew virus is considered the first truly cross-platform
virus because it is capable of running on any computing platform where
Java is supported, making virus infection viable on literally dozens
of different computing architectures. SARC researchers have determined
that while the virus does not pose a serious threat to the average
consumer, it can affect Java application developers. Users of Norton
AntiVirus can protect their systems against this new class of virus by
downloading the latest set of virus definitions, which are scheduled
to be posted on Aug. 20, 1998.
"The Strange Brew virus is just one of thousands that have been
automatically tracked and quarantined by Symantec's Seeker
technology," said Enrique Salem, vice president of Symantec's Security
and Assistance Business Unit. "With Seeker and the Norton AntiVirus
EXtensible engine (NAVEX) technology, SARC engineers can provide
protection against new viruses -- and even whole new classes of
viruses -- long before users ever run the risk of being exposed."
The Virus
As a parasitic virus, Strange Brew attaches itself onto a host program
while still enabling the host program to function after infection. The
virus attaches itself to Java ".class" files, which are the executable
files that comprise Java applets and application programs. Java .class
files can be used on any computer system that supports Java
technology. As a result, whereas the replication capabilities of
traditional viruses are limited to one or a small number of computing
environments, Strange Brew is capable of successfully replicating on
any platform that runs a Java virtual machine, from Windows 95 PCs to
Unix servers and Cray supercomputers.
The virus can infect both Java application and Java applet files, but
is only capable of spreading when infected Java applications are
launched. The virus cannot spread from infected applets due to
security features in most Java-enabled web browsers. As a result, the
virus can infect applets, but once they are infected, the virus cannot
spread further.
Strange Brew contains no intentional payload and will not cause any
additional damage beyond infecting or possibly damaging Java
executable files. This virus is not "in the wild," and it is not known
to have infected end users or corporations. The virus cannot spread by
web surfing. However, Java applet/application developers are at risk
of having their Java .class files infected or corrupted.
Users who are infected by Strange Brew may notice that their Java
applications take longer to load during start-up or that they may fail
to operate. If an infected Java applet is inadvertently downloaded and
run inside an Internet browser, an error message may display
containing the name of the virus. A detailed technical analysis of
the Strange Brew virus can be found on the SARC web site at
http://www.symantec.com/avcenter.
SARC engineers were able to add protection against this new class of
virus by using Symantec's award-winning NAVEX technology. NAVEX is a
modular engine that allows Symantec to ship fundamental changes and
updates to the Norton AntiVirus engine as part of Symantec's standard
virus definition updates. This enables SARC to provide both detection
and repair capabilities for complex viruses or whole new virus
classes. As a result, Norton AntiVirus users can eliminate the threat
in a matter of hours by upgrading their virus definitions over the
Internet rather than waiting weeks or months for a product inline on
diskette or CD distribution.
In addition to this new protection against Java viruses, Norton
AntiVirus 5.0 includes state-of-the-art technology that automatically
blocks malicious ActiveX code and Java applets from entering a user's
computer. And because approximately 90 percent of Trojan Horses found
in circulation today are from online services, Symantec has added its
new Trojan Horse detection engine to the AutoProtect feature in Norton
AntiVirus 5.0 to guard users against online programs that may steal
passwords or destroy data.
The Seeker Project
The Seeker web spider, which found Strange Brew, was developed as part
of a technology project initiated by SARC engineers more than two
years ago. In 1996, the virus research experts at SARC created what is
known as the Seeker Project as a system of virus search, retrieval,
and analysis. The technology scours the Internet, gathering viruses
lingering there, and creates solutions for them before users come into
contact with them. The Seeker Project is broken down into three
separate modules: Seeker, Bloodhound, and SARA.
Seeker is a web spider designed to scour the Internet and gather files
for analysis. It moves out from Symantec across the world, obtaining
samples for analysis in the SARC lab. Bloodhound uses Symantec's
patented heuristic technology to detect new and unknown viruses by
inspecting files for virus-like behavior. SARA, or Symantec AntiVirus
Research Automation, is the heart of the Seeker project. The SARA
module takes a virus sample obtained using Seeker, extracts the unique
qualities of the virus, develops a Symantec detection and repair
scheme, and tests that newly developed scheme in less than five
minutes.
Symantec AntiVirus Research Center (SARC)
Norton AntiVirus is backed by the Symantec AntiVirus Research Center
(SARC). SARC is the industry's largest dedicated team of virus
experts. The center's mission is to provide swift, global responses to
computer virus threats, proactively research and develop technologies
that eliminate such threats, and educate the public on safe computing
practices. As new computer viruses appear, SARC develops
identification and detection for these viruses, and provides either a
repair or delete operation, thus keeping users protected against the
latest virus threats.
About Symantec
Symantec is the world leader in utility software for business and personal computing.
Symantec products and solutions help make users productive and keep their computers
safe and reliable anywhere and anytime. Symantec offers a broad range of solutions
and is acclaimed as a leader in both customer satisfaction and product brand
recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information
on the company and its products can be obtained at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products,
view the Symantec Press Center at www.symantec.com/PressCenter/ on Symantec's Website.
Brands and products referenced herein are the trademarks or registered trademarks of their
respective holders. All prices noted are in US dollars and are valid only in the United States.