20A10.TXT - Description file for 20A10.DEF

AntiVirus Lab, SYMANTEC/Peter Norton Product Group
November 1, 1992

******************************************************************

Instructions for loading virus definitions, using Norton AntiVirus 2.0,
Norton Desktop for DOS 1.0 or Norton Desktop for Windows 2.0:

1) Run Virus Clinic by typing NAV at the DOS prompt, choosing Norton
   AntiVirus from the Tools menu of the Norton Desktop for DOS or
   Windows, or by double-clicking on the Norton AntiVirus Windows icon
   in the Norton AntiVirus group window.

2) If you are in DOS, press to accept the Welcome screen.

3) Select "Cancel," or press to bypass the "Scan Drives" Screen.

4) Select the "Definitions" menu.

5) Select "Load from File..."

6) If the name of the drive and directory to which you loaded the
   definition file does not appear on the "Directory:" line, change to
   the proper drive and directory name and press . The name of the
   definition file should appear in the "Files" window.

7) Select the definition file, select "OK," and press .

8) After the definitions have loaded, press to exit from the "Load
   Definition File Results" screen.

9) Select "Exit" from the "Scan" menu.

10) Reboot your computer to activate the new definitions.

The following virus definitions were enhanced to prevent false
identification of viruses:

529, 566, 855, 1554, African-109, Akuku, Anti-Pascal-2, Bad Boy A,
Bad Boy B, Best Wishes, Black Monday, Brain-A/B, Cinderella, Creeper,
Destructor, Durban Saturday 14th, Eliza, Exodus, Flash, Fu Manchu,
Gergana, Gergana-2, GP-1, Invader, Jerusalem-1, Jerusalem-2, Mix-1,
Nina, Paris, Saturday the 14th, Scream, Sistor-2380, Slow, Star Dot,
Sunday-2, SVC v5.00, Tequila, Thimble, Tokyo, Topo, USSR, USSR-600,
USSR-696, V651, V801, V270x, VComm, Vien6, Voro-370, Voronezh,
Weber Warrior, Westwood, Wolfman, Yale/Alameda, ZMT-262.

The following virus definitions were enhanced for more capabilities:

Murphy 1/2 and Murphy (2) were combined into a wide-reaching
definition, Murphy Family. Leech, PSQR-1364 (Mummy21), Rape-10,
Scream 2B, Shake, Sylvia, Tiny, Trackswap, Were Here, and Kbug
(Keyboard Bug) all were enhanced for more capability.

The following virus definitions were reorganized:

Flip with Flip-2153B, Flip-2153C, and Flip-2153D. Perfume and Sorry
were combined into Perfume/Sorry. 1381 changed name to "Internal
(1381)". Viruses named with the word "Virus" had that word stricken.

Mocha

Mocha has the capability of destroying hard disks! Mocha is an
encrypting memory resident infector of COM and EXE files. Infected
files will grow approximately 1800 bytes. Infected COM files can be
repaired by NAV but not the EXE files.

Spawn 519

Spawn 519 is a companion virus that creates COM files where there are
EXE files. After infection, a COM file will exist in conjunction with
every EXE file. Files detected as being infected by this virus should
simply be deleted. On Fridays at 11AM, the following message will be
printed, "this ain't no party, this ain't no disco, this ain't no
fooling around," from a hit single by The Talking Heads. The program
will sometimes try to create a README.COM on the A: drive. This is its
preferred propagation mode.

Sticky

Sticky is a memory resident, self-encrypting infector of partition
tables and COM and EXE files. This is referred to as a multipartite
virus. Infected files grow by approximately 925 (927) bytes. NAV can
repair the infected partition tables. However, infected files must be
deleted. This virus does not appear to do any damage; however, because
so many components exist, it may be very difficult to be completely
rid of it.

V789

V789 is a direct action infector of EXE and COM files. Infected files
will grow approximately 800 bytes (789 + (1 to 16), whatever makes the
result divisible by 16). Attributes and file timestamp are left
unchanged.
Infected files can be repaired by NAV. On Sept 24 at 7AM, this virus
will wipe out every hard disk from Z: to A:, writing garbage onto the
first 200 sectors of each drive!

(Note: File size growth is given in approximate numbers. If a number
is enclosed in parentheses, that number would be the growth of one of
the more common variants. As it is too easy for a virus writer to
alter this number without changing the virus significantly, do not
depend on the more precise number. It is provided for your confidence
should you encounter it, which we hope never happens.)
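
The Spawn 519 entry above says that after infection a COM file exists
beside every EXE file. As an added example (not part of the original
Symantec file), the following Python code walks a directory tree and
reports the directories where every EXE has a same-named COM; the
function names and the sample tree of empty files are constructed for
illustration.

```python
import os
import tempfile
from collections import defaultdict


def scan_companions(root):
    """Map each directory holding EXE files to (exe_count, shadowing COM paths)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in (".com", ".exe"):
                # DOS file names are case-insensitive, so compare lowercased.
                by_stem[stem.lower()][ext.lower()] = os.path.join(dirpath, name)
        exe_count = sum(1 for found in by_stem.values() if ".exe" in found)
        # Two keys means both NAME.COM and NAME.EXE exist in this directory.
        shadows = sorted(f[".com"] for f in by_stem.values() if len(f) == 2)
        if exe_count:
            report[dirpath] = (exe_count, shadows)
    return report


def fully_shadowed(report):
    """Directories where every EXE has a same-named COM, as the entry describes."""
    return sorted(d for d, (n, shadows) in report.items() if n == len(shadows))


def build_sample_tree(root):
    """Constructed sample data: empty placeholder files, no real programs."""
    layout = {
        "CLEAN": ["EDIT.EXE", "FORMAT.COM", "NOTES.TXT"],
        "SUSPECT": ["GAME.EXE", "GAME.COM", "Setup.exe", "SETUP.COM"],
        "MIXED": ["A.EXE", "A.COM", "B.EXE"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_companions(tmp)
        for d in fully_shadowed(report):
            print("every EXE shadowed in", d, "->", report[d][1])
```

A single COM/EXE pair can be legitimate, so treat one pair as something
to check and a directory where every EXE is paired as the stronger sign.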