21A11.TXT - Description file for 21A11.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
September 1, 1993

******************************************************************

[The NAV definition update installation instructions are also
available on this disk in French, German, Italian, Swedish, and
Spanish. Please reference the appropriate file.]

Loading New Definitions

To update NAV 2.1 with the new virus definition you have just
received, do the following:

Note: Each definition set completely replaces the current set so
only the latest is required.

From DOS:

1) At the DOS prompt, type "NAV" then press Enter.
2) Select the "Cancel" button (ALT-C) to bypass scanning at this
   time.
3) Select the Definitions menu (ALT-D), then select the "Load from
   file" item (L). You will now see the "Load from file" dialog box.
4) Place the definition diskette in drive A: (Drive B: where
   applicable).
5) In the FILE field, type "A:*.DEF" ("B:*.DEF" if applicable) then
   press Enter.
6) The definition file on the disk should now appear in the "Files"
   box.
7) Select the "Files" box (ALT-L).
   Note: the filename is normally loaded into the "File" line
   automatically as it is usually the only file available. If this
   is not the case, use the TAB key to highlight the file then press
   the spacebar.
8) Select "OK" (ALT-O) to load the new definition set.
9) After loading, press "ESC", exit NAV, and reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

From Windows:

1) Activate NAV by double-clicking on its icon.
2) Click on "CANCEL" in the "Scan Drives" window to bypass scanning
   at this time.
3) From the "Definitions" menu choose "Load from file".
4) Place the definition diskette in drive A: (Drive B: where
   applicable).
5) Type "A:*.DEF" ("B:*.DEF" if applicable) in the "File" field,
   then press the Enter key.
6) The latest definition file should now appear in the "Files" box.
7) Double-click on the filename inside the "Files" box.
8) The file should begin to load.
   If not, click the "OK" button to load the new definition set.
9) After loading, exit NAV, exit Windows, then reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

******************************************************************

Note for users who are not updated through Corporate Channels:

After updating your definitions, if every file is identified as
being infected with "MtE", don't panic. You probably do not have a
virus. Please download the patch file, PTCH1A.ZIP (available
through CompuServe and the Symantec BBS), unzip the file, follow
the instructions included in the readme file, and then load these
definitions again. If you are unable to download this patch file,
or are still experiencing problems after using it, please contact
Symantec Technical Support.

******************************************************************

MacGyver

MacGyver is a memory-resident stealth virus that infects EXE files
as they are run or opened. The virus also attaches itself to files
that look like EXE files (.386, .DLL, .DRV, etc.). These files will
seem corrupted. The virus contains the encrypted messages
"MACGYVER V 1.0" and "Keelung, TAIWAN 1992", but does not display
those messages. If the month is after February and the date ends
in 5 (i.e. March 5 to December 25) the virus is supposed to play a
tune. Infected files will grow by approximately 2800 (2803) bytes.
However, if the virus is active in memory this size change will not
be visible in a directory listing.

MacGyver can be repaired by NAV.

-----

Scream-652

This is another variant of the Scream II virus. This group of
viruses infects COMMAND.COM when initially run, and infects other
COM and EXE files from memory as they are run or opened for any
reason. Infected files grow by approximately 650 (652) bytes with
the virus located at the end of the host program. The virus is
encrypted.

This virus is not repaired by NAV.
-----

Freddy

Freddy is a memory-resident virus that infects COM and EXE files as
they are run. The virus contains an encrypted directory in which
all entries appear as "FREDDY KRG" with a size of 0 bytes. The time
and date stamps do not appear as these fields also contain zero.
When the virus triggers, the sector is decrypted and written to the
first root directory sector of drive C: making the system
unbootable. The virus then hangs the computer in an endless loop.
Infected files grow by about 1900 bytes with the virus located at
the end of the host program. However, COMMAND.COM is infected
differently and grows by less than 100 bytes.

Freddy can be repaired by NAV.

-----

Stoned (3C)

This is a minor variant of the standard Stoned virus. It does not
contain the "Legalize Marijuana" message and appears to have been
modified so as to avoid detection with older antivirus patterns.

Stoned (3C) can be repaired by NAV.

-----

(Note: File size growth is given in approximate numbers. If a
number is enclosed in parentheses, that number would be the growth
of one of the more common variants. As it is too easy for a virus
writer to alter this number without changing the virus
significantly, do not depend on the more precise number. It is
provided for your confidence should you encounter it, which we hope
never happens.)