21A04.TXT - Description file for 21A04.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
February 1, 1993

******************************************************************

Instructions for loading virus definitions, using Norton AntiVirus 2.1:

1) Run Virus Clinic by typing NAV at the DOS prompt or clicking on the NAV Icon from within Windows.
2) Select "Cancel," or press to bypass the "Scan Drives" Screen.
3) Select the "Definitions" menu.
4) Select "Load from File..."
5) If the name of the drive and directory to which you loaded the definition file does not appear on the "Directory:" line, change to the proper drive and directory. The name of the definition file should appear in the "Files" window.
6) Select the definition file, click "OK," or press .
7) After the definitions have loaded, press to exit from the "Load Definition File Results" screen.
8) Select "Exit" from the "Scan" menu.
9) Reboot your computer to activate the new definitions.

******************************************************************

Note for users who are not updated through Corporate Channels:

If you experience MtE problems, please download the patch file, PTCH1A.ZIP, unzip the file, follow the instructions included in the readme file, then load these definitions again.

******************************************************************

In our effort to bring the industry together on common standards, we have chosen to follow the naming conventions established by CARO, the Computer Anomaly Research Organization. In future months, we will be slowly changing the virus names in the NAV product to more closely resemble the names established by CARO.
In this update, the following name changes occur:

Old name              New Name
--------              --------
Christmas in Japan    Japanese Christmas
Agiplan               Month 4-6
Manta                 VCS
Jerusalem-Related-2   Jerusalem-2
Manola                Manuel
MFace                 Multiface
Newcom                YD-44.Login
Smobla                Vienna (Sicilian Mob 1a)
Pisselo               Pisello
Taiwan-3              Anticad 2
Rocko                 Rock Steady
UNK                   Kiss
Invol                 Involuntary
DiskInfect            Quox
Gnose                 Necros

-----
Exebug

Exebug is a memory resident infector of floppy diskette boot sectors and hard disk master boot records. The original boot sector is stored in encrypted form elsewhere on the disk, depending on the disk type, and the disk boot sector is replaced by the viral boot sector, which is not a legal MBR! It is a very complicated virus.

If you are infected with Exebug, all attempts to read the boot sector will be redirected to the correct version of the boot sector. As a result, your system will seem to be unaffected. The only way to detect the virus when infected is by its memory signature. Exebug steals 1K of memory from the 640K mark. Thus infected systems will show 1K less memory available than normal.

The virus will alter the CMOS configuration of the system to report that there is no A: drive. On some systems, this alteration causes the system to always boot first from the C: drive. Thus, on those systems, the virus will get into memory first. The virus, understanding that a user just attempted to reboot, will then simulate the booting process from A: but it will already be in memory.

Fortunately, the Exebug virus is only known to be in the wild in South Africa and neighboring locations. If you discover that you are infected by this virus, please call our Technical Support for instructions on how to remove the virus.

Apart from these technical complications, the virus does not intentionally damage the computer. Sector 7 of the hard disk boot track or a sector on track 0 of floppies is used to store the original boot sector. Thus, it might overwrite information.
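The two Exebug symptoms described above (1K missing below the 640K mark, and CMOS claiming there is no A: drive) can be checked mechanically. This added Python example is not part of the NAV notes; it assumes the standard PC locations for those values (the base-memory word at 0040:0013h and the floppy-type byte in CMOS register 10h) and runs over constructed snapshots rather than live hardware.

```python
# Added example, not from the NAV definition notes: defender-side checks for the
# two Exebug symptoms the text describes, applied to constructed memory snapshots.
BDA_BASE_MEMORY_KB = 0x13   # assumed: word at 0040:0013h, base memory size in KB (INT 12h)
CMOS_FLOPPY_TYPE = 0x10     # assumed: CMOS register 10h, high nibble = drive A type, low = drive B
EXPECTED_BASE_KB = 640      # normal top of conventional memory on a PC


def base_memory_kb(bda: bytes) -> int:
    """Little-endian word at offset 13h of a BIOS Data Area snapshot."""
    return int.from_bytes(bda[BDA_BASE_MEMORY_KB:BDA_BASE_MEMORY_KB + 2], "little")


def drive_a_present(cmos: bytes) -> bool:
    """Drive A type lives in the high nibble of CMOS 10h; 0 means 'no drive installed'."""
    return (cmos[CMOS_FLOPPY_TYPE] >> 4) != 0


def exebug_indicators(bda: bytes, cmos: bytes, expected_kb: int = EXPECTED_BASE_KB) -> list:
    """Return a list of human-readable findings; an empty list means neither symptom is present."""
    findings = []
    reported = base_memory_kb(bda)
    deficit = expected_kb - reported
    if deficit > 0:
        findings.append(f"base memory reports {reported}K ({deficit}K missing below {expected_kb}K)")
    if not drive_a_present(cmos):
        findings.append("CMOS reports no A: drive")
    return findings


def make_snapshots(base_kb: int, drive_a_type: int):
    """Constructed BDA (256 bytes) and CMOS (64 bytes) images for offline testing."""
    bda = bytearray(0x100)
    bda[BDA_BASE_MEMORY_KB:BDA_BASE_MEMORY_KB + 2] = base_kb.to_bytes(2, "little")
    cmos = bytearray(64)
    cmos[CMOS_FLOPPY_TYPE] = (drive_a_type << 4) | 0x0   # drive B: none
    return bytes(bda), bytes(cmos)


if __name__ == "__main__":
    clean_bda, clean_cmos = make_snapshots(640, 4)      # 640K, drive A = 1.44M type
    suspect_bda, suspect_cmos = make_snapshots(639, 0)  # 1K short, no A: drive
    print("clean:", exebug_indicators(clean_bda, clean_cmos))
    print("suspect:", exebug_indicators(suspect_bda, suspect_cmos))
```

A 1K deficit alone is not proof of infection (some BIOSes and drivers reserve memory at the top of conventional RAM), so treat the combination of both findings as the stronger signal and confirm with the memory signature.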
-----
Kilroy

Kilroy is a very simple boot sector infector. It is from the book, "The Little Black Book of Viruses." It is not believed to be in the wild. However, as some people have the book and might be mischievously playing with its instructions, we provide it to make sure those people do not mistakenly put it into the wild. The virus displays "Kilroy was here!" when booted from an infected diskette.

-----
Vienna-629

Vienna-629 is a strain of the Vienna family of viruses. It is a direct action infector of COM files. On each execution of an infected file, another COM file in the current directory is found and infected. Files with the read-only bit set do not affect the decision criteria. Not all COM files will be infected, as some may randomly match the virus' self check against reinfection.

Infected files will grow by 629 bytes. On random occasions, instead of a size increase, the virus will instead destroy the file by overwriting the first 5 bytes with garbage. The files which have grown by 629 bytes are repairable by NAV. Those files which have been overwritten are not.

-----
Jerusalem (Pipi)

Jerusalem (Pipi) is another strain in the Jerusalem family of viruses. It is a memory resident infector of COM and EXE files. For COM files, it prepends itself to the file. In EXE files, it appends itself to the file. The memory resident portion of the virus uses 2K of memory, but CHKDSK will not show any memory deficiency.

Files are infected when executed once the virus is in memory. Infected files grow by approximately 1550 (1552) bytes. Infected files will also have their file timestamps altered to the time of infection.

The virus intercepts INT 21H and INT 1CH. INT 21H is the primary DOS interrupt and is used by the virus to replicate. INT 1CH is the timer tick interrupt and is used by the virus to determine when to display a message on the screen.
This virus, like many of the memory resident types in the Jerusalem family, has conflicts with the Novell network environment and may crash such systems.

-----
Michelangelo 5/26

This virus is a third strain of the well known Michelangelo virus. It has been slightly altered from the original Michelangelo virus. One of the things that was altered was the activation date. This strain activates on May 26th. Otherwise, it has all the same characteristics as the other Michelangelo viruses.

-----

(Note: File size growth is given in approximate numbers. If a number is enclosed in parentheses, that number would be the growth of one of the more common variants. As it is too easy for a virus writer to alter this number without changing the virus significantly, do not depend on the more precise number. It is provided for your confidence should you encounter it, which we hope never happens.)