21A11.TXT - Description file for 21A11.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
September 1, 1993

******************************************************************

[The NAV definition update installation instructions are also available on this disk in French, German, Italian, Swedish, and Spanish. Please reference the appropriate file.]

Loading New Definitions

To update NAV 2.1 with the new virus definition you have just received, do the following:

Note: Each definition set completely replaces the current set, so only the latest is required.

From DOS:

1) At the DOS prompt, type "NAV" then press Enter.
2) Select the "Cancel" button (ALT-C) to bypass scanning at this time.
3) Select the Definitions menu (ALT-D), then select the "Load from file" item (L). You will now see the "Load from file" dialog box.
4) Place the definition diskette in drive A: (Drive B: where applicable).
5) In the FILE field, type "A:*.DEF" ("B:*.DEF" if applicable) then press Enter.
6) The definition file on the disk should now appear in the "Files" box.
7) Select the "Files" box (ALT-L). Note: the filename is normally loaded into the "File" line automatically as it is usually the only file available. If this is not the case, use the TAB key to highlight the file then press the spacebar.
8) Select "OK" (ALT-O) to load the new definition set.
9) After loading, press "ESC", exit NAV, and reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

From Windows:

1) Activate NAV by double-clicking on its icon.
2) Click on "CANCEL" in the "Scan Drives" window to bypass scanning at this time.
3) From the "Definitions" menu choose "Load from file".
4) Place the definition diskette in drive A: (Drive B: where applicable).
5) Type "A:*.DEF" ("B:*.DEF" if applicable) in the "File" field, then press the Enter key.
6) The latest definition file should now appear in the "Files" box.
7) Double-click on the filename inside the "Files" box.
8) The file should begin to load.
   If not, click the "OK" button to load the new definition set.
9) After loading, exit NAV, exit Windows, then reboot the machine.
10) NAV will now use the new definitions to scan for viruses.

******************************************************************

Note for users who are not updated through Corporate Channels:

After updating your definitions, if every file is identified as being infected with "MtE", don't panic. You probably do not have a virus. Please download the patch file, PTCH1A.ZIP (available through CompuServe and the Symantec BBS), unzip the file, follow the instructions included in the readme file, and then load these definitions again. If you are unable to download this patch file, or are still experiencing problems after using it, please contact Symantec Technical Support.

******************************************************************

Satan Bug

Satan Bug is a polymorphic, non-stealth, resident, COM and EXE infector. It is comparable in complexity to those viruses incorporating the Mutation Engine. The virus starts with a very long decryption routine which varies greatly in both size and content. Several decryption methods may be employed. Due to the complexity of the encryption, NAV does not repair this virus.

When an infected file is executed, the virus will seek out COMMAND.COM. It will be infected first. Then the virus will stay resident in memory as it infects COM and EXE files as they are executed or copied.

The virus ranges in size from about 3600 to 5400 bytes; the actual virus being about 3500 bytes and the rest being the polymorphic decryptor. The text "Satan Bug virus - Little Loc" is hidden in the encrypted portion of the virus.

A company on the east coast of the United States discovered that it had been infected by this virus. Thus computer users in the region should be most careful. If you discover that you are infected by this virus, please call our Support personnel.
-----

Butterfly

Butterfly is a simple non-resident infector of COM programs. It appears to be closely related to the Ash virus. Past definition sets would have been able to detect this variant as the Ash virus.

Butterfly only infects on execution, targeting other files in the current directory. It is about 300 bytes long and contains the text "butterflies".

This virus has been reported in the wild by another antivirus company. As noted, you would have been equally protected by the previous definition of Ash. However, NAV is now able to differentiate. The Ash definition has been fine-tuned to acknowledge the presence of this new variant and let this new variant be called Butterfly. Butterfly can be repaired by NAV.

(Note: File size growth is given in approximate numbers. If a number is enclosed in parentheses, that number would be the growth of one of the more common variants. As it is too easy for a virus writer to alter this number without changing the virus significantly, do not depend on the more precise number. It is provided for your confidence should you encounter it, which we hope never happens.)
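
An added example, not part of the original Symantec file: it contrasts a fixed-string scan, which finds a marker stored in the clear such as Butterfly's "butterflies", with a key-independent scan that still finds a marker hidden under encryption, as the Satan Bug text is. The single-byte XOR, the filler bytes and all function names are assumptions for illustration; the page does not say how Satan Bug encrypts its body, only that several complex methods may be employed.

```python
"""Added illustration: fixed-string vs. key-independent marker scanning.
All buffers are constructed test data, not virus samples."""

BUTTERFLY_TEXT = b"butterflies"                   # text quoted on the page
SATAN_BUG_TEXT = b"Satan Bug virus - Little Loc"  # text quoted on the page


def plain_scan(data, marker):
    """Fixed-string scan: offset of the marker, or -1 if not stored in clear."""
    return data.find(marker)


def xray_scan(data, marker):
    """Find marker under an unknown single-byte XOR key (assumed toy cipher).
    XOR of two neighbouring bytes cancels a constant key, so the marker's
    neighbour-difference stream is identical in plaintext and ciphertext.
    Returns (offset, key) or None.
    """
    if len(marker) < 2 or len(data) < len(marker):
        return None
    want = bytes(a ^ b for a, b in zip(marker, marker[1:]))
    diffs = bytes(a ^ b for a, b in zip(data, data[1:]))
    pos = diffs.find(want)
    return None if pos < 0 else (pos, data[pos] ^ marker[0])


def make_sample(marker, key, filler_len):
    """Constructed buffer: variable-length filler, then a body XOR-ed with key."""
    filler = bytes((7 * i + key) & 0xFF for i in range(filler_len))
    body = bytes(16) + marker + bytes(16)
    return filler + bytes(b ^ key for b in body)


def scan_report():
    """Scan one clear-text sample and two differently keyed and sized ones."""
    cases = [
        ("clear", BUTTERFLY_TEXT, 0x00, 40),
        ("keyed-a", SATAN_BUG_TEXT, 0x5A, 120),
        ("keyed-b", SATAN_BUG_TEXT, 0xC3, 300),
    ]
    report = {}
    for name, marker, key, filler_len in cases:
        data = make_sample(marker, key, filler_len)
        report[name] = (plain_scan(data, marker), xray_scan(data, marker))
    return report


if __name__ == "__main__":
    print(scan_report())
```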