Release Notes for McAfee Virex 7 Monthly Update
Copyright (c) 2001 Networks Associates Technology, Inc.
All Rights Reserved

===============================================
Product Release: October, 2001
DAT Versions: 4164
===============================================

Thank you for using our products. This file contains important information about the current definition (.DAT) files. We strongly recommend that you read the entire document. We welcome your comments and suggestions.

_______________________________________________
IMPORTANT NOTES

This software can only be used to update Virex 7. This update package replaces older DAT files within your Virex 7 installation.

_______________________________________________
WHAT'S IN THIS FILE?

- What are .DAT files?
- What's in the package?
- Installation
- Testing your installation
- New Viruses Detected and Removed
- New Detections
- New Removals
- Understanding Virus Names
- Prefix
- Infix
- Suffix
- Generic Detections
- Contacting McAfee and Network Associates
- Copyright and Trademark Attributions
- Trademarks
- License Agreement

_______________________________________________
WHAT ARE .DAT FILES?

Virus definition (.DAT) files contain up-to-date virus signatures and other information that our anti-virus products use to protect your computer against the thousands of computer viruses in circulation. New .DAT files are released regularly to provide protection against the hundreds of new viruses that appear each month. To ensure that your anti-virus software can protect your system or network against the latest virus threats, download and install the latest .DAT files.

_______________________________________________
WHAT'S IN THE PACKAGE?

This package will update the virus definition files for Virex 7, which now protects against both Mac viruses and Windows PC viruses.

_______________________________________________
INSTALLATION

1. Download the compressed Virex 7 update file to hard disk and copy it into a temporary directory off the root on your computer, or the desktop.

2. Uncompress the file if required, and then double-click the update package. This will launch the Installer.

3. Follow the prompts in the installer. (At the Authorization stage, click on "Click the lock to make changes" and enter your administrator password. This is the account created when the operating system was installed.)

4. The installer overwrites the existing DAT files within the Virex installation.

TESTING YOUR INSTALLATION

The EICAR Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file, then save the file with the name EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file size will be 68 or 70 bytes.

Next, start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When your software scans this file, it will report finding the EICAR test file. Note that this file is NOT A VIRUS. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users.

_______________________________________________
NEW VIRUSES DETECTED AND REMOVED

Hundreds of new viruses and variants appear each month. Those which are detected and cleaned by AVERT's generic methods are added to the total virus count listed but they are not listed separately here.

Total viruses and variants, Trojan horse programs, and other malicious software detected: 58803

A full list of all the new detections and removals included since the previous update can be found at the following location.
The file Virlist.txt can be downloaded from:

ftp.nai.com/virusdefs/mac/virex7/

NEW DETECTIONS

Total number of new items detected with this release: 254

NEW REMOVALS

Total number of new items removed with this release: 243

The software removes a virus either by deleting the infecting virus code from files or by deleting the file from your computer.

NOTE: The New Removals list notes when the .DAT files do not include the ability to remove certain types of viruses. In these cases, you must remove the virus yourself, either by deleting the infected file or by removing harmful code. For more information, see the McAfee Virus Information Library at:

http://vil.nai.com/villib/alpha.asp

_______________________________________________
UNDERSTANDING VIRUS NAMES

McAfee anti-virus software typically follows industry-wide naming conventions to identify the viruses that it detects and cleans. Occasionally, some virus names deviate from strict industry standards.

The first virus with a given set of characteristics that mark it as a distinctly new entity receives a "family" name. Virus researchers draw the family name from some identifying quirk in the virus, such as a text string, or a payload effect. A family name can also include a numeric string that designates the byte size of the virus. Researchers use this name as a convenient shorthand to distinguish among very closely allied virus variants.

Names for variants within a virus family consist of the family name and a suffix - .A, for example. The suffix designations continue in alphabetical order until they reach .Z. At that point, they begin again with .AA and continue until they reach .AZ. Still later variants receive the suffix .BA through .BZ, and so forth, until the suffix designations reach .ZZ. If yet another variant appears after that, it would get the suffix .AAA.

As new virus strains appeared, industry naming conventions evolved to include more information.
Some names, for instance, include parts that identify the platform on which the virus can run. Macro viruses, the most prevalent of the virus types, can have complex names that consist of a number of parts.

Among anti-virus vendors, virus names can include a prefix, an infix and a suffix.

PREFIX

The prefix designates the type of file that the virus infects or the platform on which it can run. Viruses that infect DOS executables do not receive a prefix. McAfee virus names can include these prefixes:

A97M/    Macro virus. Infects Microsoft Access 97 files
APM/     Macro virus or Trojan horse program. Infects Ami Pro
         document and template files
BV/      Batch-file virus or Trojan horse program. These viruses
         usually run as batch or script files that affect a
         particular program that interprets the script or batch
         commands they include. They are very portable and can
         affect nearly any platform that can run batch or script
         files. The files themselves often have a .BAT extension.
CSC/     Corel Script virus or Trojan horse program. Infects Corel
         Draw document files, template files, and scripts.
HLL/     File-infector virus written in a high-level programming
         language
HTML/    Script virus. Infects HTML files
IRC/     Internet Relay Chat script virus. This virus type can use
         early versions of the mIRC client software to distribute
         a virus or payload
JS/      JavaScript virus or Trojan horse program
JV/      Java application or applet that functions as malicious
         software.
JVS/     JavaScript virus or Trojan horse program
O2KM/    Macro virus. Infects Microsoft Office 2000 files
P98M/    Macro virus or Trojan horse program. Infects Microsoft
         Project documents and templates.
PP97M/   Macro virus. Infects Microsoft PowerPoint 97 files
V5M/     Macro or script virus, or Trojan horse program. Infects
         Visio VBA (Visual Basic for Applications) macros or
         scripts.
VBS/     Script virus. Infects Visual Basic scripts
W32/     File-infector or boot-sector virus.
         Runs in 32-bit Windows environments (Windows 95,
         Windows 98 or Windows NT)
WIN/     File-infector virus. Runs in 16-bit and 32-bit Windows
         environments (Windows 3.1x, Windows 95, Windows 98, or
         Windows NT)
W95/     File-infector virus. Runs in Windows 95 and Windows 98
         environments
W97M/    Macro virus. Infects Microsoft Word 97 files
WM/      Macro virus. Infects Microsoft Word 95 files
X97F/    Macro virus. Infects Microsoft Excel 97 via Excel formulas
X97M/    Macro virus. Infects Microsoft Excel 97 files
XF/      Macro virus. Infects Microsoft Excel 95 or 97 via Excel
         formulas
XM/      Macro virus. Infects Microsoft Excel 95 files

INFIX

These designations usually appear in the middle of a virus name. AVERT assigns these designations, which will differ from industry conventions.

.CMP.    Companion file. This designates a companion file that the
         virus adds to an existing executable file. McAfee software
         deletes the companion file to prevent later infections.
.MP.     Multi-partite virus. A McAfee designation.
.OW.     Overwriting. This identifies a virus that overwrites data
         in a file, thereby irreparably corrupting it. This file
         must be deleted.

SUFFIX

These designations usually appear as the last part of a virus name. A virus name can have more than one suffix. One might designate a variant, for example, while others give additional information. AVERT assigns many of these designations, which can differ from industry conventions.

@MM      Mass mailing distribution. This virus might use standard
         techniques to propagate itself, but will also, or in some
         cases primarily, use an e-mail system to spread.
.A to .ZZZ
         Virus variant designation.
.APP     Appended viruses. This designates a virus that appends its
         code to the file it infects, but fails to provide for
         correct replication. McAfee software detects these files
         in order to prevent false virus identifications.
.CAV     Cavity virus. This designates a virus that copies itself
         into "cavities" (areas of all zeroes) in a program file.
.CLI     Client-side component of an Internet Trojan-horse program.
.DAM     Damaged file. This designates a file damaged or corrupted
         by an infection
.DR      Dropper file. This file introduces the virus into the host
         program
.GEN     Generic detection. Native routines in McAfee software
         detect this virus without using specific code strings
.GR      Generic detection and removal. Native routines in McAfee
         software detect and remove this virus without using
         specific code strings
.INTD    "Intended" virus. This designates a virus that has most of
         the usual virus characteristics, but cannot replicate
         correctly. McAfee anti-virus software will detect it in
         order to prevent false identifications of active viruses
.SFX     Self-extracting installation utility for Trojan horse
         programs
.SRC     Viral source code. This ordinarily cannot replicate or
         infect files, but some virus droppers add this to files as
         part of the infection cycle. McAfee products routinely
         flag files with additional code of this sort for deletion
.SVR     Server-side component of an Internet Trojan-horse program.

GENERIC DETECTIONS

When a scanner reports W97M/Generic@MM or X97M/Generic@MM driver it means the engine (4070 or later only) has detected heuristically a highly suspicious VBA macro that is likely to be a mass-mailing virus. The cleaning for such viruses is also available but should be done with extra caution - users are advised to keep a copy of a file before cleaning and submit a sample to AVERT.
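
Added example (not part of the original release notes and not McAfee code): a small parser that splits a detection name from a scan report into the prefix, family, infix, suffix and variant parts described above, and ranks the variant in the .A to .ZZZ order. Assumptions: the prefix ends at "/", the remaining parts are separated by ".", and a part that matches a listed infix or suffix is read as that designator and not as a variant; only W97M/Generic@MM comes from the notes, the other sample names are constructed.

```python
import re

# Designators copied from the PREFIX, INFIX and SUFFIX tables in these notes.
PREFIXES = {"A97M", "APM", "BV", "CSC", "HLL", "HTML", "IRC", "JS", "JV", "JVS",
            "O2KM", "P98M", "PP97M", "V5M", "VBS", "W32", "WIN", "W95", "W97M",
            "WM", "X97F", "X97M", "XF", "XM"}
INFIXES = {"CMP", "MP", "OW"}
SUFFIXES = {"APP", "CAV", "CLI", "DAM", "DR", "GEN", "GR", "INTD", "SFX",
            "SRC", "SVR"}

def variant_index(variant):
    """1-based rank in the order .A-.Z, .AA-.AZ, .BA-.ZZ, then .AAA onward."""
    rank = 0
    for ch in variant.upper():
        rank = rank * 26 + (ord(ch) - ord("A") + 1)
    return rank

def parse_name(name):
    """Split a detection name into the parts the notes describe."""
    mass_mailer = name.upper().endswith("@MM")
    if mass_mailer:
        name = name[:-3]
    prefix, slash, rest = name.partition("/")
    if not slash:                      # DOS executable infectors get no prefix
        prefix, rest = None, name
    elif prefix.upper() not in PREFIXES:
        raise ValueError(f"prefix not in the notes' table: {prefix!r}")
    family, *tokens = rest.split(".")
    out = {"prefix": prefix, "family": family, "infixes": [], "suffixes": [],
           "variant": None, "variant_index": None, "mass_mailer": mass_mailer}
    for tok in tokens:
        t = tok.upper()
        if t.isdigit():                # byte-size string is part of the family
            out["family"] += "." + tok
        elif t in INFIXES:             # assumption: a listed designator wins
            out["infixes"].append(t)   # over a variant with the same letters
        elif t in SUFFIXES:
            out["suffixes"].append(t)
        elif re.fullmatch(r"[A-Z]{1,3}", t):
            out["variant"], out["variant_index"] = t, variant_index(t)
        else:
            raise ValueError(f"unrecognised name part: {tok!r}")
    return out

if __name__ == "__main__":
    # W97M/Generic@MM appears in the notes; the other names are constructed.
    for sample in ("W97M/Generic@MM", "W32/Example.CMP.B", "Example.1024.AA"):
        print(sample, "->", parse_name(sample))
```
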
_______________________________________________
CONTACTING MCAFEE AND NETWORK ASSOCIATES

Technical Support
    http://knowledge.nai.com

Product Documentation Issues
    tvd_documentation@nai.com

McAfee Beta Program
    Beta Web Site: www.mcafeeb2b.com/beta/
    E-mail: avbeta@nai.com

AVERT Anti-Virus Research Site
    www.mcafeeb2b.com/avert

Download Site
    www.mcafeeb2b.com/naicommon/download/

DAT File Updates
    www.mcafeeb2b.com/naicommon/download/dats/find.asp

Product Upgrades
    www.mcafeeb2b.com/naicommon/download/upgrade/login.asp
    Valid grant number required. Contact Network Associates Customer Service

On-Site Training Information
    www.mcafeeb2b.com/services/mcafee-training/default.asp

Finding a Reseller
    www.mcafeeb2b.com/naicommon/partners/tsp-seek/intro.asp

Network Associates Customer Service
    US, Canada, and Latin America toll-free:
    Phone: +1-888-VIRUS NO or +1-888-847-8766
           Monday - Friday, 8 a.m. - 8 p.m., Central Time
    E-mail: services_corporate_division@nai.com
    Web: www.nai.com
         www.mcafeeb2b.com

For additional information on contacting Network Associates and McAfee (including toll-free numbers for other geographic areas) see the CONTACT file that accompanied your original product release.

_______________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

(c) 2001 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call +1-972-308-9960.

TRADEMARKS

Active Security, ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Building a World of Trust, Certified Network Expert, Clean-Up, CleanUp Wizard, Cloaking, CNX, CNX Certification Certified Network Expert and design, CyberCop, CyberMedia, CyberMedia UnInstaller, Data Security Letter and design, Design (logo), Design (Rabbit with hat), design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon's, Dr Solomon's label, Enterprise SecureCast, EZ SetUp, First Aid, ForceField, Gauntlet, GMT, GroupShield, Guard Dog, HelpDesk, HomeGuard, Hunter, I C Expert, ISDN TEL/SCOPE, LAN Administration Architecture and design, LANGuru, LANGuru (in Katakana), LANWords, Leading Help Desk Technology, LM1, M and design, Magic Solutions, Magic University, MagicSpy, MagicTree, MagicWord, McAfee Associates, McAfee, McAfee (in Katakana), McAfee and design, NetStalker, MoneyMagic, More Power To You, MultiMedia Cloaking, myCIO.com, myCIO.com design (CIO design), myCIO.com Your Chief Internet Officer & design, NAI & design, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetRoom, NetScan, NetShield, NetStalker, Network Associates, Network General, Network Uptime!, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PC Medic 97, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerLogin, PowerTelNet, Pretty Good Privacy, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, ReportMagic, RingFence, Router PM, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SniffMaster, SniffMaster (in Hangul), SniffMaster (in Katakana), SniffNet, Stalker, Stalker (stylized), Statistical Information Retrieval (SIR), SupportMagic, TeleSniffer, TIS, TMACH, TMEG, TNV, TVD, TNS, TSD, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, Trusted MACH, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, Who's Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NAI OR THE PLACE OF PURCHASE FOR A FULL REFUND.