VIREX

Release Notes for the Virex Virus Update for September 1, 2001
Copyright 1992-2001 Networks Associates Technology, Inc.
All Rights Reserved.

Virus Definitions Release Date: September 1, 2001
Current Virex Scan Engine Version: 4131
Includes these Virus Definition files: 4154

Thank you for using Virex, the fastest, most accurate virus detection
and repair solution available for the Macintosh. These release notes
contain important information about the current Virex Virus Update.
Network Associates strongly recommends that you read the entire
document.

Network Associates welcomes your comments and suggestions. Please use
the information provided in this file to contact Network Associates
Customer Care, technical support, and the Total Virus Defense
documentation team.

WHAT'S IN THIS FILE?

- What Is a Virus Update File?
- Documentation
- New Features
- Installation
- Additional Information
- New Viruses Detected and Removed
- Understanding Virus Names
- Contacting Network Associates
- Copyright and Trademark Attributions

WHAT IS A VIRUS UPDATE FILE?

Virus Update files contain up-to-date virus signatures and other
information for Virex to use to protect your computer against the
thousands of computer viruses in circulation and against the hundreds
of new viruses that emerge between updates. Network Associates
releases new Virus Update files each month. To protect yourself
against these virus threats, download and install the latest Virus
Update file every month.

DOCUMENTATION

Network Associates provides each of its products with an extensive
set of documentation, which usually consists of one or more product
guides saved in Adobe Acrobat Portable Document Format (.PDF), and an
online help system, whose form can vary, depending on the platform on
which the product runs. Acrobat .PDF files are flexible online
documents that contain hyperlinks, outlines and other aids for easy
navigation and information retrieval.
You can also install an Acrobat plug-in file that allows you to read
.PDF documents from within your web browser while online.

Copies of the product documentation come with the product CD-ROM or
are available on the Network Associates website at:

    ftp://ftp.nai.com/pub/manuals/total_virus_defense

A copy of the latest version of the free Acrobat Reader also comes
with the product CD-ROM, or you can download the latest
English-language version from the Network Associates FTP site at:

    ftp://ftp.nai.com/pub/manuals/acrobat_reader

To download other Acrobat Reader versions, visit the Adobe website
at:

    http://www.adobe.com/prodindex/acrobat/readstep.html

IMPORTANT: Most Network Associates TVD product documentation produced
during and after September 1999 requires the use of Adobe Acrobat
Reader v4.0.

To comment, ask about, or suggest improvements to Network Associates
anti-virus product documentation, send e-mail to:

    tvd_documentation@nai.com

To get answers to your technical support questions, send messages to:

    techsupport@mcafee.com

To ask about your eligibility for updates and upgrades, check your
registration, or ask general questions related to Network Associates
software, send messages to:

    custcare@nai.com

INSTALLATION

Network Associates distributes Virus Update files as StuffIt
archives. These come in two forms: a BinHexed VX010901.HQX file, and
as VX010901.UPD, a straight archive file suitable for use with the
eUpdate feature in Virex anti-virus software v6.0 and later.

USING EUPDATE TO INSTALL VIRUS UPDATE FILES

If you use the eUpdate feature in the Virex v6.0 or later software,
the software itself will download, extract, and install the Virus
Update file.

Although this works quite well for individual Macintosh computers,
Network Associates recommends a different approach for medium and
large networks. With this method, you use a web browser or FTP client
software to download the VX010901.UPD file directly from the Network
Associates FTP site.
You then post the file to a central server on your network and
configure all of your client computers to download the VX010901.UPD
file from that central server via FTP or AppleTalk, depending on your
preference or your network configuration.

This allows you to control when all updates occur, to reduce network
traffic on your servers, to reduce your security risks from outside
your network, and to take best advantage of Network Associates server
bandwidth. For more details, see the Virex User's Guide stored on the
Virex CD-ROM or disc image.

INSTALLING VIRUS UPDATE FILES DIRECTLY

To install Virus Update files directly on to each of your client
Macintosh computers, download the VX010901.HQX file from the Network
Associates website or FTP site, then extract the files for
installation. To do so, you'll need a copy of StuffIt Expander,
StuffIt Lite, or another utility that can read and process files
saved in StuffIt format. You can download the utilities you need from
most electronic services. Most browser software also includes a
plug-in version of StuffIt Expander that can extract the files
automatically, as soon as you download them.

NOTE: If you have Virex anti-virus software v6.0 or later installed,
you can use its eUpdate feature to download and install new Virus
Update files automatically. To learn how to do so, see the Virex
User's Guide.

To install the Virus Update file, download or copy the compressed
file to your Macintosh desktop or to a temporary folder on your hard
disk. Next, follow these steps:

1. Start your compression application, then use it to open and
   extract the Virus Definitions 2001-09-01.sit file. If you have a
   copy of StuffIt Expander on your desktop, you can simply drag the
   Virus Definitions file on top of StuffIt Expander to have the file
   extract automatically.

2. The extracted file will appear on your hard disk with the name
   Virus Definitions 2001-09-01. Double-click this file to start
   Virex.
   Virex will ask you to confirm that you want to update your Virus
   Definitions file.

3. Click Update to continue. Virex will tell you when it has finished
   updating your file.

4. Click OK to return to the Virex application's main window, where
   you can immediately start a new scan operation.

In the lower left corner of its main window, the Virex application
displays the legend Virus Definitions, followed by a date. This date
marks the day Network Associates produced or designated this update
file for release. For the September 1, 2001 Virus Update, this date
is 9/1/01. The specific format of the date shown will depend on how
you have your computer set to display dates.

NOTE: By default, the Virex Installer uses the Virus Definition file
that comes with it to scan your system. You should consider replacing
this Virus Definition file with a current Virus Update file in order
to take advantage of new detection capabilities.

ADDITIONAL INFORMATION

AUTOSTART WORMS

If Virex detects an AutoStart worm on your computer, Network
Associates strongly recommends that you restart your system with
extensions disabled, then start a scan operation with the Virex
application. To disable your extensions, press the Shift key on your
keyboard as you restart your computer. Continue to hold the Shift key
until you see the message Extensions Disabled.

This prevents the AutoStart worm from loading into your computer's
memory and allows Virex to remove it from your system. If you do not
disable your extensions, the worm will load into memory and can
continue to spread even after you remove its original files from your
system.

As an alternative, follow these steps:

1. Choose Virex Control Panel from the Apple menu to open the control
   panel window.
2. Click Preferences.
3. Select the General icon at the left of the Preferences dialog box,
   then choose either First or Alphabetically from the Load Control
   Panel menu.
4. Select the File Access icon at the left of the Preferences dialog
   box.
5. Verify that the Scan Files When Opened checkbox is selected.
6. Click Save to save your settings and return to the Virex Control
   Panel window.
7. Close the Control Panel window, then restart your computer.

Virex will load into your computer's memory first and will remove the
worm as it tries to launch at startup.

To prevent the AutoStart worm from reappearing on your computer or
infecting other computers, use Virex to scan all disks that you might
have used with an infected computer. If you have the Scan Files When
Opened option activated in the Virex Control Panel, you can safely
mount infected disks for scanning.

If you need to enable additional extensions in order to mount some
disk types, you should disable the AutoPlay option in the QuickTime
Settings control panel before you restart your computer. Follow these
steps:

1. Choose QuickTime Settings from the Apple menu to open the control
   panel window.
2. Choose AutoPlay from the menu at the top of the control panel
   window.
3. Verify that the Enable Audio CD AutoPlay and the Enable CD-ROM
   AutoPlay checkboxes are clear.
4. Close the control panel window.
5. Use Extensions Manager or an extensions manager utility to enable
   the extensions you need, then restart your computer.

NEW VIRUSES DETECTED AND REMOVED

Hundreds of new viruses and variants appear each month. Those which
are detected and cleaned by AVERT's generic methods are added to the
total virus count but they are not listed separately here.

IMPORTANT NOTE

This Virus Update file functions only with Virex v5.9.0 or later. You
cannot use this Virus Update file with earlier Virex versions.

This Virus Update file detects these 9 new viruses:

    SubSeven (Mac Trojan)
    W97M/BOLUC.BAT
    W97M/BOLUC@MM
    W97M/CHACK.CG.DAM
    W97M/LILI.GEN
    W97M/SKRSTEAL
    W97M/OMK
    W97M/SHORE
    WM/UCK

GENERIC DETECTION AND CLEANING

AVERT has developed a Generic Detection and Cleaning technique, which
means that although our documentation may indicate that the number of
new viruses added each release is falling, we are in fact dealing
with more viruses and Trojans than ever before. This generic
detection is being constantly updated, so users will still need to
download regular updates as before.

With the development of the generic techniques in our scanner, we
reached a situation when the great majority of new macro viruses,
script viruses, worms and Trojans are detected and cleaned before we
receive the sample and even before they are written.

For example, in January 2001, users of all currently supported
engines (4.0.70 or later) have benefited from VBA generic
capabilities delivered in the Virex updates. So users of these
engines benefit from automatic detection and cleaning of over 90% of
new and not yet known macro viruses.

That is why the number of macro viruses added to the monthly updates
(reported in the appropriate section of the README.TXT file) has gone
down. We want to assure you that AVERT researchers process every
single virus that we receive and make sure we detect everything worth
detecting.

UNDERSTANDING VIRUS NAMES

Network Associates anti-virus software typically follows
industry-wide naming conventions to identify the viruses that it
detects and cleans. Occasionally, some virus names deviate from
strict industry standards.

The first virus with a given set of characteristics that mark it as a
distinctly new entity receives a "family" name. Virus researchers
draw the family name from some identifying quirk in the virus--a text
string, perhaps, or a payload effect. Names for variants of that
first virus consist of the family name and a suffix--.A, for example.
The suffix designations continue in alphabetical order until they
reach .Z. At that point, they begin again with .AA and continue until
they reach .AZ. Still later variants receive the suffix .BA through
.BZ, and so forth, until the suffix designations reach .ZZ. If yet
another variant appears after that, it would get the suffix .AAA.

As new virus strains appeared, industry naming conventions evolved to
include more information. Some names, for instance, include parts
that identify the platform on which the virus originated or can run.

Macro viruses, the most prevalent of the virus types, can have
complex names that consist of a number of parts. Although the virus
name might identify the platform of origin, most macro viruses are
cross-platform and can run in a number of different environments. The
effects of a virus infection can vary between platforms, but in a
networked environment, what might have no effect on one platform can
do severe damage in another.

Among anti-virus vendors, virus names can include:

PREFIX

The prefix designates the type of file that the virus infects or the
platform on which it can run. Network Associates virus names can
include these prefixes:

A97M/     Macro virus. Infects Microsoft Access 97 files
CSC/      Corel Script virus. Infects Corel Draw scripts
HLL/      File-infector or boot-sector virus. Written in a high-level
          programming language
HTML/     Script virus. Infects HTML files
IRC/      Internet Relay Chat script virus. This virus type can use
          early versions of the mIRC client software to distribute a
          virus or payload
JS/       JavaScript virus or Trojan horse program
O2KM/     Macro virus. Infects Microsoft Office 2000 files
PP97M/    Macro virus. Infects Microsoft PowerPoint 97 files
VBS/      Script virus. Infects Visual Basic scripts
W32/      File-infector or boot-sector virus. Runs in 32-bit Windows
          environments (Windows 95, Windows 98 or Windows NT)
WIN/      File-infector virus.
          Runs in 16-bit and 32-bit Windows environments (Windows
          3.1x, Windows 95, Windows 98, or Windows NT)
W95/      File-infector or boot-sector virus. Runs in Windows 95 and
          Windows 98 environments
W97M/     Macro virus. Infects Microsoft Word 97 files
WM/       Macro virus. Infects Microsoft Word 95 files
X97F/     Macro virus. Infects Microsoft Excel 97 via Excel formulas
X97M/     Macro virus. Infects Microsoft Excel 97 files
XF/       Macro virus. Infects Microsoft Excel 95 or 97 via Excel
          formulas
XM/       Macro virus. Infects Microsoft Excel 95 files

INFIX

These designations usually appear in the middle of a virus name.
Network Associates assigns these designations, which will differ from
industry conventions.

.CMP.     Companion file. This designates a companion file that the
          virus adds to an existing executable file. Network
          Associates software deletes the companion file to prevent
          later infections
.MP.      Multi-partite virus. A Network Associates designation
.OW.      Overwritten. This identifies a file irreparably corrupted
          when a virus overwrote data within it. This file must be
          deleted.

SUFFIX

These designations usually appear as the last part of a virus name. A
virus name can have more than one suffix. One might designate a
variant, for example, while others give additional information.
Network Associates assigns many of these designations, which can
differ from industry conventions.

@MM       Mass mailing distribution. This virus might use standard
          techniques to propagate itself, but it will also, or in
          some cases primarily, use an e-mail system to spread
.A to .ZZZ
          Virus variant designation
.APP      Appended viruses. This designates a virus that appends its
          code to the file it infects, but that fails to provide for
          correct replication. Network Associates software detects
          these files in order to prevent false virus identifications
.CAV      Cavity virus. This designates a virus that copies itself
          into "cavities" (areas of all zeroes) in a program file.
.CLI      Client-side component of an Internet Trojan-horse program.
.DAM      Damaged file. This designates a file damaged or corrupted
          by an infection
.DR       Dropper file. This file introduces the virus into the host
          program
.GEN      Generic detection. Native routines in Network Associates
          software detect this virus without using specific code
          strings
.GR       Generic detection and removal. Native routines in Network
          Associates software detect and remove this virus without
          using specific code strings
.INTD     "Intended" virus. This designates a virus that has most of
          the usual virus characteristics, but cannot replicate
          correctly. Anti-virus software will detect it in order to
          prevent false identifications of active viruses
.SVR      Server-side component of an Internet Trojan-horse program.

CONTACTING NETWORK ASSOCIATES

On December 1, 1997, McAfee Associates merged with Network General
Corporation, Pretty Good Privacy, Inc., and Helix Software, Inc. to
form Network Associates, Inc. The combined Company subsequently
acquired Dr Solomon's Software, Trusted Information Systems, Magic
Solutions, and CyberMedia, Inc.

Network Associates continues to market and support the product lines
from each of the former entities. You may direct all questions,
comments, or requests concerning the software you purchased, your
registration status, or similar issues to the Network Associates
Customer Service department at the addresses or phone numbers listed
below.

Contact the Network Associates Customer Service department between
8:00 a.m. and 8:00 p.m.
Central Time, Monday through Friday, at:

Network Associates Customer Service
4099 McEwen, Suite 500
Dallas, Texas 75244

Contact information for McAfee corporate-licensed customers:

Phone:  (888) VIRUS NO or (888) 847-8766
Fax:    (972) 619-7485 (24-hour, Group III fax)
E-Mail: services_corporate_division@nai.com
Web:    http://www.nai.com

Contact information for retail licensed customers:

Phone:  (972) 308-9960
Fax:    (972) 619-7485 (24-hour, Group III fax)
E-Mail: cust_care@nai.com
Web:    http://www.mcafee.com

Send correspondence to any of the following Network Associates
locations:

Network Associates Corporate Headquarters
3965 Freedom Circle
McCandless Towers
Santa Clara, CA 95054

Network Associates offices outside the United States:

Network Associates International
Level 3, 40 Miller Street
North Sydney NSW 2060
Australia
Phone: 61-2-8425-4200
Fax:   61-2-9439-5166

Network Associates Austria
Pulvermuehlstrasse 17
Linz, Austria
Postal Code A-4040
Phone: 43-732-757-244
Fax:   43-732-757-244-20

Network Associates Belgique
BDC Heyzel Esplanade, boite 43
1020 Bruxelles
Belgique
Phone: 0032-2-478.10.29
Fax:   0032-2-478.66.21

Network Associates do Brasil
Rua Geraldo Flausino Gomez 78
Cj. - 51 Brooklin Novo - Sao Paulo
SP - 04575-060 - Brasil
Phone: (55 11) 5505 1009
Fax:   (55 11) 5505 1006

Network Associates Canada
139 Main Street, Suite 201
Unionville, Ontario
Canada L3R 2G6
Phone: (905) 479-4189
Fax:   (905) 479-4540

Network Associates People's Republic of China
Room 913, Tower B
Full Link Plaza
No. 18, Chao Yang Men Wai Avenue
Beijing, People's Republic of China 100020
Phone: 86-10-6538-3399
Fax:   86-10-6588-5601

Network Associates Denmark
Lautruphoej 1-3
2750 Ballerup
Danmark
Phone: 45 70 277 277
Fax:   45 44 209 910

NA Network Associates Oy
Mikonkatu 9, 5. krs.
00100 Helsinki
Finland
Phone: 358 9 5270 70
Fax:   358 9 5270 7100

Network Associates France S.A.
50 Rue de Londres
75008 Paris
France
Phone: 33 1 44 908 737
Fax:   33 1 45 227 554

Network Associates GmbH
Ohmstrasse 1
D-85716 Unterschleissheim
Deutschland
Phone: 49 (0)89/3707-0
Fax:   49 (0)89/3707-1199

Network Associates Hong Kong
14th Floor, Plaza 2000
2-4 Russell Street
Causeway Bay, Hong Kong
Phone: 852 2892 9500
Fax:   852 2832 9530

Network Associates Srl
Centro Direzionale Summit
Palazzo D/1
Via Brescia, 28
20063 - Cernusco sul Naviglio (MI)
ITALY
Phone: 39 02 92 65 01
Fax:   39 02 92 14 16 44

Network Associates Japan, Inc.
Shibuya Mark City West 20F
1-12-1 Dougenzaka, Shibuya-ku
Tokyo 150-0043, Japan
Phone: 81 3 5428 1100
Fax:   81 3 5428 1480

Network Associates Latin America
1200 South Pine Island Road, Suite 375
Plantation, Florida 33324
United States
Phone: (954) 452-1721
Fax:   (954) 236-8031

Network Associates de Mexico
Andres Bello No. 10, 4 Piso
4th Floor
Col. Polanco
Mexico City, Mexico D.F. 11560
Phone: (525) 282-9180
Fax:   (525) 282-9183

Network Associates International B.V.
Gatwickstraat 25
1043 GL Amsterdam
The Netherlands
Phone: 31 20 586 6100
Fax:   31 20 586 6101

Network Associates Portugal
Av. da Liberdade, 114
1269-046 Lisboa
Portugal
Phone: 351 1 340 4543
Fax:   351 1 340 4575

Net Tools Network Associates South Africa
Hawthorn House, St. Andrews Business Park
Meadowbrook Lane
Bryanston, Johannesburg
South Africa 2021
Phone: 27 11 700-8200
Fax:   27 11 706-1569

Network Associates South East Asia
78 Shenton Way #29-02
Singapore 079120
Phone: 65 222-7555
Fax:   65 222-7555

Network Associates Spain
Orense 4, 4a Planta.
Edificio Trieste
28020 Madrid
Spain
Phone: 34 9141 88 500
Fax:   34 9155 61 404

Network Associates Sweden
Datavagen 3A
Box 596
S-175 26 Jarfalla
Sweden
Phone: 46 (0) 8 580 88 400
Fax:   46 (0) 8 580 88 405

Network Associates AG
Baeulerwisenstrasse 3
8152 Glattbrugg
Switzerland
Phone: 0041 1 808 99 66
Fax:   0041 1 808 99 77

Network Associates Taiwan
Suite 6, 11F
No. 188, Sec. 5
Nan King E. Rd.
Taipei, Taiwan, Republic of China
Phone: 886-2-27-474-8800
Fax:   886-2-27-635-5864

Network Associates International Ltd.
227 Bath Road
Slough, Berkshire
SL1 5PP
United Kingdom
Phone: 44 (0)1753 217 500
Fax:   44 (0)1753 217 520

Or, you can receive online assistance through any of the following
resources:

1. Internet E-mail: techsupport@mcafee.com
2. Internet FTP: ftp://ftp.nai.com
3. World Wide Web:
   http://www.nai.com/asp_set/support/technical/intro.asp
4. America Online: keyword MCAFEE
5. CompuServe: GO NAI

To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computer and your software. Please have this information ready when
you call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system version number
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and bits-per-second rate, where
  applicable
- Relevant browsers or applications and their version numbers, where
  applicable
- How to reproduce your problem: when it occurs, whether you can
  reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or e-mail

DOWNLOAD SUPPORT

To get help with navigating or downloading files from the Network
Associates website or FTP site, call:

Corporate customers  (801) 492-2650
Retail customers     (801) 492-2600

FOR PRODUCT UPGRADES

Network Associates has a worldwide range of partnerships and reseller
relationships with hundreds of independent vendors, each of which can
provide you with consulting services, sales advice, and product
support for Network Associates software. To find a reseller near your
location, see the RESELLER.TXT file located on your product CD-ROM or
installed on your hard disk. For assistance in locating a local
reseller, you can also contact Network Associates Customer Service.

FOR REPORTING PROBLEMS

Network Associates prides itself on delivering a high-quality
product. If you find any problems, please take a moment to review the
contents of this file. If the problem you've encountered appears in
the Known Issues section of this README.TXT file, Network Associates
is already aware of the problem, and you need not report it.

If you find any feature that does not appear to function properly on
your system, or if you believe an application would benefit greatly
from enhancement, please contact Network Associates or one of its
resellers with your suggestions or concerns.

FOR ON-SITE TRAINING INFORMATION

Contact Network Associates Customer Service at (800) 338-8754.

NETWORK ASSOCIATES BETA SITE

To test pre-release software and obtain update files, including virus
definition (.DAT) files, visit the Network Associates beta site at
http://beta.nai.com. You will have access to Public Beta and External
Test Areas. Your feedback will make a difference.

AVERT ANTI-VIRUS RESEARCH SITE

To see the latest information about emerging virus threats, submit
samples of potentially infected files, and download updated scanning
engine files, EXTRA.DAT files, and similar anti-virus software for
testing, visit these web sites:

    http://www.avertlabs.com
    http://vil.nai.com
    http://www.mcafeeb2b.com/naicommon/avert

Network Associates also seeks and appreciates general feedback.

COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright 1999-2001 Networks Associates Technology, Inc. All Rights
Reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission
of Networks Associates Technology, Inc., or its suppliers or
affiliate companies.

TRADEMARKS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink,
Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data
Security Letter, Discover, Distributed Sniffer System, Dr Solomon's,
Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT,
GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru,
LeadingHelp Desk Technology, Magic Solutions, MagicSpy, MagicTree,
Magic University, MagicWin, MagicWord, McAfee, McAfee Associates,
MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto,
NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net
Tools, Network Associates, Network General, Network Uptime!, NetXRay,
Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy),
PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport,
RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router
PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager,
ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker,
Statistical Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network
Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted
Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum,
ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer,
WebStalker, WebWall, and ZAC 2000 are registered trademarks of
Network Associates and/or its affiliates in the US and/or other
countries. All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE
THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE
LICENSE.TXT, README.1ST, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES
YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE
PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN,
DO NOT INSTALL THE SOFTWARE.
IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE
FOR A FULL REFUND.
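
The naming convention described under UNDERSTANDING VIRUS NAMES, as a small parser for triaging detection names in scan logs. This Python is an added example, not part of the original release notes or of Virex; the VirusName class, the function names and the W32/EXAMPLE.CMP.B@MM sample are constructed for illustration, and giving reserved designations such as .GEN or .DR precedence over the variant-letter reading is an assumption of this sketch.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tables transcribed from the PREFIX, INFIX and SUFFIX lists in these notes.
PREFIXES = {
    "A97M": "Access 97 macro", "CSC": "Corel Script", "HLL": "high-level language",
    "HTML": "HTML script", "IRC": "IRC script", "JS": "JavaScript",
    "O2KM": "Office 2000 macro", "PP97M": "PowerPoint 97 macro",
    "VBS": "Visual Basic script", "W32": "32-bit Windows",
    "WIN": "16/32-bit Windows", "W95": "Windows 95/98", "W97M": "Word 97 macro",
    "WM": "Word 95 macro", "X97F": "Excel 97 formula", "X97M": "Excel 97 macro",
    "XF": "Excel 95/97 formula", "XM": "Excel 95 macro",
}
INFIXES = {"CMP": "companion file", "MP": "multi-partite", "OW": "overwritten"}
SUFFIXES = {
    "APP": "appended", "CAV": "cavity", "CLI": "Trojan client side",
    "DAM": "damaged file", "DR": "dropper", "GEN": "generic detection",
    "GR": "generic detection and removal", "INTD": "intended",
    "SVR": "Trojan server side",
}
VARIANT_RE = re.compile(r"[A-Z]{1,3}")  # variant designations .A to .ZZZ


def variant_index(letters: str) -> int:
    """Ordinal of a variant in the order .A ... .Z, .AA ... .ZZ, .AAA (A = 1)."""
    letters = letters.upper()
    if not VARIANT_RE.fullmatch(letters):
        raise ValueError(f"not a variant designation: {letters!r}")
    n = 0
    for ch in letters:  # bijective base 26: there is no zero digit
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


@dataclass
class VirusName:  # hypothetical container, not a Virex structure
    raw: str
    prefix: Optional[str] = None
    family: str = ""
    variant: Optional[str] = None
    infixes: List[str] = field(default_factory=list)
    suffixes: List[str] = field(default_factory=list)
    mass_mailer: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_virus_name(raw: str) -> VirusName:
    name = raw.strip()
    out = VirusName(raw=raw)
    head, slash, rest = name.partition("/")
    if slash and head.upper() in PREFIXES:
        out.prefix, name = head.upper(), rest
    if name.upper().endswith("@MM"):  # @MM has no leading dot
        out.mass_mailer, name = True, name[:-3]
    out.family, *tokens = name.split(".")
    for tok in (t.upper() for t in tokens if t):
        # Reserved designations win: .GEN, .DR, .MP and others are also
        # syntactically valid variant letters, so check the tables first.
        if tok in INFIXES:
            out.infixes.append(tok)
        elif tok in SUFFIXES:
            out.suffixes.append(tok)
        elif out.variant is None and VARIANT_RE.fullmatch(tok):
            out.variant = tok
        else:
            out.unknown.append(tok)
    return out


# Names from this update's list, plus one constructed name (the last).
# W97M/BOLUC.BAT parses with variant "BAT": the tables alone cannot tell
# whether that token is a variant or something else.
SAMPLES = ["SubSeven (Mac Trojan)", "W97M/BOLUC.BAT", "W97M/BOLUC@MM",
           "W97M/CHACK.CG.DAM", "W97M/LILI.GEN", "WM/UCK",
           "W32/EXAMPLE.CMP.B@MM"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_virus_name(sample))
```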