Errata for VirusScan Version 2.2.6 (9509) Copyright 1994, 1995 by McAfee, Inc. All Rights Reserved. These release notes cover what is new in VirusScan 2.2.6 and the August DAT release (9509) of VirusScan for DOS, VirusScan for Windows, VirusScan for OS/2 and VShield. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! NOTE: OS/2 users. IF YOUR OS/2 SYSTEM IS CONNECTED TO OS/2 ! ! LANMANAGER, DO NOT RUN OS/2 SCAN FROM STARTUP.CMD. DOING SO ! ! COULD RESULT IN LOST DESKTOP OR OTHER UNDESIRABLE RESULTS. ! ! ! ! McAfee is working with IBM and with several large ! ! organizations, which rely heavily on OS/2, to alleviate the ! ! corruption problem. ! ! ! ! The temporary solution is to put VirusScan in a start up ! ! group. Not in the log in script or in the start up command ! ! file. ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Note for NT users: You must add the following line in your DEFAULT.CFG and PROFILE1.PRF file (or any other profile you have chosen to use), residing in the same directory as WSCAN.EXE. /NODDA If you are not familiar with profiles, please refer to VIRUSCAN.TXT or your printed manual. ----------------------------------------------------- 2.2.6 New Functionality: The new VSHIELD.EXE is required for VSHIELD to make use of these new detection strings (DAT files). /ALL Now understands the data format of a Microsoft Word (tm) document file format in order to search for the new breed of Word Macro viruses. For example: SCAN C: /ALL /REPORT scan.rpt ------------------------------------------------------ Detectors added or updated in the 9509 DAT file (149): _383 _383 GENERATION 1 571 _1315 2014 4SEASONS ADIN.3026 ALAMEDA.DR.B ALFA.3072 ARARA.1054 ASH.280.B ASSASSIN.952 BACKFORM.2329 (2345) BACKFORM.2365 (2381) BCV BEACHES BELORUSSIA BENGAL.863 (EXE) BIOSPASS BOB.448.B BOOTKILL BYE CANNIBAL CASINO.2330 CCC_381 CECE CENTENARY CHCC.2662 CHEMIST.265 CIVIL_IV.594 CLI&HLT.1345 CLOUDS.588 CLOUDS.657 CLOUDS.718 CREPATE CYBERTECH.503 DAME.LAME.2326 DARK_APOCALYPSE.1020 DARK_AVENGER.G DEI.1526 GENERATION-1 DIABLO DIAMOND.DAVID DREAMER.4808 DRUID.311 DSU.1414 DUAL_GTM.1528 ESPEJO.A ESPEJO.C ESTO TE PASA EXEBUG.A FAILLURE FAXFREE.BLINKER FEEBLEMIND FRED-657 FF_CHAR.1000 FRED-657 GAMBLER.288 GARDEN GREEN HATES.212 HLLO.CVIR.2 HS.903 HS.982 ICELANDIC.2706 (EXE) ISTANBUL.1349 IVP 365 IVP.683 JERUSALEM.MOCTEZUMA JESTER.1258 KEYPRESS.BBS.1258 LEPROSY.LUBEC LITTLE.GIRL.1008 MARAWI.2828 MASSACRE MING.359 MIRROR.2 MURTI.577 N-XERAM NATAS.G (MBR) NARCOSIS NEUROQUILA.A (MBR) NEUROQUILA.B (MBR) NEUROQUILA.VARIENT (MBR) NIGHT_KNIGHT NR.300 OVERRIDE PARITY.BOOT.ENC PARITY.BOOT.UNE PEANUT.443 PEANUT.453 PIA PJ.VARIES PLAYGAME.A POSSESSED.2443 PS-MPC.MOM.974 PS-MPC.TRAIN.646 PURE.441.B PURE.441.CAV RADISH.8466 RETRIBUTION RIOT.MULTIPLEX.815 RMNS.456 RMNS.651 RMNS.736 RMNS.736.B RMNS.MAN RMNS.WOMAN RUSSIAN_FLAG.A SANDY SAROV.1140 SATURDAY_14TH_2 SCREAMING_FIST.927 (MBR) SHUTDOWN.698 SIGN.615 SILLYC.126 SLOFTXC SLUKNOV SPLIT SECOND 1033 SPLIT SECOND 1035 STRANGER TALON TELECO.1000 THIEF TINY_SHARK TPE-GEN TRIVIAL.24 TRIVIAL.25.B TRIVIAL.31.C TRIVIAL.54 TRIVIAL.346 TRIVIAL.B&B VCL.2 VCL.FIRE.206 VIENNA.648.LISBON.H VIENNA.REBOOT VLAMIX.1 VODKA.560 VOLGA.A VOLGA.B VOLGA.C VS.985 VVM.204 VVM.207 VVMA.205 WEFLOW.93 WINWORD.CONCEPT (see below) WORDMACRO.DMV (see below) XEP.1355 XINIX.CHAOS Winword.Concept (alias Prank Macro, WordMacro.Concept, WW6Macro) The new virus, Winword.Concept, representing a new class of viruses, has been discovered! This virus is a Macro virus. It infects the Word environment on any hardware platform (PC Compatible, Mac, PowerPC, etc.) and its .DOC and .DOT files. Winword.Concept is a benign virus. Your only symptom if you have this virus is a one time occurance of a dialog box with only "1" as text and only "OK" as a choice. Following that, it replicates a set of macros into your global template file (usually NORMAL.DOT) and changes any file saved using the "Save As..." command to be of the template type. VirusScan 2.2.6 can be used to scan your .DOC and .DOT files. You must use the /ALL switch as described above. If you discover that you have this virus, please enter into Word and read the .DOC file included in this package. Follow the instructions and apply them to every .DOC or .DOT file which VirusScan detects as being infected with the WinWord.Concept virus. If you determine that you are not infected, please take this opportunity to protect yourself from this form of viruses. In Word, go to: Tools Options... Save and enable the "Prompt to Save Normal.dot" option. This will alert you to any future attempt by any macro viruses to infect your system. WordMacro.DMV This one was published shortly after the outbreak of WinWord.Concept. It is not as widespread as WinWord.Concept. ---------------------------------------------------- Removers added or updated in the 9509 DAT file (74): _1315 ALFA.3072 ALFA.3072 (MBR) BONES BW.MAYBERRY.ANDY.609 BYE CAZ.722 DESPERADO.C DIABLO DUAL_GTM.1528 ESPEJO.B ESPEJO.C EXEBUG.A FAILLURE HATES.212 ICELANDIC.2706 (EXE) ISTANBUL.1349 IVP.683 JERUSALEM.1808.NEW8 (COM) JERUSALEM.1808.NEW8 (EXE) JERUSALEM.1808.NEW8.A JERUSALEM.CVEX3.5120.A/C JUNE_12TH.2660 LITTLE.GIRL.1008 MANZON MARAWI.2828 MPS-OPC2.682 N-XERAM NEUROQUILA.A (MBR) NEUROQUILA.B (MBR) PARITY.BOOT.ENC PARITY.BOOT.UNE PEANUT.443 PEANUT.453 PS-MPC.331.A PS-MPC.478 PS-MPC.569.D PS-MPC.644 PS-MPC.644_ PS-MPC.ANARCHIST.524 PS-MPC.G2.585 PS-MPC.G2.MUDSHARK.314 PS-MPC.G2.MUDSHARK.314 (DROPPER) PS-MPC.GREETINGS.1118 PS-MPC.KERSPLAT.670 PS-MPC.MAYBERRY.OPY.409 PS-MPC.MOM.974 PS-MPC.NAPOLEAN.729 PS-MPC.POWERMAN.717 PS-MPC.SAMH.441 PS-MPC.SCHRUNCH.458 PS-MPC.SKELETON.596.B/601 PS-MPC.SOUL.517 PS-MPC.SWANSONG.1508 PS-MPC.TOYS.773 PS-MPC.TRAIN.646 PS-MPC.TREX PS-MPC.WALT.311 PS-MPC.WAREZ.1803 PUPPET RUSSIAN_FLAG.A SAROV.1140 SAROV.1200A SAROV.1200B SATANBUG SATANBUG.9849 SATANBUG.A SCREAMING_FIST.927 (MBR) SLOFTXC TEKRAR.VAZGEC.561 TRACEBACK.2930.B TRACEBACK.3066.A TRACEBACK.3066.B VIENNA.648.LISBON.H ----------------------- False Alarms fixed: KILROY HLLC.4875.A ---------------------------------------------------- Top active viruses other than those presented above: AntiCmos (alias: Lixi) Byway (alias: Dir2.Byway) (*) Da'Boys (**) Junkie MonkeyA MonkeyB Natas NYB (alias: B1) Ripper Sampo V-Sign (alias: Cansu) WelcomB (alias: BuptBoot) Winword.Concept (*) Effective 9508, we adopted the CARO name of Byway. To remove this virus, boot up with the virus in memory. Copy all executable files to floppy, with a non-executable extension. Copy all the data files off. Format harddisk. Replace files. (**) To remove Da'Boys from a hard disk infection, one needs to boot from a clean corresponding DOS version and execute the command "SYS C:".