Instructions for loading virus definitions, using Norton AntiVirus
2.0, Norton Desktop for DOS 1.0 or Norton Desktop for Windows 2.0:

1)   Run Virus Clinic by typing NAV at the DOS prompt, choosing Norton
AntiVirus from the Tools menu of the Norton Desktop for DOS or
Windows, or by double-clicking on the Norton AntiVirus Windows icon in
the Norton AntiVirus group window.

2)   If you are in DOS, press <Enter> to accept the Welcome screen.

3)   Select "Cancel," or press <Esc> to bypass the "Scan Drives"
screen.

4)   Select the "Definitions" menu.

5)   Select "Load from File..."

6)   If the name of the drive and directory to which you loaded the
definition file does not appear on the "Directory:" line, change to
the proper drive and directory name and press <Enter>.  The name of
the definition file should appear in the "Files" window.

7)   Select the definition file, select "OK," and press <Enter>.

8)   After the definitions have loaded, press <Enter> to exit from the
"Load Definition File Results" screen.

9)   Select "Exit" from the "Scan" menu.

10)  Reboot your computer to activate the new definitions.


Wolf Trojan
This program was presented as a version of the WolfCheat program.  Instead,
running the program will scramble the FAT and destroy the integrity of the
hard disk.

Groove memory detection
Pogue memory detection
The October update includes memory detection signatures for Groove and Pogue.
These are two of the first viruses to use the Mutation Engine.  As such, you
must use NAV 2.1 to detect infected files on disk.  However, with the memory
detection signatures in place, you will be notified if you have a problem.
Infected files cannot be repaired.

Groove is a memory resident infector of COM and EXE files.  Infections occur
when a program is executed (DOS Interrupt 21, function 4B).  Infections to EXE
files are based on whether an MZ or ZM is present in the first two bytes.
Otherwise, a file is infected assuming it is a COM file.  No check of the
actual extension is ever made.

Groove tries to determine if it is memory resident by issuing FBA0 to INT 21
and checking the return value.  This may conflict with certain configurations
as function FB is reserved by Microsoft for OEM use.  Apart from this conflict,
the Groove virus is poorly written and will likely cause all infected programs
to crash.  Thus the capability of spread is not great as you will be alarmed by
the fact that many programs will no longer function.

Groove reserves approximately 5K out of DOS' memory.  Groove is unique in its
intent.  It is the first virus to have been designed to attack anti-virus
software.  Code present in the virus will delete the following files, whether
they are set as read-only or not:
	C:\NAV_._NO
	C:\NOVIRCVR.CTS
	C:\NOVIPERF.DAT
	C:\CPAV\CHKLIST.CPS
	C:\TOOLKIT\FILES.LST
	C:\UNTOUCH\UT.UT1
	C:\UNTOUCH\UT.UT2
	C:\VS.VS

Based on the existence of a real-time clock, which most PCs have, the
following message will be displayed at about 12:30am:

	This Virus is NOT dedicated to Sara
	its dedicated to her Groove (...Thats my name)
	This Virus is only a test Virus therefor
	be ready for my   Next	Test ..

Without the real-time clock, the message is displayed upon each new infection.

Pogue infects files on execute and close.  Pogue will not function properly on
Novell networks as it uses Novell's INT 21 function DA to look for itself in
memory.  It requires that the system be of DOS version 3 or greater, supposedly
to fool some anti-virus programs into thinking the program is a natural file.
The Pogue virus does not seem to contain system destructive code.  However, on
May 1 all day, or each day before 7am, the system will generate noises from the
speaker.

PSQR-1364 (aka MUMMY21)
PSQR-1364 is an infector of EXE files, or more specifically, anything with MZ
in its header which would include Windows files and overlays.  Corrupted
Windows files will no longer function from Windows.  Based on counting down
an internal counter, the virus will wipe out the current logical drive, which
for most people will be their C drive.  This definition is an enhancement of an
earlier definition and can now detect more strains.
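
Added example (not part of the original Norton documentation): Groove and
PSQR-1364 both pick targets by header signature rather than file extension, so
a scan list built from extensions alone leaves gaps.  The Python sketch below
applies the header rule described for Groove to a directory and reports files
whose extension and header disagree; the SCAN_EXTS list, the function names and
the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

EXE_MAGICS = (b"MZ", b"ZM")         # the two signatures named in the text
SCAN_EXTS = {".COM", ".EXE"}        # assumption: an extension-only scan list

def header_type(first_bytes: bytes) -> str:
    """MZ or ZM in the first two bytes means EXE; anything else is treated as COM."""
    return "EXE" if first_bytes[:2] in EXE_MAGICS else "COM"

def triage(root: str):
    """Return sorted (name, reason) pairs where extension and header disagree."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as fh:
                kind = header_type(fh.read(2))
            ext = os.path.splitext(name)[1].upper()
            if kind == "EXE" and ext not in SCAN_EXTS:
                findings.append((name, "EXE header, missed by extension scan"))
            elif kind == "EXE" and ext == ".COM":
                findings.append((name, "named COM, loads as EXE"))
            elif kind == "COM" and ext == ".EXE":
                findings.append((name, "named EXE, no MZ/ZM header"))
    return sorted(findings)

def build_sample(root: str) -> None:
    """Write constructed sample files (headers only, no real programs)."""
    samples = {
        "GAME.EXE": b"MZ" + bytes(30),      # normal EXE
        "EDIT.COM": b"\xe9\x10\x00\x90",    # normal COM (starts with a JMP)
        "TOOL.COM": b"MZ" + bytes(30),      # EXE image under a COM name
        "MAIN.OVL": b"MZ" + bytes(30),      # overlay with an EXE header
        "LIB.DLL": b"ZM" + bytes(30),       # alternate signature
        "STUB.EXE": b"\xb4\x4c\xcd\x21",    # EXE name, COM-style content
        "README.TXT": b"plain text\r\n",    # not executable, not flagged
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reason in triage(tmp):
            print(f"{name:12} {reason}")
```

Files reported as "missed by extension scan" are the overlays and Windows files
the PSQR-1364 description mentions; they belong in the scan set.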

Como Lake
Como Lake is a non-resident infector of EXE files.  Infected files grow by
roughly 2020 bytes.  It appears not to have any nasty intentions except
to spread.  Although a repair is provided, the repair may not always function
correctly.

855 (aka November 17th)
855 is a memory resident infector of COM and EXE files.  Once memory resident,
all subsequent executions of programs will infect the executed program.  The
name of this virus represents the expected file growth.  On November 17th,
the virus is expected to wipe out the hard disk.

Demolition
Demolition is a memory resident infector of COM files.  Once memory resident,
all subsequent executions of COM programs will infect the executed program.
Programs will grow in size by around 1600 (1585) bytes per infection.  As the
virus does not verify if it has already infected that file, files will be
continually infected.  A repair is provided but repairs are only possible if
the virus is detected early enough.  Following 30 or more levels of infection,
the original program is beyond repair, at which time you may see the following
message:

	Sorry, this file was destroyed by DEMOLITION!
	from THE YODAS CREW Italy

Stoned (Whit)
This is yet another form of the Stoned boot sector infectors.  Whit intercepts
INT 13 (disk/diskette I/O) and on each call to INT 13, will check the system
timer.  At random times, an intercepted command to read the disk or diskette
will result in a single byte being XOR'ed before the buffer is returned to the
system, yielding unpredictable or inconsequential results.  This virus steals
2K of conventional RAM.

Geek
Geek is a resident infector of EXE and COM files of approximately 450 bytes.
Files are infected on execution.  The virus loads itself into the interrupt
vector table and thus may be incompatible with certain hardware and software
combinations.  By doing so, it may also seem to you that all the upper set of
interrupts have changed.  If an infected file is executed on the 29th of any
month, a random sector of data will be overwritten.

PS-MPC.644
PS-MPC.644 is the first virus to be seen that obviously comes from a virus
creation package known as PS-MPC.  This is a self-encrypting virus which
infects EXEs and COMs when an infected file is run.  The encryption key
will change with each iteration.  If no files can be infected in the present
directory, it will attempt to change directories to the parent directory.
However, COMMAND.COM will be avoided.  The read-only attribute has no effect.
Files grow by 644 bytes, hence its name.  If the day of the week is Friday,
the first three sectors of the hard disk are overwritten with garbage.

Flip
Flip is a family of viruses which have evolved through the ages.  It is a
member of the class known as multipartite viruses (more than one part).
Infected COM and EXE files can infect boot sectors and partition tables and
vice versa.  Earlier versions were poorly written and could not spread, but
newer versions have no such problem.  Versions have also been found that are
encrypted and can hide the infected file size from the user.

Multipartite viruses are generally all memory resident and this one is no
exception.  Different strains place themselves in high or low memory and
reserve approximately 2.8k.  Between 16:00 and 16:59, the display will flip
upside down on EGA/VGA monitors.

VirDem
This is a family of 3 known viruses which infect COM files.  These viruses
are prepending and have the side effect that if the uninfected file size is
smaller than the virus, the infected file size becomes double the size of the
virus.  Other files will increase by the size of the variant, listed below.
When infected files are executed, the program forces the user to guess a
number, the variant number.  If the user guesses correctly, the program runs
correctly, otherwise it will terminate.

It can infect read-only/hidden/etc files.  The file timestamp on infected
files will not change.  The earliest version looked on the A: drive for COM
files to infect, always skipping the first file in the directory.  In all
variants, one file will be infected per execution.

	First variant
	The first variant is what was just referred to above as "the earliest
	version."

	Variant 792
	This variant will start looking for files to infect in the current
	directory.  It will then change to the root directory and start
	traversing the directory structure looking for files to infect.  If
	the year is 1988 or before OR the month is Jan or Feb, this variant
	will execute the host normally after infecting another program.  If
	the date does not fit the above description (now, any time MAR to DEC),
	the first 2 sectors of C: will be overwritten with garbage.

	Variant 1542
	This variant starts looking for files in the root directory right away.
	It will also traverse the whole directory tree.  When it finds a file,
	it checks the date.  If it's the 31st of the month, the program will
	not run and the virus just exits to DOS.  Otherwise, another file will
	be infected and the program will run normally.

834
The 834 virus is a memory resident infector of COM files, though it avoids
COMMAND.COM.  When an infected file is executed, the first three bytes of the
boot sector will be overwritten.  This will result in future boot up failures.
Files grow by 834 bytes and 1.9K of memory is taken for the memory resident
part of this virus.
