Release Notes for McAfee 4181 DAT Files
Copyright (c) 1992-2002 Networks Associates Technology, Inc.
All Rights Reserved

===============================================
Product Release: January 16, 2002

- DAT Version: 4181
- Engine Version: 4160
===============================================

Thank you for using our products. This file contains important information about the current data (.DAT) files. We strongly recommend that you read the entire document.

We welcome your comments and suggestions.

_______________________________________________
WHAT'S IN THIS FILE?

- What are .DAT files?
- What is the 4181XDAT.EXE File?
- Which file to use
  - When to use the 4181XDAT.EXE Utility
  - When to use DAT-4181.ZIP or DAT-4181.TAR
- Installation
  - Preparing to install .DAT files
  - Using 4181XDAT.EXE to update .DAT Files
  - Using DAT-4181.ZIP or DAT-4181.TAR to update VirusScan Command Line and VirusScan for UNIX Software
  - Using DAT-4181.ZIP to update other products
    - VirusScan 4.5 Anti-virus Software for Windows 95, Windows 98, Windows NT Workstation 4.0, and Windows 2000 Professional
    - VirusScan 4.0.3 Anti-virus Software for Windows 95 and Windows 98
    - VirusScan 4.0.3 Anti-Virus Software for Windows NT and Netshield 4.0.3 Anti-virus Software for Windows NT
    - Netshield Anti-Virus Software for Novell Netware
    - Groupshield Notes Anti-Virus Software
  - Primary program files for Virus Definitions
  - Testing your installation
- New Viruses Detected and Removed
  - New Detections
  - New Removals
  - INTERNET.DAT Detections
  - New Extensions
- Understanding Virus Names
  - Prefix
  - Infix
  - Suffix
  - Generic Detections
- Documentation
- Contacting Network Associates
- Copyright and Trademark Attributions
  - Trademarks
  - License Agreement

_______________________________________________
IMPORTANT NOTES

- We no longer provide the weekly 40XXUPDT.EXE utility for .DAT-only updates. Instead, we now provide 4181XDAT.EXE, an update utility for the same purpose.
4181XDAT.EXE uses the same technology that the weekly SuperDAT utility uses. This change does NOT affect the release and distribution of regular SuperDAT packages in any way. You may use 4181XDAT.EXE to update all supported version 4.0.3 and later anti-virus product releases, including version 4.5.x releases. As with the current SuperDAT package, 4181XDAT.EXE does NOT support GroupShield Notes version 4.x or NetShield for Novell NetWare versions, nor any version of Dr Solomon Anti-Virus Toolkit software. The package DOES support GroupShield Domino v5.0 software, however. - The 4181 .DAT files are compatible with McAfee anti-virus products that use any 4.0.70 (or higher) scan engine version. This does NOT include VirusScan 4.0.0 anti-virus software, which uses a v3.2.2 scanning engine. These .DAT files will NOT work with version 3.x or version 2.x scan engines. We recommend that you upgrade to the latest version of the version 4.x.xx engine for optimal virus detection and repair. _______________________________________________ WHAT ARE .DAT FILES? Virus definition, or .DAT, files contain up-to-date virus signatures and other information that McAfee anti-virus products use to protect your computer against the thousands of computer viruses in circulation. McAfee releases new .DAT files regularly to provide protection against the hundreds of new viruses that appear each month. To ensure that your anti-virus software can protect your system or network against the latest virus threats, download and install the latest .DAT files. _______________________________________________ WHAT IS THE 4181XDAT.EXE FILE? This package installs updated .DAT files for your McAfee anti-virus products. It uses SuperDAT technology to shut down any active scan operations, services, or other memory-resident software components that might interfere with your updates. It then copies the new files to their proper locations and enables your software to use them immediately. 
It differs from a regular SuperDAT package in that it updates ONLY your .DAT files, which means you can download this package if you already have a current scan engine and want to save time and bandwidth. NOTE: The 4181XDAT.EXE utility platform and product support is the same as that for the SuperDAT utility. To learn more, see the SuperDAT package README.TXT file. _______________________________________________ WHICH FILE TO USE WHEN TO USE THE 4181XDAT.EXE UTILITY We provide the 4181XDAT.EXE utility to make .DAT file updating quick and simple. The utility uses SuperDAT technology, but does not update the scan engine for your anti-virus software. Use the utility when your scan engine is current and you want to download a smaller SuperDAT upgrade and update package. The 4181XDAT.EXE utility is compatible with most McAfee version 4.x anti-virus products, including most version 4.5 product versions. The utility does NOT support the following: - McAfee product versions that incorporate an engine version earlier than 4.x. This includes all v3.x products, all v2.x products, and the retail version of VirusScan 4.0.0 anti-virus software for Windows 95 and Windows 98. - McAfee VirusScan 4.0.2 and Netshield NT 4.0.2. - Any Dr Solomon Anti-Virus Toolkit product. - NetShield anti-virus software for NetWare - GroupShield anti-virus software for Lotus Notes. - VirusScan for UNIX Software WHEN TO USE DAT-4181.ZIP OR DAT-4181.TAR The DAT-4181.ZIP and dat-4181.tar packages allow you to update the .DAT files for any supported McAfee version 4.x anti-virus product. The difference between these files and the other, executable, files is that you must stop any scan operations or scan services and unload any Terminate-and-Stay-Resident (TSR) programs from your computer's memory yourself. You must then copy the new files to your anti-virus software's program directory, then restart the services or background scanning software your application uses. 
Alternatively, if your anti-virus software has an AutoUpdate feature, you can configure it to download and install one of these packages. Version 4.5-series anti-virus packages can also use incremental .DAT file updating. To learn more about incremental .DAT files, consult your product documentation. These McAfee products require you to use the DAT-4181.ZIP or the DAT-4181.TAR files to update your .DAT files: - VirusScan for UNIX - GroupShield for Lotus Notes - WebShieldX Proxy To learn how to use these utilities, see the "Installation" section later in this file. _______________________________________________ INSTALLATION PREPARING TO INSTALL .DAT FILES McAfee stores .DAT file updates on its web site in a compressed format to reduce transmission time, and makes the updates available in three formats: as an executable file that includes a setup feature; as a .ZIP or tar archive that you can extract and install yourself to update some, though not all, McAfee anti-virus software; and as part of a SuperDAT executable package that often includes scan engine and other program component upgrades. Your options are: - 4181XDAT.EXE. Download this package to update the .DAT files in most McAfee anti-virus software. Visit the Network Associates web site at: http://www.nai.com/asp_set/download/dats/mcafee_4x.asp - DAT-4181.ZIP and dat-4181.tar. Download either of these packages specifically to update the VirusScan for UNIX application, the GroupShield Notes applications, or the NetShield NetWare application. You can also use this file to update the .DAT files for any other McAfee anti-virus software, if you wish. Visit the Network Associates web site at: http://www.nai.com/asp_set/download/dats/mcafee_4x.asp - SDAT4181.EXE. Download the SuperDAT executable package to update a range of McAfee anti-virus software. See the README.TXT file for the SuperDAT utility for a complete list of supported products. 
The SuperDAT package also includes scan engine upgrades and upgrades to other program components. Visit the Network Associates web site at: http://www.nai.com/asp_set/download/dats/superdat.asp NOTE: This file does NOT discuss how to use the SuperDAT package to update and upgrade your anti-virus software. To learn about the SuperDAT executable package, see the README.TXT file posted with the SuperDAT package. USING 4181XDAT.EXE TO UPDATE .DAT FILES To install new .DAT file updates quickly and easily, first create a temporary directory on your hard disk, then copy the 4181XDAT.EXE utility to that directory. Next, locate the file you downloaded, then double-click it to start the update. Follow the wizard panel instructions that appear to update your .DAT files. The utility will unload McAfee memory-resident software or stop Windows NT services that use your current .DAT files before it copies updated .DAT files to the appropriate program directories. It will then restart the software components needed to continue scan operations with your updated .DAT files. WARNING: Do NOT attempt to install 4181XDAT.EXE on Digital Alpha computers. We no longer support the Alpha platform. When 4181XDAT.EXE has finished updating your .DAT files, you may delete the archive file you downloaded from your hard disk, unless you want to keep a copy available for further updates. USING DAT-4181.ZIP OR DAT-4181.TAR TO UPDATE VIRUSSCAN COMMAND LINE AND VIRUSSCAN FOR UNIX SOFTWARE Some McAfee anti-virus products, such as NetShield for Novell NetWare, cannot use the executable version of the .DAT file update. Instead, you must copy .DAT file updates directly to the product directory. To do so, follow these steps: 1. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP or tar archive that you downloaded to that directory. 2. Unload the VShield TSR software from memory, if your anti-virus software has a VShield version and you have it running. 
   To do so, type VSHIELD /REMOVE at the command-line prompt. This step is not necessary if you have not started the VShield scanner or if your anti-virus software does not include a background or on-access scanner.

3. Back up or rename the existing .DAT files stored in the program directory for your anti-virus software. See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list.

4. Use WinZip, PKUnzip, or a similar utility to open the .ZIP archive and extract the updated .DAT files. You can save the extracted files directly to the program directory for your anti-virus software. Allow the updated files to overwrite the existing .DAT files.

   To extract .DAT files stored in a tar archive, use a compression utility that can read and extract tar files, or follow these steps from a UNIX command prompt:

   1. Change to the directory into which you want to extract the new .DAT files. This could mean the program directory for your anti-virus software, or a temporary directory from which you intend to copy the new files.

   2. Type this command at the command prompt:

      tar xf <path>/dat-4181.tar

      Here, <path> is the path to the tar file you downloaded. The tar utility will extract the .DAT files into your current working directory.

   NOTE: The syntax for the tar command might vary in different UNIX versions. Consult your manual pages or other product documentation for more details.

5. Copy the new .DAT files to the program directory for the software you want to update. Allow the new files to replace the existing files.

6. Restart the VShield TSR, if your anti-virus software includes a VShield component, to enable background or on-access scanning. To do so, type VSHIELD, followed by the scanning options you want to use, at the command-line prompt.

NOTE: When you have finished using DAT-4181.ZIP to update your .DAT files, you may delete it from your hard disk, unless you want to keep a copy available for further updates.
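
The UNIX tar procedure above, written as a script. This is an added example, not part of the original release notes or of any McAfee tooling: it extracts into a staging directory, checks that the archive holds the four files named under "Primary Program Files for Virus Definitions", backs up the current .DAT files, and only then copies the new ones in. The function name update_dats, the backup directory layout, and case-insensitive file-name matching are assumptions.

```shell
#!/bin/sh
# Added example: manual .DAT update from a tar archive on UNIX.
# Assumptions, not taken from the release notes: the function name, the
# backup directory layout, and case-insensitive matching of file names.

# The four files the release notes list as the .DAT file set.
REQUIRED_DATS="SCAN.DAT NAMES.DAT CLEAN.DAT INTERNET.DAT"

# Set by update_dats to the directory holding the previous .DAT files.
DAT_BACKUP_DIR=""

# update_dats TARFILE PROGDIR
# Returns 0 on success. If validation of the archive fails, nothing in
# PROGDIR is changed.
update_dats() {
    tarfile=$1
    progdir=$2
    [ -f "$tarfile" ] || { echo "no such archive: $tarfile" >&2; return 1; }
    [ -d "$progdir" ] || { echo "no such directory: $progdir" >&2; return 1; }

    # Make the archive path absolute, because extraction changes directory.
    case $tarfile in
        /*) ;;
        *) tarfile=$PWD/$tarfile ;;
    esac

    # Refuse archives whose members would land outside the staging
    # directory (absolute paths or ".." components).
    if tar tf "$tarfile" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive has unsafe member paths: $tarfile" >&2
        return 1
    fi

    # Extract into a private staging directory, not the program directory.
    stage=$(mktemp -d) || return 1
    if ! (cd "$stage" && tar xf "$tarfile"); then
        echo "extraction failed: $tarfile" >&2
        rm -rf "$stage"
        return 1
    fi

    # Every expected file must be present before anything is replaced.
    for want in $REQUIRED_DATS; do
        if ! ls "$stage" | grep -iqFx -- "$want"; then
            echo "archive is missing $want" >&2
            rm -rf "$stage"
            return 1
        fi
    done

    # Back up the existing .DAT files (step 3 of the procedure).
    DAT_BACKUP_DIR=$progdir/backup.$(date +%Y%m%d%H%M%S)
    if ! mkdir "$DAT_BACKUP_DIR"; then
        rm -rf "$stage"
        return 1
    fi
    for old in "$progdir"/*.[Dd][Aa][Tt]; do
        if [ -f "$old" ]; then
            cp -p "$old" "$DAT_BACKUP_DIR/" || { rm -rf "$stage"; return 1; }
        fi
    done

    # Copy the new files over the old ones (step 5).
    status=0
    for new in "$stage"/*.[Dd][Aa][Tt]; do
        cp -p "$new" "$progdir/" || status=1
    done
    rm -rf "$stage"
    return $status
}

# Stand-alone use: sh update_dats.sh <tar file> <program directory>
if [ "$#" -eq 2 ]; then
    update_dats "$1" "$2"
fi
```
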

USING DAT-4181.ZIP TO UPDATE OTHER PRODUCTS

We recommend that you use either the SuperDAT utility, or the 4181XDAT.EXE utility to install new .DAT file versions for supported anti-virus products. These utilities offer an easy and foolproof method for correctly updating .DAT files.

If you want to install .DAT file updates directly from the .ZIP archive, however, locate the heading for the anti-virus product you use in the list below, then follow the corresponding steps.

- VirusScan 4.5 Anti-virus Software for Windows 95, Windows 98, Windows NT Workstation 4.0, and Windows 2000 Professional
- VirusScan 4.0.3 Anti-virus Software for Windows 95 and Windows 98
- VirusScan 4.0.3 Anti-virus Software for Windows NT and Netshield 4.0.3 Anti-virus Software for Windows NT
- Netshield Anti-virus Software for Novell Netware
- Groupshield Notes Anti-virus Software

VIRUSSCAN 4.5 ANTI-VIRUS SOFTWARE FOR WINDOWS 95, WINDOWS 98, WINDOWS NT WORKSTATION 4.0, AND WINDOWS 2000 PROFESSIONAL

To use the DAT-4181.ZIP package to update VirusScan version 4.5 anti-virus software, follow these steps:

1. Click Start in the Windows task bar, point to Settings, then choose Control Panel.

2. Locate the VirusScan control panel, then double-click it to open it.

3. Click the Stop button on the Service page. Leave the VirusScan control panel open. You will need to return to it in Step 7.

4. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP archive you downloaded to that directory.

5. Back up or rename the existing .DAT files stored in the Network Associates Common Files directory. If you installed VirusScan software to its default location, you'll find this directory here:

   C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx

   See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list.

6. Use WinZip, PKUnzip, or a similar utility to open the .ZIP archive and extract the updated .DAT files.
Save the extracted files directly to the Network Associates Common Files directory. Allow the new files to overwrite the existing .DAT files. 7. Return to the VirusScan control panel, then click Start in the Service page. The VShield scanner and the VirusScan Console will start again. Your VirusScan software is up to date. VIRUSSCAN 4.0.3 ANTI-VIRUS SOFTWARE FOR WINDOWS 95 AND WINDOWS 98 To use the DAT-4181.ZIP package to update VirusScan version 4.0.3 anti-virus software on a Windows 95 or Windows 98 system, follow these steps: 1. Right-click the VShield icon that appears in your Windows system tray at the bottom, right-hand corner of your screen to display the VShield shortcut menu. 2. Point to Enable, then choose System Scan to remove the checkmark beside the name. This disables the VShield System Scan module. 3. Repeat Steps 1 and 2 to disable all of the remaining VShield modules: E-Mail Scan, Download Scan, and Internet Filter. 4. Restart your computer to remove all VShield modules from memory. 5. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP archive you downloaded to that directory. 6. Back up or rename the existing .DAT files stored in the VirusScan program directory. See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list. 7. Use WinZip, PKUnzip, or a similar utility to open the .ZIP archive and extract the updated .DAT files. You can save the extracted files directly to the VirusScan program directory. Allow the updated files to overwrite the existing .DAT files. 8. Restart your computer. 9. Right-click the VShield icon that appears in your Windows system tray at the bottom, right-hand corner of your screen to display the VShield shortcut menu. 10. Point to Enable, then choose one of the listed VShield modules to add a checkmark beside the name. This enables that VShield module again. 
Begin with the System Scan module, then repeat Steps 9 and 10 to enable these remaining VShield modules: E-Mail Scan, Download Scan, and Internet Filter. VIRUSSCAN 4.0.3 ANTI-VIRUS SOFTWARE FOR WINDOWS NT AND NETSHIELD 4.0.3 ANTI-VIRUS SOFTWARE FOR WINDOWS NT. If you have Administrator rights for the server or workstation you want to update, the VirusScan software for Windows NT and the NetShield software for Windows NT allow you to initiate update requests at any time. Simply use the AntiVirus Console to connect to the workstation or server you want to update, double-click the AutoUpdate task to open it, then click Update Now. The program will retrieve updated files from the location specified in the task settings, and will install the new files correctly. To install .DAT file updates directly from a .ZIP archive WITHOUT using the AutoUpdate utility, follow these steps: NOTE: We do not recommend that you use this method to update your .DAT files. 1. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP archive you downloaded to that directory. 2. Back up or rename the existing .DAT files stored in the program directory. See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list. 3. Use WinZip, PKUnzip, or a similar utility to open the .ZIP archive and extract the updated .DAT files. 4. Log on to the server or workstation you want to update. You must have Administrator rights for the target computer. 5. Click Start, point to Settings, then choose Control Panel to open the Control Panel window. Next, locate and double-click the Services control panel to open it. If the computer is running Windows NT 3.51, start Program Manager, then locate the Control Panels program group. Double-click the program group to open it, then locate and double-click the Services control panel. 6. Select the Network Associates McShield Service, then click Stop. 7. 
Copy the .DAT files you extracted from the .ZIP archive to the program directory. 8. Return to the Services control panel, select the McShield Service, then click Start. Next, close the Services control panel. NetShield software for Windows NT and VirusScan software for Windows NT will use the updated .DAT files in scan operations immediately. NETSHIELD ANTI-VIRUS SOFTWARE FOR NOVELL NETWARE To install .DAT file updates directly from a .ZIP archive WITHOUT using the AutoUpdate utility, follow these steps: NOTE: We do not recommend using this method to update your .DAT files. 1. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP archive you downloaded to that directory. 2. Use WinZip, PKUnzip, or a similar utility to open the .ZIP archive and extract the updated .DAT files. 3. Log on to the server you want to update. You must have administrative rights for the target server. 4. Type this line at the NetWare Console prompt: unload netshld 5. Back up or rename the existing .DAT files stored in your NetShield program directory. If you installed NetShield to the default program directory, you'll find the .DAT files here: SYS:MCAFEE\NETSHLD See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list. 6. Copy the files you extracted from the temporary directory you created in Step 1 to the NetShield program directory on your server. 7. Type this line at the NetWare Console prompt to restart the NetShield NetWare server software: netshld The NetShield software will begin to use the new .DAT files immediately. GROUPSHIELD NOTES ANTI-VIRUS SOFTWARE The GroupShield Notes software allows you to download and install .DAT file updates with an included automatic update component. We recommend this method, but you can also update your .DAT files directly. Follow these steps: 1. Create a temporary directory on your hard disk, then copy the .DAT file .ZIP archive you downloaded to that directory. 2. 
Back up or rename the existing .DAT files stored in the GSUPDATE.NSF database. See "Primary Program Files for Virus Definitions" later in this file for a complete .DAT file list. 3. Use WinZip, PKUnzip, or a similar utility to open the .zip archive and extract the updated .DAT files. 4. Start Lotus Notes, then right-click Workspace. Next, choose Open Database from the menu that appears. 5. Locate the database GSUPDATE.NSF, then add to that database those files that you extracted into the temporary directory you created in Step 1. GroupShield Notes will use the new .DAT files as soon as they replicate across the network. If you have partitioned Notes servers, you must shut down and restart each of the partitioned servers for the update to take effect. PRIMARY PROGRAM FILES FOR VIRUS DEFINITIONS Files contained in the .DAT file set are: SCAN.DAT = Data file for virus scanning NAMES.DAT = Data file for virus names CLEAN.DAT = Data file for virus cleaning INTERNET.DAT = Data file to detect hostile Java/ActiveX objects. TESTING YOUR INSTALLATION The EICAR Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation, copy the following line into its own file, then save the file with the name EICAR.COM. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* The file size will be 68 or 70 bytes. Next, start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When your software scans this file, it will report finding the EICAR test file. Note that this file is NOT A VIRUS. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users. _______________________________________________ NEW VIRUSES DETECTED AND REMOVED Hundreds of new viruses and variants appear each month. 
Those which are detected and cleaned by AVERT's generic methods are added to the total virus count listed but they are not listed separately here. Total viruses and variants, Trojan horse programs, and other malicious software detected: 59643 NEW DETECTIONS Total number of new items detected with this release: 106 BOOT-SECTOR VIRUSES (0) ----------------------- No new detections DOS FILE-INFECTING VIRUSES (9) ------------------------------ EL.1824 HKILL.997.DR LETUCHKI MPC.748.DAM PADSO.349 PEACEKEEPER.3834 PEACEKEEPER.3846 SHADOW.DR UNIV/L.DAM INTERNET WORM (9) ----------------- IRC/MONEL VBS/MONEL W32/ANTITES@MM W32/FUNSO.GEN@MM W32/GIZER.C@MM W32/LIBIDO.WORM.B W32/SYSNOM.B@MM W32/TOGET@MM W32/WALLY.REG LINUX/UNIX FILE-INFECTING VIRUSES (2) ------------------------------------- LINUX/NUXBEE.1403.INTD LINUX/RST MACRO VIRUSES (0) ----------------- No new detections MULTIPARTITE VIRUSES (0) ------------------------ No new detections WINDOWS PORTABLE EXECUTABLE FILE VIRUSES (12) --------------------------------------------- W32/AWFULL W32/DONUT W32/DONUT.DR W32/FAKER.B W32/GODOG.A.9412 W32/GODOG.B.3072 W32/HLLP.18431A W32/HLLP.18431B W32/INEX W32/MARYL W32/NOSYS.WORM W32/PEED SCRIPT VIRUSES (0) ------------------ No new detections TROJAN HORSE PROGRAMS/MALWARE (74) ---------------------------------- BACKDOOR-SP.DR BACKDOOR-YL BACKDOOR-YM BACKDOOR-YN BACKDOOR-YO BACKDOOR-YP BACKDOOR-YQ BACKDOOR-YQ.BAT BACKDOOR-YQ.SCRIPT BACKDOOR-YR BACKDOOR-YS BACKDOOR-YT BACKDOOR-YU BACKDOOR-YV BACKDOOR-YW BACKDOOR-YX BACKDOOR-YY BACKDOOR-YZ BACKDOOR-ZA BACKDOOR-ZA.DR BACKDOOR-ZB BACKDOOR-ZC BACKDOOR-ZD BACKDOOR-ZE BACKDOOR-ZI BACKDOOR-ZI.HTM BACKDOOR-ZJ BAT/SS.REG BAT/TE BAT/TF BAT/TG BAT/TH BAT/TI BAT/TJ BAT/TK BAT/TL BAT/TM BAT/TN BAT/TO BAT/TP BAT/TQ BAT/TR FDOS-BCP FDOS-UATTACK FILEMAKER GREAP GREAP.KIT IRC/BACKDOOR-SUB7.CLI JS/EXPLOIT-GETOBJECT JUSP KEYLOG-IMPOSSIBLE LAMENESS LINUX/DDOS-KNIGHT LINUX/DDOS-KNIGHT.SRC NUKE-CYRUS NUKE-SUBATTACK PWS-DAFDAF.B PWS-ISPHACK PWS-NONAM 
PWS-RIST PWS-XNF QDEL198 QDEL199 QZAP199 SPAM/FAKEMAIL SYDO.A SYDO.B SYSOBS UNIX/EXPLOIT-BUGZILLA UNIX/EXPLOIT-DOMINO UNIX/SPAM-POSTMAN UNIX/WUFTPD_EXPLOIT UNIX/WUFTPD_EXPLOIT.SRC VBS/RATCH NEW REMOVALS Total number of new items removed with this release: 103 McAfee software removes a virus either by deleting the infecting virus code from files or by deleting the file from your computer. NOTE: The New Removals list notes when the .DAT files do not include the ability to remove certain types of viruses. In these cases, you must remove the virus yourself, either by deleting the infected file or by removing harmful code. For more information, see the McAfee Virus Information Library at: http://vil.nai.com/villib/alpha.asp BOOT-SECTOR VIRUSES (0) ----------------------- No new removals DOS FILE-INFECTING VIRUSES (6) ------------------------------ EL.1824 HKILL.997.DR MPC.748.DAM PEACEKEEPER.3834 PEACEKEEPER.3846 UNIV/L.DAM INTERNET WORM (9) ----------------- IRC/MONEL VBS/MONEL W32/ANTITES@MM W32/FUNSO.GEN@MM W32/GIZER.C@MM W32/LIBIDO.WORM.B W32/SYSNOM.B@MM W32/TOGET@MM W32/WALLY.REG LINUX/UNIX FILE-INFECTING VIRUSES (2) ------------------------------------- LINUX/NUXBEE.1403.INTD LINUX/RST MACRO VIRUSES (0) ----------------- No new removals MULTIPARTITE VIRUSES (0) ------------------------ No new removals WINDOWS PORTABLE EXECUTABLE FILE VIRUSES (12) --------------------------------------------- W32/AWFULL W32/DONUT W32/DONUT.DR W32/FAKER.B W32/GODOG.A.9412 W32/GODOG.B.3072 W32/HLLP.18431A W32/HLLP.18431B W32/INEX W32/MARYL W32/NOSYS.WORM W32/PEED SCRIPT VIRUSES (0) ------------------ No new removals TROJAN HORSE PROGRAMS/MALWARE (74) ---------------------------------- BACKDOOR-SP.DR BACKDOOR-YL BACKDOOR-YM BACKDOOR-YN BACKDOOR-YO BACKDOOR-YP BACKDOOR-YQ BACKDOOR-YQ.BAT BACKDOOR-YQ.SCRIPT BACKDOOR-YR BACKDOOR-YS BACKDOOR-YT BACKDOOR-YU BACKDOOR-YV BACKDOOR-YW BACKDOOR-YX BACKDOOR-YY BACKDOOR-YZ BACKDOOR-ZA BACKDOOR-ZA.DR BACKDOOR-ZB BACKDOOR-ZC BACKDOOR-ZD BACKDOOR-ZE 
BACKDOOR-ZI BACKDOOR-ZI.HTM BACKDOOR-ZJ BAT/SS.REG BAT/TE BAT/TF BAT/TG BAT/TH BAT/TI BAT/TJ BAT/TK BAT/TL BAT/TM BAT/TN BAT/TO BAT/TP BAT/TQ BAT/TR FDOS-BCP FDOS-UATTACK FILEMAKER GREAP GREAP.KIT IRC/BACKDOOR-SUB7.CLI JS/EXPLOIT-GETOBJECT JUSP KEYLOG-IMPOSSIBLE LAMENESS LINUX/DDOS-KNIGHT LINUX/DDOS-KNIGHT.SRC NUKE-CYRUS NUKE-SUBATTACK PWS-DAFDAF.B PWS-ISPHACK PWS-NONAM PWS-RIST PWS-XNF QDEL198 QDEL199 QZAP199 SPAM/FAKEMAIL SYDO.A SYDO.B SYSOBS UNIX/EXPLOIT-BUGZILLA UNIX/EXPLOIT-DOMINO UNIX/SPAM-POSTMAN UNIX/WUFTPD_EXPLOIT UNIX/WUFTPD_EXPLOIT.SRC VBS/RATCH

INTERNET.DAT DETECTIONS

The INTERNET.DAT component included with the .DAT files enables VirusScan anti-virus software v4.x for Windows 95 and Windows 98 to detect 130 hostile Java classes and six hostile ActiveX controls. This list has not changed from that shown in the README.TXT file that accompanied the 4050 .DAT file set.

NEW EXTENSIONS

The scan engine now scans files with these extensions:

SWF

_______________________________________________
UNDERSTANDING VIRUS NAMES

McAfee anti-virus software typically follows industry-wide naming conventions to identify the viruses that it detects and cleans. Occasionally, some virus names deviate from strict industry standards.

The first virus with a given set of characteristics that mark it as a distinctly new entity receives a "family" name. Virus researchers draw the family name from some identifying quirk in the virus, such as a text string, or a payload effect. A family name can also include a numeric string that designates the byte size of the virus. Researchers use this name as a convenient shorthand to distinguish among very closely allied virus variants.

Names for variants within a virus family consist of the family name and a suffix - .A, for example. The suffix designations continue in alphabetical order until they reach .Z. At that point, they begin again with .AA and continue until they reach .AZ.
Still later variants receive the suffix .BA through .BZ, and so forth, until the suffix designations reach .ZZ. If yet another variant appears after that, it would get the suffix .AAA.

As new virus strains appeared, industry naming conventions evolved to include more information. Some names, for instance, include parts that identify the platform on which the virus can run. Macro viruses, the most prevalent of the virus types, can have complex names that consist of a number of parts.

Among anti-virus vendors, virus names can include a prefix, an infix and a suffix.

PREFIX

The prefix designates the type of file that the virus infects or the platform on which it can run. Viruses that infect DOS executables do not receive a prefix. McAfee virus names can include these prefixes:

A97M/   Macro virus. Infects Microsoft Access 97 files
APM/    Macro virus or Trojan horse program. Infects Ami Pro document and template files
BV/     Batch-file virus or Trojan horse program. These viruses usually run as batch or script files that affect a particular program that interprets the script or batch commands they include. They are very portable and can affect nearly any platform that can run batch or script files. The files themselves often have a .BAT extension.
CSC/    Corel Script virus or Trojan horse program. Infects Corel Draw document files, template files, and scripts.
HLL/    File-infector virus written in a high-level programming language
HTML/   Script virus. Infects HTML files
IRC/    Internet Relay Chat script virus. This virus type can use early versions of the mIRC client software to distribute a virus or payload
JS/     JavaScript virus or Trojan horse program
JV/     Java application or applet that functions as malicious software.
JVS/    JavaScript virus or Trojan horse program
O2KM/   Macro virus. Infects Microsoft Office 2000 files
P98M/   Macro virus or Trojan horse program. Infects Microsoft Project documents and templates.
PP97M/  Macro virus.
        Infects Microsoft PowerPoint 97 files
V5M/    Macro or script virus, or Trojan horse program. Infects Visio VBA (Visual Basic for Applications) macros or scripts.
VBS/    Script virus. Infects Visual Basic scripts
W32/    File-infector or boot-sector virus. Runs in 32-bit Windows environments (Windows 95, Windows 98 or Windows NT)
WIN/    File-infector virus. Runs in 16-bit and 32-bit Windows environments (Windows 3.1x, Windows 95, Windows 98, or Windows NT)
W95/    File-infector virus. Runs in Windows 95 and Windows 98 environments
W97M/   Macro virus. Infects Microsoft Word 97 files
WM/     Macro virus. Infects Microsoft Word 95 files
X97F/   Macro virus. Infects Microsoft Excel 97 via Excel formulas
X97M/   Macro virus. Infects Microsoft Excel 97 files
XF/     Macro virus. Infects Microsoft Excel 95 or 97 via Excel formulas
XM/     Macro virus. Infects Microsoft Excel 95 files

INFIX

These designations usually appear in the middle of a virus name. AVERT assigns these designations, which will differ from industry conventions.

.CMP.   Companion file. This designates a companion file that the virus adds to an existing executable file. McAfee software deletes the companion file to prevent later infections.
.MP.    Multi-partite virus. A McAfee designation.
.OW.    Overwriting. This identifies a virus that overwrites data in a file, thereby irreparably corrupting it. This file must be deleted.

SUFFIX

These designations usually appear as the last part of a virus name. A virus name can have more than one suffix. One might designate a variant, for example, while others give additional information. AVERT assigns many of these designations, which can differ from industry conventions.

@MM          Mass mailing distribution. This virus might use standard techniques to propagate itself, but will also, or in some cases primarily, use an e-mail system to spread.
.A to .ZZZ   Virus variant designation.
.APP         Appended viruses.
             This designates a virus that appends its code to the file it infects, but fails to provide for correct replication. McAfee software detects these files in order to prevent false virus identifications.
.CAV         Cavity virus. This designates a virus that copies itself into "cavities" (areas of all zeroes) in a program file.
.CLI         Client-side component of an Internet Trojan-horse program.
.DAM         Damaged file. This designates a file damaged or corrupted by an infection
.DR          Dropper file. This file introduces the virus into the host program
.GEN         Generic detection. Native routines in McAfee software detect this virus without using specific code strings
.GR          Generic detection and removal. Native routines in McAfee software detect and remove this virus without using specific code strings
.INTD        "Intended" virus. This designates a virus that has most of the usual virus characteristics, but cannot replicate correctly. McAfee anti-virus software will detect it in order to prevent false identifications of active viruses
.SFX         Self-extracting installation utility for Trojan horse programs
.SRC         Viral source code. This ordinarily cannot replicate or infect files, but some virus droppers add this to files as part of the infection cycle. McAfee products routinely flag files with additional code of this sort for deletion
.SVR         Server-side component of an Internet Trojan-horse program.

GENERIC DETECTIONS

When a scanner reports the W97M/Generic@MM or X97M/Generic@MM driver, it means that the engine (4070 or later only) has heuristically detected a highly suspicious VBA macro that is likely to be a mass-mailing virus. Cleaning for such viruses is also available, but should be done with extra caution: users are advised to keep a copy of the file before cleaning and to submit a sample to AVERT.

_______________________________________________
DOCUMENTATION

This product includes the following documents:

1. This README file.

2. A CONTACT file.
   This file provides a list of phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world. It also includes contact information for services, such as technical support, customer service, onsite training, the beta program, and AVERT Anti-Virus Research Site.

_______________________________________________

CONTACTING MCAFEE AND NETWORK ASSOCIATES

Technical Support
    http://knowledge.nai.com

Product Documentation Issues
    tvd_documentation@nai.com

McAfee Beta Program
    Beta Web Site   www.mcafeeb2b.com/beta/
    E-mail          avbeta@nai.com

AVERT Anti-Virus Research Site
    www.mcafeeb2b.com/avert

Download Site
    www.mcafeeb2b.com/naicommon/download/

DAT File Updates
    www.mcafeeb2b.com/naicommon/download/dats/find.asp

Product Upgrades
    www.mcafeeb2b.com/naicommon/download/upgrade/login.asp
    Valid grant number required. Contact Network Associates Customer Service

On-Site Training Information
    www.mcafeeb2b.com/services/mcafee-training/default.asp

Finding a Reseller
    www.mcafeeb2b.com/naicommon/partners/tsp-seek/intro.asp

Network Associates Customer Service
    US, Canada, and Latin America toll-free:
    Phone:   +1-888-VIRUS NO or +1-888-847-8766
             Monday - Friday, 8 a.m. - 8 p.m., Central Time
    E-mail:  services_corporate_division@nai.com
    Web:     www.nai.com
             www.mcafeeb2b.com

For additional information on contacting Network Associates and McAfee (including toll-free numbers for other geographic areas) see the CONTACT file that accompanied your original product release.

_______________________________________________

COPYRIGHT AND TRADEMARK ATTRIBUTIONS

(c) 1992-2002 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.
To obtain this permission, write to the attention of the Network Associates legal department at: 3965 Freedom Circle, Santa Clara, California 95054, or call +1-972-308-9960.

TRADEMARKS

Active Security, ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Building a World of Trust, Certified Network Expert, Clean-Up, CleanUp Wizard, Cloaking, CNX, CNX Certification Certified Network Expert and design, CyberCop, CyberMedia, CyberMedia UnInstaller, Data Security Letter and design, Design (logo), Design (Rabbit with hat), design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, Enterprise SecureCast, EZ SetUp, First Aid, ForceField, Gauntlet, GMT, GroupShield, Guard Dog, HelpDesk, HomeGuard, Hunter, I C Expert, ISDN TEL/SCOPE, LAN Administration Architecture and design, LANGuru, LANGuru (in Katakana), LANWords, Leading Help Desk Technology, LM1, M and design, Magic Solutions, Magic University, MagicSpy, MagicTree, MagicWord, McAfee Associates, McAfee, McAfee (in Katakana), McAfee and design, NetStalker, MoneyMagic, More Power To You, MultiMedia Cloaking, myCIO.com, myCIO.com design (CIO design), myCIO.com Your Chief Internet Officer & design, NAI & design, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetRoom, NetScan, NetShield, NetStalker, Network Associates, Network General, Network Uptime!, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PC Medic 97, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerLogin, PowerTelNet, Pretty Good Privacy, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, ReportMagic, RingFence, Router PM, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SniffMaster, SniffMaster (in Hangul), SniffMaster (in Katakana), SniffNet, Stalker, Stalker (stylized), Statistical Information Retrieval (SIR), SupportMagic, TeleSniffer, TIS, TMACH, TMEG, TNV,
TVD, TNS, TSD, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, Trusted MACH, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE LICENSE.TXT OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.
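
Added example (not part of the McAfee release notes or of any McAfee tool): the prefix, infix and suffix convention described under UNDERSTANDING VIRUS NAMES, as a Python parser that splits a reported detection name into those parts and attaches the handling advice this README states. The function names and the "Sample" detection names are assumptions made for illustration, and the prefix set covers only the prefixes listed at the end of the prefix table.

```python
import re

# Designations from this README (prefixes: end of the prefix table only).
PREFIXES = {"V5M", "VBS", "W32", "WIN", "W95", "W97M", "WM",
            "X97F", "X97M", "XF", "XM"}
INFIXES = {"CMP", "MP", "OW"}
SUFFIXES = {"APP", "CAV", "CLI", "DAM", "DR", "GEN", "GR", "INTD",
            "SFX", "SRC", "SVR"}
VARIANT = re.compile(r"[A-Z]{1,3}")  # the .A to .ZZZ variant range
# Constructed sample names; only the Generic@MM form appears in the README.
SAMPLES = ["W97M/Generic@MM", "W32/Sample.OW.B", "W95/Sample.CAV.DR"]


def parse_detection(name):
    """Split a reported detection name into the parts the README describes."""
    out = {"infixes": [], "variant": None, "suffixes": [], "unknown": []}
    prefix, _, body = name.strip().rpartition("/")
    out["prefix"] = prefix.upper() or None
    out["mass_mailer"] = body.upper().endswith("@MM")
    if out["mass_mailer"]:
        body = body[:-3]
    tokens = body.split(".")
    out["family"] = tokens[0]
    for tok in (t.upper() for t in tokens[1:] if t):
        # Assumption: a token that is both a listed designation and a valid
        # variant (DR, GR, MP, ...) is read as the listed designation.
        if tok in INFIXES:
            out["infixes"].append(tok)
        elif tok in SUFFIXES:
            out["suffixes"].append(tok)
        elif VARIANT.fullmatch(tok) and out["variant"] is None:
            out["variant"] = tok
        else:
            out["unknown"].append(tok)
    return out


def handling_notes(name):
    """Handling advice the README states for a given detection name."""
    d, notes = parse_detection(name), []
    if d["prefix"] not in PREFIXES:
        notes.append("prefix not in the table used here")
    if "OW" in d["infixes"]:
        notes.append("overwritten file is irreparable and must be deleted")
    if (d["prefix"] in ("W97M", "X97M") and d["mass_mailer"]
            and d["family"].lower() == "generic"):
        notes.append("heuristic detection: keep a copy before cleaning "
                     "and submit a sample to AVERT")
    return notes
```

Running parse_detection over the names in a scan log and grouping by prefix or suffix gives a quick view of which detections are droppers, damaged files or heuristic mass-mailer hits before any cleaning is attempted.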