  Release Notes for McAfee 4253 DAT Files
  Copyright (c) 1992-2003 Networks Associates
                Technology, Inc.
              All Rights Reserved


===============================================

   Product Release:     March 19, 2003

   - DAT Version:       4253
   - Engine Version:    4160

===============================================


Thank you for using our products. This file
contains important information about the
current data (.DAT) files. We strongly
recommend that you read the entire document.

We welcome your comments and suggestions.


_______________________________________________
WHAT'S IN THIS FILE?

-  What are .DAT files?
-  What is the 4253XDAT.EXE File?
-  Which file to use
   -  When to use the 4253XDAT.EXE Utility
   -  When to use DAT-4253.ZIP or
      DAT-4253.TAR
-  Installation
   -  Preparing to install .DAT files
   -  Using 4253XDAT.EXE to update .DAT
      Files
   -  Using DAT-4253.ZIP or
      DAT-4253.TAR to update VirusScan
      Command Line and VirusScan for UNIX
      Software
   -  Using DAT-4253.ZIP to update other
      products
   -  VirusScan 4.5 Anti-virus Software for
      Windows 95, Windows 98, Windows NT
      Workstation 4.0, and Windows 2000
      Professional
   -  VirusScan 4.0.3 Anti-virus Software for
      Windows 95 and Windows 98
   -  VirusScan 4.0.3 Anti-Virus Software for
      Windows NT and Netshield 4.0.3 Anti-virus
      Software for Windows NT
   -  Netshield Anti-Virus Software for Novell
      Netware
   -  Groupshield Notes Anti-Virus Software
   -  Primary program files for Virus
      Definitions
   -  Testing your installation
-  New Viruses Detected and Removed
   -  New Detections
   -  New Removals
   -  INTERNET.DAT Detections
   -  New Extensions
-  Understanding Virus Names
   -  Prefix
   -  Infix
   -  Suffix
   -  Generic Detections
-  Documentation
-  Contacting Network Associates
-  Copyright and Trademark Attributions
   -  Trademarks
   -  License Agreement



_______________________________________________
IMPORTANT NOTES

-  We no longer provide the weekly 40XXUPDT.EXE
   utility for .DAT-only updates. Instead, we
   now provide 4253XDAT.EXE, an update
   utility for the same purpose.
   4253XDAT.EXE uses the same technology
   that the weekly SuperDAT utility uses. This
   change does NOT affect the release and
   distribution of regular SuperDAT packages in
   any way.

   You may use 4253XDAT.EXE to update all
   supported version 4.0.3 and later anti-virus
   product releases, including version 4.5.x
   releases. As with the current SuperDAT
   package, 4253XDAT.EXE does NOT support
   GroupShield Notes version 4.x or NetShield
   for Novell NetWare versions, nor any version
   of Dr Solomon Anti-Virus Toolkit software.
   The package DOES support GroupShield Domino
   v5.0 software, however.

-  The 4253 .DAT files are compatible with
   McAfee anti-virus products that use any
   4.0.70 (or higher) scan engine version. This
   does NOT include VirusScan 4.0.0 anti-virus
   software, which uses a v3.2.2 scanning
   engine. These .DAT files will NOT work with
   version 3.x or version 2.x scan engines. We
   recommend that you upgrade to the latest
   version of the version 4.x.xx engine for
   optimal virus detection and repair.


_______________________________________________
WHAT ARE .DAT FILES?

Virus definition, or .DAT, files contain
up-to-date virus signatures and other
information that McAfee anti-virus products use
to protect your computer against the thousands
of computer viruses in circulation. McAfee
releases new .DAT files regularly to provide
protection against the hundreds of new viruses
that appear each month. To ensure that your
anti-virus software can protect your system or
network against the latest virus threats,
download and install the latest .DAT files.


_______________________________________________
WHAT IS THE 4253XDAT.EXE FILE?

This package installs updated .DAT files for
your McAfee anti-virus products. It uses
SuperDAT technology to shut down any active
scan operations, services, or other
memory-resident software components that might
interfere with your updates. It then copies the
new files to their proper locations and enables
your software to use them immediately. It
differs from a regular SuperDAT package in that
it updates ONLY your .DAT files, which means
you can download this package if you already
have a current scan engine and want to save
time and bandwidth.

   NOTE:
   The 4253XDAT.EXE utility platform and
   product support is the same as that for the
   SuperDAT utility. To learn more, see the
   SuperDAT package README.TXT file.


_______________________________________________
WHICH FILE TO USE


WHEN TO USE THE 4253XDAT.EXE UTILITY

We provide the 4253XDAT.EXE utility to make
.DAT file updating quick and simple. The
utility uses SuperDAT technology, but does not
update the scan engine for your anti-virus
software. Use the utility when your scan engine
is current and you want to download a smaller
SuperDAT upgrade and update package.

The 4253XDAT.EXE utility is compatible with
most McAfee version 4.x anti-virus products,
including most version 4.5 product versions.
The utility does NOT support the following:

-  McAfee product versions that incorporate an
   engine version earlier than 4.x. This
   includes all v3.x products, all v2.x
   products, and the retail version of
   VirusScan 4.0.0 anti-virus software for
   Windows 95 and Windows 98.

-  McAfee VirusScan 4.0.2 and Netshield NT
   4.0.2.

-  Any Dr Solomon Anti-Virus Toolkit product.

-  NetShield anti-virus software for NetWare

-  GroupShield anti-virus software for Lotus
   Notes.

-  VirusScan for UNIX Software


WHEN TO USE DAT-4253.ZIP OR
DAT-4253.TAR

The DAT-4253.ZIP and dat-4253.tar
packages allow you to update the .DAT files for
any supported McAfee version 4.x anti-virus
product.

The difference between these files and the
other, executable, files is that you must stop
any scan operations or scan services and unload
any Terminate-and-Stay-Resident (TSR) programs
from your computer's memory yourself. You must
then copy the new files to your anti-virus
software's program directory, then restart the
services or background scanning software your
application uses.

Alternatively, if your anti-virus software has
an AutoUpdate feature, you can configure it to
download and install one of these packages.
Version 4.5-series anti-virus packages can also
use incremental .DAT file updating. To learn
more about incremental .DAT files, consult your
product documentation.

These McAfee products require you to use the
DAT-4253.ZIP or the DAT-4253.TAR files
to update your .DAT files:

-  VirusScan for UNIX

-  GroupShield for Lotus Notes

-  WebShieldX Proxy

To learn how to use these utilities, see the
"Installation" section later in this file.


_______________________________________________
INSTALLATION


PREPARING TO INSTALL .DAT FILES

McAfee stores .DAT file updates on its web site
in a compressed format to reduce transmission
time, and makes the updates available in three
formats: as an executable file that includes a
setup feature; as a .ZIP or tar archive that
you can extract and install
yourself to update some, though not all, McAfee
anti-virus software; and as part of a SuperDAT
executable package that often includes scan
engine and other program component upgrades.
Your options are:

-  4253XDAT.EXE. Download this package to
   update the .DAT files in most McAfee
   anti-virus software. Visit the Network
   Associates web site at:

      http://www.nai.com/asp_set/download/dats/mcafee_4x.asp

-  DAT-4253.ZIP and dat-4253.tar.
   Download either of these packages
   specifically to update the VirusScan for
   UNIX application, the GroupShield Notes
   applications, or the NetShield NetWare
   application. You can also use this file to
   update the .DAT files for any other McAfee
   anti-virus software, if you wish. Visit the
   Network Associates web site at:

      http://www.nai.com/asp_set/download/dats/mcafee_4x.asp

-  SDAT4253.EXE. Download the SuperDAT
   executable package to update a range of
   McAfee anti-virus software. See the
   README.TXT file for the SuperDAT utility for
   a complete list of supported products. The
   SuperDAT package also includes scan engine
   upgrades and upgrades to  other program
   components. Visit the Network Associates web
   site at:

      http://www.nai.com/asp_set/download/dats/superdat.asp

   NOTE:
   This file does NOT discuss how to use the
   SuperDAT package to update and upgrade your
   anti-virus software. To learn about the
   SuperDAT executable package, see the
   README.TXT file posted with the SuperDAT
   package.


USING 4253XDAT.EXE TO UPDATE .DAT FILES

To install new .DAT file updates quickly and
easily, first create a temporary directory on
your hard disk, then copy the 4253XDAT.EXE
utility to that directory. Next, locate the
file you downloaded, then double-click it to
start the update. Follow the wizard panel
instructions that appear to update your .DAT
files.

The utility will unload McAfee memory-resident
software or stop Windows NT services that use
your current .DAT files before it copies
updated .DAT files to the appropriate program
directories. It will then restart the software
components needed to continue scan operations
with your updated .DAT files.

   WARNING:
   Do NOT attempt to install 4253XDAT.EXE
   on Digital Alpha computers. We no longer
   support the Alpha platform.

When 4253XDAT.EXE has finished updating
your .DAT files, you may delete the archive
file you downloaded from your hard disk, unless
you want to keep a copy available for further
updates.


USING DAT-4253.ZIP OR DAT-4253.TAR TO
UPDATE VIRUSSCAN COMMAND LINE AND VIRUSSCAN FOR
UNIX SOFTWARE

Some McAfee anti-virus products, such as
NetShield for Novell NetWare, cannot use the
executable version of the .DAT file update.
Instead, you must copy .DAT file updates
directly to the product directory.

To do so, follow these steps:

1. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP or tar
   archive that you downloaded to that
   directory.

2. Unload the VShield TSR software from memory,
   if your anti-virus software has a VShield
   version and you have it running. To do so,
   type VSHIELD /REMOVE at the command-line
   prompt. This step is not necessary if you
   have not started the VShield scanner or if
   your anti-virus software does not include a
   background or on-access scanner.

3. Back up or rename the existing .DAT files
   stored in the program directory for your
   anti-virus software. See "Primary Program
   Files for Virus Definitions" later in this
   file for a complete .DAT file list.

4. Use WinZip, PKUnzip, or a similar utility
   to open the .ZIP archive and extract the
   updated .DAT files. You can save the
   extracted files directly to the program
   directory for your anti-virus software.
   Allow the updated files to overwrite the
   existing .DAT files.
   To extract .DAT files stored in a tar
   archive, use a compression utility that can
   read and extract tar files, or follow these
   steps from a UNIX command prompt:

   1. Change to the directory into which you
      want to extract the new .DAT files. This
      could mean the program directory for your
      anti-virus software, or a temporary
      directory from which you intend to copy
      the new files.

   2. Type this command at the command prompt:

      tar xf <directory path>/dat-4253.tar

   Here, <directory path> is the path to the
   tar file you downloaded. The tar utility
   will extract the .DAT files into your
   current working directory.

   NOTE:
   The syntax for the tar command might vary in
   different UNIX versions. Consult your manual
   pages or other product documentation for
   more details.

5. Copy the new .DAT files to the program
   directory for the software you want to
   update. Allow the new files to replace the
   existing files.

6. Restart the VShield TSR, if your anti-virus
   software includes a VShield component, to
   enable background or on-access scanning. To
   do so, type VSHIELD, followed by the
   scanning options you want to use, at the
   command-line prompt.

   NOTE:
   When you have finished using
   DAT-4253.ZIP to update your .DAT files,
   you may delete it from your hard disk,
   unless you want to keep a copy available for
   further updates.
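
Steps 3 to 5 above, for a tar archive, written out as a script. This is an added example, not McAfee code: it checks the archive's members against the .DAT file set named in this file before anything in the program directory is changed. The function names, the ".bak" backup suffix and the rule that SCAN.DAT, NAMES.DAT and CLEAN.DAT must all be present are assumptions; stopping and restarting the scanner (Steps 2 and 6) remain manual.

```python
import os
import posixpath
import shutil
import tarfile

# The .DAT file set listed under "Primary Program Files for Virus Definitions".
DAT_FILES = {"SCAN.DAT", "NAMES.DAT", "CLEAN.DAT", "INTERNET.DAT"}
# Assumption: a usable archive carries at least these three, so that
# definitions from two different releases are never mixed.
REQUIRED = {"SCAN.DAT", "NAMES.DAT", "CLEAN.DAT"}


def read_dat_members(archive_path):
    """Return {UPPERCASE name: (name as stored, bytes)} for the .DAT members."""
    staged = {}
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            norm = posixpath.normpath(member.name)
            stored = posixpath.basename(norm)
            key = stored.upper()
            if key not in DAT_FILES:
                continue  # anything else in the archive is left alone
            # Accept only plain files at the top level of the archive: no
            # directory components, links or device nodes.
            if norm != stored or not member.isfile():
                raise ValueError("unexpected archive member: %r" % member.name)
            if key in staged:
                raise ValueError("duplicate archive member: %r" % member.name)
            staged[key] = (stored, tar.extractfile(member).read())
    missing = REQUIRED - set(staged)
    if missing:
        raise ValueError("archive lacks " + ", ".join(sorted(missing)))
    return staged


def update_dats(archive_path, program_dir, backup_suffix=".bak"):
    """Steps 3 to 5: back up the current .DAT files, then install the new ones.

    Nothing in program_dir is touched unless the whole archive passes
    read_dat_members(). Returns the sorted list of installed file names.
    """
    staged = read_dat_members(archive_path)
    # Reuse the spelling already on disk (scan.dat versus SCAN.DAT).
    on_disk = {name.upper(): name for name in os.listdir(program_dir)}
    for key, (stored, data) in staged.items():
        target = os.path.join(program_dir, on_disk.get(key, stored))
        if os.path.exists(target):
            shutil.copy2(target, target + backup_suffix)  # step 3
        tmp = target + ".new"
        with open(tmp, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target)  # step 5, one file at a time
    return sorted(staged)
```
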


USING DAT-4253.ZIP TO UPDATE OTHER
PRODUCTS

We recommend that you use either the SuperDAT
utility, or the 4253XDAT.EXE utility to
install new .DAT file versions for supported
anti-virus products. These utilities offer an
easy and foolproof method for correctly
updating .DAT files.

If you want to install .DAT file updates
directly from the .ZIP archive, however, locate
the heading for the anti-virus product you use
in the list below, then follow the
corresponding steps.

-  VirusScan 4.5 Anti-virus Software for
   Windows 95, Windows 98, Windows NT
   Workstation 4.0, and Windows 2000
   Professional

-  VirusScan 4.0.3 Anti-virus Software for
   Windows 95 and Windows 98

-  VirusScan 4.0.3 Anti-virus Software for
   Windows NT and Netshield 4.0.3 Anti-virus
   Software for Windows NT

-  Netshield Anti-virus Software for Novell
   Netware

-  Groupshield Notes Anti-virus Software


VIRUSSCAN 4.5 ANTI-VIRUS SOFTWARE FOR WINDOWS
95, WINDOWS 98, WINDOWS NT WORKSTATION 4.0, AND
WINDOWS 2000 PROFESSIONAL

To use the DAT-4253.ZIP package to update
VirusScan version 4.5 anti-virus software,
follow these steps:

1. Click Start in the Windows task bar, point
   to Settings, then choose Control Panel.

2. Locate the VirusScan control panel, then
   double-click it to open it.

3. Click the Stop button on the Service page.
   Leave the VirusScan control panel open. You
   will need to return to it in Step 7.

4. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP archive
   you downloaded to that directory.

5. Back up or rename the existing .DAT files
   stored in the Network Associates Common
   Files directory. If you installed VirusScan
   software to its default location, you'll
   find this directory here:

      C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx

   See "Primary Program Files for Virus
   Definitions" later in this file for a
   complete .DAT file list.

6. Use WinZip, PKUnzip, or a similar utility to
   open the .ZIP archive and extract the
   updated .DAT files.

   Save the extracted files directly to the
   Network Associates Common Files directory.
   Allow the new files to overwrite the
   existing .DAT files.

7. Return to the VirusScan control panel, then
   click Start in the Service page.

   The VShield scanner and the VirusScan
   Console will start again. Your VirusScan
   software is up to date.


VIRUSSCAN 4.0.3 ANTI-VIRUS SOFTWARE FOR WINDOWS
95 AND WINDOWS 98

To use the DAT-4253.ZIP package to update
VirusScan version 4.0.3 anti-virus software
on a Windows 95 or Windows 98 system, follow
these steps:

1. Right-click the VShield icon that appears in
   your Windows system tray at the bottom,
   right-hand corner of your screen to display
   the VShield shortcut menu.

2. Point to Enable, then choose System Scan to
   remove the checkmark beside the name. This
   disables the VShield System Scan module.

3. Repeat Steps 1 and 2 to disable all of the
   remaining VShield modules: E-Mail Scan,
   Download Scan, and Internet Filter.

4. Restart your computer to remove all VShield
   modules from memory.

5. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP archive
   you downloaded to that directory.

6. Back up or rename the existing .DAT files
   stored in the VirusScan program directory.
   See "Primary Program Files for Virus
   Definitions" later in this file for a
   complete .DAT file list.

7. Use WinZip, PKUnzip, or a similar utility to
   open the .ZIP archive and extract the
   updated .DAT files.
   You can save the extracted files directly to
   the VirusScan program directory. Allow the
   updated files to overwrite the existing .DAT
   files.

8. Restart your computer.

9. Right-click the VShield icon that appears in
   your Windows system tray at the bottom,
   right-hand corner of your screen to display
   the VShield shortcut menu.

10. Point to Enable, then choose one of the
   listed VShield modules to add a checkmark
   beside the name. This enables that VShield
   module again.

   Begin with the System Scan module, then
   repeat Steps 9 and 10 to enable these
   remaining VShield modules: E-Mail Scan,
   Download Scan, and Internet Filter.


VIRUSSCAN 4.0.3 ANTI-VIRUS SOFTWARE FOR WINDOWS
NT AND NETSHIELD 4.0.3 ANTI-VIRUS SOFTWARE FOR
WINDOWS NT

If you have Administrator rights for the server
or workstation you want to update, the
VirusScan software for Windows NT and the
NetShield software for Windows NT allow you to
initiate update requests at any time. Simply
use the AntiVirus Console to connect to the
workstation or server you want to update,
double-click the AutoUpdate task to open it,
then click Update Now. The program will
retrieve updated files from the location
specified in the task settings, and will
install the new files correctly.

To install .DAT file updates directly from a
.ZIP archive WITHOUT using the AutoUpdate
utility, follow these steps:

   NOTE:
   We do not recommend that you use this method
   to update your .DAT files.

1. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP archive
   you downloaded to that directory.

2. Back up or rename the existing .DAT files
   stored in the program directory. See
   "Primary Program Files for Virus
   Definitions" later in this file for a
   complete .DAT file list.

3. Use WinZip, PKUnzip, or a similar utility to
   open the .ZIP archive and extract the
   updated .DAT files.

4. Log on to the server or workstation you want
   to update. You must have Administrator
   rights for the target computer.

5. Click Start, point to Settings, then choose
   Control Panel to open the Control Panel
   window. Next, locate and double-click the
   Services control panel to open it.

   If the computer is running Windows NT 3.51,
   start Program Manager, then locate the
   Control Panels program group. Double-click
   the program group to open it, then locate
   and double-click the Services control
   panel.

6. Select the Network Associates McShield
   Service, then click Stop.

7. Copy the .DAT files you extracted from the
   .ZIP archive to the program directory.

8. Return to the Services control panel, select
   the McShield Service, then click Start.

   Next, close the Services control panel.

NetShield software for Windows NT and VirusScan
software for Windows NT will use the updated
.DAT files in scan operations immediately.


NETSHIELD ANTI-VIRUS SOFTWARE FOR NOVELL
NETWARE

To install .DAT file updates directly from a
.ZIP archive WITHOUT using the AutoUpdate
utility, follow these steps:

   NOTE:
   We do not recommend using this method to
   update your .DAT files.

1. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP archive
   you downloaded to that directory.

2. Use WinZip, PKUnzip, or a similar utility to
   open the .ZIP archive and extract the
   updated .DAT files.

3. Log on to the server you want to update. You
   must have administrative rights for the
   target server.

4. Type this line at the NetWare Console
   prompt:

      unload netshld

5. Back up or rename the existing .DAT files
   stored in your NetShield program directory.
   If you installed NetShield to the default
   program directory, you'll find the .DAT
   files here:

      SYS:MCAFEE\NETSHLD

   See "Primary Program Files for Virus
   Definitions" later in this file for a
   complete .DAT file list.

6. Copy the files you extracted from the
   temporary directory you created in Step 1 to
   the NetShield program directory on your
   server.

7. Type this line at the NetWare Console prompt
   to restart the NetShield NetWare server
   software:

      netshld

   The NetShield software will begin to use the
   new .DAT files immediately.


GROUPSHIELD NOTES ANTI-VIRUS SOFTWARE

The GroupShield Notes software allows you to
download and install .DAT file updates with an
included automatic update component. We
recommend this method, but you can also update
your .DAT files directly. Follow these steps:

1. Create a temporary directory on your hard
   disk, then copy the .DAT file .ZIP archive
   you downloaded to that directory.

2. Back up or rename the existing .DAT files
   stored in the GSUPDATE.NSF database. See
   "Primary Program Files for Virus
   Definitions" later in this file for a
   complete .DAT file list.

3. Use WinZip, PKUnzip, or a similar utility to
   open the .zip archive and extract the
   updated .DAT files.

4. Start Lotus Notes, then right-click
   Workspace. Next, choose Open Database from
   the menu that appears.

5. Locate the database GSUPDATE.NSF, then add
   to that database those files that you
   extracted into the temporary directory you
   created in Step 1.

   GroupShield Notes will use the new .DAT
   files as soon as they replicate across the
   network. If you have partitioned Notes
   servers, you must shut down and restart each
   of the partitioned servers for the update to
   take effect.


PRIMARY PROGRAM FILES FOR VIRUS DEFINITIONS

Files contained in the .DAT file set are:

   SCAN.DAT = Data file for virus scanning

   NAMES.DAT = Data file for virus names

   CLEAN.DAT = Data file for virus cleaning

   INTERNET.DAT = Data file to detect hostile
   Java/ActiveX objects.


TESTING YOUR INSTALLATION

The EICAR Standard AntiVirus Test File is a
combined effort by anti-virus vendors
throughout the world to implement one standard
by which customers can verify their anti-virus
installations.

To test your installation, copy the following
line into its own file, then save the file with
the name EICAR.COM.

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file size will be 68 or 70 bytes.

Next, start your anti-virus software and allow
it to scan the directory that contains
EICAR.COM. When your software scans this file,
it will report finding the EICAR test file.

Note that this file is NOT A VIRUS. Delete the
file when you have finished testing your
installation to avoid alarming unsuspecting
users.


_______________________________________________
NEW VIRUSES DETECTED AND REMOVED

Hundreds of new viruses and variants appear
each month. Those which are detected and
cleaned by AVERT's generic methods are added to
the total virus count listed but they are not
listed separately here.

Total viruses and variants, Trojan horse
programs, and other malicious software
detected: 67993


NEW DETECTIONS

Total number of new items detected with this
release: 95

BOOT-SECTOR VIRUSES (0)
-----------------------
No new detections

DOS FILE-INFECTING VIRUSES (2)
------------------------------
DSME.DEMO.D
HLLT.9776

INTERNET WORM (17)
------------------
VBS/RENALO.B@MM
VBS/YPSAN@MM
W32/BIBROG.D@MM
W32/DEBORM.DR
W32/DEBORM.WORM
W32/DUCKTEST.WORM
W32/GANDA@MM
W32/GANDA
W32/GIBE.GEN@MM
W32/HOLAR.D@MM
W32/IXAS.B@MM
W32/KINDAL@MM
W32/LAMADO.BAT
W32/LAMADO.HTM
W32/LAMADO@MM
W32/LOVGATE.E@M
W32/YAHA.Q@MM

LINUX/UNIX FILE-INFECTING VIRUSES (1)
-------------------------------------
UNIX/SPAM-SMS.CHUNG

MACRO VIRUSES (4)
-----------------
A97M/ACCESSIV.E
W97M/SOPS.KIT.C
WM/MWVCK.KIT.C
X97M/JAL

MULTIPARTITE VIRUSES (2)
------------------------
CIVIL.MP.6672.K
MATTHEW.MP.3037E

WINDOWS PORTABLE EXECUTABLE FILE VIRUSES (1)
--------------------------------------------
W32/TOSEP

SCRIPT VIRUSES (5)
------------------
BAT/LIBERTE
JS/RONCHA
JS/SPALM.INTD
VBS/NOBLEMAN
VBS/SOMIE

TROJAN HORSE PROGRAMS/MALWARE (63)
----------------------------------
ANALOGX-PROXY.LDR
BACKDOOR-ARB
BACKDOOR-ARD
BACKDOOR-ARF
BACKDOOR-ARH
BACKDOOR-ARI
BACKDOOR-ARL
BACKDOOR-ARL.DR
BACKDOOR-ARN
BACKDOOR-ARO
BACKDOOR-ARO.BAT
BACKDOOR-ARO.DLL
BACKDOOR-ARX
DISKFILL-G
DOWNLOADER-BW.B
DOWNLOADER-BY.DR
EXPLOIT-IIS.CMD
EXPLOIT-IIS.IISDIE
EXPLOIT-MS03-007
FDOS-BAMABOY
FDOS-BLAKBLUD
FDOS-CHIBOY
FDOS-DANDAN
FDOS-DESTINY
FDOS-HASIST
FDOS-IROCSK
FDOS-MEGA
FDOS-MRTYPE
FDOS-ROOMKILL
FDOS-UNABOMB
FDOS-WARPING
FDOS-XOOX
FUD
FUD.CFG
IPCALLER
IRC/FLOOD.BQ
IRC/FLOOD.BR
IRC/FLOOD.BS
IETHIEF.A
IETHIEF.B
JS/PWS-WEBLOG
KIT-PVBSWG
MULTIDROPPER-FM.GEN
MULTIDROPPER-FN
MULTIDROPPER-FN.CFG
PWS-AIMFORGE
PWS-AOLEK
PWS-COUN
PWS-FAKER
PWS-FF.DR
PWS-FIXERR
PWS-GEEF
PWS-GFINT
PWS-INSTPIC
PWS-PWCOLLECTER
PWS-PIRT
QDEL373
SPY-KEYLIST
VBS/HACKOOL
VBS/KVPE
VBS/SPLATFLAT
VBS/SPLATFLAT.INTD
VBS/SWADE


NEW REMOVALS

Total number of new items removed with this
release: 94

McAfee software removes a virus either by
deleting the infecting virus code from files or
by deleting the file from your computer.

   NOTE:
   The New Removals list notes when the .DAT
   files do not include the ability to remove
   certain types of viruses. In these cases,
   you must remove the virus yourself, either
   by deleting the infected file or by removing
   harmful code. For more information, see the
   McAfee Virus Information Library at:

      http://vil.nai.com/villib/alpha.asp


BOOT-SECTOR VIRUSES (0)
-----------------------
No new removals

DOS FILE-INFECTING VIRUSES (2)
------------------------------
DSME.DEMO.D
HLLT.9776

INTERNET WORM (16)
------------------
VBS/RENALO.B@MM
VBS/YPSAN@MM
W32/BIBROG.D@MM
W32/DEBORM.DR
W32/DEBORM.WORM
W32/DUCKTEST.WORM
W32/GANDA@MM
W32/GANDA
W32/GIBE.GEN@MM
W32/HOLAR.D@MM
W32/IXAS.B@MM
W32/LAMADO.BAT
W32/LAMADO.HTM
W32/LAMADO@MM
W32/LOVGATE.E@M
W32/YAHA.Q@MM

LINUX/UNIX FILE-INFECTING VIRUSES (1)
-------------------------------------
UNIX/SPAM-SMS.CHUNG

MACRO VIRUSES (4)
-----------------
A97M/ACCESSIV.E
W97M/SOPS.KIT.C
WM/MWVCK.KIT.C
X97M/JAL

MULTIPARTITE VIRUSES (2)
------------------------
CIVIL.MP.6672.K
MATTHEW.MP.3037E

WINDOWS PORTABLE EXECUTABLE FILE VIRUSES (1)
--------------------------------------------
W32/TOSEP

SCRIPT VIRUSES (5)
------------------
BAT/LIBERTE
JS/RONCHA
JS/SPALM.INTD
VBS/NOBLEMAN
VBS/SOMIE

TROJAN HORSE PROGRAMS/MALWARE (63)
----------------------------------
ANALOGX-PROXY.LDR
BACKDOOR-ARB
BACKDOOR-ARD
BACKDOOR-ARF
BACKDOOR-ARH
BACKDOOR-ARI
BACKDOOR-ARL
BACKDOOR-ARL.DR
BACKDOOR-ARN
BACKDOOR-ARO
BACKDOOR-ARO.BAT
BACKDOOR-ARO.DLL
BACKDOOR-ARX
DISKFILL-G
DOWNLOADER-BW.B
DOWNLOADER-BY.DR
EXPLOIT-IIS.IISDIE
EXPLOIT-IIS.CMD
EXPLOIT-MS03-007
FDOS-BAMABOY
FDOS-BLAKBLUD
FDOS-CHIBOY
FDOS-DANDAN
FDOS-DESTINY
FDOS-HASIST
FDOS-IROCSK
FDOS-MEGA
FDOS-MRTYPE
FDOS-ROOMKILL
FDOS-UNABOMB
FDOS-WARPING
FDOS-XOOX
FUD
FUD.CFG
IPCALLER
IRC/FLOOD.BQ
IRC/FLOOD.BR
IRC/FLOOD.BS
IETHIEF.A
IETHIEF.B
JS/PWS-WEBLOG
KIT-PVBSWG
MULTIDROPPER-FM.GEN
MULTIDROPPER-FN
MULTIDROPPER-FN.CFG
PWS-AIMFORGE
PWS-AOLEK
PWS-COUN
PWS-FAKER
PWS-FF.DR
PWS-FIXERR
PWS-GEEF
PWS-GFINT
PWS-INSTPIC
PWS-PWCOLLECTER
PWS-PIRT
QDEL373
SPY-KEYLIST
VBS/HACKOOL
VBS/KVPE
VBS/SPLATFLAT
VBS/SPLATFLAT.INTD
VBS/SWADE


INTERNET.DAT DETECTIONS

The INTERNET.DAT component included with the
.DAT files enables VirusScan anti-virus
software v4.x for Windows 95 and Windows 98 to
detect 130 hostile Java classes and six hostile
ActiveX controls. This list has not changed
from that shown in the README.TXT file that
accompanied the 4050 .DAT file set.


NEW EXTENSIONS

The scan engine now scans files with these
extensions:

none


_______________________________________________
UNDERSTANDING VIRUS NAMES

McAfee anti-virus software typically follows
industry-wide naming conventions to identify
the viruses that it detects and cleans.
Occasionally, some virus names deviate from
strict industry standards.

The first virus with a given set of
characteristics that mark it as a distinctly
new entity receives a "family" name. Virus
researchers draw the family name from some
identifying quirk in the virus, such as a text
string, or a payload effect.

A family name can also include a numeric string
that designates the byte size of the virus.
Researchers use this name as a convenient
shorthand to distinguish among very closely
allied virus variants.

Names for variants within a virus family
consist of the family name and a suffix -
<VIRUS>.A, for example. The suffix designations
continue in alphabetical order until they reach
.Z. At that point, they begin again with .AA
and continue until they reach .AZ. Still later
variants receive the suffix .BA through .BZ,
and so forth, until the suffix designations
reach .ZZ. If yet another variant appears after
that, it would get the suffix .AAA.

As new virus strains appeared, industry naming
conventions evolved to include more
information. Some names, for instance, include
parts that identify the platform on which the
virus can run. Macro viruses, the most
prevalent of the virus types, can have
complex names that consist of a number of
parts.

Among anti-virus vendors, virus names can
include a prefix, an infix and a suffix.


PREFIX

The prefix designates the type of file that the
virus infects or the platform on which it can
run. Viruses that infect DOS executables do not
receive a prefix. McAfee virus names can
include these prefixes:

   A97M/    Macro virus. Infects Microsoft
            Access 97 files
   APM/     Macro virus or Trojan horse
            program. Infects Ami Pro document
            and template files
   BV/      Batch-file virus or Trojan horse
            program. These viruses usually run
            as batch or script files that
            affect a particular program that
            interprets the script or batch
            commands they include. They are
            very portable and can affect nearly
            any platform that can run batch or
            script files. The files themselves
            often have a .BAT extension.
   CSC/     Corel Script virus or Trojan horse
            program. Infects Corel Draw
            document files, template files, and
            scripts.
   HLL/     File-infector virus written in a
            high-level programming language
   HTML/    Script virus. Infects HTML files
   IRC/     Internet Relay Chat script virus.
            This virus type can use early
            versions of the mIRC client
            software to distribute a virus or
            payload
   JS/      JavaScript virus or Trojan horse
            program
   JV/      Java application or applet that
            functions as malicious software.
   JVS/     JavaScript virus or Trojan horse
            program
   O2KM/    Macro virus. Infects Microsoft
            Office 2000 files
   P98M/    Macro virus or Trojan horse
            program. Infects Microsoft Project
            documents and templates.
   PP97M/   Macro virus. Infects Microsoft
            PowerPoint 97 files
   V5M/     Macro or script virus, or Trojan
            horse program. Infects Visio VBA
            (Visual Basic for Applications)
            macros or scripts.
   VBS/     Script virus. Infects Visual Basic
            scripts
   W32/     File-infector or boot-sector virus.
            Runs in 32-bit Windows environments
            (Windows 95, Windows 98 or Windows
            NT)
   WIN/     File-infector virus. Runs in 16-bit
            and 32-bit Windows environments
            (Windows 3.1x, Windows 95, Windows
            98, or Windows NT)
   W95/     File-infector virus. Runs in
            Windows 95 and Windows 98
            environments
   W97M/    Macro virus. Infects Microsoft Word
            97 files
   WM/      Macro virus. Infects Microsoft Word
            95 files
   X97F/    Macro virus. Infects Microsoft
            Excel 97 via Excel formulas
   X97M/    Macro virus. Infects Microsoft
            Excel 97 files
   XF/      Macro virus. Infects Microsoft
            Excel 95 or 97 via Excel formulas
   XM/      Macro virus. Infects Microsoft
            Excel 95 files


INFIX

These designations usually appear in the middle
of a virus name. AVERT assigns these
designations, which will differ from industry
conventions.

   .CMP.    Companion file. This designates a
            companion file that the virus adds
            to an existing executable file.
            McAfee software deletes the
            companion file to prevent later
            infections.

   .MP.     Multi-partite virus. A McAfee
            designation.

   .OW.     Overwriting. This identifies a
            virus that overwrites data in a
            file, thereby irreparably
            corrupting it. This file must be
            deleted.


SUFFIX

These designations usually appear as the last
part of a virus name. A virus name can have
more than one suffix. One might designate a
variant, for example, while others give
additional information. AVERT assigns many of
these designations, which can differ from
industry conventions.

   @MM      Mass mailing distribution. This
            virus might use standard techniques
            to propagate itself, but will also,
            or in some cases primarily, use an
            e-mail system to spread.
   .A to .ZZZ Virus variant designation.
   .APP     Appended viruses. This designates a
            virus that appends its code to the
            file it infects, but fails to
            provide for correct replication.
            McAfee software detects these files
            in order to prevent false virus
            identifications.
   .CAV     Cavity virus. This designates a
            virus that copies itself into
            "cavities" (areas of all zeroes) in
            a program file.
   .CLI     Client-side component of an
            Internet Trojan-horse program.
   .DAM     Damaged file. This designates a file
            damaged or corrupted by
            an infection
   .DR      Dropper file. This file introduces
            the virus into the host program
   .GEN     Generic detection. Native routines
            in McAfee software detect this
            virus without using specific code
            strings
   .GR      Generic detection and removal.
            Native routines in McAfee software
            detect and remove this virus
            without using specific code
            strings
   .INTD    "Intended" virus. This designates a
            virus that has most of the usual
            virus characteristics, but cannot
            replicate correctly. McAfee
            anti-virus software will detect it
            in order to prevent false
            identifications of active viruses
   .SFX     Self-extracting installation
            utility for Trojan horse programs
   .SRC     Viral source code. This ordinarily
            cannot replicate or infect files,
            but some virus droppers add this to
            files as part of the infection
            cycle. McAfee products routinely
            flag files with additional code of
            this sort for deletion
   .SVR     Server-side component of an
            Internet Trojan-horse program.


GENERIC DETECTIONS

When a scanner reports the W97M/Generic@MM or
X97M/Generic@MM driver, it means that the engine
(4070 or later only) has heuristically detected
a highly suspicious VBA macro that is likely to
be a mass-mailing virus. Cleaning for such
viruses is also available but should be done
with extra caution: users are advised to keep
a copy of the file before cleaning and to submit
a sample to AVERT.
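
The naming scheme described above, as an added
example that is not part of the original release
notes or of any McAfee product: Python code that
splits a reported detection name into prefix,
family, infix, suffix and variant. The function
names and the sample names other than
W97M/Generic@MM are assumptions, and the lookup
tables are subsets of the tables in this file.

```python
import re

# Subsets of the PREFIX, INFIX and SUFFIX tables in this README.
PREFIXES = {"W32": "32-bit Windows virus", "VBS": "script virus",
            "W97M": "Word 97 macro virus", "X97M": "Excel 97 macro virus"}
INFIXES = {"CMP", "MP", "OW"}
SUFFIXES = set("APP CAV CLI DAM DR GEN GR INTD SFX SRC SVR".split())
VARIANT = re.compile(r"[A-Z]{1,3}")          # .A to .ZZZ
MASS_MAILER = re.compile(r"@MM", re.IGNORECASE)


def parse_detection(name):
    """Split a detection name into the parts the tables describe."""
    out = {"prefix": None, "type": None, "family": None, "infixes": [],
           "suffixes": [], "variant": None, "unknown": []}
    body, hits = MASS_MAILER.subn("", name.strip())
    if hits:
        out["suffixes"].append("@MM")
    if "/" in body:
        prefix, body = body.split("/", 1)
        out["prefix"] = prefix.upper()
        out["type"] = PREFIXES.get(out["prefix"])
    out["family"], *tokens = body.split(".")
    for tok in (t.upper() for t in tokens if t):
        # Listed designations win: .DR, .OW, .MP also fit .A to .ZZZ.
        if tok in INFIXES:
            out["infixes"].append(tok)
        elif tok in SUFFIXES:
            out["suffixes"].append(tok)
        elif VARIANT.fullmatch(tok) and out["variant"] is None:
            out["variant"] = tok
        else:
            out["unknown"].append(tok)
    return out


def handling_notes(parsed):
    """Handling hints taken from the text of this README."""
    notes = []
    if "OW" in parsed["infixes"]:
        notes.append("overwritten file: must be deleted")
    if parsed["family"].lower() == "generic" and "@MM" in parsed["suffixes"]:
        notes.append("heuristic: keep a copy, submit sample to AVERT")
    return notes


# Constructed sample names, except W97M/Generic@MM (from the text).
for sample in ("W97M/Generic@MM", "W32/Example.OW.B", "vbs/Sample.dr"):
    print(sample, handling_notes(parse_detection(sample)))
```

A two- or three-letter token such as .DR or .OW
is read as the listed designation, not as a
variant, so a variant that happens to share those
letters cannot be told apart from the name alone.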


_______________________________________________
DOCUMENTATION

This product includes the following documents:

1. This README file.

2. A CONTACT file. This file provides a list of
   phone numbers, street addresses, web
   addresses, and fax numbers for Network
   Associates offices in the United States and
   around the world. It also includes contact
   information for services, such as technical
   support, customer service, onsite training,
   the beta program, and AVERT Anti-Virus
   Emergency Response Team.


_______________________________________________
CONTACTING MCAFEE AND NETWORK ASSOCIATES

Technical Support
      http://knowledge.nai.com


McAfee Beta Program
   Beta Web Site
      www.mcafeeb2b.com/beta/

   E-mail
      avbeta@nai.com


AVERT Anti-Virus Emergency Response Team
      www.mcafeeb2b.com/naicommon/avert/default.asp


Download Site
      www.mcafeeb2b.com/naicommon/download/

      ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

   DAT File Updates
      www.mcafeeb2b.com/naicommon/download/dats/find.asp

   Product Upgrades
      www.mcafeeb2b.com/naicommon/download/upgrade/login.asp

      Valid grant number required.
      Contact Network Associates Customer
      Service


On-Site Training Information
      www.mcafeeb2b.com/services/mcafee-training/default.asp


Network Associates Customer Service
   US, Canada, and Latin America toll-free:
   Phone:   +1-888-VIRUS NO or +1-888-847-8766
            Monday - Friday, 8 a.m. - 8 p.m.,
            Central Time

   E-mail:  services_corporate_division@nai.com
   Web:     www.nai.com
            www.mcafeeb2b.com

For additional information on contacting
Network Associates and McAfee (including
toll-free numbers for other geographic areas)
see the CONTACT file that accompanied your
original product release.


_______________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

(c) 2003 Networks Associates Technology, Inc.
All Rights Reserved. No part of this
publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or
translated into any language in any form or by
any means without the written permission of
Networks Associates Technology, Inc., or its
suppliers or affiliate companies. To obtain
this permission, write to the attention of the
Network Associates legal department at: 3965
Freedom Circle, Santa Clara, California 95054,
or call +1-972-308-9960.


TRADEMARKS

Active Firewall, Active Security, Active
Security (in Katakana), ActiveHelp,
ActiveShield, AntiVirus Anyware and design,
Bomb Shelter, Certified Network Expert,
Clean-Up, CleanUp Wizard, CNX, CNX
Certification Certified Network Expert and
design, Design (stylized N), Disk Minder,
Distributed Sniffer System, Distributed Sniffer
System (in Katakana), Dr Solomon's, Dr
Solomon's label, Enterprise SecureCast,
Enterprise SecureCast (in Katakana), Event
Orchestrator, EZ SetUp, First Aid, ForceField,
GMT, GroupShield, GroupShield (in Katakana),
Guard Dog, HelpDesk, HomeGuard, Hunter,
LANGuru, LANGuru (in Katakana), M and design,
Magic Solutions, Magic Solutions (in Katakana),
Magic University, MagicSpy, MagicTree, McAfee,
McAfee (in Katakana), McAfee and design,
McAfee.com, MultiMedia Cloaking, Net Tools, Net
Tools (in Katakana), NetCrypto, NetScan,
NetShield, NetStalker, Network Associates,
NetXray, NotesGuard, Nuts & Bolts, Oil Change,
PC Medic, PCNotary, PrimeSupport, Recoverkey,
Recoverkey - International, Registry Wizard,
ReportMagic, Router PM, Safe & Sound,
SalesMagic, SecureCast, Service Level Manager,
ServiceMagic, SmartDesk, Sniffer, Sniffer (in
Hangul), Stalker, SupportMagic, TIS, TMEG,
Total Network Security, Total Network
Visibility, Total Network Visibility (in
Katakana), Total Service Desk, Total Virus
Defense, Trusted Mail, UnInstaller, Virex,
Virus Forum, ViruScan, VirusScan, WebScan,
WebShield, WebShield (in Katakana), WebSniffer,
WebStalker, WebWall, Who's Watching Your
Network, WinGauge, Your E-Business Defender,
ZAC 2000, Zip Manager are registered trademarks
of Network Associates, Inc. and/or its
affiliates in the US and/or other countries.
All other registered and unregistered
trademarks in this document are the sole
property of their respective owners.

This product includes or may include software
developed by the OpenSSL Project for use in the
OpenSSL Toolkit. (http://www.openssl.org/)

This product includes or may include
cryptographic software written by Eric Young.
(eay@cryptsoft.com)


LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE
APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO
THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE
LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE
GRANT OR PURCHASE ORDER DOCUMENTS THAT
ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU
HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT
CD, OR A FILE AVAILABLE ON THE WEB SITE FROM
WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF
YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH
IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE.
IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
NETWORK ASSOCIATES, INC. OR THE PLACE OF
PURCHASE FOR A FULL REFUND.



