21A08.TXT - Description file for 21A08.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
June 1, 1993
******************************************************************

Instructions for loading virus definitions, using Norton AntiVirus
version 2.1:

[The NAV definition update installation instructions are also
available on this disk in French, German, Italian, Swedish, and
Spanish.  Please reference the appropriate file.]

1)   Run Virus Clinic by typing NAV at the DOS prompt or clicking
on the NAV Icon from within Windows.

2)   Select "Cancel," or press <Esc> to bypass the "Scan Drives"
Screen.

3)   Select the "Definitions" menu.

4)   Select "Load from File..."

5)   If the name of the drive and directory to which you loaded the
definition file does not appear on the "Directory:" line, change to
the proper drive and directory.  The name of the definition file
should appear in the "Files" window.

6)   Select the definition file, click "OK," or press <Enter>.

7)   After the definitions have loaded, press <Enter> to exit from the
"Load Definition File Results" screen.

8)   Select "Exit" from the "Scan" menu.

9)   Reboot your computer to activate the new definitions.

******************************************************************

Note for users who are not updated through Corporate Channels:

After updating your definitions, if every file is identified as
being infected with "MtE", don't panic.  You probably do not have
a virus.  Please download the patch file, PTCH1A.ZIP (available
through CompuServe and the Symantec BBS), unzip the file, follow
the instructions included in the readme file, and then load these
definitions again.

If you are unable to download this patch file, or are still
experiencing problems after using it, please contact Symantec
Technical Support.

******************************************************************

4-Res
4-Res is a direct action appending virus that infects both COM and
EXE files.  It specifically targets COMMAND.COM on A: and C:. Each
of the COMMAND.COM files has priority for infection.  If they are
already infected or cannot be found, the first uninfected file in
the current directory will be infected.  Infected files grow by
approximately 1050 (1049) bytes.  Infected files can also be
identified by the characters "4RES" at the last four bytes of the
file, which the virus also uses to determine if it has already
infected the target file.

On any Monday the first, the virus will cause the system to crash.

4-Res can be repaired by NAV.
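The "4RES" trailer described above is the marker 4-Res uses to recognize files it has already infected, which also makes it a simple file-level indicator for defenders.  The following read-only scanner is an added example, not part of this description file or of NAV; it builds a few constructed sample files in a temporary directory so it runs offline, and the CLEAN.COM, COMMAND.COM, NOTES.TXT and TINY.EXE names are assumptions made for the demonstration.

```python
import os
import tempfile

MARKER = b"4RES"   # last four bytes of a 4-Res infected file, per the description above


def has_4res_marker(path):
    """Return True if the last four bytes of the file are '4RES'.

    Files shorter than four bytes cannot carry the marker and are reported
    clean.  The check only reads the file; it never modifies it.
    """
    size = os.path.getsize(path)
    if size < len(MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(MARKER))
        return fh.read(len(MARKER)) == MARKER


def scan_directory(directory):
    """Return the sorted list of .COM/.EXE files under directory carrying the marker."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.upper().endswith((".COM", ".EXE")):
                full = os.path.join(root, name)
                if has_4res_marker(full):
                    hits.append(full)
    return sorted(hits)


def build_sample_tree():
    """Create constructed sample files (not real virus code) to exercise the scanner."""
    d = tempfile.mkdtemp(prefix="fourres_")
    # Clean COM file: a JMP stub followed by filler bytes.
    with open(os.path.join(d, "CLEAN.COM"), "wb") as fh:
        fh.write(b"\xe9\x00\x00" + b"\x90" * 20)
    # Stand-in for an infected host: same stub, dummy padding, marker at the end.
    with open(os.path.join(d, "COMMAND.COM"), "wb") as fh:
        fh.write(b"\xe9\x00\x00" + b"\x90" * 20 + b"\x00" * 1045 + MARKER)
    # Data file ending in the marker is skipped because it is not a COM/EXE.
    with open(os.path.join(d, "NOTES.TXT"), "wb") as fh:
        fh.write(b"text 4RES")
    # Too short to hold the marker; must be reported clean, not raise.
    with open(os.path.join(d, "TINY.EXE"), "wb") as fh:
        fh.write(b"MZ")
    return d


if __name__ == "__main__":
    for hit in scan_directory(build_sample_tree()):
        print("4-Res marker found:", hit)
```

Absence of the marker does not prove a file is clean, since other viruses (or a modified 4-Res) use different markers; treat a hit as a reason to scan with current definitions from a clean boot.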

-----

PS-MPC (Abraxas)
Another virus created by the PS-MPC virus generation tool, Abraxas
is a direct action infector of COM and EXE files.  One COM or EXE
file in the current directory is infected with each invocation of
an infected file.  If all files in the current directory are
already infected, the virus will infect other directories including
the root directory.

Infected files grow by approximately 550 (546) bytes.  Virus code
is appended to the end of the target file.  The virus intercepts
INT 24h during execution to hide critical errors that might occur
during its attempts to infect files.  It also checks certain values
internal to the virus to determine if the file is already infected.

Abraxas attempts to overwrite 100h sectors of the current drive
starting at logical sector zero using INT 26h.  This will have no
effect on systems using partitions larger than 32Meg.

Abraxas can be repaired by NAV.

-----

Tremor
Tremor is rampant in Germany and the surrounding areas!

Tremor is a memory resident infector of COM and EXE files.  The virus
is encrypted.  The decrypting code is highly polymorphic.  Infected
files grow by exactly 4000 bytes with the viral code being added to the
end of the file.  If in memory, the size increase will not be seen by a
directory listing.  In addition, infected files will appear to be clean
if the virus is in memory.

An infected system will see a noticeable slowdown with screen output,
especially from a DIR.

The virus intercepts INT 1 (to discourage debugging), and INTs 13h, 15h,
and 21h to propagate.  The DOS function F1h is used by the virus for
self-identification in memory.  Though this function is used by Novell,
there does not appear to be any conflict.  The virus looks for the
value DEADh at a specific offset into a file to determine if it has
already infected the file.  In infecting COM files, Tremor will only
infect those that start with an E9h (jump instruction).

No special destructive code was found in the virus.

Lastly, Tremor specifically targets VSAFE.  It issues a command
which effectively turns it off.

Due to the complicated encryption, infected files cannot be repaired.

-----

(Note: File size growth is given in approximate numbers.  If a number is
enclosed in parentheses, that number would be the growth of one of the more
common variants.  As it is too easy for a virus writer to alter this number
without changing the virus significantly, do not depend on the more precise
number.  It is provided for your confidence should you encounter it, which
we hope never happens.)
