VIREX

Release Notes for McAfee Virex Version 6.2 Virus Update
Copyright © 2007 McAfee, Inc. All Rights Reserved.

================================================
Virus Update Release: August 1, 2007
- DAT Version: 5078
- Engine Version: 4.2.40
================================================

IMPORTANT: Due to licensing issues, Virex 6.2 does not contain the SpeedScan or Snapshot functionality that existed in Virex 6.1. The removal of those features in Virex 6.2 affects the scanning performance so that it now compares to Virex 6.1 with the SpeedScan feature turned off. This software does not work with Virex 7.0 or later for Apple Macintosh OS X or later.

WHAT'S IN THIS FILE?

- What Is a Virus Update File?
- New Features
- Installation
  - Using eUpdate to install virus update files
  - Installing Virus Update Files Directly
  - Issues Related to Installation
- New Viruses Detected and Removed
- Generic Detection and Cleaning
- Understanding Virus Names
  - Prefix
  - Infix
  - Suffix
- Documentation
- Contacting McAfee and Network Associates
- Copyright and Trademark Attributions
  - Trademarks
  - License Agreement

WHAT IS A VIRUS UPDATE FILE?

Virus Update files contain up-to-date virus signatures and other information for Virex to use to protect your computer against the thousands of computer viruses in circulation and against the hundreds of new viruses that emerge between updates. McAfee releases new Virus Update files each month. To protect yourself against these virus threats, download and install the latest Virus Update file every month.

NEW FEATURES

The v4240 engine update includes this enhancement and new feature:

- Improved scanning capabilities
- Streamlined code for improving efficiency and scanning

INSTALLATION

Network Associates distributes Virus Update files as StuffIt archives.
These come in two forms: a BinHexed VX070801.HQX file, and as VX070801.UPD, a straight archive file suitable for use with the eUpdate feature in Virex anti-virus software v6.2.

USING EUPDATE TO INSTALL VIRUS UPDATE FILES

If you use the eUpdate feature in the Virex v6.2 software, the software itself will download, extract, and install the Virus Update file. Although this works quite well for individual Macintosh computers, Network Associates recommends a different approach for medium and large networks.

With this method, you use a web browser or FTP client software to download the VX070801.UPD file directly from the Network Associates FTP site. You then post the file to a central server on your network and configure all of your client computers to download the VX070801.UPD file from that central server via FTP or AppleTalk, depending on your preference or your network configuration. This allows you to control when all updates occur, to reduce network traffic on your servers, to reduce your security risks from outside your network, and to take best advantage of Network Associates server bandwidth. For more details, see the Virex User's Guide stored on the Virex CD or disc image.

INSTALLING VIRUS UPDATE FILES DIRECTLY

To install Virus Update files directly on to each of your client Macintosh computers, download the VX070801.HQX file from the Network Associates website or FTP site, then extract the files for installation. To do so, you'll need a copy of StuffIt Expander, StuffIt Lite, or another utility that can read and process files saved in StuffIt format. You can download the utilities you need from most electronic services. Most browser software also includes a plug-in version of StuffIt Expander that can extract the files automatically, as soon as you download them.

NOTE: If you have Virex anti-virus software v6.2 installed, you can use its eUpdate feature to download and install new Virus Update files automatically.
To learn how to do so, see the Virex User's Guide.

To install the Virus Update file, download or copy the compressed file to your Macintosh desktop or to a temporary folder on your hard disk. Next, follow these steps:

1. Start your compression application, then use it to open and extract the Virus Definitions 2007-08-01.sit file. If you have a copy of StuffIt Expander on your desktop, you can simply drag the Virus Definitions file on top of StuffIt Expander to have the file extract automatically.
2. The extracted file will appear on your hard disk with the name Virus Definitions 2007-08-01. Double-click this file to start Virex. Virex will ask you to confirm that you want to update your Virus definitions file.
3. Click Update to continue. Virex will tell you when it has finished updating your file.
4. Click OK to return to the Virex application's main window, where you can immediately start a new scan operation.

In the lower left corner of its main window, the Virex application displays the legend Virus Definitions, followed by a date. This date marks the day Network Associates produced or designated this update file for release. For the August 1, 2007 Virus Update, this date is 08/01/07. The specific format of the date shown will depend on how you have your computer set to display dates.

NEW VIRUSES DETECTED AND REMOVED

Hundreds of new viruses and variants appear each month. Those which are detected and cleaned by AVERT's generic methods are added to the total virus count but they are not listed separately here.

IMPORTANT NOTE

This Virus Update file functions only with Virex v6.2. You cannot use this Virus Update file with earlier Virex versions or with Virex 7.0.

GENERIC DETECTION AND CLEANING

AVERT has developed a Generic Detection and Cleaning technique, which means that although our documentation may indicate that the number of new viruses added each release is falling, we are in fact dealing with more viruses and Trojans than ever before.
This generic detection is being constantly updated, so users will still need to download regular updates as before.

With the development of the generic techniques in our scanner, we reached a situation when the great majority of new macro viruses, script viruses, worms and Trojans are detected and cleaned before we receive the sample and even before they are written. For example, in October 2001, users of all currently supported engines (4.0.70 or later) have benefited from VBA generic capabilities delivered in the Virex updates. So users of these engines benefit from automatic detection and cleaning of over 90% of new and not yet known macro viruses. That is why the number of macro viruses added to the monthly updates (reported in the appropriate section of the README.TXT file) has gone down. We want to assure you that AVERT researchers process every single virus that we receive and make sure we detect everything worth detecting.

UNDERSTANDING VIRUS NAMES

Network Associates anti-virus software typically follows industry-wide naming conventions to identify the viruses that it detects and cleans. Occasionally, some virus names deviate from strict industry standards.

The first virus with a given set of characteristics that mark it as a distinctly new entity receives a "family" name. Virus researchers draw the family name from some identifying quirk in the virus--a text string, perhaps, or a payload effect. Names for variants of that first virus consist of the family name and a suffix--.A, for example. The suffix designations continue in alphabetical order until they reach .Z. At that point, they begin again with .AA and continue until they reach .AZ. Still later variants receive the suffix .BA through .BZ, and so forth, until the suffix designations reach .ZZ. If yet another variant appears after that, it would get the suffix .AAA.

As new virus strains appeared, industry naming conventions evolved to include more information.
Some names, for instance, include parts that identify the platform on which the virus originated or can run. Macro viruses, the most prevalent of the virus types, can have complex names that consist of a number of parts. Although the virus name might identify the platform of origin, most macro viruses are cross-platform and can run in a number of different environments. The effects of a virus infection can vary between platforms, but in a networked environment, what might have no effect on one platform can do severe damage in another. Among anti-virus vendors, virus names can include:

PREFIX

The prefix designates the type of file that the virus infects or the platform on which it can run. Network Associates virus names can include these prefixes:

A97M/   Macro virus. Infects Microsoft Access 97 files
CSC/    Corel Script virus. Infects Corel Draw scripts
HLL/    File-infector or boot-sector virus. Written in a high-level
        programming language
HTML/   Script virus. Infects HTML files
IRC/    Internet Relay Chat script virus. This virus type can use early
        versions of the mIRC client software to distribute a virus or
        payload
JS/     JavaScript virus or Trojan horse program
O2KM/   Macro virus. Infects Microsoft Office 2000 files
PP97M/  Macro virus. Infects Microsoft PowerPoint 97 files
VBS/    Script virus. Infects Visual Basic scripts
W32/    File-infector or boot-sector virus. Runs in 32-bit Windows
        environments (Windows 95, Windows 98 or Windows NT)
WIN/    File-infector virus. Runs in 16-bit and 32-bit Windows
        environments (Windows 3.1x, Windows 95, Windows 98, or Windows NT)
W95/    File-infector or boot-sector virus. Runs in Windows 95 and
        Windows 98 environments
W97M/   Macro virus. Infects Microsoft Word 97 files
WM/     Macro virus. Infects Microsoft Word 95 files
X97F/   Macro virus. Infects Microsoft Excel 97 via Excel formulas
X97M/   Macro virus. Infects Microsoft Excel 97 files
XF/     Macro virus. Infects Microsoft Excel 95 or 97 via Excel formulas
XM/     Macro virus.
        Infects Microsoft Excel 95 files

INFIX

These designations usually appear in the middle of a virus name. Network Associates assigns these designations, which will differ from industry conventions.

.CMP.       Companion file. This designates a companion file that the virus
            adds to an existing executable file. Network Associates software
            deletes the companion file to prevent later infections
.MP.        Multi-partite virus. A Network Associates designation
.OW.        Overwritten. This identifies a file irreparably corrupted when a
            virus overwrote data within it. This file must be deleted.

SUFFIX

These designations usually appear as the last part of a virus name. A virus name can have more than one suffix. One might designate a variant, for example, while others give additional information. Network Associates assigns many of these designations, which can differ from industry conventions.

@MM         Mass mailing distribution. This virus might use standard
            techniques to propagate itself, but it will also, or in some
            cases primarily, use an e-mail system to spread
.A to .ZZZ  Virus variant designation
.APP        Appended viruses. This designates a virus that appends its code
            to the file it infects, but that fails to provide for correct
            replication. Network Associates software detects these files in
            order to prevent false virus identifications
.CAV        Cavity virus. This designates a virus that copies itself into
            "cavities" (areas of all zeroes) in a program file.
.CLI        Client-side component of an Internet Trojan-horse program.
.DAM        Damaged file. This designates a file damaged or corrupted by an
            infection
.DR         Dropper file. This file introduces the virus into the host
            program
.GEN        Generic detection. Native routines in Network Associates
            software detect this virus without using specific code strings
.GR         Generic detection and removal. Native routines in Network
            Associates software detect and remove this virus without using
            specific code strings
.INTD       "Intended" virus.
            This designates a virus that has most of the usual virus
            characteristics, but cannot replicate correctly. Anti-virus
            software will detect it in order to prevent false
            identifications of active viruses
.SVR        Server-side component of an Internet Trojan-horse program.

DOCUMENTATION

This update includes the following documentation set:

- The Virus Update Read Me file that installs within the Virex folder.

A README.TXT version of the Virus Update Read Me file is available from the McAfee DAT File Updates site. See "Contacting McAfee and Network Associates" for the URL.

CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES

Technical Support
  Home Page
    http://www.networkassociates.com/us/support/
  KnowledgeBase Search
    https://knowledgemap.nai.com/phpclient/homepage.aspx
  PrimeSupport Service Portal
    http://mysupport.nai.com
    Login credentials required.

McAfee Security Beta Program
  Beta Web Site
    http://www.networkassociates.com/us/downloads/beta/
  E-mail
    avbeta@nai.com

Security Headquarters -- AVERT (Anti-Virus Emergency Response Team)
  Home Page
    http://www.networkassociates.com/us/security/home.asp
  Virus Information Library
    http://vil.nai.com
  Submit a Virus Sample / AVERT WebImmune
    https://www.webimmune.net/default.asp
  AVERT DAT Notification Service
    http://vil.nai.com/vil/join-DAT-list.asp

Download Site
  Home Page
    http://www.networkassociates.com/us/downloads/
  DAT File and Engine Updates
    http://www.networkassociates.com/us/downloads/updates/
    ftp://ftp.nai.com/pub/antivirus/datfiles/mac/virex62
  Product Upgrades
    https://secure.nai.com/us/forms/downloads/upgrades/login.asp
    Valid grant number required. Contact Network Associates Customer Service

Training
  McAfee Security University
    http://www.networkassociates.com/us/services/education/mcafee/university.htm

Network Associates Customer Service
  US, Canada, and Latin America toll-free:
  Phone:  +1-888-VIRUS NO or +1-888-847-8766
          Monday - Friday, 8 a.m. - 8 p.m., Central Time
  E-mail: services_corporate_division@nai.com
  Web:    http://www.nai.com/us/index.asp
          http://www.networkassociates.com/us/index.asp

For additional information on contacting Network Associates and McAfee Security -- including toll-free numbers for other geographic areas -- see the contact information that is available at the end of the Virex Help file.

COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright (C) 2007 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARKS

Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon's, Dr Solomon's label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in
Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, SecurityShield, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who's Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE.
IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

- Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
- Cryptographic software written by Eric Young and software written by Tim J. Hudson.
- Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
- Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
- Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. All rights reserved.
- Software written by Douglas W. Sauder.
- Software developed by the Apache Software Foundation (http://www.apache.org/).
- International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. All rights reserved.
- Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
- FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
- Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
- Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
- Software copyrighted by Expat maintainers.
- Software copyrighted by The Regents of the University of California, (C) 1989.
- Software copyrighted by Gunnar Ritter.
- Software copyrighted by Sun Microsystems(C), Inc.
- Software copyrighted by Gisle Aas. All rights reserved, (C) 1995-2003.
- Software copyrighted by Michael A. Chase, (C) 1999-2000.
- Software copyrighted by Neil Winton, (C) 1995-1996.
- Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
- Software copyrighted by Sean M. Burke, (C) 1999, 2000.
- Software copyrighted by Martijn Koster, (C) 1995.
- Software copyrighted by Brad Appleton, (C) 1996-1999.
- Software copyrighted by Michael G. Schwern, (C) 2001.
- Software copyrighted by Graham Barr, (C) 1998.
- Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
- Software copyrighted by Frodo Looijaard, (C) 1997.

THIRD PARTY LICENSED SOFTWARE

The following software components are licensed for use with McAfee Virex 6.2.

Portions of Virex use Aladdin Software: Copyright 1990-1999 by Aladdin Systems, Inc.

THESE SOFTWARE COMPONENTS ARE USED "AS IS". THEY SHOULD NOT BE REUSED OR REDISTRIBUTED BY THE USERS OR PURCHASERS OF VIREX.

PATENT INFORMATION

Protected by US Patents 6,006,035; 6,029,256; 6,035,423; 6,151,643; 6,230,288; 6,266,811; 6,269,456; 6,457,076; 6,496,975; 6,542,943; 6,594,686; 6,611,925; 6,622,150; 6,663,000; 6,668,289.

V2.3.1 DBN-001-EN
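
Added example, not part of the McAfee release notes: Python that parses detection names written in the convention described under UNDERSTANDING VIRUS NAMES and orders variants by the .A, .Z, .AA, .ZZ, .AAA sequence, which plain string sorting gets wrong. The function names, the placeholder family "Sample" and the rule that a dotted part matching a listed tag is read as that tag are assumptions of this example.

```python
import re

# Tags transcribed from the PREFIX, INFIX and SUFFIX lists in these notes.
PREFIXES = {"A97M", "CSC", "HLL", "HTML", "IRC", "JS", "O2KM", "PP97M", "VBS",
            "W32", "WIN", "W95", "W97M", "WM", "X97F", "X97M", "XF", "XM"}
INFIXES = {"CMP", "MP", "OW"}
SUFFIXES = {"APP", "CAV", "CLI", "DAM", "DR", "GEN", "GR", "INTD", "SVR"}
VARIANT_RE = re.compile(r"[A-Z]{1,3}")  # .A to .ZZZ

def variant_ordinal(variant):
    """Release position of a variant: A=1 ... Z=26, AA=27 ... ZZ=702, AAA=703."""
    n = 0
    for ch in variant.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n

def next_variant(variant):
    """Designation that follows `variant` (.Z -> .AA, .AZ -> .BA, .ZZ -> .AAA)."""
    n, out = variant_ordinal(variant) + 1, ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        out = chr(ord("A") + rem) + out
    return out

def parse_name(name):
    """Split a name into prefix, family, infix, variant and suffix tags."""
    # Assumption: a dotted part equal to a listed infix or suffix tag is read as
    # that tag, although .DR or .MP could also be variants; the notes do not
    # say how the two are told apart.
    text = name.strip()
    prefix, slash, rest = text.partition("/")
    if not slash:
        prefix, rest = "", text          # names are not required to carry a prefix
    elif prefix.upper() not in PREFIXES:
        raise ValueError(f"unknown prefix in {name!r}")
    mass_mailer = rest.upper().endswith("@MM")
    if mass_mailer:
        rest = rest[:-3]
    family, *parts = rest.split(".")
    if not family:
        raise ValueError(f"no family name in {name!r}")
    parsed = {"prefix": prefix.upper(), "family": family, "infix": None,
              "variant": None, "tags": [], "mass_mailer": mass_mailer}
    for part in (p.upper() for p in parts):
        if part in INFIXES and parsed["infix"] is None:
            parsed["infix"] = part
        elif part in SUFFIXES:
            parsed["tags"].append(part)
        elif VARIANT_RE.fullmatch(part) and parsed["variant"] is None:
            parsed["variant"] = part
        else:
            raise ValueError(f"unrecognised part .{part} in {name!r}")
    return parsed

def sort_by_variant(names):
    """Order names by family, then by variant age rather than string order."""
    def key(name):
        p = parse_name(name)
        return (p["family"].lower(), variant_ordinal(p["variant"] or ""))
    return sorted(names, key=key)

# Constructed sample names; "Sample" is a placeholder family, not a real detection.
SAMPLES = ["W97M/Sample.AA@MM", "W97M/Sample.Z", "W97M/Sample.B.GEN",
           "W97M/Sample.AAA"]
```

Calling sort_by_variant(SAMPLES) puts .B first and .AAA last, whereas sorted(SAMPLES) would place .AA and .AAA ahead of .B.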