Release Notes for the SuperDAT Package Installer Version 1.8.0 (c) 1992-2004 Networks Associates Technology, Inc. All Rights Reserved =============================================== Thank you for using the SuperDAT Package Installer. This file contains important information about this release. We recommend that you read the entire document. You must have a current PrimeSupport agreement in order to be entitled to download product updates and upgrades, including engine and DAT updates. By downloading any of these files, you acknowledge that you currently have a valid PrimeSupport agreement with Network Associates. _______________________________________________ WHAT'S IN THIS FILE - What are DAT Files? - What is the SuperDAT Package Installer? - What is an XDAT File? - When to use the SuperDAT Package Installer - Supported McAfee Products - New Engine Features - Using the SuperDAT Package Installer for Updates and Upgrades - About the Package Installer - Installing DAT Files and Engine Files - Running the SuperDAT Package Installer - Command-Line Options - Distributing SuperDAT Files Via Network Management Software - Modifying the SuperDAT Package to Work with AutoUpgrade - Files included with this SuperDAT Package - Testing your installation - Known Issues - New Viruses Detected and Removed - Understanding Virus Names - Prefix - Prefix for Trojan-horse Classes - Infix - Suffix - Generic Detections - Heuristic Detections - Application Detections - Documentation - Contacting McAfee Security & Network Associates - Copyright and Trademark Attributions - Trademarks - License Agreement _______________________________________________ WHAT ARE DAT FILES? Virus definition, or DAT, files contain up-to-date virus signatures and other information that our anti-virus products use to protect your computer against thousands of computer viruses and other potentially harmful software in circulation. Hundreds of new threats appear each month. Every week, we release new DAT files. We also release new DAT files when any threat is assessed by AVERT to have a medium or higher risk. To ensure that your anti-virus software can protect your system or network against the latest threats, you must download and install the latest DAT files. For their location, see "CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES". _______________________________________________ WHAT IS THE SUPERDAT PACKAGE INSTALLER? New and complex viruses can sometimes require an upgrade to the virus-scanning engine in your anti-virus software in order to respond properly to infections. Often, this required a complete product release. However, with the SuperDAT Package Installer, we provide you with a complete application that installs the virus-scanning engine and DAT files that your anti-virus software uses to detect and clean virus-infected files. The SuperDAT Package Installer minimizes the need for complex software deployments each time you receive upgrade components. It takes care of shutting down any active anti-virus scans, services, or other memory-resident software components that might interfere with your updates. The installer then copies the new files to their proper locations and enables your anti-virus software to use them immediately. The file includes the DAT files plus a program that installs them. It might also include a new virus-scanning engine and other program components. The file has a name of the format SDAT4316.EXE, where 4316 is the four-digit DAT version number such as 4321. _______________________________________________ WHAT IS AN XDAT FILE? This file has a name of the format 4316XDAT.EXE, where 4316 is the four-digit DAT version number such as 4321. The package installs updated DAT files for your anti-virus products. In a similar way to the SuperDAT Package Installer, it shuts down any active anti-virus scans, services, or other memory-resident software components that might interfere with your updates. It then copies the new files to their proper locations and enables your anti-virus software to use them immediately. However, the XDAT package updates ONLY your DAT files. So, you can download this package if you already have a current virus-scanning engine and you want to save time and bandwidth. This installer supports the same platforms and products as the SuperDAT Package Installer. _______________________________________________ WHEN TO USE THE SUPERDAT PACKAGE INSTALLER We recommend that you use the SuperDAT Package Installer to update and upgrade all supported anti-virus software versions. Although you can continue to use other update or upgrade methods, the SuperDAT Package Installer provides the easiest and most effective method. If you prefer to update only your DAT files and you want to download a smaller package, use the XDAT file instead. _______________________________________________ SUPPORTED MCAFEE PRODUCTS 1. End-node Solutions - NetShield for Microsoft Windows NT/2000 version 4.5 and later - PortalShield 1.0 - VirusScan Enterprise 7.0 - VirusScan Retail and VirusScan Professional 6.0, 6.01, 6.02, and later - VirusScan for Microsoft Windows 95/98 version 4.5 and later - VirusScan for Microsoft Windows NT/2000 version 4.5 and later - VirusScan TC for Microsoft Windows 95/98/NT/2000 version 6.0 and later - VirusScan TC 6.0 and 6.1 2. Gateway Solutions - GroupShield 4.x for Microsoft Exchange 5.5 - GroupShield 4.x for Microsoft Exchange 2000 - GroupShield 5.x for Microsoft Exchange 5.5 - GroupShield 5.x for Microsoft Exchange 2000 - GroupShield 6 for Microsoft Exchange 2000 - GroupShield 5.x for Lotus Domino – Intel - GroupShield 5.3 for Lotus Domino - WebShield SMTP 4.5 MR1a _______________________________________________ NEW ENGINE FEATURES - Support for Microsoft Office 2003 XML documents - Improved support for RAR formats - Updated support for latest ZIP file formats - Improved support for corrupt ZIP files _______________________________________________ USING THE SUPERDAT PACKAGE INSTALLER FOR UPDATES AND UPGRADES ABOUT THE PACKAGE INSTALLER The SuperDAT Package Installer is a standard application that you can double-click to start from within Microsoft Windows. The Windows 95, Windows 98, Windows ME, Windows NT, and Windows 2000 versions of the installer include a ‘wizard’. You follow the instructions in the panels to update your files. IMPORTANT: In order to upgrade the virus-scanning engine for NetShield anti-virus software for Microsoft Windows NT and VirusScan anti-virus software for Microsoft Windows NT, you MUST log on to the target computer with Administrator-level rights. If you log on to a target computer with only user-level rights, the SuperDAT Package Installer will NOT upgrade the virus-scanning engine. If you cannot log on to the target computer as an Administrator directly, you can instead use the AutoUpgrade feature included with these software products to schedule an upgrade task. AutoUpgrade uses Administrator rights when it runs a scheduled update task, but it will not use Administrator rights if you click the Update Now button. See "Modifying the SuperDAT Package to Work with AutoUpgrade" later in this file for more information. INSTALLING DAT FILES AND ENGINE FILES We distribute updates for the DAT files and engine files in a compressed format to reduce transmission time. With the SuperDAT Package Installer, these updates come packaged in a single executable file. The file has a name of the format SDAT4316.EXE, where 4316 is the four-digit DAT version number such as 4321. To prepare the SuperDAT Package Installer to update or upgrade your anti-virus software, create a temporary directory on your hard disk, then download the SDAT file from the Network Associates web site to this directory. You do not need to uncompress the file or take any other action to prepare it to run. RUNNING THE SUPERDAT PACKAGE INSTALLER Locate the program icon for the SuperDAT Package Installer, then double-click it to start the installation wizard. Follow the instructions to update your anti-virus software. NOTE: When the SuperDAT Package Installer has finished running, you may delete it from your hard disk, unless you want to keep a copy available for further update or upgrade operations. You can also run the installer from a command-line prompt, along with several options. See "Command Line Options" later in this file to learn what each option does. To run the SuperDAT Package Installer from a command prompt: 1. Click Start in the Microsoft Windows taskbar, then choose Run. 2. Type X:\SDAT4316.EXE in the Run dialog box, along with any options you want to use. Here, X: represents the drive and the path to the location where you stored the file, and 4316 represents the four-digit DAT version number, such as 4321. 3. Click OK. 4. The installer will run with the options you specify. NOTE: Some of the options do not run the installer itself; rather they provide information or extract package files. See "Command Line Options" for details. COMMAND-LINE OPTIONS The SuperDAT Package Installer has several options you can use to specify different update methods or to get information: /logfile This option tells the installer to save a log file with the file name you specify and in the location you specify. By default, the SuperDAT Package Installer creates a log file in the current working directory. Use this option to create a log file elsewhere on your hard disk. /prompt This option tells the installer to display only the Shut Down Windows dialog box when it has updated or upgraded your software. Use this option with /silent. /silent This option runs the update silently. No dialog boxes appear. /reboot If you use this option with the /silent option, the installer will restart the target computer, but only if the installer must do so in order to complete all file replacements. If you do not use this option from the command line, or do not include a similar command in your update script, the installer will NOT restart your computer. NOTE: To start using new update files immediately, some of our anti-virus products require you to restart the target computer. Others do not. Whether the installer will actually restart your computer when you use this option depends on the following: - Your anti-virus software, the platform, and the operating system. - The program components you have running when you start the installer. - The engine you have already installed. If the installer does not need to restart your computer in order to use its new files immediately, it will not do so. /e This option tells the installer to extract the files from the SuperDAT package to the directory you specify in . Use this option to validate the files from the package. This option does NOT run the installer or cause it to update your software. If you do not specify a , the installer extracts its contents to the current working directory. /v This option displays validation information for the installer on Microsoft Windows 95, Windows 98, Windows ME, Windows NT and Windows 2000 systems. This information includes the file version, time stamps drawn from the files themselves, and cyclical redundancy check (CRC) validation codes. You can compare this data with that in the SDATPACK.LST file that comes with the SuperDAT package. This option does NOT run the installer or cause it to update your software. /f This option tells the installer to use the files in its current package to update and upgrade your software, regardless of the file versions you have already installed. Use this option to "force" an update to the current file versions in order to overwrite corrupted files or enforce your anti-virus security policies. /? This option displays an description of the command-line options available for the installer. It does NOT run the installer or cause it to update your software. DISTRIBUTING SUPERDAT FILES VIA NETWORK MANAGEMENT SOFTWARE If you use our AutoUpgrade or Microsoft System Management Server (SMS) to distribute updates and upgrades, you can download package description files or script files necessary to distribute the update or upgrade package from our web site. Here, you will find these separate archive files for each type of distribution utility: SMS.ZIP Package definition (.PDF) files for use with System Management Server. AUTOUPG.ZIP Package description files for use with AutoUpgrade. MODIFYING THE SUPERDAT PACKAGE TO WORK WITH AUTOUPGRADE You must modify the SuperDAT package in order to use it with AutoUpgrade that comes with our anti-virus software. 1. Rename the file SDAT4316.EXE (for example SDAT4321.EXE) to SETUP.EXE. 2. Download the file AUTOUPG.ZIP from the Network Associates web site. NOTE: AUTOUPG.ZIP contains the file PKGDESC.INI. Extract PKGDESC.INI from the .ZIP archive, then copy both the extracted file and SETUP.EXE file to the server from which you want other computers on your network to download updated files. Both PKGDESC.INI and SETUP.EXE must be present for AutoUpgrade to download the update files correctly. If your upgrade server runs UNIX or another case-sensitive operating system, verify that you have named the PKGDESC.INI file correctly. A lower-case filename, pkgdesc.ini is expected by the AutoUpdate version in VirusScan anti-virus software for Microsoft Windows 95, Windows 98, Windows ME, Windows NT Workstation 4.0, and Windows 2000 Professional. An upper-case filename, PKGDESC.INI is expected by NetShield and version 4.0.3 of VirusScan anti-virus software for Microsoft Windows NT. 3. Create and copy a SETUP.ISS file into the directory from which you tell AutoUpgrade to download new files. SETUP.ISS is a simple text file that governs how AutoUpgrade upgrades or updates your software. You can use any standard text editor to create and save this file. If you do not want to specify any configuration options, you can simply create a zero-byte SETUP.ISS file. IMPORTANT: AutoUpgrade versions that come with version 4.0.3 anti-virus products require a SETUP.ISS file to run, whether or not the file contains any configuration options. AutoUpgrade versions that come with the version 4.5 product series (with the exception of NetShield 4.5) do not require a SETUP.ISS file to run. To specify configuration options in your SETUP.ISS file, use the following example to learn which options you may use. You can cut and paste this example directly into a text file, then edit and save the file as SETUP.ISS. [SuperDATOptions] bReboot=1 bPrompt=1 szLogFile=C:\temp\mylog.txt Here is a description of each statement in the file: - bReboot=1 This statement tells the SuperDAT Package Installer to restart the target computer if it must do so in order to finish updating or upgrading your anti-virus software. If you do not want the target computer to restart after it updates your files, set the value of bReboot= to zero, or remove the statement from SETUP.ISS. NOTE: If you do not tell the SuperDAT Package Installer to restart the target computer, either with this statement in the SETUP.ISS file, from the command line, or in an update script, it will NOT do so under any circumstances. To start using new update files immediately, some of our anti-virus products require you to restart the target computer. Others do not. Whether the SuperDAT Package Installer will actually restart your computer when you include this statement in the SETUP.ISS file depends on the following: - The anti-virus software you have installed, the platform, and the operating system. - The program components you have running when you start the SuperDAT Package Installer. - The DAT file version and the engine you have already installed. If the installer does not need to restart your computer in order to use its new files immediately, it will not do so, whether you include this statement or not. - bPrompt=1 This tells the SuperDAT Package Installer to display only the Shut Down Windows dialog box when it has updated or upgraded your software. - szLogFile= This option tells the SuperDAT Package Installer to save a log file with the file name you specify and in the location you specify. By default, the SuperDAT Package Installer creates a log file in the current working directory. FILES INCLUDED WITH THIS SUPERDAT PACKAGE SUPERDAT INSTALLER COMPONENTS GLOBALS.NSG Global variables definition file NAISCRIP.NSC Script file SDATPACK.LST Packing list and codes for use with VALIDATE.EXE GSDSUPER.DLL GroupShield for Lotus Domino support file DAT FILES SCAN.DAT Data file for virus scanning. NAMES.DAT Data file for virus names. CLEAN.DAT Data file for virus cleaning. INTERNET.DAT Data file to detect hostile Java/ActiveX objects. GENERAL ENGINE COMPONENTS MCSCAN32.DLL Virus-scanning engine SIGNLIC.TXT3rd-party license information MCTOOL.EXE Support file used to preserve last-access dates on Novell NetWare server volumes AVPARAM.DLL VirusScan 32-bit/16-bit support file PSAPI.DLL Microsoft Windows NT support library FILES FOR VIRUSSCAN ANTI-VIRUS SOFTWARE FOR MICROSOFT WINDOWS 95 AND WINDOWS 98 MCSCAN32.VXD Virus-scanning engine VSHIELD.VXDVShield scanner that runs in the background RWABS16.DLL VirusScan 16-bit support file RWABS32.DLL VirusScan 32-bit support file FILES FOR VIRUSSCAN COMMAND-LINE ANTI-VIRUS SOFTWARE LICENSE.DAT License information for use by VirusScan software MESSAGES.DAT Message contents file SCAN.EXE VirusScan command-line scanner for 32-bit environments SCANPM.EXE VirusScan command-line scanner for protected-mode environments _______________________________________________ TESTING YOUR INSTALLATION You can test the operation of the software by running the EICAR Standard Anti-virus Test File on any computer where you have installed the software. The EICAR Standard Anti-virus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation: 1. Copy the following line into its own file, then save the file with the name EICAR.COM. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* The file size will be 68 or 70 bytes. 2. Start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When your software scans this file, it will report finding the EICAR test file. 3. Delete the file when you have finished testing your installation to avoid alarming unsuspecting users. IMPORTANT: Please note that this file is NOT A VIRUS. ____________________________________________ KNOWN ISSUES 1. The SuperDAT log file is currently limited to a maximum length of 64K. After that point, the SuperDAT utility will continue to log events, but will truncate the file. 2. If you run the SuperDAT Package Installer to update and upgrade an existing version of VirusScan software for Windows 95 and Windows 98 (version 4.0.3, for example) then you install a later version of the same software package (version 4.5.1 for example) you must run the SuperDAT Package Installer again to ensure that you have the most recent engine files. 3. The SuperDAT Package Installer does not currently support the @ symbol used in the Novell NetWare login script. We do not create, supply, or support login scripts for individual environments. 4. The SuperDAT Package Installer works within your system's existing security structures. For Microsoft Windows NT systems, this usually means that you must have certain administrative rights to upgrade the virus-scanning engine for your anti-virus software, because you need those rights to stop and start system services. Logging on to the system with the same identity you used to install your anti-virus software should give you sufficient rights. 5. The virus-scanning engine includes Trojan-horse file detection that allows it to shut down harmful Trojan-horse processes and remove all traces of the harmful software from your computer. To enable support for this function on Windows NT systems, you must also have two separate dynamic link library (.DLL) files, PSAPI.DLL and VDMDBG.DLL, installed in the \WINNT\System32 folder on your system. VDMDBG.DLL should already be on your system, however on some NT 4.0 installations, it is possible that PSAPI.DLL may not exist. If PSAPI.DLL is not in your \WINNT\System32 folder, you should obtain a copy from Microsoft. NOTE: The PSAPI.DLL should never be copied onto a system which already has PSAPI.DLL installed. _______________________________________________ NEW VIRUSES DETECTED AND REMOVED Hundreds of new viruses and variants appear each month. Those which are detected and cleaned by AVERT's generic methods are added to the total virus count listed but they are not listed separately here. For more information on new viruses detected and removed by a specific DAT please refer to the DAT Readme page at McAfee Security HQ http://vil.nai.com/vil/DATReadme.asp McAfee software removes a virus either by deleting the infecting virus code from files or by deleting the file from your computer. _______________________________________________ UNDERSTANDING VIRUS NAMES Our anti-virus software typically follows industry-wide naming conventions to identify the viruses that it detects and cleans. Occasionally, some virus names deviate from strict industry standards. The first virus with a given set of characteristics that mark it as a distinctly new entity receives a "family" name. Virus researchers draw the family name from some identifying quirk or notation in the virus, such as a text string, or a payload effect. A family name can also include a numeric string that designates the byte size of the virus. Researchers use this name as convenient shorthand to distinguish closely allied virus variants. Names for variants within a virus family consist of the family name and a suffix - BadVirus.a, for example. The suffix continues in alphabetical order until it reaches z. Then it begins again with aa and continues to az. Still later variants receive the suffix ba through bz, and so forth, until the suffix reaches zz. If yet another variant appears after that, it will have the suffix aaa. As new virus strains appeared, industry naming conventions evolved to include more information. Some names, for instance, include parts that identify the platform on which the virus can run. Among anti-virus vendors, virus names can include a prefix, an infix and a suffix. PREFIX The prefix designates the type of file that the virus infects or the platform on which potentially harmful software can run. Viruses that infect DOS executables do not receive a prefix. Our naming convention includes the following prefixes: A97M/ Macro virus that infects Microsoft Access 97 files. APM/ Macro virus or Trojan-horse program that infects Ami Pro document and template files. Bat/ Batch-file virus or Trojan-horse program. These viruses usually run as batch or script files that affect a particular program that interprets the script or batch commands they include. They are very portable and can affect nearly any platform that can run batch or script files. The files themselves often have a BAT extension. CSC/ Corel Script virus or Trojan-horse program that infects Corel Draw document files, template files, and scripts. IRC/ Internet Relay Chat script virus. This virus type can use early versions of the mIRC client software to distribute a virus or payload. JS/ Script virus or Trojan-horse program written in JavaScript language. JV/ Potentially harmful Java application or applet. Linux/ Virus or Trojan-horse program compiled for Linux OS in ELF file format. LWP/ Potentially harmful software for Lotus WordPro. MacHC/ Virus or Trojan-horse program for Apple Macintosh HyperCard scripting language. MacOS/ Virus or Trojan-horse program for Apple Macintosh OS Versions 6-9. MSIL/ Application written using Microsoft Intermediate Language framework, also known as .NET. P98M/ Macro virus or Trojan-horse program that infects Microsoft Project documents and templates. PalmOS/ Virus or Trojan-horse program for a Palm Pilot. PDF/ File-infector of Adobe PDF files. Perl/ Script virus or Trojan-horse program written in Perl language. PHP/ Script virus or Trojan-horse program written in PHP language. PP97M/ Macro virus. Infects Microsoft PowerPoint 97 files. SunOS/ Potentially harmful software for Sun Solaris. SWF/ Potentially harmful software for Shockwave. Unix/ Program or a shell script for a version of UNIX. V5M/ Macro or script virus, or Trojan-horse program that infects Visio VBA (Visual Basic for Applications) macros or scripts. VBS/ Script virus or Trojan-horse program written in Visual Basic Script language. W16/ File-infector virus that runs in 16-bit Microsoft Windows environments (Windows 3.1x). W2K/ Potentially harmful software for 32-bit Microsoft Windows environments, specifically Windows NT, 2000 or XP. W32/ File-infector or boot-sector virus that runs in 32-bit Microsoft Windows environments (Windows 95, Windows 98 or Windows NT). W95/ File-infector virus that runs in Microsoft Windows 95, Windows 98 and Windows ME environments. W97M/ Macro virus that infects Microsoft Word 97 files. WHLP/ Potentially harmful software for 32-bit Microsoft Windows environments that targets Windows HLP files. WM/ Macro virus that infects Microsoft Word 95 files. X97M/ Macro virus that infects Microsoft Excel 97 files. XF/ Macro virus that infects Microsoft Excel 95 or 97 via Excel formulas. XM/ Macro virus that infects Microsoft Excel 95 files. PREFIX FOR TROJAN-HORSE CLASSES A name such as "BackDoor-" denotes potentially harmful software that belongs to a class of similar Trojan-horse programs. The class name is followed by extra characters to denote a family (such as BackDoor-JZ) or a name (such as BackDoor-Sub7). AdClicker- Repeatedly accesses web sites that are funded by advertising. Adware- Installs advertising software but does not ask permission. BackDoor- Provides remote access or control through the Internet or network. Dialer- Dials a phone number without asking for permission. DDoS- Operates as a Distributed Denial of Service component. Del- Deletes files. Downloader- Downloads software from the Internet, usually to deliver backdoors, password stealers, and sometimes viruses. Exploit- Uses a vulnerability or a software defect. FDoS- Denotes a Flooding Denial of Service component. KeyLog- Logs keystrokes for immediate or future transmission to the attacker. Kit- Denotes a program designed for creating a virus or Trojan-horse program. MultiDropper- Drops several Trojan-horse program or viruses (often several different ‘backdoors’). Nuke- Uses defects in software on a remote computer to bring it down. ProcKill- Terminates the processes of anti-virus and security products. May also delete files associated with such applications. PWS- Steals a password. Reboot- Reboots the computer. Reg- Modifies the Registry in an undesirable fashion without asking questions. For example, reduces the security settings or creates abnormal associations or sets. Spam- Acts as a spamming tool. Spyware- Monitors browsing habits or other behavior and sends the information out, often for unsolicited advertising. Uploader- Sends files or other data from the computer. Vtool- Denotes a program used by virus writers or hackers for developing software. Zap- Wipes all or part of a hard disk. INFIX These designations usually appear in the middle of a virus name. AVERT assigns these designations, which differ from industry conventions. .cmp. Companion file that the virus adds to an existing executable file. Our anti-virus software deletes the companion file to prevent later infections. .mp. Legacy multi-partite virus for DOS. .ow. Overwriting virus. This identifies a virus that overwrites data in a file, thereby irreparably corrupting it. This file must be deleted. SUFFIX These designations usually appear as the last part of a virus name. A virus name can have more than one suffix. One might designate a variant, for example, while others give additional information. @M Slow mailer. This virus uses an e-mail system to spread. It usually replies to an incoming message once, or attaches itself to an outgoing message, or sends to just one e-mail address. @MM Mass mailing distribution. This virus might use standard techniques to propagate itself, but also uses an e-mail system to spread. .a - .zzz Virus variants. In accordance with the CARO (Computer Anti-virus Research Organization) naming convention, the vendor-specific suffices can be preceded by a "!" character. Our software uses the following suffices: apd Appended virus. A virus that appends its code to the file it infects, but fails to provide for correct replication. bat Software component in BAT language. cav Cavity virus. This designates a virus that copies itself into "cavities" (for example, areas of all zeroes) in a program file. cfg Configuration component of an Internet Trojan-horse program (frequently of a ‘BackDoor-‘). cli Client-side component of an Internet Trojan-horse program (frequently of a ‘BackDoor-‘). dam Damaged file. A file that is damaged or corrupted by an infection. demo Program that demonstrates potentially harmful action, such as an example of how an exploit works. dr Dropper file. This file introduces the virus into the host program. gen Generic detection. Native routines in our software detect this virus without using specific code strings. ini An mIRC or pIRCH script when it is a component of another virus. intd "Intended" virus. This virus has most of the usual virus characteristics but cannot replicate correctly. irc IRC component of potentially harmful software. js Potentially harmful software component in JavaScript. kit Virus or Trojan-horse program created from a ‘virus construction kit’. p2p Potentially harmful software that uses peer-to-peer communication to function. For example, Gnutella, and Kazaa. sfx Self-extracting installation utility for Trojan-horse programs. src Viral source code. This ordinarily cannot replicate or infect files, but some virus droppers add this to files as part of the infection cycle. Our products routinely flag files with additional code of this sort for deletion. sub Substitution virus. It substitutes the host file with itself, so that all infected hosts are of the same size and are a pure virus. (That is, a subclass of overwriting viruses.) svr Server-side component of an Internet Trojan-horse program, often of a ‘backdoor’. vbs Potentially harmful software component written in Visual Basic Script language. worm A non-parasitic virus that copies itself, or a virus that propagates through a network by copying to remote computers or by sending itself out via any means of file transmission such as remote shares, peer-to-peer, instant messaging, IRC file transfers, FTP, and SMTP. GENERIC DETECTIONS Our software detects a huge amount of potentially harmful software proactively and generically. In most cases, such objects are successfully cleaned even without AVERT ever receiving a sample. Such detection is denoted by "Generic" in the name or a "gen" suffix. To submit a sample to AVERT, visit the AVERT home page. See "CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES". HEURISTIC DETECTIONS Our software detects a huge amount of new potentially harmful software heuristically. Such detection is flagged using the "New" prefix to the name (for example "New Worm" and "New Win32"). To submit any sample that was detected heuristically, visit the AVERT home page. See "CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES". APPLICATION DETECTIONS Our software detects potentially unwanted applications; they cannot be classified as viruses or Trojan-horse programs. They include some Adware, Spyware, Dialers, remote-access software that can hide itself, and other similar applications that many users do not want on their computers. Unwanted applications also include ‘jokes’ but these can be excluded from detection using scanning options. For more information, visit the AVERT home page. See "CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES". _______________________________________________ DOCUMENTATION This product includes the following documents: - This README file. - A CONTACT file. Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT, beta program, and training. It also includes a list of phone numbers, street addresses, web addresses, e-mail addresses, and fax numbers for Network Associates offices in the United States and around the world. __________________________________________________________ CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES Technical Support Home Page http://www.networkassociates.com/us/support/ KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx PrimeSupport Service Portal http://mysupport.nai.com Login credentials required. McAfee Security Beta Program Beta Web Site http://www.networkassociates.com/us/downloads/beta/ E-mail avbeta@nai.com Security Headquarters -- AVERT (Anti-Virus Emergency Response Team) Home Page http://www.networkassociates.com/us/security/home.asp Virus Information Library http://vil.nai.com Submit a Virus Sample – AVERT WebImmune https://www.webimmune.net/default.asp AVERT DAT Notification Service http://vil.nai.com/vil/join-DAT-list.asp Download Site Home Page http://www.networkassociates.com/us/downloads/ DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/ ftp://ftp.nai.com/pub/antivirus/datfiles/4.x Product Upgrades https://secure.nai.com/us/forms/downloads/upgrades/login.asp Valid grant number required. Contact Network Associates Customer Service Training McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/university.htm Network Associates Customer Service US, Canada, and Latin America toll-free: Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday - Friday, 8 a.m. - 8 p.m., Central Time E-mail: services_corporate_division@nai.com Web: http://www.nai.com/us/index.asp http://www.networkassociates.com/us/index.asp For additional information on contacting Network Associates and McAfee Security – including toll-free numbers for other geographic areas -- see the CONTACT file that accompanied your original product release. __________________________________________________________ COPYRIGHT AND TRADEMARK ATTRIBUTIONS Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972- 963-8000. TRADEMARKS Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, SecurityShield, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF PURCHASE FOR A FULL REFUND. Attributions This product includes or may include: - Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). - Cryptographic software written by Eric Young and software written by Tim J. Hudson. - Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. - Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. - Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. All rights reserved. - Software written by Douglas W. Sauder. - Software developed by the Apache Software Foundation (http://www.apache.org/). - International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. All rights reserved. - Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. - FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. - Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. - Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. - Software copyrighted by Expat maintainers. - Software copyrighted by The Regents of the University of California, (C) 1989. - Software copyrighted by Gunnar Ritter. - Software copyrighted by Sun Microsystems(C), Inc. - Software copyrighted by Gisle Aas. All rights reserved, (C) 1995-2003. - Software copyrighted by Michael A. Chase, (C) 1999-2000. - Software copyrighted by Neil Winton, (C) 1995-1996. - Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. - Software copyrighted by Sean M. Burke, (C) 1999, 2000. - Software copyrighted by Martijn Koster, (C) 1995. - Software copyrighted by Brad Appleton, (C) 1996-1999. - Software copyrighted by Michael G. Schwern, (C) 2001. - Software copyrighted by Graham Barr, (C) 1998. - Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. - Software copyrighted by Frodo Looijaard, (C) 1997. Deriv. V2.3.1 DBN 146-EN