[Micronet] RE: EIGHT941.D Word macro virus [Virex updates?]

From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Mon Jun 05 2000 - 15:27:42 PDT

    In the message "[MAGNet] RE: [Micronet] EIGHT941.D Word macro virus",
    dated 2000-06-05, Greg Paschall wrote:
    >Does anybody have any idea when/if this protection will be
    >wrapped into a Virex update? I have a Mac user that received the
    >virus from campus in a Word attachment and opened it before she saw
    >the retraction. We downloaded the latest (6/1) Virex update and
    >scanned her machine, and it came up clean. Today, she sent out a new
    >Word document to our entire department, and the LBL scanner tells us
    >it was infected with this dumb W97M_EIGHT941.D macro virus.

    At 12:49 -0700 2000-06-05, Pat McPeak wrote:
    >Good question. I just sent email to NAI to request an
    >updated DAT for Virex that would detect & clean this virus.
    >Will post if I hear back from them.

    About Virex's ability to detect W97M/EIGHT941
    ---------------------------------------------
    According to the 'read me' files accompanying past Virex Virus
    Updates, Virex's "Virus Definitions" file contains signatures which
    permit Virex to detect and remove the following Microsoft Word 97
    macro viruses:

    W97M/EIGHT.GEN (added in Virex's Virus Update of 1999-11-01)
    W97M/Eight (added in Virex's Virus Update of 1999-12-01)

       It's a bit murky sorting out whether these signatures might also
    pertain to the W97M/Eight941 macro virus. From what I've been able
    to determine so far, it appears that W97M/Eight941 and W97M/Eight.Gen
    are alternate names for the same macro virus. It is less clear
    whether W97M/Eight is another synonym.

       However, there is no mention in these 'read me' files of Virex's
    ability -- or lack of same -- to specifically detect any of the nine
    known variants of the W97M/Eight941 macro virus. From Greg's report,
    at least, it would seem clear that Virex with the latest virus
    definitions of 2000-06-01 does not detect the 'D' variant,
    W97M/EIGHT941.D.

    About Virex Virus Updates
    -------------------------
    Updates that add the capability to detect newly-identified viruses,
    worms, and trojans to Virex, the campus's site licensed anti-virus
    product for the Mac OS, are scheduled to be released once a month.
    These updates generally come out on (or slightly before) the first of
    each month. The next virus update is thus scheduled for July 1, 2000.

       You can most conveniently obtain Virex updates via the "eUpdate"
    feature of the Virex application (version 6.0 and higher). If you
    wish, you can also download these updates from the campus Virex home
    page at <URL:http://mac.berkeley.edu/anti-virus/virex.html>, or the
    NAI and McAfee Web sites. (At least one of the latter URLs --
    whichever has the latest update -- is linked from the campus Virex
    home page.)

       On a few occasions -- the last time was for the original WM/Melissa
    in late March 1999, over a year ago -- Network Associates, Inc.
    (NAI), the current vendor for Virex, has provided Virex users with an
    extra driver file ("EXTRA.DAT", formerly "extra.drv") containing
    signatures for one or more particularly 'hot' viruses, worms, or
    trojans. This extra driver file can be copied into one's "System
    Folder:Preferences:Virex Preferences Folder." By doing so, you can
    supplement the signatures contained in the standard "Virus
    Definitions" file until the latter is updated.

       Outside of occasionally making an extra driver file available, I
    don't remember any recent case where NAI has released a new, full
    Virus Update for Virex outside of its regular beginning-of-the-month
    schedule.

       Pat, please let us know -- via the MAGNet and Micronet lists --
    what you learn from your query to NAI. (If at any time you would
    like me to follow-up directly with them, I'd be glad to do so.)

    Virex can't detect some Windows viruses
    ---------------------------------------
    On a related note, NAI told us last year that:

       - The company maintains separate virus definitions for its Windows
         (VirusScan) and Mac OS (Virex) desktop anti-virus software products.

       - Virex's virus definitions will generally *only* contain signatures for
         viruses, worms, and trojans *that are capable of doing damage and/or
         replicating under the Mac OS*.

         The practical implication? To the best of my knowledge, Virex
         is not even today capable of detecting (to name two recent examples)
         the HAPPY99 trojan/worm or the recent VBScript-based VBS/LoveLetter
         worm and its variants, both of which were widely encountered on the
         Berkeley campus. (If anyone knows of any information to the
         contrary, please let me know.)

         Just to be fair, Virex's virus definitions *have* typically
         been updated, over time, to detect Microsoft Word macro viruses
         and other cross-platform application macro viruses capable of
         replicating under the Mac OS, even if their effects ('payloads')
         were wholly or partly Windows-specific.

       We're not pleased by this limitation on what Virex can detect.
    We'd like Virex to be able to detect any viruses, worms, and trojans
    that NAI deems to be of high risk, even those which may be closely
    tied to Windows, because this can help campus computing support staff
    more rapidly detect and respond to outbreaks. In particular, this
    capability would allow Macintosh users to warn their Windows-using
    correspondents of potential infections they may be harboring.

       We've discussed this with NAI in the past (see below), so far
    without this having resulted in product changes.

    Aron Roberts
    Workstation Software Support Group

    ---------------------------------------------------------------

    On 1999-08-24 and 1999-09-15, during the Virex 6.0 beta cycle, we
    requested that NAI:

    > Provide more support for Macs as 'tripwire' detectors for
    > PC-specific viruses.
    >
    > The Virex Virus Definitions generally only incorporate
    > detection for viruses which can infect, or (in the case
    > of some macro viruses) at least replicate, under the
    > Mac OS.
    >
    > However, in many cases, we've found that Mac users serve
    > as excellent 'tripwires' to detect PC-specific viruses,
    > worms, and trojan horses sent to them as e-mail attachments
    > by PC-using colleagues, both on our campus and throughout
    > the Internet. Once detected, these Mac users can inform
    > their colleagues that they've probably been infected, and
    > urge them to update their anti-virus software.
    >
    > There may be much benefit in Virex detecting some of the most
    > widespread -- or potentially destructive, or both -- of the
    > PC-specific viruses. For instance, when the HAPPY99.EXE
    > trojan was prevalent on our campus, I was pointedly asked by a
    > support provider why Virex was unable to detect it, as such
    > detection might have helped slow its spread.

       Unfortunately, during the Virex 6.1 beta cycle from December 1999
    to February 2000, we were focusing on other product issues, and so
    missed the opportunity to bring this up again. We'll continue to
    harangue NAI about this in the future ...

    ------------------------------------------------------------------------
    The following was automatically added to this message by the list server:

    For information about Micronet, its meetings and events, and its
    mailing list, including information on subscribing and unsubscribing,
    see the Micronet Web site at <URL:http://wss-www.berkeley.edu/micronet/>.



    This archive was generated by hypermail 2b29 : Mon Jun 05 2000 - 15:37:30 PDT
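The message above argues that a Mac-side scanner is useful as a 'tripwire' for Windows-only malware arriving as mail attachments, even though that malware cannot run on the Mac. The following is an added example, not Virex, VirusScan or NAI code, of what such platform-agnostic attachment triage looks like: it parses a message, and for each attachment checks a constructed known-bad hash list, Windows-only executable and script extensions (including the double-extension lure used by attachments such as LOVE-LETTER-FOR-YOU.TXT.vbs), the real DOS/PE ("MZ") and OLE2 compound-document magic numbers, and mismatches between the claimed extension and the actual content. The indicator set, the sample message and its attachments are constructed for the demo and match no real malware; the OLE2 check only flags that a Word 97 file can carry VBA macros on any platform, it does not look inside the macro streams.

```python
"""Platform-agnostic 'tripwire' triage of e-mail attachments.

Added example; not Virex, VirusScan or NAI code.  The indicator set and
the sample message are constructed for the demo and match no real malware.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Real file-format magic numbers (format facts, not malware signatures).
PE_MAGIC = b"MZ"                                 # DOS/PE executable header
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound document (Word 97 .doc)

# Extensions that only run under Windows: harmless on a Mac, but the Mac
# can still raise the alarm for the Windows-using sender.
WINDOWS_ONLY_TYPES = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".vbe", ".js", ".wsh"}
DECOY_TYPES = {".txt", ".jpg", ".gif", ".doc"}   # innocent-looking first half of a double extension

# Constructed "known-bad" content: a 64-byte fake DOS stub.  Its hash is the
# demo's stand-in for a vendor signature; it matches no real sample.
SAMPLE_PE = PE_MAGIC + b"\x00" * 58 + b"PE\x00\x00"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PE).hexdigest(): "demo-indicator-1"}


def classify(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment deserves a warning (empty list = nothing found)."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""

    digest = hashlib.sha256(payload).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"matches known-bad hash {KNOWN_BAD_SHA256[digest]}")

    if ext in WINDOWS_ONLY_TYPES:
        findings.append(f"Windows-only executable/script type {ext}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_TYPES:
            findings.append(f"double extension {suffixes[-2]}{ext} disguises the type")

    # Judge the content as well as the name: a renamed .exe is still an .exe.
    if payload.startswith(PE_MAGIC):
        findings.append("DOS/PE executable header")
        if ext not in WINDOWS_ONLY_TYPES:
            findings.append("extension does not match executable content")
    elif payload.startswith(OLE2_MAGIC):
        findings.append("OLE2 compound document: can carry VBA macros on any platform, needs macro scan")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment's filename to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = classify(name, part.get_payload(decode=True) or b"")
    return report


def build_sample() -> bytes:
    """Constructed message with four attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "pc-user@example.edu"
    msg["To"] = "mac-user@example.edu"
    msg["Subject"] = "fwd: some files"
    msg.set_content("Take a look at these.")

    def add(data: bytes, name: str) -> None:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)

    add(SAMPLE_PE, "HAPPY99.EXE")                                   # fake executable, hash-listed
    add(b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n',  # constructed script text
        "LOVE-LETTER-FOR-YOU.TXT.vbs")
    add(OLE2_MAGIC + b"\x00" * 504, "report.doc")                   # minimal OLE2 header only
    add(b"Meeting moved to Thursday.\n", "notes.txt")               # benign
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no findings'}")
```

Run as a script, it prints one line per attachment. The findings are deliberately descriptive rather than a verdict: the Mac user's scanner cannot know whether the sender's Windows machine is actually infected, only that an attachment is the kind of thing worth telling the sender about.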