       Release Notes for McAfee DAT Files
            Copyright (c) 1992-2004
      Networks Associates Technology, Inc.
              All Rights Reserved

===============================================


Thank you for using our products. This file
contains important information about the
current virus definition (DAT) files. We
recommend that you read the entire document.

You must have a current PrimeSupport agreement 
in order to be entitled to download product 
updates and upgrades, including engine and DAT 
updates. By downloading any of these files,  
you acknowledge that you currently have a 
valid PrimeSupport agreement with Network 
Associates.

The DAT files supplied with this README file
are compatible with our anti-virus products
that use the version 4.3.20 (or later)
virus-scanning engine. We recommend that you
upgrade to the latest version of the
virus-scanning engine for optimal virus
detection and cleaning.


_______________________________________________
WHATS IN THIS FILE?

-  What are DAT files?
-  How we provide the DAT files
-  Which file to use
   -  When to use the XDAT file
   -  When to use the compressed DAT package
      (DAT-)
-  Installation
   -  Using the DAT Package Installer (XDAT
      file)
   -  Using the DAT ZIP or DAT TAR file to
      update VirusScan Command Line and
      VirusScan for UNIX
   -  Using the DAT ZIP or DAT TAR file to
      update other products
   -  VirusScan 4.5 for Microsoft Windows
   -  VirusScan 4.0.3 for Microsoft Windows 95
      and Windows 98
   -  VirusScan 4.0.3 for Microsoft Windows NT and
      Netshield 4.0.3 for Microsoft Windows NT
   -  Netshield for Novell NetWare
   -  GroupShield for Lotus Notes
   -  List of Virus Definition Files
   -  Testing your installation
-  New Viruses Detected and Removed
-  Understanding Virus Names
   -  Prefix
   -  Prefix for Trojan-Horse classes
   -  Infix
   -  Suffix
   -  Generic Detections
   -  Heuristic Detections
   -  Application Detections
-  Documentation
-  Contacting McAfee Security & Network
   Associates
-  Copyright and Trademark Attributions
   -  Trademarks
   -  License Agreement


_______________________________________________
WHAT ARE DAT FILES?

Virus definition, or DAT, files contain
up-to-date virus signatures and other
information that our anti-virus products use to
protect your computer against thousands of
computer viruses and other potentially harmful
software in circulation. Hundreds of new
threats appear each month. Every week, we
release new DAT files. We also release new DAT
files when any threat is assessed by AVERT to
have a medium or higher risk.

To ensure that your anti-virus software can
protect your system or network against the
latest threats, you must download and install
the latest DAT files. For their location, see
"CONTACTING MCAFEE SECURITY & NETWORK
ASSOCIATES".


_______________________________________________
HOW WE PROVIDE THE DAT FILES

We store new DAT files on our web site in
several compressed formats to reduce
transmission time:

-  Compressed DAT Package. This file contains
   the DAT files, compressed in a ZIP or tar
   file. You can extract and install them
   yourself to update most of our anti-virus
   software. The file has a name of the format
   DAT-4316.ZIP or DAT-4316.tar, where 4316 is
   the four-digit DAT version number such as
   4321.

-  DAT Package Installer, or "XDAT file". This
   file includes the DAT files plus an
   executable that installs them. The file has
   a name of the format 4316XDAT.EXE, where
   4316 is the four-digit DAT version number
   such as 4321.

-  SuperDAT Package Installer, or "SDAT file".
   This file includes the DAT files plus an
   executable that installs them. It may also
   include a new virus-scanning engine and
   other program components. The file has a
   name of the format SDAT4316.EXE, where 4316
   is the four-digit DAT version number such as
   4321.

   NOTE:
   This README file does NOT describe how to
   use the SuperDAT Package Installer. For more
   information, see the README file posted with
   that package.


_______________________________________________
WHICH FILE TO USE

WHEN TO USE THE XDAT FILE

The XDAT file makes DAT file updating quick and
simple. Unlike the SuperDAT Package Installer,
this installer does not update the
virus-scanning engine for your anti-virus
software. Hence, you can use this installer
when your engine is up-to-date and you do not
want to download the larger SuperDAT Package
Installer file.

The XDAT file is a standard application that
you can double-click to start from within
Microsoft Windows.

It installs new DAT files to keep your
anti-virus software up to date. It shuts down
any active anti-virus scans, services, or other
memory-resident software components that might
interfere with your updates. It then copies the
new files to their proper locations and enables
your anti-virus software to use them
immediately.

This installer supports the same platforms and
products as the SuperDAT Package Installer.

This installer is compatible with most of our
version 4.x anti-virus products, including most
version 4.5 product versions.

This installer does NOT support the following:

-  Any Dr Solomon Anti-Virus Toolkit product.

-  VirusScan for UNIX.

-  GroupShield for Lotus Notes.

-  NetShield for Novell NetWare.


WHEN TO USE THE COMPRESSED DAT PACKAGE (DAT-)

A compressed DAT package allows you to update
the DAT files for any supported McAfee version
4.x anti-virus product.

The difference between this package and the
installers (SDAT and XDAT files) is that you
must stop any scans or virus-scanning services
and unload any Terminate-and-Stay-Resident
(TSR) programs from your computer's memory
yourself. You must then copy the new files to
the program directory of your anti-virus
software, then restart the services or
background-scanning software that your
application uses.

Alternatively, if your anti-virus software has
an AutoUpdate feature, you can configure that
to download and install the package for you.
Version 4.5-series anti-virus software can also
use incremental DAT file updating. For more
information, see your product documentation.

The following products need the compressed DAT
package to update your anti-virus protection:

-  VirusScan for UNIX

-  GroupShield for Lotus Notes

-  WebShieldX Proxy

-  Netshield for Novell NetWare

To learn how to update these products, see
"Installation".


_______________________________________________
INSTALLATION


USING THE DAT PACKAGE INSTALLER (XDAT FILE)

1. Create a temporary directory on your hard
   disk.

2. Download the XDAT file to the temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates".

3. Double-click the XDAT file to start the
   update.

4. Follow the instructions in the wizard
   panels.

   The installer then does the following:

   -  Unloads McAfee memory-resident software
      or stops services that use your current
      DAT files.

   -  Copies new DAT files to the appropriate
      program directories.

   -  Restarts the software components needed
      to continue scans with your new DAT
      files.

5. When the installer has finished updating
   your DAT files, you may delete the file you
   downloaded, unless you want to keep a copy
   available for further updates.


USING THE DAT ZIP OR DAT TAR FILE TO UPDATE
VIRUSSCAN COMMAND LINE AND VIRUSSCAN FOR UNIX

1. Create a temporary directory on your hard
   disk.

2. Download the compressed DAT file to the
   temporary directory from our web site. See
   "Contacting McAfee Security & Network
   Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP or DAT-4316.tar, where 4316 is
   the DAT version number, such as 4321.

3. If your anti-virus software has a version of
   VShield running, enter VSHIELD /REMOVE at
   the command-line prompt.

4. Back up or rename the existing DAT files,
   which are in the program directory for your
   anti-virus software. See "List of Virus
   Definition Files" later in this file for a
   complete DAT file list.

5. Using WinZip, PKUnzip, or a similar utility,
   open the ZIP file and extract the new DAT
   files. You can save the extracted files
   directly to the program directory for your
   anti-virus software.

   To extract DAT files stored in a tar file,
   use a compression utility that can read and
   extract tar files, or follow these steps
   from a UNIX command prompt:

   1. Change to the directory into which you
      want to extract the new DAT files. This
      is the program directory for your
      anti-virus software, or a temporary
      directory from which you intend to copy
      the new files.

   2. Enter this command at the command
      prompt:

      tar xf <directory path>/dat-4316.tar

      Here, <directory path> is the path to the
      tar file you downloaded. The tar utility
      will extract the DAT files into your
      current working directory.

      NOTE:
      The syntax for the tar command might vary
      in different UNIX versions. Consult your
      manual pages or other product
      documentation for more details.

6. Copy the new DAT files to the program
   directory for the software you want to
   update. Allow the new files to replace the
   existing files.

7. If your anti-virus software includes a
   VShield component, enter VSHIELD, followed
   by the scanning options you want, at the
   command-line prompt.

   NOTE:
   When you have finished using the compressed
   DAT file, you may delete it from your hard
   disk, unless you want to keep a copy for
   further updates.


USING THE DAT ZIP OR DAT TAR FILE TO UPDATE
OTHER PRODUCTS

We recommend that you use either the SuperDAT
Installer (SDAT file), or the DAT Installer
(XDAT file) to install new DAT files. These
installers provide an easy and foolproof method
for correctly updating DAT files.

However, if you want to install new DAT files
directly from the ZIP or tar file, locate the
heading for your anti-virus product in the list
below, then follow the steps in the
corresponding section.

-  VirusScan 4.5 for Microsoft Windows95,
   Windows 98, Windows NT Workstation 4.0, and
   Windows 2000 Professional

-  VirusScan 4.0.3 for Microsoft Windows 95 and
   Windows 98

-  VirusScan 4.0.3 for Microsoft Windows NT and
   Netshield 4.0.3 for Microsoft Windows NT

-  NetShield for Novell Netware

-  GroupShield for Lotus Notes


VIRUSSCAN 4.5 FOR MICROSOFT WINDOWS

1. Create a temporary directory on your hard
   disk.

2. Download the DAT ZIP file to the temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

3. Click Start in the Windows task bar, point
   to Settings, then choose Control Panel.

4. Locate the VirusScan control panel, then
   double-click it to open it.

5. Click Stop on the Service page. Leave the
   VirusScan control panel open. You need to
   return to it in a later step.

6. Back up or rename the existing DAT files
   stored in the Network Associates Common
   Files directory. If you installed VirusScan
   software to its default location, the
   directory is:

      C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.x.xx

   See "List of Virus Definition Files" later
   in this file for a complete DAT file list.

7. Using WinZip, PKUnzip, or a similar utility,
   open the ZIP file and extract the new DAT
   files.

   Save the extracted files directly to the
   Network Associates Common Files directory.
   Allow the new files to overwrite the
   existing DAT files.

8. Return to the VirusScan control panel, then
   click Start in the Service page.

   The VShield scanner and the VirusScan
   Console will start again. Your VirusScan
   software is now up to date.


VIRUSSCAN 4.0.3 FOR MICROSOFT WINDOWS 95 AND
WINDOWS 98

1. Create a temporary directory on your hard
   disk.

2. Download the compressed DAT file to the
   temporary directory from our web site. For
   the location, see "Contacting McAfee
   Security & Network Associates" later in this
   file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

3. Right-click the VShield icon that appears in
   your Windows system tray at the bottom,
   right-hand corner of your screen to display
   the VShield shortcut menu.

4. Point to Enable, then choose System Scan to
   remove the checkmark beside the name. This
   disables the VShield System Scan module.

5. Repeat Steps 1 and 2 to disable all of the
   remaining VShield modules: E-Mail Scan,
   Download Scan, and Internet Filter.

6. Restart your computer to remove all VShield
   modules from memory.

7. Back up or rename the existing DAT files
   stored in the VirusScan program directory.
   See "List of Virus Definition Files" later
   in this file for a complete DAT file list.

8. Using WinZip, PKUnzip, or a similar utility,
   open the DAT ZIP file and extract the new
   DAT files. You can save the extracted files
   directly to the VirusScan program directory.
   Allow the new files to overwrite the
   existing DAT files.

9. Restart your computer.

10. Right-click the VShield icon that appears
   in your Windows system tray at the bottom,
   right-hand corner of your screen to display
   the VShield shortcut menu.

11. Point to Enable, then choose one of the
   listed VShield modules to add a checkmark
   beside the name. This enables that VShield
   module again.

   Begin with the System Scan module, then
   repeat Steps 9 and 10 to enable these
   remaining VShield modules: E-Mail Scan,
   Download Scan, and Internet Filter.


VIRUSSCAN 4.0.3 FOR MICROSOFT WINDOWS NT
AND NETSHIELD 4.0.3 FOR MICROSOFT WINDOWS NT

If you have Administrator rights for the server
or workstation you want to update, you can
initiate update requests at any time to
VirusScan for Windows NT and NetShield for
Windows NT:

1. Create a temporary directory on your hard
   disk.

2. Download the DAT ZIP file to the temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

3. Using the AntiVirus Console, connect to the
   workstation or server you want to update.

4. Double-click the AutoUpdate task to open it,
   then click Update Now.

   The program retrieves new files from the
   location specified in the task settings, and
   installs the new files correctly.

To install new DAT files directly from a DAT
ZIP file WITHOUT using AutoUpdate:

   NOTE:
   We do not recommend this method of updating
   your DAT files.

1. Download the DAT ZIP file to a temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

2. Back up or rename the existing DAT files
   stored in the program directory. See "List
   of Virus Definition Files" later in this
   file for a complete DAT file list.

3. Using WinZip, PKUnzip, or a similar utility,
   open the ZIP file, and extract the new DAT
   files.

4. Log on to the server or workstation you want
   to update. You must have Administrator
   rights for the target computer.

5. Click Start, point to Settings, then choose
   Control Panel. In the window, locate and
   double-click the Services control panel to
   open it.

   If the computer is running Windows NT 3.51,
   start Program Manager, then locate the
   Control Panels program group. Double-click
   the program group to open it, then locate
   and double-click the Services control
   panel.

6. Select the Network Associates McShield
   Service, then click Stop.

7. Copy the DAT files you extracted from the
   ZIP file to the program directory.

8. Return to the Services control panel,
   select the McShield Service, then click
   Start.

9. Close the Services control panel.

The new DAT files are used in anti-virus scans
immediately.


NETSHIELD FOR NOVELL NETWARE

To install DAT file updates directly from a ZIP
file WITHOUT using the AutoUpdate utility:

   NOTE:
   We do not recommend this method of updating
   your DAT files.

1. Create a temporary directory on your hard
   disk.

2. Download the DAT ZIP file to the temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

3. Using WinZip, PKUnzip, or a similar utility,
   open the ZIP file, and extract the new DAT
   files.

4. Log on to the server you want to update. You
   must have administrator rights for the
   target server.

5. At the NetWare Console prompt, enter:

      unload netshld

6. Back up or rename the existing DAT files
   stored in your NetShield program directory.
   If you installed NetShield to the default
   program directory, the DAT files are at this
   location:

      SYS:MCAFEE\NETSHLD

   See "List of Virus Definition Files" later
   in this file for a complete DAT file list.

7. Copy the files you extracted from the
   temporary directory you created in Step 1 to
   the NetShield program directory on your
   server.

8. Enter this line at the NetWare Console
   prompt to restart the NetShield NetWare
   server software:

      netshld

   NetShield uses the new DAT files in
   anti-virus scans immediately.


GROUPSHIELD FOR LOTUS NOTES

GroupShield for Lotus Notes allows you to
download and install new DAT files with its
automatic update feature. We recommend this
method, but you can also update your DAT files
directly.

1. Create a temporary directory on your hard
   disk.

2. Download the DAT ZIP file to the temporary
   directory from our web site. For the
   location, see "Contacting McAfee Security &
   Network Associates" later in this file.

   The name of the file is typically
   DAT-4316.ZIP, where 4316 is the DAT version
   number, such as 4321.

3. Back up or rename the existing DAT files
   stored in the GSUPDATE.NSF database. See
   "List of Virus Definition Files" later in
   this file for a complete DAT file list.

4. Using WinZip, PKUnzip, or a similar utility,
   open the ZIP file and extract the new DAT
   files.

5. Start Lotus Notes, then right-click
   Workspace. From the menu that appears,
   choose Open Database.

6. Locate the database GSUPDATE.NSF, then add
   to that database those files that you
   extracted into the temporary directory you
   created in Step 1.

   GroupShield for Lotus Notes will use the new
   DAT files as soon as they replicate across
   the network. If you have partitioned Notes
   servers, you must shut down and restart each
   of the partitioned servers for the update to
   take effect.


LIST OF VIRUS DEFINITION FILES

The virus definition files (or DAT files)
included in the packages are:

   SCAN.DAT             Data file for virus
                        scanning

   NAMES.DAT            Data file for virus
                        names

   CLEAN.DAT            Data file for virus
                        cleaning

   INTERNET.DAT         Data file for detecting
                        hostile Java/ActiveX
                        objects.


TESTING YOUR INSTALLATION

You can test the operation of the software by
running the EICAR Standard AntiVirus Test File
on any computer where you have installed the
software. The EICAR Standard AntiVirus Test
File is a combined effort by anti-virus vendors
throughout the world to implement one standard
by which customers can verify their anti-virus
installations.

To test your installation:

1. Copy the following line into its own file,
   then save the file with the name EICAR.COM.

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

   The file size will be 68 or 70 bytes.

2. Start your anti-virus software and allow it
   to scan the directory that contains
   EICAR.COM.

   When your software scans this file, it will
   report finding the EICAR test file.

3. Delete the file when you have finished
   testing your installation to avoid alarming
   unsuspecting users.

   IMPORTANT:
   Please note that this file is NOT A VIRUS.


_______________________________________________
NEW VIRUSES DETECTED AND REMOVED

Hundreds of new viruses and variants appear
each month. Those which are detected and
cleaned by AVERT's generic methods are added to
the total virus count listed but they are not
listed separately here.

For more information on new viruses detected
and removed by a specific DAT please refer
to the DAT Readme page at McAfee Security HQ

http://vil.nai.com/vil/DATReadme.asp
McAfee software removes a virus either by
deleting the infecting virus code from files or
by deleting the file from your computer.

_______________________________________________
UNDERSTANDING VIRUS NAMES

Our anti-virus software typically follows
industry-wide naming conventions to identify
the viruses that it detects and cleans.
Occasionally, some virus names deviate from
strict industry standards.

The first virus with a given set of
characteristics that mark it as a distinctly
new entity receives a "family" name. Virus
researchers draw the family name from some
identifying quirk or notation in the virus,
such as a text string, or a payload effect.

A family name can also include a numeric string
that designates the byte size of the virus.
Researchers use this name as convenient
shorthand to distinguish closely allied virus
variants.

Names for variants within a virus family
consist of the family name and a suffix -
BadVirus.a, for example. The suffix continues
in alphabetical order until it reaches z. Then
it begins again with aa and continues to az.
Still later variants receive the suffix ba
through bz, and so forth, until the suffix
reaches zz. If yet another variant appears
after that, it will have the suffix aaa.

As new virus strains appeared, industry naming
conventions evolved to include more
information. Some names, for instance, include
parts that identify the platform on which the
virus can run.

Among anti-virus vendors, virus names can
include a prefix, an infix and a suffix.


PREFIX

The prefix designates the type of file that the
virus infects or the platform on which
potentially harmful software can run. Viruses
that infect DOS executables do not receive a
prefix. Our naming convention includes the
following prefixes:

   A97M/    Macro virus that infects Microsoft
            Access 97 files.

   APM/     Macro virus or Trojan-horse program
            that infects Ami Pro document and
            template files.

   Bat/     Batch-file virus or Trojan-horse
            program. These viruses usually run
            as batch or script files that
            affect a particular program that
            interprets the script or batch
            commands they include. They are
            very portable and can affect nearly
            any platform that can run batch or
            script files. The files themselves
            often have a BAT extension.

   CSC/     Corel Script virus or Trojan-horse
            program that infects Corel Draw
            document files, template files, and
            scripts.

   IRC/     Internet Relay Chat script virus.
            This virus type can use early
            versions of the mIRC client
            software to distribute a virus or
            payload.

   JS/      Script virus or Trojan-horse
            program written in JavaScript
            language.

   JV/      Potentially harmful Java
            application or applet.

   Linux/   Virus or Trojan-horse program
            compiled for Linux OS in ELF file
            format.

   LWP/     Potentially harmful software for
            Lotus WordPro.

   MacHC/   Virus or Trojan-horse program for
            Apple Macintosh HyperCard scripting
            language.

   MacOS/   Virus or Trojan-horse program for
            Apple Macintosh OS Versions 6-9.

   MSIL/    Application written using Microsoft
            Intermediate Language framework,
            also known as .NET.

   P98M/    Macro virus or Trojan-horse program
            that infects Microsoft Project
            documents and templates.

   PalmOS/  Virus or Trojan-horse program for a
            Palm Pilot.

   PDF/     File-infector of Adobe PDF files.

   Perl/    Script virus or Trojan-horse
            program written in Perl language.

   PHP/     Script virus or Trojan-horse
            program written in PHP language.

   PP97M/   Macro virus. Infects Microsoft
            PowerPoint 97 files.

   SunOS/   Potentially harmful software for
            Sun Solaris.

   SWF/     Potentially harmful software for
            Shockwave.

   Unix/    Program or a shell script for a
            version of UNIX.

   V5M/     Macro or script virus, or
            Trojan-horse program that infects
            Visio VBA (Visual Basic for
            Applications) macros or scripts.

   VBS/     Script virus or Trojan-horse
            program written in Visual Basic
            Script language.

   W16/     File-infector virus that runs in
            16-bit Microsoft Windows
            environments (Windows 3.1x).

   W2K/     Potentially harmful software for
            32-bit Microsoft Windows
            environments, specifically Windows
            NT, 2000 or XP.

   W32/     File-infector or boot-sector virus
            that runs in 32-bit Microsoft
            Windows environments (Windows 95,
            Windows 98 or Windows NT).

   W95/     File-infector virus that runs in
            Microsoft Windows 95, Windows 98
            and Windows ME environments.

   W97M/    Macro virus that infects Microsoft
            Word97 files.

   WHLP/    Potentially harmful software for
            32-bit Microsoft Windows
            environments that targets Windows
            HLP files.

   WM/      Macro virus that infects Microsoft
            Word 95 files.

   X97M/    Macro virus that infects Microsoft
            Excel 97 files.

   XF/      Macro virus that infects Microsoft
            Excel 95 or 97 via Excel formulas.

   XM/      Macro virus that infects Microsoft
            Excel 95 files.


PREFIX FOR TROJAN-HORSE CLASSES

A name such as "BackDoor-" denotes potentially
harmful software that belongs to a class of
similar Trojan-horse programs. The class name
is followed by extra characters to denote a
family (such as BackDoor-JZ) or a name (such as
BackDoor-Sub7).

   AdClicker-
            Repeatedly accesses web sites that
            are funded by advertising.

   Adware-  Installs advertising software but
            does not ask permission.

   BackDoor-
            Provides remote access or control
            through the Internet or network.

   Dialer-  Dials a phone number without asking
            for permission.

   DDoS-    Operates as a Distributed Denial of
            Service component.

   Del-     Deletes files.

   Downloader-
            Downloads software from the
            Internet, usually to deliver
            backdoors, password stealers, and
            sometimes viruses.

   Exploit- Uses a vulnerability or a software
            defect.

   FDoS-    Denotes a Flooding Denial of
            Service component.

   KeyLog-  Logs keystrokes for immediate or
            future transmission to the
            attacker.

   Kit-     Denotes a program designed for
            creating a virus or Trojan-horse
            program.

   MultiDropper-
            Drops several Trojan-horse program
            or viruses (often several different
            backdoors).

   Nuke-    Uses defects in software on a
            remote computer to bring it down.

   ProcKill-
            Terminates the processes of
            anti-virus and security products.
            May also delete files associated
            with such applications.

   PWS-     Steals a password.

   Reboot-  Reboots the computer.

   Reg-     Modifies the Registry in an
            undesirable fashion without asking
            questions. For example, reduces the
            security settings or creates
            abnormal associations or sets.

   Spam-    Acts as a spamming tool.

   Spyware- Monitors browsing habits or other
            behavior and sends the information
            out, often for unsolicited
            advertising.

   Uploader-Sends files or other data from the
            computer.

   Vtool-   Denotes a program used by virus
            writers or hackers for developing
            software.

   Zap-     Wipes all or part of a hard disk.


INFIX

These designations usually appear in the middle
of a virus name. AVERT assigns these
designations, which differ from industry
conventions.

   .cmp.    Companion file that the virus adds
            to an existing executable file. Our
            anti-virus software deletes the
            companion file to prevent later
            infections.

   .mp.     Legacy multi-partite virus for
            DOS.

   .ow.     Overwriting virus. This identifies
            a virus that overwrites data in a
            file, thereby irreparably
            corrupting it. This file must be
            deleted.


SUFFIX

These designations usually appear as the last
part of a virus name. A virus name can have
more than one suffix. One might designate a
variant, for example, while others give
additional information.

   @M       Slow mailer. This virus uses an
            e-mail system to spread. It usually
            replies to an incoming message
            once, or attaches itself to an
            outgoing message, or sends to just
            one e-mail address.

   @MM      Mass mailing distribution. This
            virus might use standard techniques
            to propagate itself, but also uses
            an e-mail system to spread.

   .a - .zzz Virus variants.


In accordance with the CARO (Computer
Anti-virus Research Organization) naming
convention, the vendor-specific suffices can be
preceded by a "!" character. Our software uses
the following suffices:


   apd      Appended virus. A virus that
            appends its code to the file it
            infects, but fails to provide for
            correct replication.

   bat      Software component in BAT
            language.

   cav      Cavity virus. This designates a
            virus that copies itself into
            "cavities" (for example, areas of
            all zeroes) in a program file.

   cfg      Configuration component of an
            Internet Trojan-horse program
            (frequently of a BackDoor-).

   cli      Client-side component of an
            Internet Trojan-horse program
            (frequently of a BackDoor-).

   dam      Damaged file. A file that is
            damaged or corrupted by an
            infection.

   demo     Program that demonstrates
            potentially harmful action, such as
            an example of how an exploit
            works.

   dr       Dropper file. This file introduces
            the virus into the host program.

   gen      Generic detection. Native routines
            in our software detect this virus
            without using specific code
            strings.

   ini      An mIRC or pIRCH script when it is
            a component of another virus.

   intd     "Intended" virus. This virus has
            most of the usual virus
            characteristics but cannot
            replicate correctly.

   irc      IRC component of potentially
            harmful software.

   js       Potentially harmful software
            component in JavaScript.

   kit      Virus or Trojan-horse program
            created from a virus construction
            kit.

   p2p      Potentially harmful software that
            uses peer-to-peer communication to
            function. For example, Gnutella and
            Kazaa.

   sfx      Self-extracting installation
            utility for Trojan-horse programs.

   src      Viral source code. This ordinarily
            cannot replicate or infect files,
            but some virus droppers add this to
            files as part of the infection
            cycle. Our products routinely flag
            files with additional code of this
            sort for deletion.

   sub      Substitution virus. It substitutes
            the host file with itself, so that
            all infected hosts are of the same
            size and are a pure virus. (That
            is, a subclass of overwriting
            viruses.)

   svr      Server-side component of an
            Internet Trojan-horse program,
            often of a backdoor.

   vbs      Potentially harmful software
            component written in Visual Basic
            Script language.

   worm     A non-parasitic virus that copies
            itself, or a virus that propagates
            through a network by copying to
            remote computers or by sending
            itself out via any means of file
            transmission such as remote shares,
            peer-to-peer, instant messaging,
            IRC file transfers, FTP, and SMTP.


GENERIC DETECTIONS

Our software detects a huge amount of
potentially harmful software proactively and
generically. In most cases, such objects are
successfully cleaned even without AVERT ever
receiving a sample. Such detection is denoted
by "Generic" in the name or a "gen" suffix.

To submit a sample to AVERT, visit the AVERT
home page. See "CONTACTING MCAFEE SECURITY &
NETWORK ASSOCIATES".


HEURISTIC DETECTIONS

Our software detects a huge amount of new
potentially harmful software heuristically.
Such detection is flagged using the "New"
prefix to the name (for example "New Worm" and
"New Win32").

To submit any sample that was detected
heuristically, visit the AVERT home page. See
"CONTACTING MCAFEE SECURITY & NETWORK
ASSOCIATES".


APPLICATION DETECTIONS

Our software detects potentially unwanted
applications; they cannot be classified as
viruses or Trojan-horse programs. They include
some Adware, Spyware, Dialers, remote-access
software that can hide itself, and other
similar applications that many users do not
want on their computers. Unwanted applications
also include jokes but these can be excluded
from detection using scanning options.

For more information, visit the AVERT home
page. See "CONTACTING MCAFEE SECURITY & NETWORK
ASSOCIATES".


_______________________________________________
DOCUMENTATION

This product includes the following documents:

-  This README file.

-  A CONTACT file.
   Contact information for McAfee Security and
   Network Associates services and resources:
   technical support, customer service, AVERT,
   beta program, and training. It also includes
   a list of phone numbers, street addresses,
   web addresses, e-mail addresses, and fax
   numbers for Network Associates offices in
   the United States and around the world.


__________________________________________________________
CONTACTING MCAFEE SECURITY & NETWORK ASSOCIATES

Technical Support
    Home Page
       http://www.networkassociates.com/us/support/

    KnowledgeBase Search
       https://knowledgemap.nai.com/phpclient/homepage.aspx

    PrimeSupport Service Portal
       http://mysupport.nai.com

Login credentials required.


McAfee Security Beta Program
    Beta Web Site
       http://www.networkassociates.com/us/downloads/beta/

    E-mail
       avbeta@nai.com


Security Headquarters -- AVERT (Anti-Virus Emergency
Response Team)
    Home Page
       http://www.networkassociates.com/us/security/home.asp

    Virus Information Library
       http://vil.nai.com

    Submit a Virus Sample - AVERT WebImmune
       https://www.webimmune.net/default.asp

    AVERT DAT Notification Service
       http://vil.nai.com/vil/join-DAT-list.asp


Download Site
    Home Page
       http://www.networkassociates.com/us/downloads/

    DAT File and Engine Updates
       http://www.networkassociates.com/us/downloads/updates/

       ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

    Product Upgrades
       https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Valid grant number required.
Contact Network Associates Customer Service


Training
    McAfee Security University
       http://www.networkassociates.com/us/services/education/mcafee/university.htm


Network Associates Customer Service
    US, Canada, and Latin America toll-free:
   Phone:     +1-888-VIRUS NO or +1-888-847-8766
              Monday - Friday, 8 a.m. - 8 p.m.,
              Central Time

   E-mail:    services_corporate_division@nai.com
   Web:       http://www.nai.com/us/index.asp
              http://www.networkassociates.com/us/index.asp


For additional information on contacting Network
Associates and McAfee Security - including toll-free
numbers for other geographic areas -- see the
CONTACT file that accompanied your original product
release.


__________________________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS 

Copyright (C) 2004 Networks Associates
Technology, Inc. All Rights Reserved. No part of
this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or
translated into any language in any form or by any
means without the written permission of Networks
Associates Technology, Inc., or its suppliers or
affiliate companies. To obtain this permission,
write to the attention of the Network Associates
legal department at:
5000 Headquarters Drive, Plano, Texas 75024, or call
+1-972- 963-8000.


TRADEMARKS

Active Firewall, Active Security, Active Security
(in Katakana), ActiveHelp, ActiveShield, AntiVirus
Anyware and design, Appera, AVERT, Bomb Shelter,
Certified Network Expert, Clean-Up, CleanUp Wizard,
ClickNet, CNX, CNX Certification Certified Network
Expert and design, Covert, Design (stylized N), Disk
Minder, Distributed Sniffer System, Distributed
Sniffer System (in Katakana), Dr Solomons, Dr
Solomons label, E and Design, Entercept, Enterprise
SecureCast, Enterprise SecureCast (in Katakana),
ePolicy Orchestrator, Event Orchestrator (in
Katakana), EZ SetUp, First Aid, ForceField, GMT,
GroupShield, GroupShield (in Katakana), Guard Dog,
HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia,
InfiniStream, Intrusion Prevention Through
Innovation, IntruShield, IntruVert Networks,
LANGuru, LANGuru (in Katakana), M and design, Magic
Solutions, Magic Solutions (in Katakana), Magic
University, MagicSpy, MagicTree, McAfee, McAfee (in
Katakana), McAfee and design, McAfee.com, MultiMedia
Cloaking, NA Network Associates, Net Tools, Net
Tools (in Katakana), NetAsyst, NetCrypto,
NetOctopus, NetScan, NetShield, NetStalker, Network
Associates, Network Performance Orchestrator,
NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change,
PC Medic, PCNotary, PortalShield, Powered by
SpamAssassin, PrimeSupport, Recoverkey, Recoverkey -
International, Registry Wizard, Remote Desktop,
ReportMagic, RingFence, Router PM, Safe & Sound,
SalesMagic, SecureCast, SecureSelect,
SecurityShield, Service Level Manager, ServiceMagic,
SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller,
SpamAssassin, Stalker, SupportMagic, ThreatScan,
TIS, TMEG, Total Network Security, Total Network
Visibility, Total Network Visibility (in Katakana),
Total Service Desk, Total Virus Defense, Trusted
Mail, UnInstaller, VIDS, Virex, Virus Forum,
ViruScan, VirusScan, WebScan, WebShield, WebShield
(in Katakana), WebSniffer, WebStalker, WebWall,
What's The State Of Your IDS?, Whos Watching Your
Network, WinGauge, Your E-Business Defender, ZAC
2000, Zip Manager are registered trademarks or
trademarks of Network Associates, Inc. and/or its
affiliates in the US and/or other countries.
Sniffer(R) brand products are made only by Network
Associates, Inc. All other registered and
unregistered trademarks herein are the sole property
of their respective owners.


LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE
LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU
PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND
CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF
YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED
LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT
ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A
BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED
THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF
THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE
PRODUCT TO NETWORK ASSOCIATES, INC. OR THE PLACE OF
PURCHASE FOR A FULL REFUND.


Attributions

This product includes or may include:

-   Software developed by the OpenSSL Project for
    use in the OpenSSL Toolkit
    (http://www.openssl.org/).

-   Cryptographic software written by Eric Young and
    software written by Tim J. Hudson.

-   Some software programs that are licensed (or
    sublicensed) to the user under the GNU General
    Public License (GPL) or other similar Free
    Software licenses which, among other rights,
    permit the user to copy, modify and redistribute
    certain programs, or portions thereof, and have
    access to the source code.  The GPL requires
    that for any software covered under the GPL
    which is distributed to someone in an executable
    binary format, that the source code also be made
    available to those users.  For any such software
    covered under the GPL, the source code is made
    available on this CD.  If any Free Software
    licenses require that Network Associates provide
    rights to use, copy or modify a software program
    that are broader than the rights granted in this
    agreement, then such rights shall take
    precedence over the rights and restrictions
    herein.

-   Software originally written by Henry Spencer,
    Copyright 1992, 1993, 1994, 1997 Henry Spencer.

-   Software originally written by Robert Nordier,
    Copyright (C) 1996-7 Robert Nordier. All rights
    reserved.

-   Software written by Douglas W. Sauder.

-   Software developed by the Apache Software
    Foundation (http://www.apache.org/).

-   International Components for Unicode ("ICU")
    Copyright (C) 1995-2002 International Business
    Machines Corporation and others. All rights
    reserved.

-   Software developed by CrystalClear Software,
    Inc., Copyright (C) 2000 CrystalClear Software,
    Inc.

-   FEAD(R) Optimizer(R) technology, Copyright
    Netopsystems AG, Berlin, Germany.

-   Outside In(R) Viewer Technology (C) 1992-2001
    Stellent Chicago, Inc. and/or Outside In(R) HTML
    Export, (C) 2001 Stellent Chicago, Inc.

-   Software copyrighted by Thai Open Source
    Software Center Ltd. and Clark Cooper, (C) 1998,
    1999, 2000.

-   Software copyrighted by Expat maintainers.

-   Software copyrighted by The Regents of the
    University of California, (C) 1989.

-   Software copyrighted by Gunnar Ritter.

-   Software copyrighted by Sun Microsystems(C),
    Inc.

-   Software copyrighted by Gisle Aas. All rights
    reserved, (C) 1995-2003.

-   Software copyrighted by Michael A. Chase, (C)
    1999-2000.

-   Software copyrighted by Neil Winton, (C)
    1995-1996.

-   Software copyrighted by RSA Data Security, Inc.,
    (C) 1990-1992.

-   Software copyrighted by Sean M. Burke, (C) 1999,
    2000.

-   Software copyrighted by Martijn Koster, (C)
    1995.

-   Software copyrighted by Brad Appleton, (C)
    1996-1999.

-   Software copyrighted by Michael G. Schwern, (C)
    2001.

-   Software copyrighted by Graham Barr, (C) 1998.

-   Software copyrighted by Larry Wall and Clark
    Cooper, (C) 1998-2000.

-   Software copyrighted by Frodo Looijaard, (C)
    1997.


Deriv 2.3.1

DBN 146-EN


