Symantec Provides Tool to Detect and Remove Destructive W32.Kriz Virus

W32.Kriz Virus Attempts to Wipe Out Computer Systems on Christmas Day

CUPERTINO, Calif. - Dec. 19, 2000 - Symantec Corp. (NASDAQ: SYMC) today announced the availability of a tool that can be downloaded and run to detect and remove W32.Kriz. W32.Kriz is a destructive virus that renders the system inoperable on Christmas day by wiping out all hard drives and attempting to erase the BIOS, an essential set of computer instructions that is stored on a chip and provides communication between the operating system and the hardware.

Users should scan their system prior to December 25 and on Christmas Day. The current virus definitions will detect this virus either through LiveUpdate or by download from www.symantec.com/avcenter. For users not running an anti-virus program, visit the site to run an online scanning tool to detect the virus. If their system is infected, users can download the utility tool to remove the virus from their system.

W32.Kriz was first discovered over a year ago, but has not been widespread until recently. In a rare, but increasingly common occurrence, the virus infected several common computer worms including Happy99.worm and W32.hllw.bymer.worm, allowing the two to propagate rapidly as one destructive unit. If no action is taken, the Symantec AntiVirus Research Center (SARC) expects to see high numbers of damage reports from all parts of the world on December 25. The payload is very similar to the CIH virus, which triggered on April 26, 1999 and 2000 causing worldwide damage. The CIH virus was also circulating in the wild for more than a year before it caused major destruction.

"To be completely protected from the destructive W32.Kriz virus, users should scan their system prior to December 25 and on Christmas Day using the utility program available on the SARC Web site," said Carey Nachenberg, chief researcher at SARC. "Symantec specifically created this utility to detect and remove the W32.Kriz virus from infected systems, ensuring customers uninterrupted use of their systems throughout the holiday season. SARC researchers will be working throughout the holidays to analyze new viruses and to provide our customers with protection."

W32.Kriz Virus Characteristics
W32.Kriz is a Windows 9x/NT virus, which infects Portable Executable (PE) Windows files. The virus goes resident into memory, attempting to infect any files that are opened by the user or applications. Additionally, the virus modifies the KERNEL32.DLL file, a critical operating system file that enables the virus to spread throughout the system, and attempts to corrupt some PE files, requiring them to be replaced by known, clean backups or from the installation package.

Payload
On December 25th, the virus will attempt to flash the BIOS of the computer, preventing the computer from booting up properly and in most cases, requiring the user to replace the hardware. The virus will also begin overwriting files on all available drives including mapped network drives, floppy drives and RAM disks. The payload is very similar to W95.CIH virus.

Symantec AntiVirus Research Center
SARC is one of the industry's largest dedicated teams of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.

About Symantec
Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, vulnerability assessment, intrusion prevention, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit our Web site at www.symantec.com.

Symantec's Canadian operations are headquartered in Toronto with offices in Montreal, Ottawa, Calgary and Vancouver. For more information on Symantec products or current promotions, contact the Canadian office at (416) 441-3676 or access Symantec's Canadian Web site at www.symantec.ca. Symantec is an active member of the Canadian Alliance Against Software Theft (CAAST).

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site.

Brands and products referenced herein are the trademarks or registered trademarks of their respective holders.

AXENT, AXENT Technologies, the AXENT logo, Enterprise Security Manager, trust level management, and Lifecycle Security are trademarks or registered trademarks, in the United States and certain other countries, of AXENT Technologies, Inc. or its subsidiaries. Symantec is a registered trademark of Symantec Corporation.

FORWARD LOOKING STATEMENT: This press release contains forward-looking statements that involve known and unknown risks, uncertainties and other factors that may cause our actual results, levels of activity, performance or achievements to differ materially from results expressed or implied by this press release. Such risk factors include, among others: the risk that the Symantec and AXENT businesses will not be integrated successfully; the costs related to the merger; the difficulty of developing and marketing products that compete effectively with others and other economic, business, competitive and/or regulatory factors affecting Symantec's business generally. Actual results may differ materially from those contained in the forward-looking statements in this press release. Additional information concerning these and other risk factors is contained in the Risk Factors sections of the Company's previously filed Form 10-K for the year ended March 31, 2000 and Form 10-Q for the quarter ended September 30, 2000.