octave-maintainers

Re: [OctDev] my virusscanner found a Worm in octave.exe


From: scott carter nk
Subject: Re: [OctDev] my virusscanner found a Worm in octave.exe
Date: Sun, 22 Jun 2008 22:32:23 -0700 (PDT)

Hmm, looks like it possibly is a spurious detection, since F-secure
apparently recognized it as a spurious detection in their scanner:

http://meldingen-ict.tudelft.nl/nc/en/maintenance-and-bug-report/item/article/f-secure-melding-over-trojan-trojanwin32vbdkn/

I would completely agree with the spurious detection theory except for two
facts:

1) I've used Avira's AntiVir for several years and I have found it to be:
a) _substantially_ more sensitive than either Symantec or PC-cillin (the two
commercial antivirus programs I have experience with).
b) I have yet to experience a spurious detection with AntiVir (though Octave
may be it - AntiVir's detection algorithm is heuristic and it's definitely
possible for it to create a false positive).

2) The same scan (AntiVir) detected multiple seemingly infected files in my
XP system restore area.  The details are fairly opaque (files in XP's system
restore area just get system names in an ever-increasing sequence; I'm not
knowledgeable enough to "manually" walk the data structures back to the
original filename and location), so it's possible that those detections were
just copies of octave.exe in the restore area.

I'm sorry that I don't have a sandbox machine to help figure this out.


Michael Goffioul-2 wrote:
> 
> I'm a little bit puzzled by these results. I scanned octave.exe through
> http://virscan.org and only 2 (out of 36) AV detected the Zhelatin worm:
> Antivir and Ikarus. From user reports, the previous 3.0.0 version also
> has the same problem, but this release dates back from December 2007
> and has been downloaded more than 70,000 times. Is it imaginable that
> a worm was present at that time and that nobody detected it during
> 6 months...? All this makes me think there's a higher probability that
> this is a false positive detection.
> 
> Michael.
> 
> 
> On Fri, Jun 20, 2008 at 10:55 PM, scott carter nk <address@hidden> wrote:
>>
>> I found it in 3.0.0 and 3.0.1 with Avira AntiVir, but only with the latest
>> VDFs (7.0.4.218 and 7.0.4.232).
>> Files that are detected are all in /bin: octave.exe, octave-3.0.0.exe, and
>> octave-3.0.1.exe
>> For me the installer itself (octave-3.0.1-setup.exe and
>> octave-3.0.0-setup.exe) do not trigger a detection.
>> I found several copies at what was apparently a Trojan dropper which had the
>> same virus signature detection at several points in my System Restore
>> checkpoint files, all created since I installed 3.0.0 (but some older than
>> my installation of 3.0.1)
>>
>> Note - neither Symantec nor Trend Micro (web-based scan versions of each)
>> report a detection.
>>
>> Note: installing from the VS2008 installer (octave-3.0.1-vs2008-setup.exe) I
>> do not, repeat not, get any detections.
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Re%3A--OctDev--my-virusscanner-found-a-Worm-in-octave.exe-tp18035615p18062844.html
Sent from the Octave - Maintainers mailing list archive at Nabble.com.


