Anti Virus False Positives and the Hunt for Shai Hulud
Hi all,

A couple of people wrote to me saying their Anti Virus software reported that the "learning" directory of the java code is infected with a worm, W32.Sircam.Worm@mm to be precise. Symantec's description of the worm is here.

As far as I know this is not true and the code on the site is clean (but see below). This is what I did to track down any infestation:
1. I have Norton Anti Virus on my Windows system (I do most of my development on Linux) and a full system scan did not reveal this worm.
2. I downloaded the zip file from the AIMA site and ran a scan on it. Still "No Infection found".
3. I then visually inspected the code. Since the zip file contains only txt, xml, java and class files (and no executable files) I am not able to make out how the code could be infected. (The Symantec description seems to indicate that the worm travels via email with an executable attachment being the carrier.)
4. I uploaded the zip file from the aima site as an attachment to an email using a yahoo account (Yahoo scans all attachments for viruses/worms) and yahoo reported an "all clear" as well.
5. I ran the Symantec worm removal tool, which specifically checks for this worm, on the code on my development machine and the code on the AIMA site, and found nothing.
At this point I think one of the following is happening: (a) an antivirus product is delivering a false positive; (b) the Symantec Norton Anti Virus product is broken and does not detect an infection; or (c) the zip file is being infected after being downloaded onto an infected PC. The fact that aima.zip is often the first zip file encountered in a search may have something to do with this? (d) Something really weird is happening and I have no clue what.
As far as I can make out, the code on my machine and that on the aima site are not (repeat NOT) infected. However I am not an expert on security and I could be wrong. I request anyone encountering this phenomenon to kindly mail me with details of:
(a) what antivirus software they are using
(b) the exact message the AV tool pops up
(c) the infected file's name if the tool points to a particular file as being infected.
A generic report of "your code is infected. Please help" is next to

You may want to try running the worm removal tool and re-download the zip file from the website. If your AV tool reports the zip file as infected *as you download*, please write to *me* (and NOT to this forum) at magesmail@.... Any help much appreciated.
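Steps 2 and 3 above (look at what the archive actually contains, and consider that a copy might be altered after download, hypothesis (c)) can be scripted so that people reporting the problem can give concrete evidence. The following is an added example written for this page, not code from the AIMA project or from the original post: it builds a constructed in-memory zip laid out like the described archive (the file names and contents are made up), hashes the archive bytes so two copies can be compared, and flags any entry whose extension is outside the txt/xml/java/class set the post describes, or whose .class content does not begin with the JVM class-file magic number.

```python
import hashlib
import io
import os
import zipfile

# File types the post says the archive contains; anything else deserves a look.
ALLOWED_EXTENSIONS = {".txt", ".xml", ".java", ".class"}
# Every valid JVM class file starts with these four bytes (0xCAFEBABE).
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def build_sample_archive(extra_entries=None):
    """Construct an in-memory zip shaped like the described archive.

    Constructed sample data only, not the real aima.zip. Fixed timestamps keep
    the output byte-identical across runs so hashes can be compared.
    extra_entries ({name: bytes}) lets a caller inject an unexpected file.
    """
    entries = {
        "aima/README.txt": b"AIMA Java code (constructed sample)\n",
        "aima/learning/config.xml": b"<learning/>\n",
        "aima/learning/DecisionTree.java": b"public class DecisionTree {}\n",
        "aima/learning/DecisionTree.class": CLASS_MAGIC + b"\x00\x00\x00\x31",
    }
    entries.update(extra_entries or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zinfo = zipfile.ZipInfo(name, date_time=(2004, 1, 1, 0, 0, 0))
            zinfo.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zinfo, data)
    return buf.getvalue()


def audit_archive(zip_bytes, allowed=ALLOWED_EXTENSIONS):
    """Return (sha256_hex, issues) for an archive given as bytes.

    issues is a list of (entry_name, reason) tuples. The digest lets a
    downloader compare the copy on disk with the copy on the site: if the
    two differ, the file was changed somewhere between server and disk.
    """
    digest = hashlib.sha256(zip_bytes).hexdigest()
    issues = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in allowed:
                issues.append((info.filename, "unexpected extension %r" % ext))
                continue
            # A file named .class whose content is not a class file is suspicious
            # on its own, regardless of what any AV product says about it.
            if ext == ".class" and not zf.read(info).startswith(CLASS_MAGIC):
                issues.append((info.filename, "missing class-file magic"))
    return digest, issues


def audit_file(path):
    """Convenience wrapper for a real archive on disk."""
    with open(path, "rb") as fh:
        return audit_archive(fh.read())


if __name__ == "__main__":
    digest, issues = audit_archive(build_sample_archive())
    print("sha256:", digest)
    print("issues:", issues or "none")
```

Run `audit_file("aima.zip")` on both the freshly downloaded archive and the copy the AV product complained about; a matching digest with no issues says the two copies are identical and contain only the expected file types, while a mismatch narrows the problem to something that happened after the download.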