Loading ...
Sorry, an error occurred while loading the content.

Anti Virus False Positives and the Hunt for Shai Hulud

Expand Messages
  • Ravi Mohan
    Hi all, A couple of people wrote to me saying their Anti Virus software reported that the learning directory of the java code is infected with a worm,
    Message 1 of 1 , Nov 3 6:38 AM
      Hi all,
      A couple of people wrote to me saying their Anti Virus software
      reported that the "learning" directory of the java code is infected
      with a worm, W32.Sircam.Worm@mm to be precise.
      Symantec's description of the worm is here

      As far as I know this is not true and the code on the site is clean
      (but see below) . This is what I did to track down any infestation

      1.I have Norton Anti Virus on my Windows system (I do most of my
      development on Linux) and a full system scan did not reveal this worm.

      2.I downloaded the zip file from the AIMA site and ran a scan on it.
      Still "No Infection found".

      3.I then visually inspected the code. Since the zip file contains
      only, txt, xml, java and class files (and no executable files) I am
      not able to make out how the code could be infected. (the SYmantec
      description seems to indicate that the worm travels via email with an
      executable attachment being the carrier.)

      4.I uploaded the zip file from the aima site as an attachment to an
      email using a yahoo account(Yahoo scans all attachments for
      viruses/worms ) and yahoo reported an "all clear " as well.

      5.I ran the symantec worm removing
      which specifically checks for this worm and found nothing , on the
      code on my development machine and the code on the AIMA site

      At this point I think one of the following is happening (a) an
      antivirus product is delivering a false positive (b)The Symantec
      Norton Anti Virus product is broken and does not detect an infection
      or (c) the zip file is being infected after being downloaded onto an
      infected PC.The fact that aima.zip is often the first zip file
      encountered in a search may have something to do with this? (d)
      Smething really weird is happening and I have no clue what.

      As far as I can make out, the code on my machine and that on the aima
      site are not (repeat NOT) infected. However I am not an expert on
      security and I could be wrong. I request anyone encountering this
      phenomenon to kindly mail me with details of

      (a)what antivirus software they are using
      (b) the exact message the AV tool pops up
      (c) the infected file's name if the tool points to a particular file
      as being infected.

      A generic report of " your code is infected. Please help" is next to

      You may want to try run the worm removal tool and re download the zip
      file from the website. If your AV tool reports the zip file as
      infected *as you download*, please write to *me* ( and NOT to this
      forum) at magesmail@.... Any help much appreciated.

    Your message has been successfully submitted and would be delivered to recipients shortly.