GORDON@chmeds.ac.nz (Gordon Findlay) (02/27/91)
I just downloaded the latest version of McAfee's SCAN (v74B) and tried it.

It gives a false positive (I HOPE it's a false positive!) on an NZ program KILLER.COM, which is a little .COM file for removing variations on the Stoned virus. Scanv74B reports the Invader virus.

I assume it's a false positive as the file is only 799 bytes long, and the Invader virus is reported as adding 4096 bytes to .COM files, modifying the boot sector, and hooking interrupts (Thanks, Patricia Hoffman, for your VIRUSSUM work). None of these has happened.

I don't know how far KILLER.COM has travelled - it is a public domain program widely distributed in NZ; it may have spread as widely as Stoned, who knows? This false positive is definitely something for people to be aware of.

Gordon Findlay
GORDON@CHMEDS.AC.NZ
cctr132@csc.canterbury.ac.nz (Nick FitzGerald) (03/01/91)
In Virus-L V4 #32 GORDON@CHMEDS.AC.NZ (Gordon Findlay) wrote:

>I just downloaded the latest version of McAfee's SCAN (v74B) and
>tried it.
>
>It gives a false positive (I HOPE it's a false positive!) on an NZ
>program KILLER.COM, which is a little .COM file for removing
>variations on the Stoned virus. Scanv74B reports the Invader virus.

It's a false positive alright. Seems that the code sequence in the INVADER that SCAN looks for is also *legitimately* present in KILLER. My guess is that it is part of the code that does the absolute disk reads and/or writes that is likely to be present in both the virus and KILLER.

Anyone who has KILLER shouldn't be using it any more. Apart from the "annoyance" value of the false SCAN report, it does not detect or fix the STONED-2 virus. NOSTONE (an update of KILLER) is aware of both strains of the STONED, and doesn't set off the false alarm when SCANned.

>I assume it's a false positive as the file is only 799 bytes long, and
>the Invader virus is reported as adding 4096 bytes to .COM files;
>modifying the boot sector, and hooking interrupts (Thanks, Patricia
>Hoffman, for your VIRUSSUM work). None of these has happened.

Sounds like good reasoning to me. As I said above, it's likely the absolute disk read/write code is the same in the virus and KILLER.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz   Phone: (64)(3) 642-337
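The two posts above describe a classic signature false positive: a byte pattern chosen to identify Invader also occurs in a legitimate disk-repair tool, and Gordon's file-size argument (799 bytes cannot hold a virus that appends 4096) rules the infection out. The following is an added toy scanner, not code from either poster or from McAfee's SCAN, that shows both the naive match and the size plausibility check; the signature bytes and the file contents are constructed placeholders, not the real Invader signature or the real KILLER.COM.

```python
"""Toy signature scanner illustrating the KILLER.COM / Invader false positive.

Everything here is constructed for illustration: the "signature" is a made-up
byte run, and the files are synthetic stand-ins, not real samples.
"""

# Constructed stand-in for a short disk-I/O opcode run that a virus and a
# legitimate boot-sector repair tool might both contain. Not a real signature.
SHARED_DISK_IO_SEQUENCE = bytes([0xB8, 0x01, 0x02, 0xBB, 0x00, 0x7E, 0xCD, 0x13])

# Hypothetical signature database: name -> (byte pattern, bytes the virus
# appends to an infected .COM). 4096 is the Invader figure quoted in the thread.
SIGNATURES = {
    "Invader (toy signature)": (SHARED_DISK_IO_SEQUENCE, 4096),
}


def naive_scan(data: bytes) -> list[str]:
    """Report every signature whose byte pattern appears anywhere in the file."""
    return [name for name, (pattern, _) in SIGNATURES.items() if pattern in data]


def size_checked_scan(data: bytes) -> list[str]:
    """Same pattern match, but a .COM no longer than the virus's appended body
    cannot be an infected host (host code + appended virus), so drop those hits."""
    hits = []
    for name, (pattern, appended_len) in SIGNATURES.items():
        if pattern in data and len(data) > appended_len:
            hits.append(name)
    return hits


def constructed_killer_com() -> bytes:
    """Constructed 799-byte stand-in for a small legitimate repair utility that
    happens to contain the shared disk-I/O sequence. Not the real KILLER.COM."""
    body = bytes([0x90]) * 300 + SHARED_DISK_IO_SEQUENCE
    return body + bytes([0x90]) * (799 - len(body))


def constructed_infected_com() -> bytes:
    """Constructed stand-in for a 2000-byte host with a 4096-byte body appended."""
    host = bytes([0x90]) * 2000
    virus_body = SHARED_DISK_IO_SEQUENCE
    virus_body += bytes([0x00]) * (4096 - len(SHARED_DISK_IO_SEQUENCE))
    return host + virus_body


if __name__ == "__main__":
    print("KILLER-like, naive:        ", naive_scan(constructed_killer_com()))
    print("KILLER-like, size-checked: ", size_checked_scan(constructed_killer_com()))
    print("infected-like, naive:      ", naive_scan(constructed_infected_com()))
    print("infected-like, size-checked:", size_checked_scan(constructed_infected_com()))
```

The size check only removes impossible hits; a legitimate file longer than 4096 bytes containing the same sequence would still trigger, which is why real scanners pair signatures with context such as entry-point location rather than a bare byte search.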