<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
On March 3, 2010 Norbert Preining wrote:<br>
<pre><blockquote type="cite"><pre>On Wed, 03 Mar 2010, Linda C M Gross wrote:
><i> C:\texlive\2009\bin\win32\dviout.exe
</i>><i> C:\texlive\2009\bin\win32\psv.exe
</i>><i> C:\texlive\2009\bin\win32\texworks.exe
</i>
If the files have the following md5sums:
d132caed244851b1a944221921611235 dviout.exe
4ea3886315f590856e6d921c54aca0f2 psv.exe
e9c1687a5375f6ad5b5e76172c46bf37 texworks.exe
and sizes
dviout.exe* 3584
psv.exe* 13824
texworks.exe* 178688
then they don't have a virus, but your anti virus program is just reporting
a false positive.
I am quite sure that it is that way, meaning that this is a false
positive. Detecting a virus is heuristics, and it seems it failed here.
but you never know ;-)
Best wishes
Norbert
</pre></blockquote>
I, too, get alerts from Sophos and so I copied the Windows .exe's and .dlls to my Linux box and scanned them with 3 other AVs.
F-Prot found nothing, but ClamAV and AVG both reported the same files as Sophos: dviout.exe, psv.exe, and texworks.exe
It is somewhat disconcerting that 3 out of 4 antivirus scanners tested pick out the same 3 files. Are the scanners all using the same (false) signatures? [I would
expect that would lead to patent/copyright problems...]
Details on my scans:
SophosAV: (on Win XP)
[General]
Endpoint security and control = 9
Current user rights = Sophos Administrator
[Anti-virus and HIPS]
-[ Software]
Sophos Anti-Virus 9.0.5
Release status Full
On-access status Enabled
Detection engine 3.6.0
Detection data 4.52G
Virus data date 4/5/2010
Items detected 1544100
Detection identities 171
HIPS rules version 3.2.0
HIPS configuration version 1.0.4
Last updated 4/8/2010 4:25:09 PM
Finds Malware/Virus
dviout.exe: Mal/Dorf-I
psv.exe: Mal/Dorf-I
texworks.exe: Mal/Dorf-I
------------------------------------------------------------------
(On Gentoo Linux):
ClamAV ClamAV 0.95.3/10716/Wed Apr 7 19:01:36 2010
dualxeon:~/tmp/tlwin$clamscan *|grep -v OK
./dviout.exe: Trojan.Dropper-3840 FOUND
./psv.exe: Trojan.Dropper-3840 FOUND
./texworks.exe: Trojan.Dropper-3840 FOUND
-----------------------------------------------------------
F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007
Engine version: 4.4.4.56
Virus signatures: 2010040817367d38c25834848a2c65806ae6271f603c
dualxeon:~/tmp/tlwin$fpscan *
[finds nothing]
-------------------------------------------------------------------
AVG command line Anti-Virus scanner
Copyright (c) 2009 AVG Technologies CZ
Virus database version: 270.14.133/2612
Virus database release date: Sun, 10 Jan 2010 11:35:00 -08:00
dualxeon:~/tmp/tlwin$avgscan *
tlwin/dviout.exe Virus identified I-Worm/Nuwar.L
tlwin/psv.exe Virus identified I-Worm/Nuwar.L
tlwin/texworks.exe Virus identified I-Worm/Nuwar.L
---------------------------------------------------------------------
Maybe this is worth another look.
Thanks,
-Peter Denisevich
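
Added example, not part of the original messages: a Python check that compares local copies of the three flagged files against the md5sums and sizes posted in the quoted reply above. The function names and the directory argument are assumptions made for this illustration.

```python
import hashlib
import os
import re

# md5sums and sizes exactly as posted in the quoted message above.
PUBLISHED = """\
d132caed244851b1a944221921611235 dviout.exe
4ea3886315f590856e6d921c54aca0f2 psv.exe
e9c1687a5375f6ad5b5e76172c46bf37 texworks.exe
dviout.exe* 3584
psv.exe* 13824
texworks.exe* 178688
"""

def parse_manifest(text):
    """Map name to {'md5', 'size'} from 'md5 name' and 'name* size' lines."""
    entries = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([0-9a-fA-F]{32})\s+\*?(\S+)\s*", line)
        if m:
            entries.setdefault(m.group(2), {})["md5"] = m.group(1).lower()
            continue
        m = re.fullmatch(r"\s*(\S+?)\*?\s+(\d+)\s*", line)
        if m:
            entries.setdefault(m.group(1), {})["size"] = int(m.group(2))
    return entries

def md5_and_size(path, chunk=65536):
    """Stream the file so large binaries are never held in memory whole."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size

def verify(directory, manifest):
    """Return {name: 'match' | 'missing' | 'size-mismatch' | 'md5-mismatch'}."""
    results = {}
    for name, want in sorted(manifest.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        md5, size = md5_and_size(path)
        if size != want.get("size", size):
            results[name] = "size-mismatch"
        else:  # an entry with no published md5 is reported as a mismatch
            results[name] = "match" if md5 == want.get("md5") else "md5-mismatch"
    return results
```

Call it as verify(r"C:\texlive\2009\bin\win32", parse_manifest(PUBLISHED)). A "match" shows only that the local file is byte-for-byte the one whose checksum was posted; MD5 is not collision resistant, so it guards against a corrupted or swapped file rather than a deliberately crafted one.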
</pre>
<br>
</body>
</html>