[tex-live] Virus alerts from TL2009 (again)

Peter Denisevich pdenis2 at comcast.net
Fri Apr 9 04:15:32 CEST 2010

On March 3, 2010 Norbert Preining wrote:

> On Mi, 03 Mär 2010, Linda C M Gross wrote:
> >/  C:\texlive\2009\bin\win32\dviout.exe
> />/  C:\texlive\2009\bin\win32\psv.exe
> />/  C:\texlive\2009\bin\win32\texworks.exe
> /
> If the files have the following md5sums:
> d132caed244851b1a944221921611235  dviout.exe
> 4ea3886315f590856e6d921c54aca0f2  psv.exe
> e9c1687a5375f6ad5b5e76172c46bf37  texworks.exe
> and sizes
> dviout.exe* 3584
> psv.exe* 13824
> texworks.exe* 178688
> then they don't have a virus, but your anti virus program is just reporting
> a fals positive.
> I am quite sure that it is that way, meaning that this is a false
> positive. Detecting a virus is heuristics, and it seems it failed here.
> but you never know ;-)
> Best wishes
> Norbert

I, too, get alerts from Sophos and so I copied the Windows .exe's and .dlls to my Linux box and scanned them with 3 other AVs.
F-Prot found nothing, but ClamAV and AVG both reported the same files as Sophos: dviout.exe, psv.exe, and texworks.exe

It is somewhat disconcerting that 3 out of 4 antivirus scanners tested pick out the same 3 files.  Are the scanners all using the same (false) signatures.  [I would
expect that would lead to patent/copyright problems...]

Details on my scans:

SophosAV: (on Win XP)

Endpoint security and control =  9
Current user rights =  Sophos Administrator

[Anti-virus and HIPS]
-[ Software]
Sophos Anti-Virus 9.0.5
Release status Full
On-access status Enabled
Detection engine 3.6.0
Detection data 4.52G
Virus data date 4/5/2010
Items detected 1544100
Detection identities 171
HIPS rules version 3.2.0
HIPS configuration version 1.0.4
Last updated 4/8/2010 4:25:09 PM

Finds Malware/Virus

dviout.exe: Mal/Dorf-I
psv.exe:    Mal/Dorf-I
texworks.exe: Mal/Dorf-I

(On Gentoo Linux):

ClamAV ClamAV 0.95.3/10716/Wed Apr  7 19:01:36 2010

dualxeon:~/tmp/tlwin$clamscan *|grep -v OK

./dviout.exe: Trojan.Dropper-3840 FOUND
./psv.exe: Trojan.Dropper-3840 FOUND
./texworks.exe: Trojan.Dropper-3840 FOUND

F-PROT Antivirus version (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007

Engine version:
Virus signatures: 2010040817367d38c25834848a2c65806ae6271f603c

dualxeon:~/tmp/tlwin$fpscan *

[finds nothing]
AVG command line Anti-Virus scanner
Copyright (c) 2009 AVG Technologies CZ

Virus database version: 270.14.133/2612
Virus database release date: Sun, 10 Jan 2010 11:35:00 -08:00

dualxeon:~/tmp/tlwin$avgscan *

tlwin/dviout.exe  Virus identified I-Worm/Nuwar.L
tlwin/psv.exe  Virus identified I-Worm/Nuwar.L
tlwin/texworks.exe  Virus identified I-Worm/Nuwar.L


Maybe this is worth another look.


-Peter Denisevich

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tug.org/pipermail/tex-live/attachments/20100408/5fe9c9e5/attachment-0001.html>

More information about the tex-live mailing list