Mail Archives: djgpp/1999/04/21/05:58:13

Date: Wed, 21 Apr 1999 10:55:20 +0200
From: Hans-Bernhard Broeker <broeker AT physik DOT rwth-aachen DOT de>
Message-Id: <199904210855.KAA08451@acp3bf.physik.rwth-aachen.de>
To: peter DOT claessens AT student DOT kuleuven DOT ac DOT be
Cc: djgpp AT delorie DOT com
Subject: Re: Download site
Newsgroups: comp.os.msdos.djgpp
Organization: RWTH Aachen, III. physikalisches Institut B
X-Newsreader: TIN [version 1.2 PL2]
Reply-To: djgpp AT delorie DOT com

In article <371D22A6 DOT 67CE927E AT student DOT kuleuven DOT ac DOT be> you wrote:
> I had a similar problem. My scanner (it was TBAV I think) reported that
> several executables downloaded from the djgpp site were infected by an
> 'unknown virus'. I assumed it was a false alarm, I know that some virus
> scanners don't like compilers, but since it kept bugging me about it I
> removed the scanner and installed Winguard, which doesn't complain about
> anything.
> Was my assumption about the alert being a false hit too early?

Could have been. It's hard to tell, or may be impossible, without
knowing what made the scanner cry 'unknown virus', which is a rather
unusual result from a scanning engine. They normally search for known
viruses, so there must have been some heuristical method, and the
engine should at least optionally give reasons *why* it thinks there's
a virus.

Of course, the first thing to do would be to re-check the scanner
itself: virus signatures up-to-date? How old, exactly, are they -- the
newer, the higher the odds of a false alarm.  At least, you could have
waited a while and then checked if a new update of TBAV, or a
different scanner, still claims that there is a virus. Telling the
TBAV makers about this suspected false positive would also have been a
good idea.

An immediate test is also possible:

From someone else's computer (which has no virus infection; check!,
boot off a write-protected floppy, if possible) repeat the download of
some of the suspicious packages, and unpack some of the files that are
said to be infected to a floppy. Write-protect that floppy, and take
it home. Do not remove the write-protection under any circumstance,
until you're sure that the alarm was a false positive. Now, do two
checks:

1) a binary file-compare to see if the files on the floppy are identical
to the ones on your harddisk.  ('fc /b' does that).

2) a virus-scan of the floppy files with the scanner that reported
your hard disk files to be infected.

If test 1) says 'identical', and 2) says the floppy is infected, that
leaves open only two choices: false alarm, or the *original* files at
the download files are infected. So you should email all your findings
to the site administrator (DJ, for the case of DJGPP tools).

For someone with the necessary knowledge, it can even be possible to
study the suspicious programs' behaviour in a controlled 'laboratory'
environment, to check if the suspected infection does, indeed, spread.
But this should really be left to a true 'hacker'.

--
Hans-Bernhard Broeker (broeker AT physik DOT rwth-aachen DOT de)
Even if all the snow were burnt, ashes would remain.
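The two checks described in the reply above (a byte-for-byte compare of the suspect files against a freshly downloaded clean copy, then a scan of that clean copy with the same scanner) can be scripted. The block below is an added example, not part of the original post or of DJGPP; it uses Python in place of `fc /b`, and the file names, contents and the "scanner report" are constructed for the demo. It also goes slightly beyond the post by giving a verdict for the cases the post does not spell out (local file differs, or the clean copy is not flagged).

```python
import tempfile
from enum import Enum
from pathlib import Path

CHUNK = 64 * 1024


class Verdict(Enum):
    """Outcome of combining test 1 (binary compare) with test 2 (scan of the clean copy)."""
    LOCAL_COPY_ALTERED = ("local file differs from the clean download: it was changed "
                          "after download, treat it as untrusted")
    FALSE_POSITIVE_OR_UPSTREAM_INFECTED = ("identical to the clean download and still flagged: "
                                           "false alarm, or the files on the download site are "
                                           "infected; report findings to the site admin")
    ALARM_NOT_REPRODUCED = ("identical to the clean download and the clean copy is not flagged: "
                            "rescan with current signatures before trusting either result")
    MISSING = "file not present in the local copy"


def binary_compare(path_a: Path, path_b: Path) -> bool:
    """Byte-for-byte comparison of two files, the job 'fc /b' does on DOS."""
    if path_a.stat().st_size != path_b.stat().st_size:
        return False
    with path_a.open("rb") as fa, path_b.open("rb") as fb:
        while True:
            chunk_a, chunk_b = fa.read(CHUNK), fb.read(CHUNK)
            if chunk_a != chunk_b:
                return False
            if not chunk_a:  # both streams exhausted at the same point
                return True


def compare_trees(clean_dir: Path, local_dir: Path) -> dict:
    """Test 1 for every file in the clean copy: relative path -> True/False, None if absent locally."""
    results = {}
    for clean_file in sorted(p for p in clean_dir.rglob("*") if p.is_file()):
        rel = clean_file.relative_to(clean_dir).as_posix()
        local_file = local_dir / rel
        results[rel] = binary_compare(clean_file, local_file) if local_file.is_file() else None
    return results


def classify(compare_results: dict, flagged_on_clean_copy: set) -> dict:
    """Combine test 1 with test 2.

    flagged_on_clean_copy: relative paths the scanner reports when run over the clean
    (write-protected) copy, i.e. the result of test 2.
    """
    verdicts = {}
    for rel, identical in compare_results.items():
        if identical is None:
            verdicts[rel] = Verdict.MISSING
        elif not identical:
            verdicts[rel] = Verdict.LOCAL_COPY_ALTERED
        elif rel in flagged_on_clean_copy:
            verdicts[rel] = Verdict.FALSE_POSITIVE_OR_UPSTREAM_INFECTED
        else:
            verdicts[rel] = Verdict.ALARM_NOT_REPRODUCED
    return verdicts


def demo() -> dict:
    """Constructed sample: a clean re-download next to a local install with one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, local = Path(tmp) / "clean", Path(tmp) / "local"
        for d in (clean / "bin", local / "bin"):
            d.mkdir(parents=True)
        # Constructed file contents and names; these are not real DJGPP binaries.
        (clean / "bin" / "tool1.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (local / "bin" / "tool1.exe").write_bytes(b"MZ" + b"\x00" * 100)            # identical
        (clean / "bin" / "tool2.exe").write_bytes(b"MZ" + b"\x01" * 100)
        (local / "bin" / "tool2.exe").write_bytes(b"MZ" + b"\x01" * 99 + b"\xff")   # one byte changed
        (clean / "bin" / "tool3.exe").write_bytes(b"MZ" + b"\x02" * 100)            # absent locally
        # Constructed scanner report for the clean copy: the scanner flags tool1.exe again.
        flagged = {"bin/tool1.exe"}
        return classify(compare_trees(clean, local), flagged)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

In practice `compare_trees` would be pointed at the unpacked files on the write-protected floppy and at the installed copy on the hard disk, and `flagged_on_clean_copy` filled in from the scanner's report on the floppy; the decision table in `classify` is the one the post gives, with the extra rows added for the outcomes it leaves implicit.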
