Re: [OctDev] my virusscanner found a Worm in octave.exe

by Michael Goffioul-2

On Thu, Jun 19, 2008 at 11:25 PM, Danny Schneider
<Danny_Schneider_Hessen@...> wrote:

> Hi,
>
> I don't know if this is the right channel for this information, but
> perhaps somebody of you can direct it the right way...
>
> My virus scanner just reported that octave.exe contains a Virus/Worm
> named Zhelatin.aan.13
>
> it was found in octave-3.0.0.exe and octave.exe
>
> I downloaded it from sourceforge.
>
> Can anybody confirm the disease?

Apparently, this problem appeared recently as this problem has
been reported a few times since the beginning of this week. My
virus scanner does not detect any problem, so I would like to request
some feedback from other Windows users:

1) Is this worm new?

2) What AV software detects it?

3) Could anyone with McAfee or Norton check the executables
(the latest VS2008 executable was built on a regularly updated
McAfee-protected system)

4) Could people who detected the worm check older executables?
(like the 2.9.x series)

Thanks,
Michael.

Re: [OctDev] my virusscanner found a Worm in octave.exe

by Michael Goffioul-2

On Fri, Jun 20, 2008 at 9:00 PM, Michael Goffioul
<michael.goffioul@...> wrote:

> Apparently, this problem appeared recently as this problem has
> been reported a few times since the beginning of this week. My
> virus scanner does not detect any problem, so I would like to request
> some feedback from other Windows users:
>
> 1) Is this worm new?
>
> 2) What AV software detects it?
>
> 3) Could anyone with McAfee or Norton check the executables
> (the latest VS2008 executable was built on a regularly updated
> McAfee-protected system)
>
> 4) Could people who detected the worm check older executables?
> (like the 2.9.x series)

Additional info: the first report was about the installer executable
(not the installed octave.exe). Could people also check recent
(3.0.x) and older (2.9.x) installers?

Michael.

Re: [OctDev] my virusscanner found a Worm in octave.exe

by scott carter nk

I found it in 3.0.0 and 3.0.1 with Avira AntiVir, but only with the latest VDFs (7.0.4.218 and 7.0.4.232).

Files that are detected are all in /bin: octave.exe, octave-3.0.0.exe, and octave-3.0.1.exe.

For me the installers themselves (octave-3.0.1-setup.exe and octave-3.0.0-setup.exe) do not trigger a detection.

I found several copies at what was apparently a Trojan dropper which had the same virus signature detection at several points in my System Restore checkpoint files, all created since I installed 3.0.0 (but some older than my installation of 3.0.1).

Note - neither Symantec nor Trend Micro (web-based scan versions of each) report a detection.

Note: installing from the VS2008 installer (octave-3.0.1-vs2008-setup.exe) I do not, repeat not, get any detections.

Michael Goffioul-2 wrote:
> On Fri, Jun 20, 2008 at 9:00 PM, Michael Goffioul
> <michael.goffioul@gmail.com> wrote:
> > Apparently, this problem appeared recently as this problem has
> > been reported a few times since the beginning of this week. My
> > virus scanner does not detect any problem, so I would like to request
> > some feedback from other Windows users:
> >
> > 1) Is this worm new?
> >
> > 2) What AV software detects it?
> >
> > 3) Could anyone with McAfee or Norton check the executables
> > (the latest VS2008 executable was built on a regularly updated
> > McAfee-protected system)
> >
> > 4) Could people who detected the worm check older executables?
> > (like the 2.9.x series)
>
> Additional info: the first report was about the installer executable
> (not the installed octave.exe). Could people also check recent
> (3.0.x) and older (2.9.x) installers?
>
> Michael.

Re: [OctDev] my virusscanner found a Worm in octave.exe

by Michael Goffioul-2

I'm a little bit puzzled by these results. I scanned octave.exe through
http://virscan.org and only 2 (out of 36) AV detected the Zhelatin worm:
Antivir and Ikarus. From user reports, the previous 3.0.0 version also
has the same problem, but this release dates back from December 2007
and has been downloaded more than 70,000 times. Is it imaginable that
a worm was present at that time and that nobody detected it during
6 months...? All this makes me think there's a higher probability that
this is a false positive detection.

Michael.


On Fri, Jun 20, 2008 at 10:55 PM, scott carter nk <scott@...> wrote:

>
> I found it in 3.0.0 and 3.0.1 with Avira AntiVir, but only with the latest
> VDFs (7.0.4.218 and 7.0.4.232).
> Files that are detected are all in /bin: octave.exe, octave-3.0.0.exe, and
> octave-3.0.1.exe
> For me the installers themselves (octave-3.0.1-setup.exe and
> octave-3.0.0-setup.exe) do not trigger a detection.
> I found several copies at what was apparently a Trojan dropper which had the
> same virus signature detection at several points in my System Restore
> checkpoint files, all created since I installed 3.0.0 (but some older than
> my installation of 3.0.1)
>
> Note - neither Symantec nor Trend Micro (web-based scan versions of each)
> report a detection.
>
> Note: installing from the VS2008 installer (octave-3.0.1-vs2008-setup.exe) I
> do not, repeat not, get any detections.

Re: [OctDev] my virusscanner found a Worm in octave.exe

by scott carter nk

Hmm, looks like it possibly is a spurious detection, since F-secure apparently recognized it as a spurious detection in their scanner:

http://meldingen-ict.tudelft.nl/nc/en/maintenance-and-bug-report/item/article/f-secure-melding-over-trojan-trojanwin32vbdkn/

I would completely agree with the spurious detection theory except for two facts:

1) I've used Avira's AntiVir for several years and I have found it to be:
a) _substantially_ more sensitive than either Symantec or PC-cillin (the two commercial antivirus programs I have experience with).
b) I have yet to experience a spurious detection with AntiVir (though Octave may be it - AntiVir's detection algorithm is heuristic and it's definitely possible for it to create a false positive).

2) The same scan (AntiVir) detected multiple seemingly infected files in my XP system restore area.  The details are fairly opaque (files in XP's system restore area just get system names in an ever-increasing sequence; I'm not knowledgeable enough to "manually" walk the data structures back to the original filename and location), so it's possible that those detections were just copies of octave.exe in the restore area.

I'm sorry that I don't have a sandbox machine to help figure this out.

Michael Goffioul-2 wrote:
> I'm a little bit puzzled by these results. I scanned octave.exe through
> http://virscan.org and only 2 (out of 36) AV detected the Zhelatin worm:
> Antivir and Ikarus. From user reports, the previous 3.0.0 version also
> has the same problem, but this release dates back from December 2007
> and has been downloaded more than 70,000 times. Is it imaginable that
> a worm was present at that time and that nobody detected it during
> 6 months...? All this makes me think there's a higher probability that
> this is a false positive detection.
>
> Michael.
>
>
> On Fri, Jun 20, 2008 at 10:55 PM, scott carter nk <scott@nklab.com> wrote:
> >
> > I found it in 3.0.0 and 3.0.1 with Avira AntiVir, but only with the latest
> > VDFs (7.0.4.218 and 7.0.4.232).
> > Files that are detected are all in /bin: octave.exe, octave-3.0.0.exe, and
> > octave-3.0.1.exe
> > For me the installers themselves (octave-3.0.1-setup.exe and
> > octave-3.0.0-setup.exe) do not trigger a detection.
> > I found several copies at what was apparently a Trojan dropper which had the
> > same virus signature detection at several points in my System Restore
> > checkpoint files, all created since I installed 3.0.0 (but some older than
> > my installation of 3.0.1)
> >
> > Note - neither Symantec nor Trend Micro (web-based scan versions of each)
> > report a detection.
> >
> > Note: installing from the VS2008 installer (octave-3.0.1-vs2008-setup.exe) I
> > do not, repeat not, get any detections.