I re-posted this after removing KL's telephone number. It is
commercial, but then again it is Usenet.
Art, from KL:
***quote***
Hello.
This file is clear.
Sincerely yours,
Pavel Zelensky
Virus analyst
Kaspersky Lab Ltd
Moscow, Russia
Tel/Fax: +n (nnn) nnn-nnnn
E-mail: (e-mail address removed)
Internet:
http://www.kaspersky.com,
http://www.viruslist.com
***endquote***
Thanks for the info, Ron. Clearly, by "clear" Pavel has stated
that the neutered froggie is harmless, which, of course, it is.
The situation reminds me of a subject that interested me a
great deal some years back when Nick Fitzgerald posted on
acv regularly. Nick accused KAV of being a "crud detector".
Among the various kinds of crud that exists in virus collections
(nowdays malware collections) is the (somewhat botched)
disinfected file virus which has some semblence of a signature
left in the file, yet it's unviable (no longer capable of infecting
other files and "spreading").
Stupid vxers who don't know any better include such non-viable
and harmless samples in their collections of "virii" which are
or were offered for download from their "skull and crossbones"
web sites
Naive testers of av products will unknowingly
include such crud in their test beds and penalize av products
that don't alert on them even though the alerts are actually
false positives. It's said that even the best of collections
usually include at least a small percentage of crud that
hasn't been culled out.
McAfee DOS and F-Prot DOS had their own unique ways
of handling the "testing game" and crud. McAfee av is
based on the former Dr. Solomon scan engine that NAI
purchased. Dr. Solomon av was all the rage as THE BEST
av of them all some years ago. McAfee DOS (and Dr. Solomon)
had/has a detection mechanism built into it such that when it finds
itself being testing in a collection (after so many contiguous
detections) it switches to "crud detection" mode. Experienced
testers know to use the /VID switch to disable that delightful
"feature"
F-Prot uses a different method whereby a
/COLLECT switch can be set, and Frisk used to insist
that it be used when tested. With the /COLLECT switch
on, F-Prot will do amazingly well at distingushing crud
from viable malware (which it identifies as "exact"), and
it reports crud very descriptively. In fact, F-Prot is so
good at this, that it's often used as a "first cut" tool in
separating crud out of test collections.
If you get the idea that av, generally speaking, cannot
really separate viable from non-viable code, you're
right. Most av can't, though there are a few like
Norman that can "sandbox" malware to check for
viability. Frisk's /COLLECT switch doesn't operate that
way ... it simply causes F-prot to recognize and
describe likely crud and known crud ... but F-prot
doesn't actually establish viability versus non-viability.
Now, my neutered froggy is a good example of a
purposely created "crud file". I took the original
infested file into a hex editor and I over-wrote
the malicious code appendage with a constant ...
simply a repetition of some same byte over the
most of it and then I truncated at some point,
reducing the original file length. But I left the
"MZ" (ASCII) header intact and in the same
location, just after the End of Image marker.
That's enough of a "signature" to trigger my
JPG-SCAN proggy, and the idea is that the
neutered froggy can be used as a check on
my scanner ... it should alert.
However, mainstream av should not alert since
there is no malicious code at all in the neutered
froggie. One would expect something a bit more
sophisticated in the way of detection from
mainstream av. So the fact that KAV alerts is a
bit surprising, in a way. I would hope that they
do redesign their sig and remove the FP. But
who knows? Maybe since I have this file up
publically, they might know about it and want
to alert on it since it could wind up in test
collections. No doubt Kaspersky plays the
"testing game" by purposely alerting on all
kinds of crud
Personally, I don't have any problem with the
idea that KAV might be choosing to alert on this
example of "known crud". I've used Kaspersky
scanners for many years, and I can barely remember
back to the last time their scanner produced a
a FP or questionable alert on some file on one of
my machines. I simply don't see their "Super Crud
Detection" capabilty as any kind of actual problem
in my own experience. Possibly others might have
botched virus disinfections that KAV and some others
(falsely) alert on. But I doubt if it's a probem of any
major significance. In fact, I've argued that at least
some crud detections shouldn't be classified as
"real" false positives, though strictly speaking they
are FPs. I've argued that testing agencies could
have a separate category for this sort of thing.
File-AV and Web-AV still don't like the frog. Let's see what
happens overnight.
FWIW, from Virus Total:
STATUS: FINISHED
Complete scanning result of "Neutered_Frog.jpg", received in
VirusTotal at 07.31.2006, 03:32:08 (CET).
Antivirus Version Update Result
AntiVir 6.35.1.0 07.30.2006 no virus found
Authentium 4.93.8 07.29.2006 no virus found
Avast 4.7.844.0 07.29.2006 no virus found
AVG 386 07.28.2006 no virus found
BitDefender 7.2 07.31.2006 no virus found
CAT-QuickHeal 8.00 07.29.2006 no virus found
ClamAV devel-20060426 07.31.2006 no virus found
DrWeb 4.33 07.30.2006 no virus found
eTrust-InoculateIT 23.72.82 07.30.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 Win32/Vxidl
Ewido 4.0 07.30.2006 no virus found
Fortinet 2.77.0.0 07.30.2006 no virus found
F-Prot 3.16f 07.28.2006 no virus found
F-Prot4 4.2.1.29 07.28.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.31.2006 Trojan-Downloader.Win32.Tibs.gc
McAfee 4817 07.28.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1684 07.29.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.30.2006 no virus found
Sophos 4.08.0 07.30.2006 no virus found
Symantec 8.0 07.31.2006 no virus found
TheHacker 5.9.8.183 07.30.2006 no virus found
UNA 1.83 07.28.2006 no virus found
VBA32 3.11.0 07.31.2006 no virus found
VirusBuster 4.3.7:9 07.30.2006 no virus found
Aditional Information
File size: 1738 bytes
MD5: 1e0cc6a87918a4c24cb94a8b28b323d7
SHA1: ff8e78489a667d8b06ac085e134f0bfd9c7a110c
As you say, we shall see. Want to place bets one way
or the other on KAV removing the FP? I'd call it 50/50.
I wouldn't bet more than a cup of coffee one way or
the other
And I won't be surprised either way, though
I have to say I guess I'd be most surprised if they do
remove the FP. I'd actually call it 60/40 in favor of
them continuing to alert on the neutered froggy.
Art
http://home.epix.net/~artnpeg
