X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
From: "Dave Korn" <dave DOT korn AT artimi DOT com>
To: <cygwin AT cygwin DOT com>
References: <48CF791C DOT 1060801 AT sellers DOT com>
Subject: RE: Kaspersky reports WORM in Coreutils 6.7-1 and 6.7-2
Date: Tue, 16 Sep 2008 11:00:54 +0100
Message-ID: <008601c917e3$1bc414a0$9601a8c0@CAM.ARTIMI.COM>
MIME-Version: 1.0
Content-Type: text/plain; 	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <48CF791C.1060801@sellers.com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

John Sellers wrote on 16 September 2008 10:15:

> (I am VERY tired right now so any I typed here might have typos.)
> Today I ran a scan with Kaspersky Internet Security 2009, and it
> reported that a couple of files in the install\cygwin directories were
> infected by Net_Worm.win32.sassor.be.

  It reported wrong.

> My system is WindowsXP Media edition
> 
> These were:
> 
> 
>
C:\install\cygwin\package\http%3a%2f%2fmirrors.kernel.org%2fsourceware%2fcygwi
n\release\coreutils\coreutils-6.7-1.tar.bz2
>
C:\install\cygwin\package\http%3a%2f%2fmirrors.kernel.org%2fsourceware%2fcygwi
n\release\coreutils\coreutils-6.7-2.tar.bz2
> 
> 
> and more specifically:
> 
>   coreutils-6.7-2//user/bin/gkill.exe
> 
> I know these are old releases so I am assuming everything is OK.  

  Given that those files are old, and have been around your drive for some
time, and suddenly start detecting, you can infer one of two things:

- they're the same as they always have been and it's the AV signature that has
changed.
- they've changed and are now tripping an existing (or perhaps new) signature.

  Given that sasser is a worm that transfers itself in whole from one PC to
another, and not a virus that infects or modifies existing files to attach
itself (and in particular not files way down in a compressed archive), there
is zero chance that these files have become sasser-infected.

  Therefore the signatures have changed and this is a false positive.

> I
> deleted these to tar files and I assume that won't hurt my
> installation.  right?

  Setup.exe will offer to redownload them if you ever want to reinstall, I
think.

  Still, you'd be doing all the other Cygwin+Kapersky users a favour if you
reported the false positive.  Kapersky might update their signatures and save
them the trouble you've been through.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/