Hi Kurt, www.virustotal.com/analisis/b97305ed784aa31390f07840b8d8fe578a473d8612693b1a255520b4d870e535-1181473738
already shows an analysis of the suspicious filetype dll file. Executable files exist in lib/locale.so, plugins/ ssavers/ and of course in the ndn Linux executable itself. Clamscan Linux only finds the dll suspicious, though. Results: Antivir 1226, Avast Krile-5880, ClamAV DOS.PS-MPC.Gen1, Fortinet suspicious, Webwasher 1226, received 2007.06.10 ... I requested a re-analyis and now virustotal says: a-squared Virus.Krile.5880!IK, AhnLab-V3 Win-Trojan/Xema.variant, AntiVir 1226, Avast Krile-5880, ClamAV DOS.Benediction, GData Krile-5880, Ikarus Virus.Krile.5880, Artemis!2dff4f88a041, McAfee-GW Virus.1226, Panda suspicious, Sophos Mal/Generic-A. This still means that many well-known scanners have nothing to complain about the file - Prevx, Symantec, Trendmicro, Kaspersky, DrWeb, BitDefender, AVG... to mention a few. name viradd virsiz rawdsiz ntrpy md5 CODE32 0x1000 0x152c0 0x15400 6.23 0f8a49f974e93c4d91e050f9c697210e CONST32 0x17000 0x21274 0xde00 6.18 f8f86c23fa95d8cb9fcd2d2dfe55a17f .idata 0x39000 0x14 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b .edata 0x3a000 0xc4 0x200 2.26 84eeb05e282546c09bef340e22a339b5 .reloc 0x3b000 0x1790 0x1800 6.77 54dedf3f810cd3a6b7e5c69eff9cdb3c This leaves a kind of mixed feeling, so I looked inside the file: NDN filetype detection plugin 1.0, 2001 based on GetTyp 1998 by Philip Helger / PHaX ... it finds a number of un-unpackable exe packers, so it probably also looks as if it is un-unpackable itself to antivirus which do not look closely? Some URLs: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74420 Xema - but then more scanners would see it as Xema. http://vil.nai.com/vil/content/v_4137.htm Krile - would be 5880 bytes and from 1997, overwrites first 5880 bytes of victim, puts original in encrypted form at end McAfee would detect it, but it says only 1226... http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=vis&idvirus=3 The 1226 virus would steal information but is from 1990, which means it would be unlikely to even know internet? It would be polymorphic as well and would block some pages, which again makes no sense for such an old virus... As the name says, 1226 would be 1226 bytes in size. Maybe the NDN people can change the file to make sure nobody thinks it would be a virus. While they are at it, they can check it for viruses themselves, too... They probably should reduce the number of "protector" and "hackish packer" detections, if you ask me. Eric > I have again downloaded: ndn_2_31_3836_bin_lnx.tgz; I got it from: > http://ndn.muxe.com , which was furnished to me by rugxulo... ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Freedos-user mailing list Freedos-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freedos-user
