ClamWin Free Antivirus
Support and Discussion Forums
MS Notepad generated TXT files -- laced with the viral code?
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
Speaking of the false positives inundation, how on earth could plain text files, compiled by me (on floppy disks and USB) from antiviral research info websites, be superimposed with code similar to nasty malware? Bearing in mind that the utilised MS Notepad was supposed to strip all the programming lingo, down to the bare ASCII code. Yet in reality some of my *.txt files were laced with the viral scent, courtesy of the closely monitored internet in the public libraries.

Lately, my offline utilised desktop (167MHz 64MB RAM 2GB HDD Win98SE) was equipped with the ClamWin anti-virus utility, leading to the following consequences:

Scan Started Mon Jul 06 19:48:49 2009
-------------------------------------------------------------------------------

c:\WINDOWS\WIN386.SWP: Permission denied
c:\Pc-User\Utils-2\USB threads.txt: Worm.Autorun-1792 FOUND
c:\Pc-User\Utils-2\Jun20tag.txt: VBS.Netlog.a FOUND
c:\Pc-User\Utils-2\Encyclopaedia of Computer Viruses.txt: Boot.Diskkiller FOUND

----------- SCAN SUMMARY -----------
Known viruses: 572138
Engine version: 0.95.2
Scanned directories: 974
Scanned files: 19790
Infected files: 3
Data scanned: 2641.87 MB
Data read: 1662.11 MB (ratio 1.59:1)
Time: 26864.890 sec (447 m 44 s)


Scan Started Tue Jul 07 03:40:01 2009
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***

*** Scanned 10 processes - 97 modules ***
*** Computer Memory Scan Completed ***

C:\Pc-User\Utils-2\USB threads.txt: Worm.Autorun-1792 FOUND
C:\Pc-User\Utils-2\USB threads.txt: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\USB threads.txt.infected'
C:\Pc-User\Utils-2\Jun20tag.txt: VBS.Netlog.a FOUND
C:\Pc-User\Utils-2\Jun20tag.txt: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\Jun20tag.txt.infected'
C:\Pc-User\Utils-2\Encyclopaedia of Computer Viruses.txt: Boot.Diskkiller FOUND
C:\Pc-User\Utils-2\Encyclopaedia of Computer Viruses.txt: moved to 'C:\WINDOWS\All Users\.clamwin\quarantine\Encyclopaedia of Computer Viruses.txt.infected'

----------- SCAN SUMMARY -----------
Known viruses: 572138
Engine version: 0.95.2
Scanned directories: 23
Scanned files: 628
Infected files: 3
Data scanned: 100.70 MB
Data read: 37.07 MB (ratio 2.72:1)
Time: 1517.810 sec (25 m 17 s)

Besides which, the ClamWin scanner issued momentary warnings each time towards the end of the scan session, which regrettably scrolled away before one could read them, followed immediately by the canvassed scan summary. Apparently contradicted by the VirusTotal analysis, except for the ClamWin false positive. As a result I would appreciate a pertinent probe into the anomaly, as well as having the submitted files scrutinised and sanitised in turn. Thanks a lot for keeping up the good work!

PS: The Safe Mode ClamWin scan was aborted due to the warning popup apropos video corruption, besides some other consequences, if one proceeded. Which didn't happen with Dr.Web or the earlier installed Avast home edition, of a very heavy footprint, bloating Win386.swp to 130MB from 28MB, vs ClamWin 40MB in idle mode. Obviously an offline desktop user such as myself couldn't cope with the protracted bootups. So Avast had to go, because there wasn't any other way to disable it.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I suggest you submit the files in question to the Jotti free scanning service to see what other antivirus scanners say about them. It could be that some text you have is just similar to the text in some virus code. Virus signatures can consist of text, file hashes, or binary code--anything a sigmaker can grab from today's packed and highly obfuscated malware.

Avast usually works pretty well. I have used it in the past with good results.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
autorun.inf, VBS code, HTML etc. signatures are plain ASCII, so they will match even in a .txt file.
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
Hello GuitarBob and Sherpya! Your prompt response has been much appreciated! As advised, I have submitted the suspect files to Jotti's free scanning service, https://virusscan.jotti.org, which reinforced the scanning results from https://www.virustotal.com. The "USB threads.txt" file was found to contain IS/Autorun by Frisk F-Prot Antivirus, versus detection of the Worm.Autorun-1792 code by ClamAV.

The "Encyclopaedia of Computer Viruses.txt" file was found to contain Boot.Booter.a by Cpsecure, versus detection of the Boot.Diskkiller code by ClamAV. The subsequently submitted "Jun20tag.txt" file was found to contain Worm.VBS.Netlog.A by Cpsecure, VBS.Netlog by Quick Heal and VBS/Netlog.P by Frisk F-Prot Antivirus, versus detection of the VBS.Netlog.a code by ClamAV.

Hence I uploaded these viral-code-laced files to the ClamAV lab at https://www.clamav.net/sendvirus. In return I received a prompt reply from Michael Cichosz, whose expert analysis ("this code was used by Worm.Kido aka Worm.Conficker and detected as Worm.Autorun-1792") pinpointed the precise spot within the "USB threads.txt" file. Nevertheless, I deleted a larger chunk of the text instead of the sole passage, just to excise such nasty code altogether! At last the ClamWin free scanner onboard, and subsequently Jotti's multi-scanner, demonstrated clean scan outcomes.

Thus saving 99% of the (780KB) research into USB-related problems!

Yet to my surprise, when I went back to https://forums.whirlpool.net.au/forum-replies.cfm?t=1115784 to copy anew the previously excised article (from my file), "USB drive disabled. Autorun.inf Virus", amazingly the txt-mode copied file was found via Jotti's multi-scan to be laced with the malicious Worm/AutoRun by Grisoft AVG Anti-Virus and IS/Autorun by Frisk F-Prot Antivirus, versus the detected Worm.Autorun-1792 code by ClamAV.

To be precise within the following text:

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Forums » Windows » USB drive disabled. Autorun.inf Virus

User #178924 1172 posts
Shpox
?
Whirlpool Enthusiast O.P.
...

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What a sheer paradox for the highly acclaimed Information Technology website to list articles laced with malicious viral code! Or was it something more sinister? Perhaps a scan of the pertinent URL, https://forums.whirlpool.net.au/forum-replies.cfm?t=1115784, would be warranted in the circumstances! In the meantime, I am eagerly awaiting the outcome of the further analysis into the remaining TXT files submitted to the ClamAV lab.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
The autorun.inf worms and some other script-based viruses just consist of text, as Sherpya said. Anything with text similar to one in the Clam signature database would trigger an infection alert by ClamWin. For example, that Dictionary of Computer Viruses listed the exact wording of a Clam signature (which was prepared from an on-screen notice the virus produced). It's best to just paraphrase something like that--not to copy the exact same wording in an informative publication.

Regards,
mcichosz


Joined: 17 Jul 2009
Posts: 0
Location: Germany
Hi there,
before I start, first the mail I sent as a reply to Mr. Braun:
+++
Dear customer,

you sent us following file and Description:
---
Original filename: USB threads.txt (size:780207)

Description: MS Notepad generated TXT files -- laced with the viral code? Speaking of the false positives inundation, how on earth plain text files compiled by me (on the floppy disks and usb) within the research antiviral info websites could be superimposed with the code similar to the nasty malware? Bearing in mind that the utilised MS Notepad was supposed to strip all the programming lingo, down to the bare ASCII code. Yet in reality some of my *.txt files were laced with the viral scent, courtesy of the closely monitored internet in the public libraries. Lately, my offline utilised desktop (167MHz 64MB RAM 2GB HDD Win98SE) was equipped with the ClamWin anti-virus utility, leading to the following consequences: Scan Started Mon Jul 06 19:48:49 2009 ------------------------------------------------------------------------------- c:\WINDOWS\WIN386.SWP: Permission denied c:\Pc-User\Utils-2\USB threads.txt: Worm.Autorun-1792 FOUND c:\Pc-User\Utils-2\Jun20tag.txt:
---

I took a look at this sample and found malicious code in this section:
---
https://forums.whirlpool.net.au/forum-replies.cfm?t=1115784

Forums » Windows » USB drive disabled. Autorun.inf Virus

User #178924 1172 posts
Shpox
?
Whirlpool Enthusiast O.P.
...


---
This code was used by Worm.Kido aka Worm.Conficker and is detected as "Worm.Autorun-1792"; when you remove this code and scan this text file again, you will see that it is undetected by ClamAV.

I hope that I could help and answer your question with this mail.


regards

Michael Cichosz

Sigmaker for ClamAV
+++

I am not sure if you got my mail, but if you misunderstood me, then I am sorry for that.
Here: https://forums.whirlpool.net.au/forum-replies.cfm?t=1115784
you can find the autorun worm code used in Worm.Kido, I mean these lines:
***
;12k2d4okw2adiXq97awL532acseALwkILldd8j0iiAa8osA8jriisqs9sa34olj3KK4SjolK4ljakLK4D7L5i7lSiswafAlk32wq0d2a6f3JkeK3o4Jkwakrd
[AutoRun]
;9qoSqsKrD0di00sLkHZ2DodLojsj2iwaaa3k2w
open=m9ma.exe
;ikLaa4ased402LZ3sJdIKLilLo
shell\open\Command=m9ma.exe
;slpJDo435Xf7i32ad2w9k2adlSlk2d4
shell\open\Default=1
;5A2lLajw1d8AZfl0ial43akcDk7J303afmrdDwwo743LiAwl93aqKDaO2icjDaLJdkdsoo9rC
shell\explore\Command=m9ma.exe
;wkl30armfZawe9kDldwp2as3D5Sq5k3wLaS80Cjd72DiHqKe5

***
I thought that when I added these lines to my reply mail, it could be possible that my provider would block this mail, so I added the URL.
When you copy/paste these lines into a text editor, save it and upload it to virustotal.com, you will get this result:
a-squared 4.5.0.24 2009.07.17 Trojan.AutorunINF!IK
AhnLab-V3 5.0.0.2 2009.07.17 -
AntiVir 7.9.0.220 2009.07.17 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.17 IS/Autorun
Avast 4.8.1335.0 2009.07.16 VBS:Malware-gen
AVG 8.5.0.387 2009.07.17 Worm/AutoRun
BitDefender 7.2 2009.07.17 Trojan.AutorunINF.Gen
CAT-QuickHeal 10.00 2009.07.17 -
ClamAV 0.94.1 2009.07.17 Worm.Autorun-1792
Comodo 1677 2009.07.17 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.07.17 -
eSafe 7.0.17.0 2009.07.16 -
eTrust-Vet 31.6.6621 2009.07.17 INF/Frethog
F-Prot 4.4.4.56 2009.07.17 -
F-Secure 8.0.14470.0 2009.07.17 -
Fortinet 3.120.0.0 2009.07.17 -
GData 19 2009.07.17 Trojan.AutorunINF.Gen
Ikarus T3.1.1.64.0 2009.07.17 Trojan.AutorunINF
Jiangmin 11.0.800 2009.07.17 -
K7AntiVirus 7.10.794 2009.07.16 -
Kaspersky 7.0.0.125 2009.07.17 -
McAfee 5678 2009.07.16 Generic!atr
McAfee+Artemis 5678 2009.07.16 Generic!atr
McAfee-GW-Edition 6.8.5 2009.07.17 -
Microsoft 1.4803 2009.07.17 Worm:Win32/Autorun.gen!inf
NOD32 4253 2009.07.17 -
Norman 6.01.09 2009.07.16 -
nProtect 2009.1.8.0 2009.07.17 -
Panda 10.0.0.14 2009.07.16 W32/Lineage.KHE.worm
PCTools 4.4.2.0 2009.07.16 -
Prevx 3.0 2009.07.17 -
Rising 21.38.42.00 2009.07.17 -
Sophos 4.43.0 2009.07.17 Mal/AutoInf-A
Sunbelt 3.2.1858.2 2009.07.17 INF.Autorun (v)
Symantec 1.4.4.12 2009.07.17 -
TheHacker 6.3.4.3.369 2009.07.16 -
TrendMicro 8.950.0.1094 2009.07.17 -
VBA32 3.12.10.8 2009.07.16 -
ViRobot 2009.7.17.1841 2009.07.17 INF.Autorun.465
VirusBuster 4.6.5.0 2009.07.16 INF.Autorun.Gen

You see, ClamAV was able to detect these lines in your text; it is not a false positive, because malicious code lines were found inside this file.

I hope that I could answer your question.

Michael
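Sherpya's point (ASCII signatures match inside a .txt file) and Michael's demonstration above, illustrated with an added example that is not ClamWin or ClamAV code: a toy matcher for a constructed .ndb-style signature, run over two constructed notes, one quoting an autorun.inf fragment verbatim and one paraphrasing it. The signature name, hex body and sample text are all made up for this demo.

```python
"""Toy ClamAV-style body-signature matcher (added example, not ClamAV code).

ClamAV extended signatures (.ndb) are written Name:Target:Offset:HexSig, where
HexSig is the hex encoding of the bytes to find, Target 0 means any file type,
Offset * means anywhere, ?? matches one byte and * any run of bytes. Because a
body is just encoded ASCII, a .txt file quoting the fragment verbatim matches
exactly as the real sample would. DEMO_NDB below is constructed for this demo."""
import re

# Constructed signature: "[AutoRun]" followed somewhere later by "shell\open\Command="
DEMO_NDB = "Example.Autorun-Demo:0:*:5b4175746f52756e5d*7368656c6c5c6f70656e5c436f6d6d616e643d"


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    parts = []
    for i, segment in enumerate(hexsig.split("*")):
        if i:
            parts.append(b".*?")  # '*' = any number of bytes
        for tok in re.findall(r"..", segment):
            parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line: str):
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, hexsig_to_regex(hexsig)


def scan(data: bytes, sigs) -> list:
    """Return (name, offset) for every signature whose body occurs in data."""
    hits = []
    for name, _target, offset, rx in sigs:
        m = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if m:
            hits.append((name, m.start()))
    return hits


# Constructed notes standing in for text pasted into a research .txt file.
VERBATIM_NOTE = (b"Copied from a forum post about an infected USB stick:\r\n"
                 b"[AutoRun]\r\nopen=example.exe\r\n"
                 b"shell\\open\\Command=example.exe\r\n")
PARAPHRASED_NOTE = (b"The worm dropped an autorun.inf whose open and "
                    b"shell\\open\\Command keys launched its own executable.\r\n")


def scan_note(data: bytes) -> list:
    return scan(data, [parse_ndb(DEMO_NDB)])


if __name__ == "__main__":
    print("verbatim  :", scan_note(VERBATIM_NOTE))    # one hit
    print("paraphrase:", scan_note(PARAPHRASED_NOTE))  # []
```

The paraphrased note names the same keys but never reproduces the exact bytes the signature encodes, which is the distinction GuitarBob draws between quoting and paraphrasing.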
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
Welcome on board, Michael. Undoubtedly ClamAV & ClamWin users on this forum are enriched by having direct input from the IT expert himself. On my part I am grateful for your detailed explanation, while having no qualms that my "USB threads.txt" file, submitted to the https://www.clamav.net/sendvirus lab for analysis, was found to be laced with malicious viral code. Detected by the Clam Anti-Virus program, while the extracted raw code of the scripted malware evidently triggered 17 positives during the https://www.virustotal.com multi-scan.

Having said that, it would be imperative to trace the actual source of the infection which contaminated my "USB threads.txt" file when I added the debated topic "USB drive disabled. Autorun.inf Virus", launched by forum user "Shpox" within the (highly acclaimed information technology website) whirlpool.net, who has some serious questions to answer! How did such a malicious script embed itself within his personal account details?

It would be imperative also to find out which part of the "Encyclopaedia of Computer Viruses.txt" file contained the malicious Boot.Diskkiller code detected by the ClamAV scanner. I designated this file as such simply because it contained informative data on the subject matter, which took me considerable time to gather within the limited internet sessions in public libraries. I was about to browse it when ClamWin reported malevolent contamination.

Speaking of which, none of my other files, created over the years, were affected (apart from the "Jun20tag.txt" and "Jul09thu.txt" files). This malicious code proliferation has been a most recent phenomenon, intended to create panic among ill-prepared PC users. Hence your timely intervention, Michael, could possibly lead to the identification and apprehension of the nasty culprits.
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
GuitarBob, undoubtedly it will surprise many to find out that merely googling for the specific name of a virus, worm etc. may invoke malicious malware into action. A couple of my files, "Jun20tag.txt" and "Jul09thu.txt", picked up quite a few nasty codes when I sought info apropos.

Concerning the provocative file name ... I've renamed its copy, to no avail.
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
Sherpya, your input has been much appreciated, in spite of the belated response on my part, due to the sporadic access to the internet within the public libraries. Hopefully your clarification on the issue in question will inform many that plain text ASCII files may contain autorun.inf, VBS code, HTML, etc. signatures, and even actual malignancies, such as autorun.inf worms and some other script-based viruses, as accentuated by Bob.

Thanks a lot to both of you and ClamAV Michael Cichosz!
LeoBraun


Joined: 12 Jul 2009
Posts: 0
Location: smart state downunder
That's it, no further feedback?

Apropos "Jun20tag.txt", "Jul09thu.txt" and, particularly sought after, the result of the examination of my "Encyclopaedia of Computer Viruses.txt" file.

Were they false positive or laced with the viral code?

Where are you Michael?

Now that I've caught your attention, certainly one is longing to know the outcome in regard to the rest of the files submitted for scrutiny to the ClamAV team, whose tremendous mission has been much appreciated.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Leo, those submitted files should have been taken care of by now. I would resubmit them if they haven't been yet, as they must have dropped through the cracks--it happens sometimes.

You probably need to be careful when you repeat the exact message that a virus puts on screen, as you did in the encyclopedia. It is probably best to paraphrase the message--don't repeat it exactly. This is because the same exact message may have been used in a signature. Most virus code is now packed, compressed, and further obfuscated. ClamAV can't always completely unpack the virus code, and sometimes a message or string is all that is available. This is especially true in email signatures. I once did a sig for an email containing an Angelina Jolie virus attachment, and some academic sent someone an email message about Angelina Jolie, describing her virtues, and warning him about the circulating email, and he warned him about the message it contained, and he repeated the exact same words that I had used in my sig. He couldn't understand why his email was picked up as containing a virus!

Regards,