ClamWin Free Antivirus
Support and Discussion Forums
Baffled: ClamXAV found Trojan that ClamWin did not
JayCee


Joined: 03 Jul 2007
Posts: 0
I have ClamXAV (v1.0.7b) installed on my Mac G4. I also have Virtual PC 7 running Windows XP Professional on the Mac, as well. Over the weekend, ClamXAV found Trojan.Bat.FormatC-6 on my 5.6 GB Windows XP Professional disk image used by Virtual PC. Unfortunately, it considers the XP disk image to be one big file, so it cannot tell me precisely where this Trojan is. To do that, I would need to boot XP and search for it there, which I did. I installed the latest ClamWin on it (0.90.2.1) and had it search my entire C Drive, which took almost 44 hours. After all that, it reported, in bright green, "Infected files: 0."

I have no idea what to make of this or what to do about it.

Why should my Mac ClamXAV say my XP disk image is infected with a specific Trojan, while ClamWin running on the supposedly infected XP says it found no infected files at all?

I've also found next to nothing about Trojan.Bat.FormatC-6 on Google. Assuming ClamXAV is correct, and it IS there, I'd be happy to search for it while in XP manually, if needed, but I haven't got a clue what to look for. Suggestions would be very much appreciated.

JC
Re: Baffled: ClamXAV found Trojan that ClamWin did not
b0ne


Joined: 26 Oct 2006
Posts: 0
JayCee wrote:
Over the weekend, ClamXAV found Trojan.Bat.FormatC-6 on my 5.6 GB Windows XP Professional disk image used by Virtual PC.


Trojan.Bat.FormatC-6 is an extremely "loose" signature. I believe it would be heavily prone to false positives. The signature basically checks every file for the following two strings:

"ctty nul"
"format c: /autotest /q /u"

A Virtual PC disk image contains many things other than files, including swap files, caches, and other sorts of miscellaneous memory that may not necessarily be present on the "c:" drive inside of the virtual machine.

You're actually going to be less effective scanning a Virtual PC disk image in this way because most of the signatures expect to be scanning files that are executable in nature, and have signatures at exact locations in the files.

VPC disk images are not executables; they're giant images. All of those offsets and file type checks inside of the definitions get tossed out the window when you scan in this fashion.
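A small model of the point made above, added here as an illustration (not ClamAV code and not from the original post): a signature that is nothing but two raw substrings matches a whole VPC image, where file boundaries and file types are invisible, yet finds nothing when the same data is scanned file by file inside the guest. The two strings are the ones quoted in the post; every file name, file content and "unallocated space" below is constructed.

```python
"""Constructed demonstration: loose two-string signature vs. whole-image scanning."""

# The two substrings the post says Trojan.Bat.FormatC-6 looks for.
SIG_STRINGS = (b"ctty nul", b"format c: /autotest /q /u")


def raw_image_match(image: bytes) -> bool:
    """Whole-image scan: the image is one opaque blob, so the signature
    fires if both strings occur anywhere, even in two unrelated places."""
    return all(s in image for s in SIG_STRINGS)


def is_batch_file(name: str, data: bytes) -> bool:
    """File-type gate a per-file scanner can apply: only batch scripts are a
    plausible host for a .Bat signature; PE binaries ("MZ") are skipped."""
    return name.lower().endswith((".bat", ".cmd")) and not data.startswith(b"MZ")


def scan_files(files: dict[str, bytes]) -> list[str]:
    """Per-file scan: both strings must sit in the same eligible file."""
    return [name for name, data in files.items()
            if is_batch_file(name, data) and all(s in data for s in SIG_STRINGS)]


def build_image(files: dict[str, bytes], unallocated: bytes) -> bytes:
    """Flatten a constructed filesystem plus leftover unallocated space (swap,
    cache, deleted-file remnants) into one blob, as a .vhd looks to a host scanner."""
    return b"".join(files.values()) + unallocated


# Constructed guest filesystem: no single file carries both strings.
CLEAN_FS = {
    # string table of a (fake) system binary that merely mentions the DOS command
    "C:/WINDOWS/system32/cmd.exe": b"MZ\x90\x00" + b"ctty nul" + b"\x00" * 16,
    "C:/Docs/dos-notes.txt": b"old DOS tip: 'ctty nul' silences console output\r\n",
}
# Constructed remnant of a long-deleted page-file region, still on disk.
DELETED_REGION = b"\x00" * 32 + b"format c: /autotest /q /u" + b"\x00" * 32

# Constructed guest that really does hold a matching batch file.
INFECTED_FS = dict(CLEAN_FS, **{
    "C:/tmp/x.bat": b"@echo off\r\nctty nul\r\nformat c: /autotest /q /u\r\n",
})

if __name__ == "__main__":
    print("whole image, clean guest:", raw_image_match(build_image(CLEAN_FS, DELETED_REGION)))
    print("per-file, clean guest:", scan_files(CLEAN_FS))
    print("per-file, infected guest:", scan_files(INFECTED_FS))
```

The clean guest produces a whole-image hit purely because one string lives in a binary and the other in unallocated space, which is the false positive the post describes.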
JayCee


Joined: 03 Jul 2007
Posts: 0
Well, this is a big relief. I thank you.

Normally I don't check my XP disk images with ClamXAV. I omitted a few details in my posting, hoping to keep things brief, but perhaps I shouldn't have.

This all began with my wanting to save a base XP disk image to a DVD over the weekend. Unfortunately, I found all of my backup copies were already too big. In order to make one of them fit, I found I needed to "zero out" the available space in XP, and then have Virtual PC "reclaim" that space in the XP disk image. At that point, I dragged the smallest (and oldest) backup XP disk image from my backup drive onto my Mac desktop. Since I have ClamXAV watching my Mac desktop (among other places), that immediately resulted in ClamXAV scanning the XP disk image backup -- and that's when the Trojan.Bat.FormatC-6 turned up. So, not only did I need to shrink the XP disk image before burning it to a DVD, but now I apparently had to rid it of this Trojan.Bat.FormatC-6, as well.

Just for the record, I had installed ClamWin on my XP about a year ago (in place of AOL's Security Edition, which I thought was bogging XP down), but it was not on the oldest XP disk image backup I was going to try to shrink, which is why I had to install it over the weekend, in order to have it try to hunt down this Trojan.Bat.FormatC-6.

Well, at least now I know it's safe to save the XP disk image to a DVD finally. Plus, now I know my XP is, in fact, clean. But, just in case I forget all this, I'll be sure to save a copy of your explanation on the DVD to remind me.

Thanks again.

JC