Path: utzoo!censor!geac!torsqnt!lethe!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!elroy.jpl.nasa.gov!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: GORDON@chmeds.ac.nz (Gordon Findlay)
Newsgroups: comp.virus
Subject: SCANv74B false positive (PC)
Message-ID: <0014.9102271603.AA00262@ubu.cert.sei.cmu.edu>
Date: 27 Feb 91 11:07:00 GMT
Sender: Virus Discussion List
Lines: 19
Approved: krvw@sei.cmu.edu

I just downloaded the latest version of McAfee's SCAN (v74B) and tried it. It gives a false positive (I HOPE it's a false positive!) on a NZ program KILLER.COM, which is a little .COM file for removing variations on the Stoned virus. Scanv74B reports the Invader virus.

I assume it's a false positive as the file is only 799 bytes long, and the Invader virus is reported as adding 4096 bytes to .COM files, modifying the boot sector, and hooking interrupts (Thanks, Patricia Hoffman, for your VIRUSSUM work). None of these has happened.

I don't know how far KILLER.COM has travelled - it is a public domain program widely distributed in NZ; it may have spread as widely as Stoned, who knows? This false positive is definitely something for people to be aware of.

Gordon Findlay
GORDON@CHMEDS.AC.NZ