Author Topic: Why war-ftpd.exe ???  (Read 5664 times)

Blackfoot

  • Guest
Why war-ftpd.exe ???
« on: December 09, 2010, 02:38:37 AM »
Why is War-ftpd now being flagged as a worm ( Win32:CIH-G@dam )? I have used this for almost 15 years with no problem, and I checked the exe against my catalog of backups, and it has not had any code injected into it.
This is a nice "just run" app, (can even be used as a portable on a stick); a very good, simple, ftp server to quickly share files with a friend, or to send files back and forth to work.
Why all of a sudden is this being called a worm?
Thanks for reading,
Dave.
 :o

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Why war-ftpd.exe ???
« Reply #1 on: December 09, 2010, 02:50:02 AM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, and report the findings here by posting the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners, so that counts as 1 detection and is almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', then complete the form and submit; the file will be uploaded during the next update.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Blackfoot

  • Guest
Re: Why war-ftpd.exe ???
« Reply #2 on: December 09, 2010, 03:49:34 AM »
Thanks for the info, I never sent it to the chest, but I will do that later and submit it to avast! for their evaluation. AVG and AntiVir flagged it too, but what is interesting is the way Kaspersky listed it, here's the link.

http://www.virustotal.com/file-scan/report.html?id=852bde7af83d12f03bb08f1140c6d4f5651910c207245b30f7416565ed0a02ad-1291862293

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Why war-ftpd.exe ???
« Reply #3 on: December 09, 2010, 04:34:23 AM »
There has been a case of this recently in the forum, so do a forum search in the viruses and worms for Win32:CIH-G and you should find it.

That too was in an old file which had remnants of the CIH virus in it; effectively it hadn't been removed fully and the file was corrupt. It would appear that this is the same.

Blackfoot

  • Guest
Re: Why war-ftpd.exe ???
« Reply #4 on: December 09, 2010, 05:16:35 AM »
As you requested, I did a search for "Win32:CIH-G" and it only pulled up this thread. Also, before posting this thread, I did a search for war-ftpd to make sure I wasn't making a duplicate post.
I checked my catalog, and I have a copy of this on CD from 1998 that shows the same size to the byte. It will be a few days before I can get to this CD (it's at another location), but I will run an md5 check to see if they are the same. I don't recall ever getting hit by a virus while the ftp server was running though, and it has been about a year since I have run it. Avast! only recently flagged this, and it is the only file on my system to get flagged.
Also just ran a copy of it in VMware; it seems to function normally.
I'll get a copy of this to Avast! tomorrow; I am curious to see what their virus lab has to say about it.
Thanks!
 8)

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Why war-ftpd.exe ???
« Reply #5 on: December 09, 2010, 10:42:16 AM »