McAfee virus scan started while I was working and, unusually, infected files began accumulating. The virus was identified as W95/CTX and I began looking for information, capturing and scouring a snapshot of running processes (I use Cygwin's version of GNU Unix tools, 'ls -aW' into a file to get a quick snapshot to search from within Vim - a great, free Windows descendant of VI), searching for the culprit files, etc.
The toll was mounting quickly - a disaster in the making; many development files and libraries were tagged as infected and I'm already behind. But it smelled fishy; the files were unusual, deep in reputable dot net assembly libraries, deep into Visual Studio, Cygnus, Gimp, Vim - some of which I was using. The most unusual thing I'd done lately was connect via wireless for a while to test a router trying to isolate an ethernet connection for one of the systems on the home network. But that didn't even take me outside the dsl modem firewall.
As the number of infected files rolled past 100, I found the link (click on this post title link) that began to make me breathe easier. McAfee had released a DAT earlier in the day (DAT 4715, March 10, 2006) that falsely detected W95/CTX!
I went to the McAfee forum topic for breaking virus news and it was LOCKED! With nothing regarding the faulty DAT! What the hail? Who, me? McAfee?
I halted the scan, opting to quarantine nothing and checked the DAT level. It was current [4716]. So I started the scan again and, though it's still running, it's finding no virus. I have to think the scheduled scan began using the faulty DAT [4715] and that the updated DAT file arrived while the scan was ongoing.
It cost me a couple of hours I can't afford and I was angry with McAfee for not providing a warning - not even on their breaking virus news forum. But I'm relieved enough to temper the anger with appreciation that the fix was out and in my system by the time I discovered I was on a wild goose chase. The symptom to look for is the absence of a 4-digit qualifier after the virus name: the false detection is simply W95/CTX; a genuine detection will be W95/CTX-nnnn.
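A small triage script, added here as an illustration and not part of the original post, that applies the rule above to a scan log: a bare "W95/CTX" name is flagged as a suspect false positive, while "W95/CTX-nnnn" (exactly four digits) is treated as a genuine hit. The tab-separated "path<TAB>virus name" log format and the sample lines are constructed for this example; real McAfee log lines would need their own parsing.

```python
import re
from collections import Counter

# A genuine W95/CTX detection carries a four-digit variant suffix ("W95/CTX-1234").
# The faulty DAT reported the bare family name "W95/CTX" with no suffix.
CTX_RE = re.compile(r"^(?P<name>W95/CTX)(?:-(?P<variant>\d{4}))?$")


def classify_detection(virus_name: str) -> str:
    """Classify one detection name from the scan log.

    Returns "genuine" for W95/CTX-nnnn, "suspect-false-positive" for a bare
    W95/CTX, and "other" for any name that is not a W95/CTX family match
    (including malformed suffixes such as W95/CTX-12).
    """
    m = CTX_RE.match(virus_name.strip())
    if m is None:
        return "other"
    return "genuine" if m.group("variant") else "suspect-false-positive"


def triage_log(text: str) -> dict:
    """Tally detections by class and collect the paths that look falsely flagged.

    Assumed (constructed) log format: one detection per line, "path<TAB>virus name".
    Lines without a tab are skipped as malformed rather than guessed at.
    """
    counts = Counter()
    suspects = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, sep, name = line.rpartition("\t")
        if not sep:
            continue  # malformed line: no separator between path and virus name
        kind = classify_detection(name)
        counts[kind] += 1
        if kind == "suspect-false-positive":
            suspects.append(path)
    return {"counts": dict(counts), "suspects": suspects}


# Constructed sample log: two hits deep in development tooling (bare family name,
# the signature of the bad DAT), one suffixed hit, and one unrelated detection.
SAMPLE_LOG = (
    "C:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.dll\tW95/CTX\n"
    "C:\\cygwin\\bin\\ls.exe\tW95/CTX\n"
    "C:\\temp\\dropper.exe\tW95/CTX-1234\n"
    "C:\\temp\\other.exe\tEICAR-Test-File\n"
)

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(result["counts"])
    for p in result["suspects"]:
        print("review before quarantining:", p)
```

Run it against a saved scan log instead of SAMPLE_LOG and, if the suspect list is long and the DAT level matches a known-bad release, halt the scan and quarantine nothing until the DAT has been updated, as in the post.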