[Zlib-devel] Fwd: Avast reports minigzip_d.exe is infected

Jan Seiffert kaffeemonster at googlemail.com
Tue Sep 20 09:23:41 EDT 2011


2011/9/20 Cosmin Truta <cosmin at cs.toronto.edu>:
> MinGW puts some small initialization code in the executable, for the
> benefit of Java (gcj) and C++ (g++), which, for C apps, is never used.
> It's innocuous, and the space occupied is very little. Could that
> trigger the attention of an antivirus? It's odd, because that code
> isn't just in minigzip_d.exe. All the PE executables (zlib1.dll,
> example_d.exe, minigzip_d.exe) have that in.
>

I would guess that some virus uses some self-compression by zlib and they
accidentally added some zlib code to the signature.
But your guess is as good as mine.

> Could it be possible that minigzip_d.exe carried a real virus? I'd
> have to re-download the precise MinGW tool versions that I used when I
> built the DLL package, so that I can rebuild and compare.
>

You can't.
At least not bit-exact, as you need for a simple hash-compare or binary compare.
GCC has a "seed" for every compile, and it can alter the output in
little ways, from metadata (I think the time of compile ends up in the
binary, at least by altering the seed) right down to instruction
sequence in certain cases (e.g. it is mostly unimportant in which order
registers are pushed/popped in the pro-/epilogue).
The GCC guys "pin" the seed to a fixed value if they need to compare stuff.
See the GCC manual under "-frandom-seed".

> Sincerely,
> Cosmin
>

Greetings
Jan
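The rebuild-and-compare check Jan describes, as an added example that is not code from the thread or from zlib: a small constructed C source stands in for minigzip.c, it is built twice with GCC's seed pinned via -frandom-seed, and the two outputs are hash-compared. It assumes gcc (or $CC) and sha256sum are on PATH.

```shell
#!/bin/sh
# Added example: rebuild a program twice with GCC's seed pinned and compare
# the results by hash, the bit-exact comparison an unpinned build may not give.
# Assumptions: gcc (or $CC) and sha256sum are available; the source below is
# constructed for the demo and stands in for a real source such as minigzip.c.
set -e

WORK="${TMPDIR:-/tmp}/repro-build.$$"

# Constructed stand-in source. It deliberately avoids __DATE__/__TIME__,
# which would change between builds regardless of the seed.
write_source() {
    mkdir -p "$WORK"
    cat > "$WORK/demo.c" <<'EOF'
#include <stdio.h>
int main(void) { puts("demo"); return 0; }
EOF
}

# Build into $1 with the seed pinned to $2 and print the SHA-256 of the output.
build_and_hash() {
    out="$1"; seed="$2"
    "${CC:-gcc}" -O2 -frandom-seed="$seed" -o "$out" "$WORK/demo.c"
    sha256sum "$out" | cut -d' ' -f1
}

# Two builds with the same pinned seed should hash identically.
# Prints "identical" or "differ"; prints "skipped" if no compiler is found.
reproducible_build_check() {
    command -v "${CC:-gcc}" >/dev/null 2>&1 || { echo skipped; return 0; }
    write_source
    h1=$(build_and_hash "$WORK/build1.exe" zlib-repro)
    h2=$(build_and_hash "$WORK/build2.exe" zlib-repro)
    rm -rf "$WORK"
    if [ "$h1" = "$h2" ]; then echo identical; else echo differ; fi
}

reproducible_build_check
```

A downloaded binary can only be meaningfully compared against such a rebuild if the same compiler version, flags and pinned seed were used for both.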