From: Cautious Nerd on 27 Mar 2005 09:01

While updating McAfee definitions, I got this message:

File SK_det.mcs is corrupt.
Downloading complete file again.

I don't normally expect files to be corrupt in Win2K/SP4/NTFS,
especially with proper shutdown (or mostly, hibernation).
Of course, I let it download again and am rescanning. I wonder
if it is overly paranoid to suspect that it resulted from malware?
I realize that anything is possible, but I'm wondering about
likelihood. Any thoughts?

Cautious Nerd
From: Robert Moir on 27 Mar 2005 18:03

Cautious Nerd wrote:
> While updating McAfee definitions, I got this message:
>
> File SK_det.mcs is corrupt.
> Downloading complete file again.
>
> I don't normally expect files to be corrupt in Win2K/SP4/NTFS,
> especially with proper shutdown (or mostly, hibernation).
> Of course, I let it download again and am rescanning. I wonder
> if it is overly paranoid to suspect that it resulted from malware?
> I realize that anything is possible, but I'm wondering about
> likelihood. Any thoughts?

This is more properly a question for McAfee tech support, but if it
reports corrupt files in the context of a download, I would suggest it
could be saying that the downloaded file is what is corrupt.
From: David H. Lipman on 27 Mar 2005 18:19

From: "Cautious Nerd" <Cautious(a)Nerds-R-Us.com>

| While updating McAfee definitions, I got this message:
|
| File SK_det.mcs is corrupt.
| Downloading complete file again.
|
| I don't normally expect files to be corrupt in Win2K/SP4/NTFS,
| especially with proper shutdown (or mostly, hibernation).
| Of course, I let it download again and am rescanning. I wonder
| if it is overly paranoid to suspect that it resulted from malware?
| I realize that anything is possible, but I'm wondering about
| likelihood. Any thoughts?
|
| Cautious Nerd

I suggest posting this query on the McAfee support board.
http://forums.mcafeehelp.com/index.php

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: Norman L. DeForest on 29 Mar 2005 03:21

On Sun, 27 Mar 2005, Cautious Nerd wrote:

> While updating McAfee definitions, I got this message:
>
> File SK_det.mcs is corrupt.
> Downloading complete file again.
>
> I don't normally expect files to be corrupt in Win2K/SP4/NTFS,
> especially with proper shutdown (or mostly, hibernation).
> Of course, I let it download again and am rescanning. I wonder
> if it is overly paranoid to suspect that it resulted from malware?
> I realize that anything is possible, but I'm wondering about
> likelihood. Any thoughts?

Right-click on the file, select "Properties" and note the *exact*
file size in bytes. Then bring up the Windows calculator, select
Scientific, enter the number as a decimal number and convert it to
hexadecimal. See if the last three digits are all zero.

If they are, you may have run afoul of a Windows bug that truncates
downloads to the next lowest multiple of the download buffer size.

Fetching the EditPad Pro Demo from the distributor's website,
http://download.jgsoft.com/editpad/SetupEditPadProDemo.exe
I tried Internet Explorer, PC-Lynx, two versions of links, and three
versions of Firefox. I also tried Lynx on a Unix machine and wget and
GetBot on the Windows machine.

IE, PC-LYNX, and all versions of Firefox truncated the file at a multiple
of 2000 hexadecimal. An earlier version of links corrupted the file by
changing all linefeeds to carriage-return/linefeed pairs even though
binary download was selected. A later version of links, wget, GetBot and
the version of Lynx on the Unix machine all downloaded the file with no
corruption or truncation.

A detailed record of my results (files numbered after download so
I could keep them separate and keep track of them; if you try
downloading the same file your file sizes may differ if a newer
build is now available):

SETUPEDI EXE     1,942,590  08-16-04  1:57p SETUPEDI.EXE
        Fetched with lynx on CCN[1] and downloaded via ZModem

SETUPE~2 EXE     1,941,504  08-16-04 11:47a SetupEditPadProDemo2.exe
        Downloaded with Firefox 0.8

SETUPE~3 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo3.exe
        Downloaded with wget

SETUPE~4 EXE     1,941,504  08-16-04 12:27p SetupEditPadProDemo4.exe
        Downloaded with Firefox 0.8 again

SETUPE~5 EXE     1,941,504  08-16-04  1:16p SetupEditPadProDemo5.exe
        Downloaded with Firefox 0.9.3

SETUPE~6 EXE     1,941,504  08-18-04  2:44a SetupEditPadProDemo6.exe
        Downloaded with Firefox 0.8 once again

SETUPE~7 EXE     1,941,504  08-18-04  3:03a SetupEditPadProDemo7.exe
        Downloaded with Firefox 0.9.3 again

SETUPE~8 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo8.exe
        Downloaded with wget again

SETUPE~9 EXE     1,941,504  08-18-04  6:00a SetupEditPadProDemo9.exe
        Downloaded with Internet Explorer

SETUPE~1 EXE     1,941,504  08-18-04  6:27a SetupEditPadProDemo10.exe
        Downloaded with PC-LYNX

SETUP~10 EXE     1,942,590  08-18-04  7:02a SetupEditPadProDemo11.exe
        Downloaded with GetBot

SETUP~11 EXE     1,949,953  08-18-04  7:36a SetupEditPadProDemo12.exe
        Downloaded with links [sic] 0.83 (has different icon)

SETUP~12 EXE     1,942,590  08-18-04  7:59a SetupEditPadProDemo13.exe
        Downloaded with links [sic] 0.98

SETUPE14 EXE     1,942,590  08-18-04 11:55p SETUPE14.EXE
        Fetched with lynx on CCN[1] and downloaded via ZModem, again

SETUP~13 EXE     1,949,953  08-18-04 10:21p SetupEditPadProDemo15.exe
        Downloaded with links [sic] 0.83 (has different icon), again

SETUP~14 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo16.exe
        Downloaded with wget with user-agent string set to same one
        as used by links 0.83 -- at same time as download below.

SETUP~15 EXE     1,949,953  08-19-04  4:24a SetupEditPadProDemo17.exe
        Downloaded with links [sic] 0.83 (has different icon), again,
        this time with wget simultaneously fetching the same file
        with the same user-agent string from the same IP address
        (see above)

1,942,590 decimal is hexadecimal 1DA43E (the correct file size)
1,941,504 decimal is hexadecimal 1DA000 (file truncated)
1,949,953 decimal is hexadecimal 1DC101 (file corrupted by invalid
                                         end-of-line conversion)

Footnote(s):
[1] CCN: The Chebucto Community Net, which offers PPP accounts and
    dial-up text-only accounts with lynx 2.7ac as the "shell". A
    download through the text account first downloads the file to the
    local server then lynx offers the user the options of (a) saving
    it to the user's account filespace, (b) downloading with Kermit,
    or (c) downloading with ZModem. I chose the latter. Filename
    truncated to DOS 8.3 name since I use a DOS-based terminal program.

I'm not sure what the solution is unless you can fetch the upgrades with
wget.

--
">> consider moving away from Front Page...."
">To what? Any suggestions?"
"Naked bungee-jumping. It's less humiliating <g>"
    -- Matt Probert in alt.www.webmaster, March 20, 2005
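The size checks described in the post above, as an added example that is not part of the original thread: it automates the "last three hex digits" test and, when a known-good copy is available, separates buffer-boundary truncation from linefeed-to-CR/LF conversion. The 0x2000 default is the multiple reported in the post; the function names and the sample bytes are constructed for illustration.

```python
from typing import Optional

BUFFER = 0x2000  # multiple reported in the post; other clients may use another size

def hex_size(n: int) -> str:
    """Byte count as the Windows calculator would show it in hexadecimal."""
    return f"{n:X}"

def trailing_zero_hex_digits(n: int) -> int:
    """How many zero digits end the hexadecimal form of n (0 for n == 0)."""
    count = 0
    while n and n % 16 == 0:
        n //= 16
        count += 1
    return count

def floor_to_buffer(size: int, buffer: int = BUFFER) -> int:
    """Size left when a download is cut at the next lower multiple of buffer."""
    return size // buffer * buffer

def classify(suspect: bytes, reference: Optional[bytes] = None,
             buffer: int = BUFFER) -> str:
    """Label a download, using a known-good copy when one is available."""
    if reference is None:
        # Size-only heuristic from the post: last three hex digits all zero.
        zeros = trailing_zero_hex_digits(len(suspect))
        return "possibly-truncated" if zeros >= 3 else "no-size-anomaly"
    if suspect == reference:
        return "intact"
    cut_size = floor_to_buffer(len(reference), buffer)
    if len(suspect) == cut_size and reference.startswith(suspect):
        return "truncated"
    if suspect == reference.replace(b"\n", b"\r\n"):
        return "eol-converted"
    return "differs"

# Constructed sample data (not the real installer): a binary blob with LF bytes.
GOOD = (b"MZ\x90\x00binary\npayload\x00" * 2000)[: 3 * BUFFER + 0x43E]
CUT = GOOD[: floor_to_buffer(len(GOOD))]
EOL = GOOD.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for size in (1942590, 1941504, 1949953):  # the three sizes listed in the post
        print(hex_size(size), trailing_zero_hex_digits(size))
    for name, blob in (("GOOD", GOOD), ("CUT", CUT), ("EOL", EOL)):
        print(name, hex_size(len(blob)), classify(blob), classify(blob, GOOD))
```

The size-only check cannot flag the end-of-line case, since the converted file's length does not end in zeros; that case needs a byte comparison against a good copy.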
From: Cautious Nerd on 29 Mar 2005 07:49

"Norman L. DeForest" wrote:

> On Sun, 27 Mar 2005, Cautious Nerd wrote:
>
> > While updating McAfee definitions, I got this message:
> >
> > File SK_det.mcs is corrupt.
> > Downloading complete file again.
> >
> > I don't normally expect files to be corrupt in Win2K/SP4/NTFS,
> > especially with proper shutdown (or mostly, hibernation).
> > Of course, I let it download again and am rescanning. I wonder
> > if it is overly paranoid to suspect that it resulted from malware?
> > I realize that anything is possible, but I'm wondering about
> > likelihood. Any thoughts?
>
> Right-click on the file, select "Properties" and note the *exact*
> file size in bytes. Then bring up the Windows calculator, select
> Scientific, enter the number as a decimal number and convert it to
> hexadecimal. See if the last three digits are all zero.
>
> If they are, you may have run afoul of a Windows bug that truncates
> downloads to the next lowest multiple of the download buffer size.

Hi, Norman,

The last 2 hex digits are not zero. I suspect that this is not
the problem, because it hasn't repeated itself. But thanks
for pointing it out as a possible cause.

C. Nerd

> Fetching the EditPad Pro Demo from the distributor's website,
> http://download.jgsoft.com/editpad/SetupEditPadProDemo.exe
> I tried Internet Explorer, PC-Lynx, two versions of links, and three
> versions of Firefox. I also tried Lynx on a Unix machine and wget and
> GetBot on the Windows machine.
>
> IE, PC-LYNX, and all versions of Firefox truncated the file at a multiple
> of 2000 hexadecimal. An earlier version of links corrupted the file by
> changing all linefeeds to carriage-return/linefeed pairs even though
> binary download was selected. A later version of links, wget, GetBot and
> the version of Lynx on the Unix machine all downloaded the file with no
> corruption or truncation.
>
> A detailed record of my results (files numbered after download so
> I could keep them separate and keep track of them; if you try
> downloading the same file your file sizes may differ if a newer
> build is now available):
>
> SETUPEDI EXE     1,942,590  08-16-04  1:57p SETUPEDI.EXE
>         Fetched with lynx on CCN[1] and downloaded via ZModem
>
> SETUPE~2 EXE     1,941,504  08-16-04 11:47a SetupEditPadProDemo2.exe
>         Downloaded with Firefox 0.8
>
> SETUPE~3 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo3.exe
>         Downloaded with wget
>
> SETUPE~4 EXE     1,941,504  08-16-04 12:27p SetupEditPadProDemo4.exe
>         Downloaded with Firefox 0.8 again
>
> SETUPE~5 EXE     1,941,504  08-16-04  1:16p SetupEditPadProDemo5.exe
>         Downloaded with Firefox 0.9.3
>
> SETUPE~6 EXE     1,941,504  08-18-04  2:44a SetupEditPadProDemo6.exe
>         Downloaded with Firefox 0.8 once again
>
> SETUPE~7 EXE     1,941,504  08-18-04  3:03a SetupEditPadProDemo7.exe
>         Downloaded with Firefox 0.9.3 again
>
> SETUPE~8 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo8.exe
>         Downloaded with wget again
>
> SETUPE~9 EXE     1,941,504  08-18-04  6:00a SetupEditPadProDemo9.exe
>         Downloaded with Internet Explorer
>
> SETUPE~1 EXE     1,941,504  08-18-04  6:27a SetupEditPadProDemo10.exe
>         Downloaded with PC-LYNX
>
> SETUP~10 EXE     1,942,590  08-18-04  7:02a SetupEditPadProDemo11.exe
>         Downloaded with GetBot
>
> SETUP~11 EXE     1,949,953  08-18-04  7:36a SetupEditPadProDemo12.exe
>         Downloaded with links [sic] 0.83 (has different icon)
>
> SETUP~12 EXE     1,942,590  08-18-04  7:59a SetupEditPadProDemo13.exe
>         Downloaded with links [sic] 0.98
>
> SETUPE14 EXE     1,942,590  08-18-04 11:55p SETUPE14.EXE
>         Fetched with lynx on CCN[1] and downloaded via ZModem, again
>
> SETUP~13 EXE     1,949,953  08-18-04 10:21p SetupEditPadProDemo15.exe
>         Downloaded with links [sic] 0.83 (has different icon), again
>
> SETUP~14 EXE     1,942,590  08-09-04  5:52a SetupEditPadProDemo16.exe
>         Downloaded with wget with user-agent string set to same one
>         as used by links 0.83 -- at same time as download below.
>
> SETUP~15 EXE     1,949,953  08-19-04  4:24a SetupEditPadProDemo17.exe
>         Downloaded with links [sic] 0.83 (has different icon), again,
>         this time with wget simultaneously fetching the same file
>         with the same user-agent string from the same IP address
>         (see above)
>
> 1,942,590 decimal is hexadecimal 1DA43E (the correct file size)
> 1,941,504 decimal is hexadecimal 1DA000 (file truncated)
> 1,949,953 decimal is hexadecimal 1DC101 (file corrupted by invalid
>                                          end-of-line conversion)
>
> Footnote(s):
> [1] CCN: The Chebucto Community Net, which offers PPP accounts and
>     dial-up text-only accounts with lynx 2.7ac as the "shell". A
>     download through the text account first downloads the file to the
>     local server then lynx offers the user the options of (a) saving
>     it to the user's account filespace, (b) downloading with Kermit,
>     or (c) downloading with ZModem. I chose the latter. Filename
>     truncated to DOS 8.3 name since I use a DOS-based terminal program.
>
> I'm not sure what the solution is unless you can fetch the upgrades with
> wget.
>
> --
> ">> consider moving away from Front Page...."
> ">To what? Any suggestions?"
> "Naked bungee-jumping. It's less humiliating <g>"
>     -- Matt Probert in alt.www.webmaster, March 20, 2005