Sender: Windows NTBugtraq Mailing List From: Weld Pond Subject: Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM OK, you said not to reply but I have further proof that the antivirus companies are just copying each others data without thinking about it. A funny thing happened on Nov 19, 1999. A l0phtcrack customer emailed our support address to complain that Trend Micro's antivirus program was detecting a "virus" in the l0phtcrack 2.52 executable file. It detected something called the TROJ_L0PHTCRACK virus. The customer wanted to make sure they were not infected. Trend Micro had included a TROJ_L0PHTCRACK signature in their version 610 signature file. Then on Dec 16 we got another message from a customer complaining that NAI's VirusScan with the version 4056 signature file was now detecting the "Lophtcrack" (sic) virus. The program actually pops up a message box stating "The file l0phtcrack.XXX on YYY is infected with the virus Lophtcrack. Unable to clean file." L0phtCrack was first released in 1997 and the latest version was released in Jan. 1999. Is it a coincidence that both AV vendors are just getting around to deciding L0phtCrack is a virus/trojan? I don't think so. My hypothesis is someone at Trend Micro decided it was a virus and NAI blindly copied their data. But who really knows. L0phtCrack is obviously neither a trojan or virus. These AV messages are erroneous. -weld