Message-ID: <1817379213.20041006142535@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
Dear bipin gautam,

This issue was really discussed in the past and was fixed in Kaspersky Antivirus.

http://www.security.nnov.ru/search/document.asp?docid=4061

I do work for iDefense. They pay for Mozilla bugs more than Mozilla does. But not in this case. As you can see:

-=-=-=- Quote -=-=-=-
IX. CREDIT
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=- End -=-=-=-

I never submitted any antiviral bugs to iDefense, but both iDefense and Kurt Seifried may read security lists. Yes, Kurt tested Symantec against a good, well-known problem.
--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure@...ts.netsys.com:
bg> hi iDEFENSE,

bg> What a coincidence, this is what I was talking about with a few others in the list... a day back!!! I myself saw this behaviour...... (I was a few days short). Hey guys, you were telling me, "Antiviral vendors are aware of this problem, it was discussed in the past." So??? iDEFENSE took away my upcoming advisory. )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't the first time an advisory has coincided with another........

bg> cheese,
bg> bipin
bg> --- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:
>> Dear bipin gautam,
>>
>> Actually my super antivirus easily detects eicar in nul.con. For example, for c:\NUL.CON\eicar.com
>>
>> try
>>
>> antieicar \\.\c:\NUL.CON\eicar.com
>>
>> Antiviral vendors are aware of this problem; it was discussed in the past.
>>
>> --Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure@...ts.netsys.com:
>>
>>
>> >> OK. I just wrote a new super antivirus. Its databases currently consist of only the eicar.com signature (I'm very new in this business) but it 100% detects EICAR in the file with removed permissions :)
>> >>
>> >> http://www.security.nnov.ru/files/antieicar.zip
>>
>> >> Now, there is at least one antivirus to break your statement :)
>> >>
>>
>>
>> bg> good example 3APA3A to teach those software companies how to,
>>
>> bg> anyways... here is an archive,
>>
>> bg> http://www.geocities.com/visitbipin/antiPOC.zip
>>
>> bg> Extract the archive by using "DEFAULT ZIP MANAGER" of windows xp. It will create a file "NULL.con" (O; within which there is an "eicar test string file".
>>
>> bg> I don't think your super AV will detect the "eicar test string file" within the "NULL.con" folder??? :)
>>
>> bg> anyways... let me know HOW when you figure out how to delete the "NULL.con" directory.
>>
>>
>> The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a hold-over from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton AntiVirus when the system is scanned. Symantec Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. Reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:
>>
>> copy source \\.\C:\aux
>>
>>
bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
~/ZARAZA
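The path-handling point the thread argues over, as an added example in Python (this is not code from the thread, from 3APA3A's antieicar, or from any AV vendor): a checker that tells which elements of a Windows path the Win32 layer would resolve to a DOS device, and rewrites such a path into the `\\?\` form that reaches the real file, the same idea as the `antieicar \\.\c:\NUL.CON\eicar.com` invocation above. It assumes the classic reserved set (CON, PRN, AUX, NUL, COM1-9, LPT1-9), the Win32 rule that only the text before the first dot of an element is compared, and treats a path that already starts with `\\.\` or `\\?\` as one that bypasses that parsing. The sample paths are constructed from the ones quoted in the thread.

```python
r"""Reserved MS-DOS device names in file paths, the trick behind the
NUL.CON and \\.\C:\aux examples in the thread.

Added example; not code from the thread, from antieicar or from any AV
vendor. Assumes the classic Win32 reserved-name set and the Win32 rule
that only the text before the first '.' of a path element is compared
against that set.
"""
from __future__ import annotations

import re

# Classic reserved set (CON, PRN, AUX, NUL, COM1-9, LPT1-9). Assumption:
# later Windows releases also reserve COM0/LPT0 and superscript-digit
# variants; they are left out here deliberately.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Prefixes that make Win32 hand the path to the NT namespace without
# DOS-name parsing; \\?\ is the documented one, \\.\ is the form used in
# the thread. Both are treated here as already bypassing the check.
DEVICE_PREFIXES = ("\\\\?\\", "\\\\.\\")


def reserved_device(component: str) -> str | None:
    """Return the device a single path element maps to, or None.

    Win32 strips trailing spaces and dots, then compares the part before
    the first '.' case-insensitively, so NUL.CON, aux.txt and COM1.tar.gz
    are all devices while COM10 and CONFIG.SYS are ordinary names.
    """
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED else None


def split_win_path(path: str) -> tuple[str, list[str]]:
    """Split into (namespace prefix or '', list of path elements)."""
    prefix = ""
    for p in DEVICE_PREFIXES:
        if path.startswith(p):
            prefix, path = p, path[len(p):]
            break
    return prefix, [c for c in re.split(r"[\\/]+", path) if c]


def find_reserved_components(path: str) -> list[tuple[int, str, str]]:
    r"""(index, element, device) for every element Win32 treats as a device.

    Every element is checked, not just the last one: a scanner (or
    Explorer) that opens or deletes c:\NUL.CON itself puts that element
    last, and Win32 then hands back the NUL device instead of the
    directory holding eicar.com.
    """
    _, parts = split_win_path(path)
    hits = []
    for i, comp in enumerate(parts):
        if i == 0 and re.fullmatch(r"[A-Za-z]:", comp):
            continue  # drive letter, never a file name
        dev = reserved_device(comp)
        if dev:
            hits.append((i, comp, dev))
    return hits


def scanner_safe_path(path: str) -> str:
    r"""Return the form of `path` a scanner should actually open.

    A plain Win32 path with a reserved element is rewritten to the \\?\
    form, which reaches the real file on disk; this is what the
    `antieicar \\.\c:\NUL.CON\eicar.com` call in the thread relies on.
    Paths that already carry a prefix, or have no reserved element, are
    returned unchanged.
    """
    prefix, parts = split_win_path(path)
    if prefix or not find_reserved_components(path):
        return path
    return "\\\\?\\" + "\\".join(parts)


if __name__ == "__main__":
    # Constructed sample paths, modelled on the ones quoted in the thread.
    samples = (
        r"c:\NUL.CON\eicar.com",
        r"C:\aux",
        r"C:\temp\COM10",
        r"\\.\c:\NUL.CON\eicar.com",
    )
    for p in samples:
        print(f"{p:32} reserved={find_reserved_components(p)}"
              f"  open as {scanner_safe_path(p)}")
```

The check deliberately flags a reserved element anywhere in the path rather than only at the end, because a directory walker will at some point open, stat or delete the `NUL.CON` directory by its own name, and that is the moment Win32 substitutes the device. A scanner that routes every path it opens through `scanner_safe_path` (or, as 3APA3A did, simply prefixes everything it opens) never hits that substitution.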