Message-ID: <445e3a82.1df1ae7c.1f79.1771@mx.gmail.com>
Date: Sun May 7 19:20:59 2006
From: debasis.mohanty.listmails at gmail.com (Debasis Mohanty)
Subject: RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
Signature based analysis doesn't apply well in case of script based worms /
virii. The issue here seems to be lack of a feature to do an appropriate
analysis of script based worms.
Symantec is able to block it because, in addition to signature matching, it
is also trying to figure out what the script is up to. In this kind of real
time analysis, AV usually looks for any kind of possible malicious activity
by the script by intercepting wsh or wscript calls. For example - if a .vbs,
.hta or .wsh file is opened on a system then the AV (with real-time
protection) usually looks for the presence of FileSystemObject calls or
something similar in the file and then blocks it from getting executed. It
prompts the user to either allow it or disallow it. It may happen that it
sometimes blocks valid scripts with valid calls to fso, but like any other
security product, these kinds of false positives do sneak in.
I am rather surprised that Panda AV doesn't have this basic feature to block
such scripts and is relying only upon signature based analysis.
Have you also tried this test with Pest Control? I guess they do have a
nice real time protection.
-d
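The difference between the two approaches described above, as an added example that is not part of the original thread: an exact-string signature keyed on the worm's variable name is defeated by the rename the thread describes, while a heuristic that looks for the FileSystemObject and related calls is not. The VBScript samples and the pattern list are constructed for illustration, not taken from any product or from the worm.

```python
import re

# Constructed VBScript samples (not the worm itself): the "original" uses a
# variable named dirsystem, the "renamed" variant only changes that name to kk2,
# and the benign script touches no file-system or shell objects.
ORIGINAL = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set dirsystem = fso.GetSpecialFolder(1)
Set f = fso.CreateTextFile(dirsystem & "\\note.txt", True)
f.WriteLine "hello"
'''
RENAMED = ORIGINAL.replace("dirsystem", "kk2")
BENIGN = '''MsgBox "Hello from a harmless script"
'''

# A byte-exact signature the way a naive scanner might key on the worm's
# variable name; renaming that one identifier defeats it.
SIGNATURE = 'Set dirsystem = fso.GetSpecialFolder(1)'

def signature_match(script: str) -> bool:
    return SIGNATURE in script

# Heuristic patterns in the spirit of the real-time checks described above:
# COM objects and methods a script worm needs, whatever its identifiers are.
RISKY = {
    "fso":        re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "shell":      re.compile(r'CreateObject\("WScript\.Shell"\)', re.I),
    "outlook":    re.compile(r'CreateObject\("Outlook\.Application"\)', re.I),
    "file_write": re.compile(r'\.(CreateTextFile|OpenTextFile|CopyFile|Copy)\b', re.I),
}

def heuristic_findings(script: str) -> list[str]:
    """Return the names of risky behaviours found, independent of variable names."""
    return [name for name, pat in RISKY.items() if pat.search(script)]

def heuristic_match(script: str, threshold: int = 2) -> bool:
    """Flag a script once it shows at least `threshold` risky behaviours
    (the threshold is an assumed tuning knob that trades false positives
    against misses, the trade-off mentioned in the message above)."""
    return len(heuristic_findings(script)) >= threshold

if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("renamed", RENAMED), ("benign", BENIGN)):
        print(f"{label:8} signature={signature_match(s)!s:5} "
              f"heuristic={heuristic_match(s)!s:5} {heuristic_findings(s)}")
```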
________________________________
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Niklas
Sent: Saturday, May 06, 2006 10:46 AM
To: Joxean Koret
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,Norton
Antivirus 2005 and the virus "I Love You"
Symantec 10 corp. immediately detects this as Loveletter.CI through real
time protection when accessing the file within the archive.
/N
On 5/4/06, Joxean Koret <joxeankoret@...oo.es> wrote:
Sorry, the email was sent without the attachment.
---
Regards,
Joxean Koret
> Attached goes a working "I Love You" virus in which I
> changed ONLY the variable "dirsystem" with the name
> "kk2" (The file attached has the extension ".txt.gz",
> otherwise, with the .vbs extension the file will be
> locked by all the most popular anti-viral toolkits).
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/