Full Disclosure mailing list archives
Re[2]: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 6 Oct 2004 14:25:35 +0400
Dear bipin gautam,

This issue was really discussed in the past and was fixed in Kaspersky Antivirus.

http://www.security.nnov.ru/search/document.asp?docid=4061

I do work for iDefense. They pay for Mozilla bugs more than Mozilla does. But not in this case. As you can see:

-=-=-=- Quote -=-=-=-
IX. CREDIT
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=- End -=-=-=-

I never submitted any antiviral bugs to iDefense, but both iDefense and Kurt Seifried may read security lists. Yes, Kurt tested Symantec against a good, well-known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure () lists netsys com:

bg> hi iDEFENSE,
bg> What a coincidence. This is what i was talking about
bg> with a few others in the list... a day
bg> back!!! I myself saw this behaviour...... (i was a few
bg> days short) hey guys, you were telling me, "Antiviral
bg> vendors are aware of this problem; it was discussed in
bg> the past." so??? iDEFENSE took away my upcoming advisory.
bg> )O;
bg> 3APA3A, do you work for iDEFENSE???????
bg> ANYWAYS, this isn't the first time an advisory has
bg> coincided with another........
bg> cheese,
bg> bipin
bg> --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
Dear bipin gautam,

Actually my super antivirus easily detects eicar in nul.con. For example, for c:\NUL.CON\eicar.com try

    antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors are aware of this problem; it was discussed in the past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure () lists netsys com:

OK. I just wrote a new super antivirus. Its database currently consists of only the eicar.com signature (I'm very new in this business) but it 100% detects EICAR in the file with removed permissions :)

http://www.security.nnov.ru/files/antieicar.zip

Now, there is at least one antivirus to break your statement :)

bg> good example 3APA3A to teach those software companies
bg> howto,
bg> anyways... here is an archive,
bg> http://www.geocities.com/visitbipin/antiPOC.zip
bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is an "eicar test string file".
bg> I don't think your super AV will detect the "eicar
bg> test string file" within "NULL.con" folder??? :)
bg> anyways... let me know HOW? when you figure out how
bg> to delete "NULL.con" directory.
The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1.

If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton AntiVirus when the system is scanned. Symantec Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. Reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:

    copy source \\.\C:\aux
--
~/ZARAZA
And now, William, think this letter over carefully. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
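The thread boils down to two things a file scanner on Windows has to get right: recognise which path components the Win32 layer will silently turn into a device (so that `C:\NUL.CON\eicar.com` is never opened as the NUL device), and open such entries through the `\\?\` (or, as the advisory and antieicar do, `\\.\`) prefix, which hands the literal name to the file system instead of going through device-name substitution. The Python below is an added example written for this page; it is not code from the advisory, from Symantec, or from the antieicar tool. It assumes only the standard Win32 reserved-name rule (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, matched case-insensitively on the part of the name before the first dot) and the documented `\\?\` extended-length prefix. It works purely on path strings, so it runs on any OS; the sample paths are constructed.

```python
r"""Reserved-device-name path checks for a file scanner.

Added example (not vendor or advisory code). Pure string logic on
Windows-style paths, so it runs on any OS; sample paths are constructed.
"""
from pathlib import PureWindowsPath

# Names the Win32 layer treats as devices regardless of directory or extension.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_component(name: str) -> bool:
    """True if Win32 would resolve this single path component to a device.

    The match is case-insensitive and ignores everything after the first
    dot (and trailing spaces), so 'NUL.CON', 'aux' and 'com1.txt' match
    while 'auxiliary.txt' and 'COM10' do not.
    """
    base = name.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path: str) -> list[str]:
    """Return every component of a Windows path that is a device name."""
    # parts[0] is the drive or root ('C:\\'), which can never match; the
    # generic check handles it harmlessly.
    return [p for p in PureWindowsPath(path).parts if is_reserved_component(p)]


def extended_length_path(path: str) -> str:
    r"""Prefix a path with \\?\ so Win32 skips name parsing and therefore
    the device-name substitution. \\.\ (used in the advisory) serves the same
    purpose; \\?\ is the documented form for plain file access. Paths that
    already carry either prefix are returned unchanged.
    """
    p = str(PureWindowsPath(path))
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return p
    if p.startswith("\\\\"):  # UNC share: \\server\share -> \\?\UNC\server\share
        return "\\\\?\\UNC\\" + p[2:]
    return "\\\\?\\" + p


def plan_scan(paths: list[str]) -> dict[str, str]:
    r"""Map each input path to the name a scanner should actually open.

    Paths containing a reserved component are rewritten with the \\?\
    prefix; the rest are returned unchanged. A real scanner would also walk
    the tree using the prefixed root (e.g. os.scandir(r'\\?\C:\')) so that
    such entries are enumerated and opened at all rather than skipped.
    """
    plan = {}
    for path in paths:
        plan[path] = extended_length_path(path) if reserved_components(path) else path
    return plan


# Constructed sample mirroring the names discussed in the thread.
SAMPLE_PATHS = [
    r"C:\NUL.CON\eicar.com",
    r"C:\aux",
    r"C:\temp\com1.txt",
    r"C:\temp\auxiliary.txt",
    r"C:\temp\COM10",
]

if __name__ == "__main__":
    for original, to_open in plan_scan(SAMPLE_PATHS).items():
        print(f"{original:26} -> {to_open:34} reserved={reserved_components(original)}")
```

The split between `reserved_components` and `extended_length_path` is deliberate: the first is what a detection or logging rule needs (flag any on-disk entry whose name Win32 would hijack, since ordinary tools cannot create it and its presence is itself suspicious), the second is what the scanning engine needs so that the flagged entry is opened as a file rather than as a device.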
Current thread:
- iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability idlabs-advisories (Oct 05)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability bipin gautam (Oct 05)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability Kurt Seifried (Oct 05)
- Re[2]: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability 3APA3A (Oct 06)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability 3APA3A (Oct 06)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability bipin gautam (Oct 05)