Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Bypass Virus Checking
From: bsides () TOWERY COM (Brock Sides)
Date: Tue, 1 Feb 2000 14:46:13 -0600


NAV 4.0 running on NT successfully detects the EICAR test file even if
it's residing in RECYCLED.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Sun, 30 Jan 2000, Neil Bortnak wrote:

1.Background
------------

Under Win95/98 the Recycle Bin is a system designed to make it easy for
users to "undelete" files. When a user deletes from the GUI, the file is
not really deleted but moved to a folder named "RECYCLED" located at the
root of that volume. If the folder does not exist, possibly because
nothing has ever been deleted on that volume, the directory is created.
The file is then renamed and information about the file's original name
and location are stored in an index file. When you look at the recycle
bin through the GUI, Windows reads the index files from each volume and
displays their contents. It does not display a raw directory listing.
You cannot easily access a raw directory listing through the GUI. When
you empty the recycle bin, Windows deletes all of the files in the
RECYCLED directories that have a corresponding entry in one of the
indexes. Therefore a file stored in a RECYCLED directory via DOS or a
program will not show up anywhere in the GUI and will not be deleted
when you empty the Recycle Bin.

[snip]

4. Notes on NT
--------------

The exploit works great under NT. The anti-virus folk make the same
exclusions with NT checkers, presumably to deal with dual boot systems.
NT's default permissions allow this to work even when the machine is not
dual boot and has NTFS on all drives because EVERYONE can create
directories at the root. Just make a \RECYCLED directory and away you
go.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]