Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 5 Oct 2004 20:02:46 -0700 (PDT)

hi iDEFENSE,

What a coincidence, This is what i was talking about
with few others in the list... a day 
back!!! I myself saw this behavoir...... (i was a few
days short) hay guys you were telling me, "Antiviral
vendors aware about this problem, it was discussed in
past." so??? iDEFENSE took away my upcomming advisort.
)O;

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't a first time a advisory has
coinside with other........

cheese,
bipin

--- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

Dear bipin gautam,

Actually  my  super  antivirus  easily  detects 
eicar  in  nul.con. For
example, for c:\NUL.CON\eicar.com

try

antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors aware about this problem, it was
discussed in past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote
to full-disclosure () lists netsys com:

 
OK.  I  just wrote new super antivirus. It's
databases currently consist
from  only  eicar.com  signature  (I'm very new
in
this business) but it
100% detects EICAR in the file with removed
permissions :)

http://www.security.nnov.ru/files/antieicar.zip

Now, there is at least one antivirus to break
your
statement :)



bg> good example 3APA3A to teach those software
companies
bg> howto, 

bg> anyways... here is a archive, 

bg> http://www.geocities.com/visitbipin/antiPOC.zip

bg> Extract the archive by using "DEFAULT ZIP
MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string
file". 

bg> I don't think your super AV will detect the
"eicar
bg> test string file" withing "NULL.con" folder???
:)

bg> anyways... let me know HOW? when you figure out
to how
bg> to delete "NULL.con" directory.



The problem specifically exists in attempts to scan
files and
directories named as reserved MS-DOS devices.
Reserved MS-DOS device
names are a hold over from the original days of
Microsoft DOS. The
reserved MS-DOS device names represent devices such
as the first printer
port (LPT1) and the first serial communication port
(COM1). Sample
reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1. If a
virus stores itself in a reserved device name it can
avoid detection by
Symantec Norton AntiVirus when the system is
scanned. Symantec Norton
AntiVirus will scan the files and folders containing
the virus and fail
to detect or report them. reserved device names can
be creating with
standard Windows utilities by specifying the full
Universal Naming
Convention (UNC) path. The following command will
successfully copy a
file to the reserved device name 'aux' on the C:\
drive:

    copy source \\.\C:\aux




                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]