Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re[2]: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
Date: Wed, 6 Oct 2004 14:25:35 +0400

Dear bipin gautam,

This  issue  was really discussed in the past and was fixed in Kaspersky


I  do  work  for  iDefense.  They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see

-=-=-=- Quote -=-=-=-

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=-  End -=-=-=-

I  never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
good well known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure () lists netsys com:

bg> hi iDEFENSE,

bg> What a coincidence, This is what i was talking about
bg> with few others in the list... a day 
bg> back!!! I myself saw this behavoir...... (i was a few
bg> days short) hay guys you were telling me, "Antiviral
bg> vendors aware about this problem, it was discussed in
bg> past." so??? iDEFENSE took away my upcomming advisort.
bg> )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't a first time a advisory has
bg> coinside with other........

bg> cheese,
bg> bipin

bg> --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

Dear bipin gautam,

Actually  my  super  antivirus  easily  detects 
eicar  in  nul.con. For
example, for c:\NUL.CON\eicar.com


antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors aware about this problem, it was
discussed in past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote
to full-disclosure () lists netsys com:

OK.  I  just wrote new super antivirus. It's
databases currently consist
from  only  eicar.com  signature  (I'm very new
this business) but it
100% detects EICAR in the file with removed
permissions :)


Now, there is at least one antivirus to break
statement :)

bg> good example 3APA3A to teach those software
bg> howto, 

bg> anyways... here is a archive, 

bg> http://www.geocities.com/visitbipin/antiPOC.zip

bg> Extract the archive by using "DEFAULT ZIP
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string

bg> I don't think your super AV will detect the
bg> test string file" withing "NULL.con" folder???

bg> anyways... let me know HOW? when you figure out
to how
bg> to delete "NULL.con" directory.

The problem specifically exists in attempts to scan
files and
directories named as reserved MS-DOS devices.
Reserved MS-DOS device
names are a hold over from the original days of
Microsoft DOS. The
reserved MS-DOS device names represent devices such
as the first printer
port (LPT1) and the first serial communication port
(COM1). Sample
reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1. If a
virus stores itself in a reserved device name it can
avoid detection by
Symantec Norton AntiVirus when the system is
scanned. Symantec Norton
AntiVirus will scan the files and folders containing
the virus and fail
to detect or report them. reserved device names can
be creating with
standard Windows utilities by specifying the full
Universal Naming
Convention (UNC) path. The following command will
successfully copy a
file to the reserved device name 'aux' on the C:\

    copy source \\.\C:\aux

bg> _______________________________
bg> Do you Yahoo!?
bg> Declare Yourself - Register online to vote today!
bg> http://vote.yahoo.com

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html

Ну а теперь, Уильям, хорошенько поразмыслите над данным письмом. (Твен)

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]