mailing list archives
Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 6 Oct 2004 14:25:35 +0400
Dear bipin gautam,
This issue was really discussed in the past and was fixed in Kaspersky
I do work for iDefense. They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see
-=-=-=- Quote -=-=-=-
Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=- End -=-=-=-
I never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
good well known problem.
--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure () lists netsys com:
bg> hi iDEFENSE,
bg> What a coincidence, This is what i was talking about
bg> with few others in the list... a day
bg> back!!! I myself saw this behavoir...... (i was a few
bg> days short) hay guys you were telling me, "Antiviral
bg> vendors aware about this problem, it was discussed in
bg> past." so??? iDEFENSE took away my upcomming advisort.
bg> 3APA3A, do you work for iDEFENSE???????
bg> ANYWAYS, this isn't a first time a advisory has
bg> coinside with other........
bg> --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
Dear bipin gautam,
Actually my super antivirus easily detects
eicar in nul.con. For
example, for c:\NUL.CON\eicar.com
Antiviral vendors aware about this problem, it was
discussed in past.
--Saturday, October 2, 2004, 9:57:52 PM, you wrote
to full-disclosure () lists netsys com:
OK. I just wrote new super antivirus. It's
databases currently consist
from only eicar.com signature (I'm very new
this business) but it
100% detects EICAR in the file with removed
Now, there is at least one antivirus to break
bg> good example 3APA3A to teach those software
bg> anyways... here is a archive,
bg> Extract the archive by using "DEFAULT ZIP
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string
bg> I don't think your super AV will detect the
bg> test string file" withing "NULL.con" folder???
bg> anyways... let me know HOW? when you figure out
bg> to delete "NULL.con" directory.
The problem specifically exists in attempts to scan
directories named as reserved MS-DOS devices.
Reserved MS-DOS device
names are a hold over from the original days of
Microsoft DOS. The
reserved MS-DOS device names represent devices such
as the first printer
port (LPT1) and the first serial communication port
reserved MS-DOS device names include AUX, CON, PRN,
COM1 and LPT1. If a
virus stores itself in a reserved device name it can
avoid detection by
Symantec Norton AntiVirus when the system is
scanned. Symantec Norton
AntiVirus will scan the files and folders containing
the virus and fail
to detect or report them. reserved device names can
be creating with
standard Windows utilities by specifying the full
Convention (UNC) path. The following command will
successfully copy a
file to the reserved device name 'aux' on the C:\
copy source \\.\C:\aux
bg> Do you Yahoo!?
bg> Declare Yourself - Register online to vote today!
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html
Ну а теперь, Уильям, хорошенько поразмыслите над данным письмом. (Твен)
Full-Disclosure - We believe in it.