Security Incidents
mailing list archives
RE: strange windows behaviour.
From: J Mike Rollins <rollins () wfu edu>
Date: Thu, 9 Oct 2003 12:58:59 -0400 (EDT)
We are in the process of sending information to the vendor.
In summary:
will be caught: rundll32 c:\directory\trojan.dll,params
will not be caught: rundll32 c:\directory:trojan.dll,params
On Thu, 9 Oct 2003, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: J Mike Rollins [mailto:rollins () wfu edu]
> > Sent: Thursday, October 09, 2003 10:13 AM
> > To: Schmehl, Paul L
> > Cc: incidents () securityfocus com
> > Subject: RE: strange windows behaviour.
> >
> > I have just tested the ideas expressed here and have to
> > report that streams can still be a threat.
> >
> > When I try to make a copy of the dll stored within the
> > stream, the virus scanning software does find it.
> >
> > However, when I run the contents of the dll stream by using
> > rundll32 the program is not caught by the virus scanning
> > software. And the trojan continues to execute undetected.
> >
> > So, I believe this to be a serious threat.
>
> Have you sent the results of your testing to your AV vendor? It could
> easily be a problem with your AV rather than a problem with the general
> principle of on access scanning being able to catch the trojan.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Mike
Network Operations and Security, Wake Forest University
======================================================================
J. Mike Rollins rollins () wfu edu
Wake Forest University http://www.wfu.edu/~rollins
Winston-Salem, NC work: (336) 758-1938
======================================================================
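
The two rundll32 forms summarized in the message above differ only in whether the DLL path names an NTFS stream. As an added example that is not part of the original thread, the following check flags rundll32 command lines whose DLL argument uses stream syntax; it assumes process command lines are available from logging, and the sample lines and function names are constructed for illustration.

```python
import re

# rundll32 image (optional directory, ".exe" and closing quote), then its
# first argument: the DLL path, either quoted or bare up to the comma that
# separates it from the entry point.
_RUNDLL = re.compile(r'''
    (?:^|[\s"\\/])rundll32(?:\.exe)?"?\s+
    (?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))
    ''', re.IGNORECASE | re.VERBOSE)

# Drive designator, optionally behind a \\?\ or \\.\ prefix. Its colon is
# legitimate and must not be mistaken for a stream separator.
_DRIVE = re.compile(r'(?:\\\\[?.]\\)?[A-Za-z]:')


def stream_reference(cmdline):
    """Return (host_path, stream_name) if the DLL that rundll32 is asked to
    load is addressed with NTFS stream syntax, otherwise None."""
    m = _RUNDLL.search(cmdline)
    if not m:
        return None
    path = m.group("quoted") or m.group("bare")
    d = _DRIVE.match(path)
    start = d.end() if d else 0
    host, sep, stream = path[start:].partition(":")
    if not sep:
        return None  # ordinary file path, no stream named
    return (path[:start] + host, stream)


def flag(cmdlines):
    """Return (cmdline, host_path, stream_name) for every line that loads a
    DLL from a stream."""
    hits = []
    for line in cmdlines:
        ref = stream_reference(line)
        if ref:
            hits.append((line, ref[0], ref[1]))
    return hits


# Constructed sample command lines; the first two are the forms from the message.
SAMPLE = [
    r'rundll32 c:\directory\trojan.dll,params',
    r'rundll32 c:\directory:trojan.dll,params',
    r'"C:\Windows\System32\rundll32.exe" "c:\my docs\notes.txt:trojan.dll",params',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

if __name__ == "__main__":
    for line, host, stream in flag(SAMPLE):
        print(f"stream '{stream}' on '{host}': {line}")
```
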