Re: Bypass Virus Checking

[bsides () TOWERY COM (Brock Sides)]

NAV 4.0 running on NT successfully detects the EICAR test file even if
it's residing in RECYCLED.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Sun, 30 Jan 2000, Neil Bortnak wrote:

> 1.Background
> ------------
>
> Under Win95/98 the Recycle Bin is a system designed to make it easy for
> users to "undelete" files. When a user deletes from the GUI, the file is
> not really deleted but moved to a folder named "RECYCLED" located at the
> root of that volume. If the folder does not exist, possibly because
> nothing has ever been deleted on that volume, the directory is created.
> The file is then renamed and information about the file's original name
> and location are stored in an index file. When you look at the recycle
> bin through the GUI, Windows reads the index files from each volume and
> displays their contents. It does not display a raw directory listing.
> You cannot easily access a raw directory listing through the GUI. When
> you empty the recycle bin, Windows deletes all of the files in the
> RECYCLED directories that have a corresponding entry in one of the
> indexes. Therefore a file stored in a RECYCLED directory via DOS or a
> program will not show up anywhere in the GUI and will not be deleted
> when you empty the Recycle Bin.

[snip]

> 4. Notes on NT
> --------------
>
> The exploit works great under NT. The anti-virus folk make the same
> exclusions with NT checkers, presumably to deal with dual boot systems.
> NT's default permissions allow this to work even when the machine is not
> dual boot and has NTFS on all drives because EVERYONE can create
> directories at the root. Just make a \RECYCLED directory and away you
> go.