Full Disclosure mailing list archives
RE: RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Sun, 7 May 2006 23:49:13 +0530
Signature based analysis doesn't apply well in case of script based worms / virii. The issue here seems to be lack of a feature to do an appropriate analysis of script based worms. Symantec is able to block it because, in addition to signature matching, it is also trying to figure out what the script is up to. In this kind of real time analysis, the AV usually looks for any kind of possible malicious activity by the script by intercepting wsh or wscript calls. For example - if a .vbs, .hta or .wsh file is opened on a system then the AV (with real-time protection) usually looks for the presence of FileSystemObject calls or something similar in the file and then blocks it from getting executed. It prompts the user to either allow it or disallow it. It may happen that it sometimes blocks valid scripts with valid calls to fso but like any other security products these kinds of false positives do sneak in. I am rather surprised that Panda AV doesn't have this basic feature to block such scripts and is relying only upon signature based analysis.

Have you also tried this test with Pest Control?? I guess they do have a nice real time protection.

-d

________________________________
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Niklas
Sent: Saturday, May 06, 2006 10:46 AM
To: Joxean Koret
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,Norton Antivirus 2005 and the virus "I Love You"

Symantec 10 corp. immediately detects this as Loveletter.CI through real time protection when accessing the file within the archive.

/N

On 5/4/06, Joxean Koret <joxeankoret () yahoo es> wrote:

Sorry, the email was sent without the attachment.

---
Regards,
Joxean Koret

> Attached goes a working "I Love You" virus in which I
> changed ONLY the variable "dirsystem" with the name
> "kk2" (The file attached has the extension ".txt.gz",
> otherwise, with the .vbs extension the file will be
> locked by all the most popular anti-viral toolkits).

Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
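A toy illustration of the distinction Debasis draws above, between an exact signature that a one-variable rename defeats and a script-aware check that keys on what the script can do. This is an added example, not code from any poster or vendor; the signature set, the pattern list, the extension list and the sample script lines are constructed assumptions.

```python
import hashlib
import re

# Constructed stand-in for a "known sample": one exact script line.
# The hash of this text is the whole signature, so any edit defeats it.
KNOWN_SCRIPT = 'Set dirsystem = CreateObject("Scripting.FileSystemObject")\r\n'
SIGNATURE_DB = {hashlib.sha256(KNOWN_SCRIPT.encode()).hexdigest()}

# File types Windows Script Host / mshta will execute (the three named in
# the post plus the other WSH script types); a scanner only acts on these.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsh", ".hta", ".js", ".jse"}

# Capability hints, not any one sample's text, so a renamed variable still
# trips them. Assumed pattern list for illustration, not a vendor's.
SUSPICIOUS_PATTERNS = {
    "fso": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    "wshell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
}

def signature_match(script: str) -> bool:
    """Exact-content signature: the only check the post says Panda relied on."""
    return hashlib.sha256(script.encode()).hexdigest() in SIGNATURE_DB

def heuristic_flags(script: str) -> set:
    """Names of the suspicious capabilities present in the script body."""
    return {name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(script)}

def verdict(filename: str, script: str) -> str:
    """What a script-aware real-time scanner would do when the file is opened."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in SCRIPT_EXTENSIONS:
        return "ignore"            # not something WSH/mshta will run as-is
    if signature_match(script):
        return "block"             # exact known sample
    flags = heuristic_flags(script)
    if flags:
        # the allow/disallow prompt the post describes (false positives included)
        return "prompt:" + ",".join(sorted(flags))
    return "allow"

# Constructed variant: the same line with the one variable renamed, as in the thread.
RENAMED_SCRIPT = KNOWN_SCRIPT.replace("dirsystem", "kk2")

if __name__ == "__main__":
    for name, body in [("original.vbs", KNOWN_SCRIPT), ("renamed.vbs", RENAMED_SCRIPT),
                       ("renamed.txt.gz", RENAMED_SCRIPT)]:
        print(name, verdict(name, body))
```

A real product hooks the script engine at execution time rather than grepping file contents, so this static check stands in for that behaviour only to show why the rename defeats one test and not the other.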