Full Disclosure mailing list archives

RE: RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You"


From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Sun, 7 May 2006 23:49:13 +0530

Signature based analysis doesn't apply well in case of script based worms /
virii. The issue here seems to be lack of a feature to do an appropriate
analysis of script based worms.

Symantec is able to block it because, in addition to signature matching, it
is also trying to figure out what the script is up to. In this kind of real
time analysis, the AV usually looks for any kind of possible malicious activity
by the script by intercepting wsh or wscript calls. For example - if a .vbs,
.hta or .wsh file is opened on a system then the AV (with real-time
protection) usually looks for the presence of FileSystemObject calls or
something similar in the file and then blocks it from getting executed. It
prompts the user to either allow it or disallow it. It may happen that it
sometimes blocks valid scripts with valid calls to fso, but like any other
security product, this kind of false positive does sneak in.

I am rather surprised that Panda AV doesn't have this basic feature to block
such scripts and is relying only upon signature based analysis. 

Have you also tried this test with Pest Control? I guess they do have a
nice real time protection.


-d 
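The real-time script check described above (open a .vbs/.hta/.wsh file, look for FileSystemObject and similar Windows Script Host calls, then allow, prompt or block) can be modelled in a few lines. The following is an added illustration written for this archive, not code from Symantec, Panda or any poster; the indicator list, weights and thresholds are assumptions, and the two sample scripts are constructed (the second only names the object combination the thread associates with script worms, it does nothing). It also shows the two caveats raised in the thread: a legitimate admin script that uses FileSystemObject draws a prompt (the false-positive case), and the same content under a non-script extension such as .txt is never inspected at all.

```python
"""Toy model of an extension-triggered script heuristic for Windows Script Host
files. Added example, not a vendor engine; indicators and thresholds are assumed."""

import re
from dataclasses import dataclass

# Extensions the post names as handled by Windows Script Host.
SCRIPT_EXTENSIONS = (".vbs", ".hta", ".wsh")

# Assumed indicators: (name, weight, pattern). A lone FileSystemObject
# call is common in legitimate admin scripts, so on its own it only earns a prompt.
INDICATORS = (
    ("FileSystemObject", 2, re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I)),
    ("WScript.Shell", 2, re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)),
    ("registry write", 3, re.compile(r'\bRegWrite\b', re.I)),
    ("self-reference", 3, re.compile(r'\bWScript\.ScriptFullName\b', re.I)),
    ("mail automation", 4, re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I)),
)

PROMPT_THRESHOLD = 2   # assumed: any single risky object -> ask the user
BLOCK_THRESHOLD = 6    # assumed: several combined -> block outright


@dataclass(frozen=True)
class Verdict:
    decision: str      # "allow", "prompt" or "block"
    score: int
    matched: tuple     # names of the indicators that fired, in INDICATORS order


def is_script(filename: str) -> bool:
    """Extension gate: only files WSH would run are inspected."""
    return filename.lower().endswith(SCRIPT_EXTENSIONS)


def find_indicators(source: str) -> list:
    """Return (name, weight) for every indicator present in the script text."""
    return [(name, weight) for name, weight, pat in INDICATORS if pat.search(source)]


def classify(filename: str, source: str) -> Verdict:
    """Decide allow/prompt/block for a file about to be opened."""
    if not is_script(filename):
        return Verdict("allow", 0, ())
    hits = find_indicators(source)
    score = sum(weight for _, weight in hits)
    if score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= PROMPT_THRESHOLD:
        decision = "prompt"
    else:
        decision = "allow"
    return Verdict(decision, score, tuple(name for name, _ in hits))


# Constructed samples. The first is a legitimate log reader that happens to
# use FileSystemObject; the second merely instantiates several risky objects.
BENIGN_LOG_READER = '''
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\\logs\\app.log", 1)
WScript.Echo f.ReadAll
'''

SUSPICIOUS_SAMPLE = '''
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\\Software\\Example\\Value", "placeholder"
WScript.Echo WScript.ScriptFullName
Set ol = CreateObject("Outlook.Application")
'''

if __name__ == "__main__":
    for name, text in (("report.vbs", BENIGN_LOG_READER),
                       ("greeting.vbs", SUSPICIOUS_SAMPLE),
                       ("notes.txt", SUSPICIOUS_SAMPLE)):
        print(name, classify(name, text))
```

Running it gives `prompt` for report.vbs (the false positive the post warns about), `block` for greeting.vbs, and `allow` for notes.txt even though its content is identical to greeting.vbs, which is why a scanner that keys only on the extension is easy to slip past with a renamed file.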


________________________________

From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Niklas
Sent: Saturday, May 06, 2006 10:46 AM
To: Joxean Koret
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,Norton
Antivirus 2005 and the virus "I Love You"


Symantec 10 corp. immediately detects this as Loveletter.CI through real
time protection when accessing the file within the archive.
 
/N

 
On 5/4/06, Joxean Koret <joxeankoret () yahoo es> wrote: 

        Sorry, the email was sent without the attachment.
        
        ---
        Regards,
        Joxean Koret
        
        > Attached goes a working "I Love You" virus in which 
        > I
        > changed ONLY the variable "dirsystem" with the name
        > "kk2" (The file attached has the extension
        > ".txt.gz",
        > otherwise, with the .vbs extension the file will be 
        > locked by all the most popular anti-viral
        > toolkits).
        
        Disclaimer:
        ~~~~~~~~~~~
        
        The information in this advisory and any of its
        demonstrations is provided "as is" without any
        warranty of any kind.
        
        I am not liable for any direct or indirect damages
        caused as a result of using the information or
        demonstrations provided in any part of this
        advisory.
        
        
--------------------------------------------------------------------------- 
        
        Contact:
        ~~~~~~~~
        
               Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
        
        
        
        _______________________________________________ 
        Full-Disclosure - We believe in it.
        Charter: http://lists.grok.org.uk/full-disclosure-charter.html
        Hosted and sponsored by Secunia - http://secunia.com/
        
        
        


