Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

[bipin gautam <visitbipin () yahoo com>]

hi iDEFENSE,

What a coincidence, This is what i was talking about
with few others in the list... a day 
back!!! I myself saw this behavoir...... (i was a few
days short) hay guys you were telling me, "Antiviral
vendors aware about this problem, it was discussed in
past." so??? iDEFENSE took away my upcomming advisort.
)O;

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't a first time a advisory has
coinside with other........

cheese,
bipin

--- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

> Dear bipin gautam,
>
> Actually  my  super  antivirus  easily  detects 
> eicar  in  nul.con. For
> example, for c:\NUL.CON\eicar.com
>
> try
>
> antieicar \\.\c:\NUL.CON\eicar.com
>
> Antiviral vendors aware about this problem, it was
> discussed in past.
>
> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
> to full-disclosure () lists netsys com:
>
>  
> > > OK.  I  just wrote new super antivirus. It's
> > > databases currently consist
> > > from  only  eicar.com  signature  (I'm very new
> in
> > > this business) but it
> > > 100% detects EICAR in the file with removed
> > > permissions :)
> > >
> > > http://www.security.nnov.ru/files/antieicar.zip
>
> > > Now, there is at least one antivirus to break
> your
> > > statement :)
>
>
> bg> good example 3APA3A to teach those software
> companies
> bg> howto, 
>
> bg> anyways... here is a archive, 
>
> bg> http://www.geocities.com/visitbipin/antiPOC.zip
>
> bg> Extract the archive by using "DEFAULT ZIP
> MANAGER" of
> bg> windows xp. It will create a file "NULL.con" (O;
> bg> within which there is a "eicar test string
> file". 
>
> bg> I don't think your super AV will detect the
> "eicar
> bg> test string file" withing "NULL.con" folder???
> :)
>
> bg> anyways... let me know HOW? when you figure out
> to how
> bg> to delete "NULL.con" directory.

> The problem specifically exists in attempts to scan
> files and
> directories named as reserved MS-DOS devices.
> Reserved MS-DOS device
> names are a hold over from the original days of
> Microsoft DOS. The
> reserved MS-DOS device names represent devices such
> as the first printer
> port (LPT1) and the first serial communication port
> (COM1). Sample
> reserved MS-DOS device names include AUX, CON, PRN,
> COM1 and LPT1. If a
> virus stores itself in a reserved device name it can
> avoid detection by
> Symantec Norton AntiVirus when the system is
> scanned. Symantec Norton
> AntiVirus will scan the files and folders containing
> the virus and fail
> to detect or report them. reserved device names can
> be creating with
> standard Windows utilities by specifying the full
> Universal Naming
> Convention (UNC) path. The following command will
> successfully copy a
> file to the reserved device name 'aux' on the C:\
> drive:
>
>     copy source \\.\C:\aux


                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html