Re[2]: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear bipin gautam,

This  issue  was really discussed in the past and was fixed in Kaspersky
Antivirus.

http://www.security.nnov.ru/search/document.asp?docid=4061

I  do  work  for  iDefense.  They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see

-=-=-=- Quote -=-=-=-
IX. CREDIT

Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
-=-=-=-  End -=-=-=-

I  never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
good well known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure () lists netsys com:

bg> hi iDEFENSE,

bg> What a coincidence, This is what i was talking about
bg> with few others in the list... a day 
bg> back!!! I myself saw this behavoir...... (i was a few
bg> days short) hay guys you were telling me, "Antiviral
bg> vendors aware about this problem, it was discussed in
bg> past." so??? iDEFENSE took away my upcomming advisort.
bg> )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't a first time a advisory has
bg> coinside with other........

bg> cheese,
bg> bipin

bg> --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

> > Dear bipin gautam,
> >
> > Actually  my  super  antivirus  easily  detects 
> > eicar  in  nul.con. For
> > example, for c:\NUL.CON\eicar.com
> >
> > try
> >
> > antieicar \\.\c:\NUL.CON\eicar.com
> >
> > Antiviral vendors aware about this problem, it was
> > discussed in past.
> >
> > --Saturday, October 2, 2004, 9:57:52 PM, you wrote
> > to full-disclosure () lists netsys com:
> >
> >  
> > > > OK.  I  just wrote new super antivirus. It's
> > > > databases currently consist
> > > > from  only  eicar.com  signature  (I'm very new
> > in
> > > > this business) but it
> > > > 100% detects EICAR in the file with removed
> > > > permissions :)
> > > >
> > > > http://www.security.nnov.ru/files/antieicar.zip
> >
> > > > Now, there is at least one antivirus to break
> > your
> > > > statement :)
> >
> >
> > bg> good example 3APA3A to teach those software
> > companies
> > bg> howto, 
> >
> > bg> anyways... here is a archive, 
> >
> > bg> http://www.geocities.com/visitbipin/antiPOC.zip
> >
> > bg> Extract the archive by using "DEFAULT ZIP
> > MANAGER" of
> > bg> windows xp. It will create a file "NULL.con" (O;
> > bg> within which there is a "eicar test string
> > file". 
> >
> > bg> I don't think your super AV will detect the
> > "eicar
> > bg> test string file" withing "NULL.con" folder???
> > :)
> >
> > bg> anyways... let me know HOW? when you figure out
> > to how
> > bg> to delete "NULL.con" directory.

> > The problem specifically exists in attempts to scan
> > files and
> > directories named as reserved MS-DOS devices.
> > Reserved MS-DOS device
> > names are a hold over from the original days of
> > Microsoft DOS. The
> > reserved MS-DOS device names represent devices such
> > as the first printer
> > port (LPT1) and the first serial communication port
> > (COM1). Sample
> > reserved MS-DOS device names include AUX, CON, PRN,
> > COM1 and LPT1. If a
> > virus stores itself in a reserved device name it can
> > avoid detection by
> > Symantec Norton AntiVirus when the system is
> > scanned. Symantec Norton
> > AntiVirus will scan the files and folders containing
> > the virus and fail
> > to detect or report them. reserved device names can
> > be creating with
> > standard Windows utilities by specifying the full
> > Universal Naming
> > Convention (UNC) path. The following command will
> > successfully copy a
> > file to the reserved device name 'aux' on the C:\
> > drive:
> >
> >     copy source \\.\C:\aux


                
bg> _______________________________
bg> Do you Yahoo!?
bg> Declare Yourself - Register online to vote today!
bg> http://vote.yahoo.com

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
Ну а теперь, Уильям, хорошенько поразмыслите над данным письмом. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html