Full Disclosure mailing list archives

RE: Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.


From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sat, 12 Mar 2005 14:16:02 -0500

Hi Bipin,
By design Eicar needs to be the exact string and on the first line with nothing else following it. So the file is not
actually an Eicar. I get this with advanced zip repair. So now we won't detect this because it is not Eicar.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK

     /é0DFµ-ÿ   ÿ                      eicar.comPK      7   k  

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz () sybari com

MSN IM:Steve_Scholz () Msn com (email never checked) 




-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
bipin gautam
Sent: Saturday, March 12, 2005 1:03 PM
To: Steve Scholz
Cc: vuln () secunia com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: [Full-disclosure] Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.

Steve,
firstly... thank you for all your comments.

The Antigen_s.zip does not contain a valid Eicar
this info when repaired
and opened is X5O!P%@AP[4\PZX
We did catch it with a file filter.
What was your intent with these files?

OOPS! again my fault!!!
TRY: http://www.geocities.com/visitbipin/Antigen.zip

my intention was to show, if the archive has
compressed size and uncompressed size set to greater
than the actual file size or less than the actual file
size there are many AV that can't scan the file
properly.

send  http://www.geocities.com/visitbipin/Antigen.zip
 to virustotal.com and see for yourself!!!

Download Accelerator successfully repairs this archive
with some garbage data \x00 at the end "255 bytes"
Though, I was able to successfully execute eicar.com

-bipin
updates at:
http://www.geocities.com/visitbipin/crc.html
___________________My report!_______________________
This is a report processed by VirusTotal on 03/12/2005
at 18:38:32 (CET) after scanning the file
"Antigen.zip" file. 
 
Antivirus    Version         Update      Result
AntiVir      6.30.0.5        03.11.2005  Eicar-Test-Signature
AVG          718             03.11.2005  EICAR_Test (+187)
BitDefender  7.0             03.12.2005  no virus found
ClamAV       devel-20050307  03.10.2005  Eicar-Test-Signature
DrWeb        4.32b           03.12.2005  no virus found
eTrust-Iris  7.1.194.0       03.12.2005  no virus found
eTrust-Vet   11.7.0.0        03.11.2005  no virus found
Fortinet     2.51            03.11.2005  no virus found
F-Prot       3.16a           03.11.2005  EICAR_Test_File
Ikarus       2.32            03.11.2005  EICAR-ANTIVIRUS-TESTFILE
Kaspersky    4.0.2.24        03.12.2005  EICAR-Test-File
McAfee       4445            03.11.2005  no virus found
NOD32v2      1.1024          03.11.2005  archive damaged
Norman       5.70.10         03.10.2005  no virus found
Panda        8.02.00         03.12.2005  Eicar.Mod
Sybari       7.5.1314        03.12.2005  no virus found
Symantec     8.0             03.11.2005  no virus found



                
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
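
A defender-side check for the mismatch described in the thread (declared compressed and uncompressed sizes that differ from the actual data), added here as an example; it is not code from either poster or from any AV product. The names `audit_zip` and `sample` are hypothetical, the archive is constructed with a harmless payload, and the parser assumes a single-disk archive without ZIP64 or encryption.

```python
import io, struct, zipfile, zlib

def audit_zip(data):
    """Return (entry, problem) pairs where declared ZIP metadata disagrees with the data."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")                       # end-of-central-directory record
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    count, _, cd_start = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_start
    for _ in range(count):
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)   # central directory entry
        method, (crc, csize, usize), (nlen, xlen, clen), off = f[4], f[7:10], f[10:13], f[16]
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        pos += 46 + nlen + xlen + clen
        lh = struct.unpack_from("<4s5H3I2H", data, off)    # matching local file header
        if not lh[2] & 8 and lh[6:9] != (crc, csize, usize):  # bit 3: sizes in data descriptor
            findings.append((name, "local header disagrees with central directory"))
        start = off + 30 + lh[9] + lh[10]
        if method == 8:                                    # deflate: decode to find true extent
            d = zlib.decompressobj(-15)
            try:
                out = d.decompress(data[start:cd_start])
            except zlib.error:
                findings.append((name, "deflate stream is corrupt"))
                continue
            real_c = cd_start - start - len(d.unused_data)
        elif method == 0:                                  # stored: bounded by central directory
            out = data[start:min(start + csize, cd_start)]
            real_c = len(out)
        else:
            continue                                       # other methods are out of scope here
        fields = zip(("crc32", "compressed size", "uncompressed size"),
                     (crc, csize, usize), (zlib.crc32(out), real_c, len(out)))
        findings += [(name, f"declared {k} {want} != actual {got}")
                     for k, want, got in fields if want != got]
    return findings

def sample(csize_delta=0, usize_delta=0):
    """Constructed archive with one harmless entry; size fields optionally skewed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.txt", b"constructed harmless payload " * 8)
    raw = bytearray(buf.getvalue())
    for sig, field in ((b"PK\x03\x04", 18), (b"PK\x01\x02", 20)):  # size fields, both headers
        at = raw.find(sig) + field
        c, u = struct.unpack_from("<II", raw, at)
        struct.pack_into("<II", raw, at, c + csize_delta, u + usize_delta)
    return bytes(raw)
```

A scanner front end can treat any non-empty result as a reason to quarantine or flag the archive rather than report it clean.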

