Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: strange windows behaviour.

From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 9 Oct 2003 11:06:37 -0500
-----Original Message-----
From: J Mike Rollins [mailto:rollins () wfu edu] 
Sent: Thursday, October 09, 2003 10:13 AM
To: Schmehl, Paul L
Cc: incidents () securityfocus com
Subject: RE: strange windows behaviour.

I have just tested the ideas expressed here and have to 
report that streams can still be a threat.

When I try to make a copy of the dll stored within the 
stream, the virus scanning software does find it.

However, when I run the contents of the dll stream by using 
rundll32 the program is not caught by the virus scanning 
software.  And the trojan continues to execute undetected.

So, I believe this to be a serious threat.


Have you sent the results of your testing to your AV vendor?  It could
easily be a problem with your AV rather than a problem with the general
principle of on access scanning being able to catch the trojan.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: