RE: strange windows behaviour.

[J Mike Rollins <rollins () wfu edu>]

We are in the process of sending information to the vendor.

In summary:

will be caught:         rundll32 c:\directory\trojan.dll,params
will not be caught:     rundll32 c:\directory:trojan.dll,params

On Thu, 9 Oct 2003, Schmehl, Paul L wrote:

> > -----Original Message-----
> > From: J Mike Rollins [mailto:rollins () wfu edu]
> > Sent: Thursday, October 09, 2003 10:13 AM
> > To: Schmehl, Paul L
> > Cc: incidents () securityfocus com
> > Subject: RE: strange windows behaviour.
> >
> > I have just tested the ideas expressed here and have to
> > report that streams can still be a threat.
> >
> > When I try to make a copy of the dll stored within the
> > stream, the virus scanning software does find it.
> >
> > However, when I run the contents of the dll stream by using
> > rundll32 the program is not caught by the virus scanning
> > software.  And the trojan continues to execute undetected.
> >
> > So, I believe this to be a serious threat.
>
> Have you sent the results of your testing to your AV vendor?  It could
> easily be a problem with your AV rather than a problem with the general
> principle of on access scanning being able to catch the trojan.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins              rollins () wfu edu
     Wake Forest University     http://www.wfu.edu/~rollins
        Winston-Salem, NC            work: (336) 758-1938
======================================================================


---------------------------------------------------------------------------
----------------------------------------------------------------------------