Re[2]: [Full-Disclosure] iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 10/06/04

    To: bipin gautam <visitbipin@yahoo.com>
    Date: Wed, 6 Oct 2004 14:25:35 +0400
    
    

    Dear bipin gautam,

    This issue was really discussed in the past and was fixed in Kaspersky
    Antivirus.

    http://www.security.nnov.ru/search/document.asp?docid=4061

    I do work for iDefense. They pay for Mozilla bugs more than Mozilla
    does. But not in this case. As you can see

    -=-=-=- Quote -=-=-=-
    IX. CREDIT

    Kurt Seifried (kurt[at]seifried.org) is credited with this discovery.
    -=-=-=- End -=-=-=-

    I never submitted any antiviral bugs to iDefense, but both iDefense and
    Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
    a good, well-known problem.

    --Wednesday, October 6, 2004, 7:02:46 AM, you wrote to full-disclosure@lists.netsys.com:

    bg> hi iDEFENSE,

    bg> What a coincidence, this is what I was talking about
    bg> with a few others in the list... a day
    bg> back!!! I myself saw this behavior...... (I was a few
    bg> days short) hey guys you were telling me, "Antiviral
    bg> vendors aware about this problem, it was discussed in
    bg> past." so??? iDEFENSE took away my upcoming advisory.
    bg> )O;

    bg> 3APA3A, do you work for iDEFENSE???????

    bg> ANYWAYS, this isn't the first time an advisory has
    bg> coincided with another........

    bg> cheese,
    bg> bipin

    bg> --- 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:

    >> Dear bipin gautam,
    >>
    >> Actually my super antivirus easily detects
    >> eicar in nul.con. For
    >> example, for c:\NUL.CON\eicar.com
    >>
    >> try
    >>
    >> antieicar \\.\c:\NUL.CON\eicar.com
    >>
    >> Antiviral vendors are aware of this problem; it was
    >> discussed in the past.
    >>
    >> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
    >> to full-disclosure@lists.netsys.com:
    >>
    >>
    >> >> OK. I just wrote a new super antivirus. Its
    >> >> databases currently consist
    >> >> of only the eicar.com signature (I'm very new in
    >> >> this business) but it
    >> >> 100% detects EICAR in the file with removed
    >> >> permissions :)
    >> >>
    >> >> http://www.security.nnov.ru/files/antieicar.zip
    >>
    >> >> Now, there is at least one antivirus to break your
    >> >> statement :)
    >> >>
    >>
    >>
    >> bg> good example 3APA3A to teach those software companies
    >> bg> how to,
    >>
    >> bg> anyways... here is an archive,
    >>
    >> bg> http://www.geocities.com/visitbipin/antiPOC.zip
    >>
    >> bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
    >> bg> windows xp. It will create a file "NULL.con" (O;
    >> bg> within which there is a "eicar test string file".
    >>
    >> bg> I don't think your super AV will detect the "eicar
    >> bg> test string file" within "NULL.con" folder??? :)
    >>
    >> bg> anyways... let me know HOW? when you figure out how
    >> bg> to delete "NULL.con" directory.
    >>
    >>

    >> The problem specifically exists in attempts to scan files and
    >> directories named as reserved MS-DOS devices. Reserved MS-DOS device
    >> names are a holdover from the original days of Microsoft DOS. The
    >> reserved MS-DOS device names represent devices such as the first printer
    >> port (LPT1) and the first serial communication port (COM1). Sample
    >> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
    >> virus stores itself in a reserved device name it can avoid detection by
    >> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
    >> AntiVirus will scan the files and folders containing the virus and fail
    >> to detect or report them. Reserved device names can be created with
    >> standard Windows utilities by specifying the full Universal Naming
    >> Convention (UNC) path. The following command will successfully copy a
    >> file to the reserved device name 'aux' on the C:\ drive:
    >>
    >> copy source \\.\C:\aux
    >>
    >>


    -- 
    ~/ZARAZA
    And now, William, think this letter over carefully. (Twain)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
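The reserved-name handling discussed in this thread (the quoted advisory text and 3APA3A's `antieicar \\.\c:\NUL.CON\eicar.com` invocation), as an added illustration that is not part of the thread or of any of the tools it mentions: a Python helper a scanner could use to flag path components that Win32 parses as devices and to rewrite a drive-letter path into the `\\.\` form before opening it. The function names are mine, and the full reserved-name set and the "base name before the first dot" matching rule are assumed from the Win32 file-naming rules rather than taken from the thread.

```python
import ntpath

# Reserved MS-DOS device names: the ones the advisory lists plus the rest of
# the classic set (assumed from the Win32 file-naming rules, not from the thread).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Prefixes that make Win32 skip reserved-name parsing for the rest of the path.
DEVICE_PREFIXES = ("\\\\.\\", "\\\\?\\")


def is_reserved_component(name: str) -> bool:
    """True if Win32 would treat this single file or directory name as a device.

    Win32 compares the part before the first dot, after dropping trailing
    spaces and dots, case-insensitively: 'NUL.CON', 'aux.txt' and 'Con' all
    match, while 'COM10' and 'console' do not.
    """
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path: str) -> list:
    """List every component of a Windows path that is a reserved device name.

    An ordinary, unprefixed open() of such a path is redirected to the device,
    which is how a file under a 'NUL.CON' directory escapes a naive scanner.
    """
    _, tail = ntpath.splitdrive(ntpath.normpath(path))
    return [c for c in tail.split("\\") if c and is_reserved_component(c)]


def scanner_path(path: str) -> str:
    """Rewrite a drive-letter path into the '\\\\.\\' device-namespace form.

    This is the form used in the quoted antieicar invocation: with the prefix
    the reserved-name parsing is skipped, so the scanner opens the real file.
    """
    if path.startswith(DEVICE_PREFIXES):
        return path
    drive, _ = ntpath.splitdrive(path)
    if len(drive) != 2 or drive[1] != ":":
        raise ValueError("expected a drive-letter path such as C:\\dir\\file")
    return "\\\\.\\" + ntpath.normpath(path)


if __name__ == "__main__":
    sample = r"c:\NUL.CON\eicar.com"  # constructed from the thread's example
    print(reserved_components(sample), "->", scanner_path(sample))
```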
    
