RE: [Full-disclosure] Re: Multiple AV Vendor IncorrectCRC32BypassVulnerability.

From: Steve Scholz (steve_scholz_at_sybari.com)
Date: 03/12/05

    Date: Sat, 12 Mar 2005 10:33:48 -0500
    To: "bipin gautam" <visitbipin@yahoo.com>, <vuln@secunia.com>
    
    

    Sat Mar 12 10:26:35 2005 (4320-4292), "INFORMATION: Internet scan found
    virus:

       Folder: SMTP Messages\Internal

       Message: test b

       File: Antigen_b.zip

       Incident: Large uncompressed size

       State: Removed"

    The Antigen_s.zip does not contain a valid EICAR; when repaired and opened, its content is X5O!P%@AP[4\PZX

    We did catch it with a file filter.

    Sat Mar 12 10:32:29 2005 (4320-4292), "INFORMATION: Internet scan found
    virus:

       Folder: SMTP Messages\Internal

       Message: Fw: test

       File: Antigen_s.zip->eicar.com

       Incident: FILE FILTER= *.com

       State: Removed"

    What was your intent with these files?

    Steve Scholz
    Corporate Sales Engineer-North America
    Sybari Software, Inc.
    631-630-8556 Direct
    516-903-2464 Mobile

    Email: Steve_scholz@sybari.com

    MSN IM:Steve_Scholz@Msn.com (email never checked)

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of bipin
    gautam
    Sent: Saturday, March 12, 2005 2:58 AM
    To: Steve Scholz; vuln@secunia.com
    Cc: full-disclosure@lists.grok.org.uk; vuldb@securityfocus.com
    Subject: RE: [Full-disclosure] Re: Multiple AV Vendor
    IncorrectCRC32BypassVulnerability.

    > While it might be a vulnerability if the file is
    > extracted which it hasto be to be executed the
    > desktop scanner will detect it at that time.
    > Multiple layers of defense is your best option
    > As far as number 3 Antigen detects Eicar.

    Yep, I never reported Antigen vulnerable to the 3rd
    one.

    Though, in the local file header, if you modify the "general
    purpose bit flag" (7th & 8th byte of a zip archive)
    with \x2f, Antigen also seems to be vulnerable! While
    most unzip utilities are transparently able to extract
    SUCH* an archive without any problem! Though, currently my
    only source of verifying this is via
    www.virustotal.com and some others. [Go, TRY IT
    THERE!]
    http://www.geocities.com/visitbipin/gpbf.zip

    > I can see if there is anything
    > else that you do not
    > think Antigen is doing correctly.

     (O;

    For instance,
    in the "local file header" & "data descriptor", if you
    change the compressed size and uncompressed size to
    ZERO [iDEFENSE], or to greater than the actual file size, or
    to less than the actual file size, there are still many AVs
    that can't scan the file properly.
    http://www.geocities.com/visitbipin/Antigen_b.zip
    http://www.geocities.com/visitbipin/Antigen_s.zip

    Moreover, there are unzip utilities that go into a loop
    if the file size is changed to ffffffff! Let's hope AVs
    don't have such faulty code!

    Just run the file through www.virustotal.com and
    you'll see. (I know, they aren't using up-to-date scan
    engines.)

    Thanks,
    bipin

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/

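The header games described in the quoted message (zeroed or bogus sizes in the local file header, a general purpose bit flag overwritten with \x2f\x2f, a size of ffffffff that sends a naive extractor into a loop), as an added example that is not part of the thread or of any vendor's or extractor's code. It builds a one-member archive in memory, applies each mutation to the local file header only, and then audits the archive the way a scanner should: walk the central directory, which is what extractors trust, and report every field where the local header disagrees with it, with every loop bounded by the entry count and the real file length rather than by any size field. Assumptions: a harmless constructed payload stands in for the EICAR string; the member name eicar.com is taken from the Antigen log above; Python's zipfile module stands in for "most unzip utilities" to show that the mutated archives still extract cleanly.

```python
# Added example (not code from the thread): cross-check ZIP local file headers against
# the central directory so the tricks from the post surface as explicit disagreements.
import io
import struct
import zipfile
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

# Constructed sample: a harmless placeholder stands in for the EICAR string used in the post.
MEMBER_NAME = "eicar.com"
PAYLOAD = b"placeholder for a detection test file\n" * 8


def build_zip(name=MEMBER_NAME, data=PAYLOAD):
    """Produce a well-formed single-member DEFLATE archive entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def patch_local_header(zip_bytes, flag=None, csize=None, usize=None):
    """Rewrite fields of the first local file header (at offset 0); the central directory
    is left alone. APPNOTE offsets: flag @6, compressed size @18, uncompressed size @22."""
    b = bytearray(zip_bytes)
    if flag is not None:
        struct.pack_into("<H", b, 6, flag)
    if csize is not None:
        struct.pack_into("<I", b, 18, csize)
    if usize is not None:
        struct.pack_into("<I", b, 22, usize)
    return bytes(b)


def audit(zip_bytes):
    """Walk the central directory and report each local header field that disagrees with it.
    Loop bounds come from the entry count and len(zip_bytes), never from size fields, so a
    0xFFFFFFFF size cannot send this into a spin. Returns (entries, findings)."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, n_entries, _, cd_off = struct.unpack_from("<HHII", zip_bytes, eocd + 8)
    entries, findings, pos = [], [], cd_off
    for _ in range(n_entries):
        if zip_bytes[pos:pos + 4] != CDH_SIG:
            findings.append(("<cd>", "bad central directory signature", pos, None))
            break
        (_, _, flag, method, _, _, crc, csize, usize,
         fnlen, exlen, cmlen) = struct.unpack_from("<HHHHHHIIIHHH", zip_bytes, pos + 4)
        lh_off = struct.unpack_from("<I", zip_bytes, pos + 42)[0]
        name = zip_bytes[pos + 46:pos + 46 + fnlen].decode("cp437", "replace")
        pos += 46 + fnlen + exlen + cmlen
        if zip_bytes[lh_off:lh_off + 4] != LFH_SIG:
            findings.append((name, "bad local header signature", lh_off, None))
            continue
        (lflag, lmethod, _, _, lcrc, lcsize, lusize,
         lfnlen, lexlen) = struct.unpack_from("<HHHHIIIHH", zip_bytes, lh_off + 6)
        data_start = lh_off + 30 + lfnlen + lexlen
        if lflag != flag:
            findings.append((name, "general purpose bit flag", lflag, flag))
        if lmethod != method:
            findings.append((name, "compression method", lmethod, method))
        for field, local, central in (("crc32", lcrc, crc),
                                      ("compressed size", lcsize, csize),
                                      ("uncompressed size", lusize, usize)):
            # Bit 3 legitimately defers these three fields to a data descriptor (left 0 here).
            if local != central and not (lflag & 0x8 and local == 0):
                findings.append((name, field, local, central))
        if data_start + csize > len(zip_bytes):
            findings.append((name, "compressed data runs past EOF", data_start + csize, len(zip_bytes)))
        entries.append((name, method, crc, csize, usize, data_start))
    return entries, findings


def extract_member(zip_bytes, entry, cap=16 * 1024 * 1024):
    """Inflate one member from central-directory metadata, capping output instead of trusting
    either header's uncompressed size, then verify the CRC over what actually came out."""
    name, method, crc, csize, usize, data_start = entry
    raw = zip_bytes[data_start:data_start + csize]
    if method == 8:
        d = zlib.decompressobj(-15)
        data = d.decompress(raw, cap)
        if d.unconsumed_tail:
            raise ValueError(f"{name}: output exceeds {cap} bytes (declared {usize}); refusing")
    elif method == 0:
        data = raw
    else:
        raise ValueError(f"{name}: unsupported method {method}")
    if zlib.crc32(data) & 0xFFFFFFFF != crc:
        raise ValueError(f"{name}: CRC mismatch")
    return data


def run_cases():
    """Apply the post's mutations and record what the audit and a stock extractor make of them."""
    clean = build_zip()
    cases = {
        "intact": clean,
        "sizes zeroed": patch_local_header(clean, csize=0, usize=0),
        "sizes ffffffff": patch_local_header(clean, csize=0xFFFFFFFF, usize=0xFFFFFFFF),
        "flag 2f2f": patch_local_header(clean, flag=0x2F2F),
    }
    results = {}
    for label, blob in cases.items():
        entries, findings = audit(blob)
        ours = extract_member(blob, entries[0]) == PAYLOAD
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:  # stands in for "most unzip utilities"
            stock = zf.read(MEMBER_NAME) == PAYLOAD
        results[label] = {"findings": sorted(f[1] for f in findings),
                          "audited_extract_ok": ours, "zipfile_extract_ok": stock}
    return results


if __name__ == "__main__":
    for label, r in run_cases().items():
        print(f"{label:16} findings={r['findings']} zipfile_ok={r['zipfile_extract_ok']}")
```

The point of the audit is that a scanner which reads the local file header alone, as the post suggests some engines did, sees sizes of zero or ffffffff and either skips the member or reads garbage, while every extractor that follows the central directory still yields the payload. Any disagreement between the two structures in an inbound archive is itself a strong signal, since no legitimate archiver produces one.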
