RE: strange windows behaviour.

• Previous message: J Mike Rollins: "RE: strange windows behaviour."
• Maybe in reply to: Peter Moody: "strange windows behaviour."
• Next in thread: J Mike Rollins: "RE: strange windows behaviour."
• Reply: J Mike Rollins: "RE: strange windows behaviour."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 9 Oct 2003 11:06:37 -0500
To: "J Mike Rollins" <rollins@wfu.edu>

> -----Original Message-----
> From: J Mike Rollins [mailto:rollins@wfu.edu]
> Sent: Thursday, October 09, 2003 10:13 AM
> To: Schmehl, Paul L
> Cc: incidents@securityfocus.com
> Subject: RE: strange windows behaviour.
>
> I have just tested the ideas expressed here and have to
> report that streams can still be a threat.
>
> When I try to make a copy of the dll stored within the
> stream, the virus scanning software does find it.
>
> However, when I run the contents of the dll stream by using
> rundll32 the program is not caught by the virus scanning
> software. And the trojan continues to execute undetected.
>
> So, I believe this to be a serious threat.

Have you sent the results of your testing to your AV vendor? It could
easily be a problem with your AV rather than a problem with the general
principle of on access scanning being able to catch the trojan.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: J Mike Rollins: "RE: strange windows behaviour."
• Maybe in reply to: Peter Moody: "strange windows behaviour."
• Next in thread: J Mike Rollins: "RE: strange windows behaviour."
• Reply: J Mike Rollins: "RE: strange windows behaviour."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]