[13666] in bugtraq
Re: Bypass Virus Checking
daemon@ATHENA.MIT.EDU (Brock Sides)
Wed Feb 2 16:21:04 2000
Message-Id: <Pine.LNX.4.10.10002011443090.13188-100000@koala.towery.com>
Date: Tue, 1 Feb 2000 14:46:13 -0600
Reply-To: Brock Sides <bsides@TOWERY.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To: Neil Bortnak <neil@BORTNAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3895202F.A89C9F57@bortnak.com>

NAV 4.0 running on NT successfully detects the EICAR test file even if
it's residing in RECYCLED.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com

On Sun, 30 Jan 2000, Neil Bortnak wrote:
> 1.Background
> ------------
>
> Under Win95/98 the Recycle Bin is a system designed to make it easy for
> users to "undelete" files. When a user deletes from the GUI, the file is
> not really deleted but moved to a folder named "RECYCLED" located at the
> root of that volume. If the folder does not exist, possibly because
> nothing has ever been deleted on that volume, the directory is created.
> The file is then renamed and information about the file's original name
> and location is stored in an index file. When you look at the recycle
> bin through the GUI, Windows reads the index files from each volume and
> displays their contents. It does not display a raw directory listing.
> You cannot easily access a raw directory listing through the GUI. When
> you empty the recycle bin, Windows deletes all of the files in the
> RECYCLED directories that have a corresponding entry in one of the
> indexes. Therefore a file stored in a RECYCLED directory via DOS or a
> program will not show up anywhere in the GUI and will not be deleted
> when you empty the Recycle Bin.
[snip]
> 4. Notes on NT
> --------------
>
> The exploit works great under NT. The anti-virus folk make the same
> exclusions with NT checkers, presumably to deal with dual boot systems.
> NT's default permissions allow this to work even when the machine is not
> dual boot and has NTFS on all drives because EVERYONE can create
> directories at the root. Just make a \RECYCLED directory and away you
> go.
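The check Brock reports above (drop the EICAR test file under \RECYCLED and see whether the on-access scanner still catches it), written out as an added example; it is not code from either post. It assumes Python 3 and the standard EICAR test string. The directory name, file name, settle delay and the default probe roots are assumptions chosen for illustration. It has to run as a user who can create directories at the volume root, which, as the quoted post notes, EVERYONE can on NT's default permissions.

```python
import os
import sys
import time
from pathlib import Path

# Standard EICAR test string (68 bytes). It is split in two so this source
# file is not itself matched by scanners that look for the full literal.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
_EICAR_TAIL = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the EICAR test file content as bytes."""
    return (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")


def drop_test_file(root, subdir="RECYCLED", name="eicar.com"):
    """Create <root>/<subdir> if it is missing (the "just make a \\RECYCLED
    directory" step from the post) and write the EICAR string into it.
    Returns the path written. Raises OSError if the root is unusable."""
    target_dir = Path(root) / subdir
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / name
    path.write_bytes(eicar_bytes())
    return path


def survived(path) -> bool:
    """True if the file is still present with its content intact, i.e. the
    on-access scanner did not quarantine, delete or truncate it."""
    p = Path(path)
    if not p.exists():
        return False
    try:
        return p.read_bytes() == eicar_bytes()
    except OSError:
        # A scanner that locks or denies access to the file has caught it.
        return False


def probe(roots, subdir="RECYCLED", settle_seconds=5.0):
    """Drop the test file under each root, wait for the scanner to react,
    and report per root whether the file was left alone. True means the
    directory looks excluded from on-access scanning (or no scanner runs).
    Roots that cannot be written are skipped. Test files are removed."""
    paths = {}
    for root in roots:
        try:
            paths[root] = drop_test_file(root, subdir)
        except OSError as exc:
            print(f"{root}: cannot write test file ({exc})", file=sys.stderr)
    time.sleep(settle_seconds)
    results = {root: survived(p) for root, p in paths.items()}
    for p in paths.values():
        try:
            os.remove(p)
        except OSError:
            pass  # already quarantined or deleted by the scanner
    return results


if __name__ == "__main__":
    # Assumed defaults: the first two drive roots on Windows, /tmp elsewhere.
    default_roots = ["C:\\", "D:\\"] if os.name == "nt" else ["/tmp"]
    for root, left_alone in probe(sys.argv[1:] or default_roots).items():
        verdict = "NOT caught, check scanner exclusions" if left_alone else "caught"
        print(f"{root}: {verdict}")
```

Run it once with the default \RECYCLED name and once with an ordinary directory name (`probe(roots, subdir="probe")`) as a control: if the control file is caught and the \RECYCLED one survives, the scanner is excluding that path rather than simply not running.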