[13668] in bugtraq
WG: Bypass Virus Checking - NAI
daemon@ATHENA.MIT.EDU (Patrick Hinsberger)
Wed Feb 2 16:36:32 2000
Message-Id: <NCBBKILKCLKFNGMAOHPDCEHICOAA.P.Hinsberger@globus.net>
Date: Wed, 2 Feb 2000 09:29:31 +0100
Reply-To: Patrick Hinsberger <P.Hinsberger@GLOBUS.NET>
From: Patrick Hinsberger <P.Hinsberger@GLOBUS.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I tried the same with NAI (4.025 Engine AND DAT 4061) and it seems that
the exploit works ;-()
But I was in a hurry; I will test it again.
Hinse
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM] On Behalf Of Russ
Johnson
Sent: Tuesday, 1 February 2000 01:25
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Bypass Virus Checking
I'm using NAV 5.02.00 with all updates and the latest definitions. I have
NOT modified the preferences except to turn off the weekly scan of all
files. (Such a scan is redundant to scanning files as they are executed.
This is the "Auto-Protect" feature of NAV.)
Running the executable "virusexploit0100.exe" caused NAV to alert. It saw
the virus signature and denied access to the file. It did this from memory,
not from a directory. If normal scanning (Auto-Protect) is turned on (as it
is by default) then this exploit should not work in any version of NAV that
I'm familiar with, versions 3.0 for Windows 95 and up.
Russ