[13724] in bugtraq
Re: Bypass Virus Checking
daemon@ATHENA.MIT.EDU (Eric D. Williams)
Mon Feb 7 15:29:34 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <01BF6E9C.3D736730.eric@infobro.com>
Date: Thu, 3 Feb 2000 23:12:19 -0500
Reply-To: "Eric D. Williams" <eric@INFOBRO.COM>
From: "Eric D. Williams" <eric@INFOBRO.COM>
X-To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Another stab with a little more clarity ---
Hello all,
On a related topic: would it not be possible to use a similar exploit
technique, specifically concerning NAI's fine products, to establish a bogus
pagefile.sys?
For example:
Search the system for valid HD drives (C:, D:, E:, etc.) that are not removable and are RW;
use a (little better, maybe I'll post some code) paging a little at a time to
disk and decoding... to a drive without a pagefile.sys.
Now all that is left to do is to get the system to read the code, yes? Not too
difficult, considering the constant reads done to paging files. Maybe you could
even race the thing into memory??? I believe pagefile.sys and windows.swap
files are excluded by default, and AFAIK Windows NT does not 'scan' the drive
or establish a new pagefile; at boot time that is all done by the (previous)
registry configuration. Just a thought.
The InfoBro
Eric Williams, Pres.
Information Brokers, Inc.
http://www.infobro.com/
mailto:eric@infobro.com
For More Info: info@infobro.com
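The drive enumeration step the post sketches, turned around into the check a defender would run: an added example, not code from the post or from any vendor. It lists fixed (non-removable) volumes, looks for a pagefile.sys on each, and compares what it finds against the paging files the registry configures and the ones the memory manager actually has in use. A pagefile.sys sitting on a volume that is not in use as a paging file is exactly the artifact the post describes, and is worth a look. Assumptions: a modern Windows host with PowerShell 5.1 or later (CIM cmdlets); the registry location and value name are the standard NT-family ones.

```powershell
# Added example (not from the original post): find pagefile.sys files that the
# memory manager is not actually using.
# Assumes PowerShell 5.1+ with the CIM cmdlets and local admin rights for the
# registry and hidden-file reads.

# What the registry says should be a paging file. PagingFiles is REG_MULTI_SZ;
# entries look like "C:\pagefile.sys 0 0", or "?:\pagefile.sys" when the
# system manages paging automatically.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$configured = (Get-ItemProperty -Path $regPath -Name PagingFiles -ErrorAction SilentlyContinue).PagingFiles |
    ForEach-Object { ($_ -split '\s+')[0] }
$autoManaged = $configured -contains '?:\pagefile.sys'

# What the memory manager is really using right now (authoritative, also under
# automatic management). Name is the full path, e.g. "C:\pagefile.sys".
$inUse = (Get-CimInstance -ClassName Win32_PageFileUsage).Name

# DriveType 3 = local fixed disk, i.e. "not removable" as in the post.
$fixed = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3'

$report = foreach ($disk in $fixed) {
    $candidate = Join-Path $disk.DeviceID 'pagefile.sys'
    # -Force is required: pagefile.sys carries the hidden and system attributes.
    $file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
    $isInUse = $inUse -contains $candidate
    [pscustomobject]@{
        Drive       = $disk.DeviceID
        FileSystem  = $disk.FileSystem
        HasPagefile = [bool]$file
        SizeMB      = if ($file) { [math]::Round($file.Length / 1MB) } else { 0 }
        InRegistry  = $autoManaged -or ($configured -contains $candidate)
        InUse       = $isInUse
        # A pagefile.sys that exists but is not a live paging file is either a
        # leftover from an old configuration or something planted there.
        Suspicious  = [bool]$file -and -not $isInUse
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated prompt; without admin rights the registry read and the hidden-file lookup may silently come back empty and every drive will show HasPagefile = False. A Suspicious row only tells you that a file is using the pagefile's name without being one; whether a given scanner would skip it depends on that product's own exclusion list, which this script does not inspect.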