[20280] in bugtraq
Re: Double clicking on innocent looking files may be dangerous
daemon@ATHENA.MIT.EDU (Michael Wojcik)
Wed Apr 18 02:56:14 2001
Message-ID: <27B17B8B25A3D411B45800805FA7F01CB08444@mtvmail.merant.com>
Date: Tue, 17 Apr 2001 10:37:21 -0700
Reply-To: Michael Wojcik <Michael.Wojcik@MERANT.COM>
From: Michael Wojcik <Michael.Wojcik@MERANT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> From: Vittal Aithal [mailto:vittal.aithal@UK.ION-GLOBAL.COM]
> Sent: Tuesday, April 17, 2001 4:11 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> A possible workaround is to add a pattern match in your desktop anti-virus
> software to pick up on such extensions. For instance, adding
> {????????-????-????-????-????????????} as an executable extension in
> Sophos Anti-Virus 3.43 scans such files.

Confirmed (using the EICAR test string) that adding the extension "{?*" to
the program file extension list in Symantec Norton Antivirus 5.00.01C
running on Win95 causes it to scan files with class ID extensions. (NAV 5.0
only allows three characters in the extension list, but I expect most people
don't have very many files with extensions that begin with "{" anyway, so
scanning them shouldn't be a problem.)

I also noted in passing that NAV 5.0 apparently does not have HTA in the
extension list, so add that one while you're at it. NAV may not detect any
known HTA-carried malware yet, but I assume it's possible to use HTA to
transport various payloads, and it is an executable type after all.

I suspect we're approaching the point where it makes no sense to have an
executable extension list anyway, and desktop antivirus products will just
scan all files.

Michael Wojcik michael.wojcik@merant.com
MERANT
Department of English, Miami University
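
Added example, not part of the original message or of either antivirus product: a small Python check that applies the two wildcard patterns quoted in the thread to a file's final extension, alongside a stricter hex-only class ID test and the HTA extension. The function names, tag names, the stricter regex and the sample file names are assumptions of this example; the all-zero class ID is a constructed placeholder.

```python
import fnmatch
import re

# Wildcard patterns quoted in the thread, applied to the final extension.
SOPHOS_PATTERN = "{????????-????-????-????-????????????}"
NAV_PATTERN = "{?*"

# Stricter check (assumption of this example): hex digits only.
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE
)


def final_extension(path):
    """Return the text after the last dot of the file name, or ''."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Win32 ignores trailing dots and spaces in file names, so drop them
    # before looking for the extension.
    name = name.rstrip(" .")
    return name.rsplit(".", 1)[1] if "." in name else ""


def classify(path):
    """Return a sorted list of tags saying why a file should be scanned."""
    ext = final_extension(path)
    tags = set()
    if fnmatch.fnmatchcase(ext, SOPHOS_PATTERN):
        tags.add("clsid-wildcard")
    if CLSID_RE.fullmatch(ext):
        tags.add("clsid-strict")
    if fnmatch.fnmatchcase(ext, NAV_PATTERN):
        tags.add("nav-prefix")
    if ext.lower() == "hta":
        tags.add("hta")
    return sorted(tags)


if __name__ == "__main__":
    # Constructed sample names; the class ID is an all-zero placeholder.
    samples = [
        "readme.txt.{00000000-0000-0000-0000-000000000000}",
        "notes.{draft}",
        "setup.HTA",
        "report.doc",
    ]
    for sample in samples:
        print(f"{sample!r}: {classify(sample) or 'not flagged'}")
```

The short "{?*" pattern also tags names such as "notes.{draft}", which is the broader coverage the message accepts in exchange for fitting the three-character limit.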