[35305] in bugtraq
RE: Multiple Antivirus Scanners DoS attack.
daemon@ATHENA.MIT.EDU (Messer, Jon)
Tue Jun 15 14:51:49 2004
Message-ID: <B2CC0E0F2C10D511B86600B0D06898420B318ABB@NETSRVR1.pelco.org>
From: "Messer, Jon" <JMesser@pelco.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Mon, 14 Jun 2004 15:28:32 -0700
MIME-Version: 1.0
Content-Type: text/plain
Symantec AV Corporate version 8 doesn't seem to be affected. I scanned the
blackhole.zip file and SAV corp v8 blew right through all levels of the
compression and found and quarantined the EICAR test strings.
-----Original Message-----
From: Ethy H. Brito [mailto:ethy@inexo.com.br]
Sent: Monday, June 14, 2004 10:48 AM
To: bugtraq@securityfocus.com
Subject: Re: Multiple Antivirus Scanners DoS attack.
On Mon, 14 Jun 2004 14:38:50 +0000
"bipin gautam" <visitbipin@hotmail.com> wrote:
> Multiple Antivirus Scanners DoS attack.
>
> --- [Vulnerable Products] ---
> Only tested on...
>
> * Norton Antivirus 2002
> * Norton Antivirus 2003
> * McAfee VirusScan 6
> * Network Associates (McAfee) VirusScan Enterprise 7.1
> * Windows XP default ZIP manager [reports wrong size of compressed ZIP
> files.]
Linux uvscan scan engine 4.3.20 (McAfee) is also vulnerable.
uvscan takes all CPU and lots of memory, being killed only with signal 9 from
another terminal.
from 'top':
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
1306 nobody 15 0 22744 21M 1648 R 97.4 35.6 0:44 0 uvscan
nobody@babalu:/usr/local/uvscan# ./uvscan -v -r --analyze --unzip BlackHole.zip
Scanning BlackHole.zip
Scanning file BlackHole.zip
Scanning file BlackHole.zip/~.BZ2
..... stalls here .....
--
Ethy H. Brito /"\
InterNexo Ltda. \ / CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860 X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil / \
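
The stall reported in this thread (a scanner consuming CPU and memory while unpacking nested compressed layers) is commonly contained by capping nesting depth and total decompressed output before content reaches the scan engine. The sketch below is an added example, not code from any poster or vendor in the thread; MAX_DEPTH, MAX_OUTPUT and all function names are assumptions, and make_sample builds a constructed test input.

```python
import bz2
import io
import zipfile

MAX_DEPTH = 4                  # assumed limit on container nesting
MAX_OUTPUT = 4 * 1024 * 1024   # assumed budget of decompressed bytes per scan
CHUNK = 64 * 1024

class LimitExceeded(Exception):
    """The archive needs more depth or output than the scan allows."""

def read_bounded(stream, budget):
    """Drain a decompressing stream in chunks, charging each chunk to the budget."""
    out = bytearray()
    while chunk := stream.read(CHUNK):
        budget[0] -= len(chunk)
        if budget[0] < 0:
            raise LimitExceeded("decompressed output exceeds budget")
        out += chunk
    return bytes(out)

def leaves(data, depth=0, budget=None):
    """Return the innermost payloads of nested ZIP/BZ2 data, or raise LimitExceeded."""
    budget = [MAX_OUTPUT] if budget is None else budget   # shared across all layers
    is_zip, is_bz2 = data[:4] == b"PK\x03\x04", data[:3] == b"BZh"
    if not (is_zip or is_bz2):
        return [data]                      # not a container: hand to the scanner
    if depth >= MAX_DEPTH:
        raise LimitExceeded("nesting deeper than MAX_DEPTH")
    if is_bz2:
        return leaves(read_bounded(bz2.BZ2File(io.BytesIO(data)), budget), depth + 1, budget)
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                inner = read_bounded(member, budget)
            found += leaves(inner, depth + 1, budget)
    return found

def make_sample(payload, levels):
    """Constructed test input: payload wrapped in bz2, then in `levels` ZIP layers."""
    blob, name = bz2.compress(payload), "inner.bz2"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), "inner.zip"
    return blob
```

A caller treats LimitExceeded as a verdict of its own (reject or quarantine unscanned) rather than retrying with larger limits.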