RE: Bypass Virus Checking

I tried the same with NAI (4.025 Engine AND DAT 4061) – and it seems that the exploit works ;-()

But I was in a hurry – I will test it again…

Hinse

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of Russ Johnson
Sent: Tuesday, 1 February 2000 01:25
To: BUGTRAQat_private
Subject: Re: Bypass Virus Checking

I'm using NAV 5.02.00 with all updates and the latest definitions. I have NOT modified the preferences except to turn off the weekly scan of all files. (Such a scan is redundant to scanning files as they are executed. This is the "Auto-Protect" feature of NAV.)

Running the executable "virusexploit0100.exe" caused NAV to alert. It saw the virus signature and denied access to the file. It did this from memory, not from a directory. If normal scanning (Auto-Protect) is turned on (as it is by default) then this exploit should not work in any version of NAV that I'm familiar with, versions 3.0 for Windows 95 and up.

Russ
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:07 PDT