Hello,

the ".." bug and how it can be exploited is quite old, so I was wondering why the newer packer programs still have it. :-(

Network Associates ( http://www.nai.com ) found a virus in mid-2000 called "Bat/Winrip", which uses such a way to replicate. After the virus had been found by the German NAI office, some warnings were sent out both to other AV companies and to developers of packer programs. But it seems that only a few people have taken steps against this issue in their programs.

The most interesting issue in this virus was that it was able to replicate using the extraction routine of a virus scanner: some scanners still extract every file of an archive to disk first (e.g. to C:\TEMP) and after this, they look for a virus inside this unzipped file. Some virus scanners used external unpackers or special DLL routines for doing this - both using the full path and accepting ".." or "\". This should have changed by now - some still extract the files first (which is relatively slow, so scanning everything in memory is more effective), but usually using a random file name and/or ignoring path statements, as far as I know.

The trick of the WinRip virus was to drop itself into the autostart folder: "\winnt\profiles\default user\start menu\programs\startup\winrip.bat". After a reboot (and if this was really the 'correct' folder!) the virus could activate...

I can remember this virus very well, since I've written a longer article about this virus and the security-related issue for the PC-WELT magazine in German ( http://www.pcwelt.de/ratgeber/online/15968/ ).

cheers,
Andreas Marx
AV-Test.org - Tests of Anti-Virus Programs

--
Andreas Marx, amarx@gega-it.de, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
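The extraction weakness described in the post, turned into a defensive check as an added example (not part of the original message or of any product it names): a small Python extractor that rejects archive entry names containing "..", backslash-absolute or drive-letter paths, and additionally verifies that the resolved target stays inside the destination directory. The sample archive is constructed in memory; the entry names are assumed, modelled on the autostart path quoted above.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one benign entry plus three entries of the kind
# the post describes (".." traversal, a backslash absolute path, a drive path).
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"harmless\n",
    "../../winrip.bat": b"@echo off\n",
    "\\winnt\\profiles\\default user\\start menu\\programs\\startup\\winrip.bat": b"@echo off\n",
    "C:\\temp\\payload.txt": b"x\n",
}


def build_sample_zip() -> bytes:
    """Write the constructed entries into an in-memory ZIP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_unsafe_entry(name: str) -> bool:
    """True if an entry name could escape the extraction directory.

    Both separators are normalised first, because an unpacker that honours
    "\\" on Windows would otherwise treat "..\\x" differently from "../x".
    """
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True  # absolute path or drive-letter path
    return ".." in norm.split("/") or "\0" in norm


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Extract only entries that stay inside dest; return (extracted, rejected)."""
    dest_real = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename.replace("\\", "/")))
            # Name-based check first, then a second check on the resolved path.
            if is_unsafe_entry(info.filename) or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> tuple:
    """Run the checker over the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)
```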
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 20:26:06 PDT