Re: I was just Eicar test virus testing, when.....
Hi Nick! In message mid:20021018120126.4F21.ANDRIASH;shaw.ca on Friday, October 18, 2002, 2:07:25 PM, you wrote:

http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

NA Thanks Marcus... I have read the article, but I still remain skeptical.
NA Why? Because if that were true, the entire Computing World would be up in
NA arms about it. Anti-Virus Software Companies would be scrambling to
NA produce Programs that would automatically delete all *.zip files if simply
NA opening an archive to view the contents would in itself unleash the virus.

Read the article more carefully -- first, simply viewing the list of files in the archive is ok. The problem comes when extracting the files. Second, it applies only to Microsoft's uncompression code, not to third party code, such as you would find in antivirus programs, or third-party archive utilities. Third, the fix is already available via WindowsUpdate for WinME and WinXP (it doesn't mention it for XP, but I checked and my system is patched already), so anyone who is on the internet and has their system set up properly (hint, hint) has the fix already.

--
--Scott. mailto:Wizard;local.nu
Using The Bat! 1.61 under Windows XP 5.1 Build 2600 on an AMD Athlon XP 1900 (1.6G real, 1.9G effective) with 512MB.

Current version is 1.61 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, October 18, 2002, Carren Stuart wrote...

JA The virus doesn't exist inside the archive... it is the archive
JA ;)

But if this is the case then surely that would mean that the moment you unzip the archive, the virus is executed? I don't get it?

That is why virus scanners actually scan the archive... whilst some scan both the archive file itself (.zip) AND the content. You did get it right :)

- --
Jonathan Angliss ([EMAIL PROTECTED])

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt

iQA/AwUBPbAXUyuD6BT4/R9zEQK9EgCfUxe0E6IhKd29j5wKWrUEeRzOW4AAoM4m
xjzAEejv9qF9ghY9mF0rAcDO
=AYSN
-----END PGP SIGNATURE-----
Re: I was just Eicar test virus testing, when.....
Hello Marcus Ohlström,

On Friday, October 18 2002 at 12:43 AM PDT, you wrote:

I have never heard of a *.zip file that was itself a virus. Is that what you are referring to, and if so can you point to some documentation that explains how they do it or how it works?

http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

Thanks Marcus... I have read the article, but I still remain skeptical. Why? Because if that were true, the entire Computing World would be up in arms about it. Anti-Virus Software Companies would be scrambling to produce Programs that would automatically delete all *.zip files if simply opening an archive to view the contents would in itself unleash the virus.

Think of all the hundreds of thousands... or millions... of *.zip files that are being opened each and every day. That presents a tremendous opportunity for virus makers, yet one never hears of such exploits. It must not be a very popular exploit... either that or there is more to unleashing the virus than simply opening a ZIP file.

--
Nick Andriash
Creston, B.C. Canada
PGP Public Key: MailTo:andriash;shaw.ca?subject=PGPKey
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, October 18, 2002, Nick Andriash wrote...

I have never heard of a *.zip file that was itself a virus. Is that what you are referring to, and if so can you point to some documentation that explains how they do it or how it works?

http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

Thanks Marcus... I have read the article, but I still remain skeptical. Why? Because if that were true, the entire Computing World would be up in arms about it. Anti-Virus Software Companies would be scrambling to produce Programs that would automatically delete all *.zip files if simply opening an archive to view the contents would in itself unleash the virus.

I think you're misunderstanding how the scanning of a zip file works. It doesn't run, say, WinZip, then open the file, then scan it. It does it in a certain order. It locks the file and runs a signature check. Basically it scans the archive file itself (NOT CONTENT YET) to see if it matches a fingerprint of a virus. If it does, then alert the user. If it doesn't, and the AV software supports it, run an internal extraction utility to extract the files to a temporary location, then scan the content. At no point in the process does it attempt to 'run' the file. Only after it has passed the first scan does it attempt to 'open' it.

Think of all the hundreds of thousands... or millions... of *.zip files that are being opened each and every day. That presents a tremendous opportunity for virus makers, yet one never hears of such exploits. It must not be a very popular exploit... either that or there is more to unleashing the virus than simply opening a ZIP file.

You don't often hear about Word97 macro viruses any more either, but they still exist, and I get regular notifications of them flying about. The reason you tend not to hear about them is because they require a little user interaction to get them to work... i.e. the user has to open it. Whereas take Klez for example, you didn't even have to touch the attached files, it did everything on its own. I think the people that write viruses aren't too worried about certain methods any more. With the increasing popularity of computers and the Internet, email is the quickest way to spread a virus; you cannot hit most of the world in a file that requires you to manually send it on, or copy it to a floppy disk ;)

The really sad thing is most virus creators now have lost their creativity. I used to enjoy watching out for viruses (sad eh?) purely because some of them were quite comical. Take for example Pregnant... it's not really destructive as such, but some of the messages it gives you are amusing... same with Cookie Monster as well... ever seen somebody try feeding the Cookie Monster cookies every 3 seconds? ;) Now creativity is limited to trying to work out how to make 30 different random subjects in really bad English.

- --
Jonathan Angliss ([EMAIL PROTECTED])

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt

iQA/AwUBPbBiWyuD6BT4/R9zEQK8FQCdHwrboz3hrVlJSj3yS4n/59Ktnm8An3Pt
mzzhBkcbAj98B5cCDyOHcjOa
=pz3V
-----END PGP SIGNATURE-----
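As an added example (not code from the thread, from NOD32, or from any named product), the scanning order Jonathan describes above written out in Python: fingerprint the container bytes first, then open the archive with the scanner's own reader and scan each member in memory, recursing into nested archives with a depth limit and a size guard, and never executing anything or writing it to disk. The nested test archives (eicar.com inside eicar_com.zip inside eicarcom2.zip, named after the usual EICAR downloads) are constructed inside the block; the EICAR-only signature, the depth limit and the member-size limit are assumptions chosen for illustration.

```python
"""Archive scanning in the order described in the thread: fingerprint the
archive file itself first, then open it with the scanner's own reader and
scan each member in memory, recursing into nested archives. Nothing is
executed and nothing is written to disk. Added example, not NOD32 code."""
import io
import zipfile

# The EICAR signature, split in two literals so this source file is not itself
# flagged by scanners that match the string anywhere in a file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

MAX_DEPTH = 5               # nested-archive limit (assumed; eicarcom2.zip is depth 2)
MAX_MEMBER_BYTES = 8 << 20  # refuse to inflate anything larger (assumed zip-bomb guard)


def is_eicar_file(data: bytes) -> bool:
    """EICAR's own rule: the file starts with the 68-byte string, is at most
    128 bytes long, and has only whitespace after the string."""
    return (len(data) <= 128 and data.startswith(EICAR)
            and data[len(EICAR):].strip() == b"")


def raw_signature_scan(data: bytes) -> bool:
    """Step 1: fingerprint the container bytes without parsing them. A stored
    (uncompressed) member is visible here; a deflated one normally is not."""
    return EICAR in data


def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return outermost-first paths of detected objects, e.g.
    'eicarcom2.zip/eicar_com.zip/eicar.com'. Members are read in memory only."""
    if is_eicar_file(data):
        return [name]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    # Step 2: the scanner's own extraction, not the user's archive utility.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(f"{name}/{info.filename} (skipped: too large)")
                continue
            member = zf.read(info)  # bytes in memory, never run, never written
            hits.extend(scan_blob(f"{name}/{info.filename}", member, depth + 1))
    return hits


def scan_archive(name: str, data: bytes) -> dict:
    """Full procedure: raw fingerprint of the container, then content scan."""
    return {"raw_hit": raw_signature_scan(data),
            "content_hits": scan_blob(name, data)}


def build_nested_test_archives() -> dict:
    """Constructed sample input: eicar.com zipped once (eicar_com.zip) and
    that zip zipped again (eicarcom2.zip), plus a stored (uncompressed) copy."""
    def zipped(member_name: str, member: bytes, method: int) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=method) as zf:
            zf.writestr(member_name, member)
        return buf.getvalue()

    stored = zipped("eicar.com", EICAR, zipfile.ZIP_STORED)
    deflated = zipped("eicar.com", EICAR, zipfile.ZIP_DEFLATED)
    nested = zipped("eicar_com.zip", deflated, zipfile.ZIP_DEFLATED)
    return {"stored.zip": stored, "eicar_com.zip": deflated, "eicarcom2.zip": nested}


if __name__ == "__main__":
    for fname, blob in build_nested_test_archives().items():
        print(fname, scan_archive(fname, blob))
```

The raw fingerprint on its own only catches a member that was stored rather than deflated, which is why the second step (the scanner's own in-memory extraction) is the one that finds eicar.com two archives deep; the depth and size limits are what keep that step from being turned against the scanner by a deeply nested or highly compressible archive.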
Re[2]: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Friday, October 18, 2002 4:04:09 PM
RE: I was just Eicar test virus testing, when.

Greetings Nick,

On Friday, October 18, 2002, 3:07:25 PM, you wrote:

NA Think of all the hundreds of thousands... or millions... of *.zip files
NA that are being opened each and every day. That presents a tremendous
NA opportunity for virus makers, yet one never hears of such exploits.

Do the words "Not yet?" mean anything? As virus programmers develop and utilize new technology every day, I am positively sure that there will come the day when a zip header will be used to execute a file within the zip that will further contaminate a system based on simply opening the archive. This will also hold true for .rar archives, .ace archives, .pak archives and, very easily, .cab archives. As we progress with the daily virus technology I see it not long in coming.

I progress in statement, regress in thread and therefore foresee my answer becoming off topic and being informed to take it offlist or to tbot by the moderator.

- --
Regards,
DG Raftery Sr.
It's not a bug; it's an undocumented feature.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 6.0

iQA/AwUBPbBrgmGmTEg4iItaEQLcqwCguNwrrtvBP5rcc6aFlNzxnh1gPLUAnjCB
is5LNYRlkzFIIDVNNwM6b2Ky
=AgH+
-----END PGP SIGNATURE-----
I was just Eicar test virus testing, when.....
I think I found a weakness in NOD32 pop3 scanning. At the moment, I'm running pop3 scanning and AVG with the plug-in. I thought I'd give this little set-up a test run. So:

1. I sent the test file as a notepad attachment using another of my e-mail addresses through e-mailanywhere.com directly to my address. I saved this sent message. Not a problem, pop3 and AVG picked up the files.

2. I then went in and forwarded the message using the e-mailanywhere. I needed to re-attach the file and again sent it to my address. This time pop3 missed it and AVG with the plug-in caught it!

On checking the log in pop3, it appears it only checked the message text in the forwarded message and not the attached file as well! Why would this happen? Has anyone else experienced this? Have I got something wrong in the set-up? Open to suggestions, as very confused!

Cheers,
Chris Weaven

--
E-Mail - [EMAIL PROTECTED]
Created Using The Bat! V1.61 and Virus Checked by NOD32 AVG.
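An added example, not NOD32's or The Bat!'s code, of the difference Chris's log shows between checking only the message text and checking every MIME part of a forwarded message. It constructs a message with an EICAR attachment, forwards it as a message/rfc822 attachment with a fresh text body, and runs both kinds of scan over the result. The addresses are made up, the detection is the EICAR check only, and archive recursion is left out here.

```python
"""Scan every MIME part of a message, not only the text body. Added example,
not the code of any scanner named in the thread. Builds a forwarded message
carrying an EICAR attachment (constructed here) and compares a text-only scan
with a scan that walks every part, including the attachments nested inside a
forwarded message/rfc822 part."""
import email
from email import policy
from email.message import EmailMessage

# EICAR signature, split in two literals so this source file is not itself
# flagged by scanners that match the string anywhere in a file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def is_eicar_file(data: bytes) -> bool:
    """EICAR's rule: starts with the 68-byte string, at most 128 bytes,
    nothing but whitespace after it."""
    return (len(data) <= 128 and data.startswith(EICAR)
            and data[len(EICAR):].strip() == b"")


def scan_text_only(raw: bytes) -> list:
    """The failure mode in the thread: only the message text is checked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().encode() if body is not None else b""
    return ["message text"] if is_eicar_file(text) else []


def scan_all_parts(raw: bytes) -> list:
    """Walk every leaf part. walk() descends into message/rfc822 parts, so a
    forwarded message's own attachments are reached. Returns hit labels."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():           # container, not content
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        if is_eicar_file(payload):
            hits.append(part.get_filename() or part.get_content_type())
    return hits


def build_forwarded_message() -> bytes:
    """Constructed sample: a message with eicar.com attached, then forwarded
    as a message/rfc822 attachment under a new text body (addresses made up)."""
    inner = EmailMessage()
    inner["From"] = "a@example.test"
    inner["To"] = "b@example.test"
    inner["Subject"] = "EICAR test"
    inner.set_content("first send")
    inner.add_attachment(EICAR, maintype="application",
                         subtype="octet-stream", filename="eicar.com")
    outer = EmailMessage()
    outer["From"] = "b@example.test"
    outer["To"] = "c@example.test"
    outer["Subject"] = "Fwd: EICAR test"
    outer.set_content("forwarding the test message")
    outer.add_attachment(inner)       # becomes a message/rfc822 part
    return outer.as_bytes()


if __name__ == "__main__":
    raw = build_forwarded_message()
    print("text only :", scan_text_only(raw))
    print("all parts :", scan_all_parts(raw))
```

The text-only scan returns nothing for the forwarded message, which is the behaviour the log describes; walking the parts finds eicar.com one level down inside the forwarded message. A mail scanner that stops at the first text part, or that does not descend into message/rfc822, misses exactly this case.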
Re: I was just Eicar test virus testing, when.....
On Thursday, October 17, 2002, Chris Weaven wrote in mid:1527670089.20021017154635;Surfcity.net:

CW I think I found a weakness in NOD32 pop3 scanning.

Hmmm... This is troubling.

I downloaded the most fully nested EICAR test file. When NOD32 scanned it after GetRight pulled it in, it came up positive. I then emailed it from one account to another as an attachment. (My attachments are kept within the message envelope.) I also took that sent message (from the sent folder) and forwarded it to the same other address.

Both messages came in fine and lodged in my Inbox, despite the fact that I have the NOD32 BAV active. When I scanned the Inbox Windows folder from Explorer with NOD32, there was no positive hit, either.

Just to be sure that the attached ZIP files remained active and were not cleaned by the first scanning, on download, I extracted them from the messages and scanned each one. They came up positive on the NOD32 scanner, but neither one had a problem being saved as a separate file, although all AMON options are enabled.

As I said, this is troubling. Anyone have a compelling explanation for this behavior?

--
JN
Re: I was just Eicar test virus testing, when.....
Hi Joseph,

On Thursday, October 17, 2002 19:54 your local time, which was 17:54 my local time, Joseph N. [JN] wrote;

JN I downloaded the most fully nested EICAR test file. When NOD32
JN scanned it after GetRight pulled it in, it came up positive. I then
JN emailed it from one account to another as an attachment. (My
JN attachments are kept within the message envelope.) I also took that
JN sent message (from the sent folder) and forwarded it to the same
JN other address.

JN Both messages came in fine and lodged in my Inbox, despite the fact
JN that I have the NOD32 BAV active. When I scanned the Inbox Windows
JN folder from Explorer with NOD32, there was no positive hit, either.

JN Just to be sure that the attached ZIP files remained active and were
JN not cleaned by the first scanning, on download, I extracted them from
JN the messages and scanned each one. They came up positive on the NOD32
JN scanner, but neither one had a problem being saved as a separate file,
JN although all AMON options are enabled.

JN As I said, this is troubling. Anyone have a compelling explanation
JN for this behavior?

Phew, it's not only me then! Surprises me that it even got through with the .bav plug-in! Allie sent me a mail with it on twice, once in a zip and another PGP encrypted, and both came through pop3 without a problem, but were picked up by AVG with the .bav plug-in!

Maybe it's just the Eicar file or am I being kind?

Still worrying though!

Anyone with any comments, suggestions or anything?

Chris.

--
E-Mail - [EMAIL PROTECTED]
Created Using The Bat! V1.61 and Virus Checked by NOD32 AVG.
Re: I was just Eicar test virus testing, when.....
Hi Chris! In message mid:1417360232.20021017182805;Surfcity.net on Thursday, October 17, 2002, 8:28:05 PM, you wrote:

CW Maybe it's just the Eicar file or am I being kind?

The EICAR file should always be caught, otherwise the purpose of it is defeated.

--
--Scott. mailto:Wizard;local.nu
Using The Bat! 1.61 under Windows XP 5.1 Build 2600 on an AMD Athlon XP 1900 (1.6G real, 1.9G effective) with 512MB.
Re: I was just Eicar test virus testing, when.....
In mid:1417360232.20021017182805;Surfcity.net, Chris Weaven [CW] wrote:

CW Maybe it's just the Eicar file or am I being kind?
CW Still worrying though!
CW Anyone with any comments, suggestions or anything?

I sent it to you zipped. This is why. If you try to unzip eicar.com then Amon will stop you.

--
Allie C Martin \ TB! v1.62/Beta6 WinXP Pro (SP1)
List Moderator/ PGP Key - http://pub-key.ac-martin.com
Re: I was just Eicar test virus testing, when.....
Hi Allie,

On Thursday, October 17, 2002 20:51 your local time, which was 18:51 my local time, Allie Martin wrote;

I sent it to you zipped. This is why. If you try to unzip eicar.com then Amon will stop you.

But I thought it had a function to check zipped files/compressed files?

Chris.

--
E-Mail - [EMAIL PROTECTED]
Created Using The Bat! V1.61 and Virus Checked by NOD32 AVG.
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In mid:198914835.20021017195450;qwest.net, Joseph N. [JN] wrote:

JN As I said, this is troubling. Anyone have a compelling
JN explanation for this behavior?

The thing is that neither Amon nor the incoming plugin scanner will check archives. However, the plugin immediately detects the virus when you try to open the archive. A manual scan of the archive will also detect the virus.

- --
Allie C Martin \ TB! v1.62/Beta6 WinXP Pro (SP1)
List Moderator/ PGP Key - http://pub-key.ac-martin.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-cvs (Win32) - GPGshell v2.60

iD8DBQE9r252V8nrYCsHF+IRAm/pAKCGZxouG2dG6N0VIPfMoVzydvyQPgCeIPqW
9RNckil1+HWVmFqM3QfpHJ0=
=PN/p
-----END PGP SIGNATURE-----
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In mid:18819068298.20021017185633;Surfcity.net, Chris Weaven [CW] wrote:

CW But I thought it had a function to check zipped files/compressed
CW files?

It does. Scan it manually and you'll see. Trying to open the archive from TB! also results in an archive check which will stop you from opening the archive.

- --
Allie C Martin \ TB! v1.62/Beta6 WinXP Pro (SP1)
List Moderator/ PGP Key - http://pub-key.ac-martin.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-cvs (Win32) - GPGshell v2.60

iD8DBQE9r278V8nrYCsHF+IRAmePAJwNYFH8GDPwEX62G646VlArm1UDuACg+Rrs
j9pt2hTWYOg+fhjxb5hPjfM=
=5K5t
-----END PGP SIGNATURE-----
Re[2]: I was just Eicar test virus testing, when.....
On Thursday, October 17, 2002, Allie C Martin wrote in mid:154275702148.20021017211416;landscreek.net:

The thing is that neither Amon nor the incoming plugin scanner will check archives. However, the plugin immediately detects the virus when you try to open the archive. A manual scan of the archive will also detect the virus.

Confidence restored. It would be nice, though, if there were some type of notice when trying to open the archive. All I get (with NOD32 and WinRAR 3.00) is a WinRAR window telling me that access is denied. If I didn't already know it was due to the presence of a virus, I wouldn't find out from trying to open the file.

--
JN
Re: I was just Eicar test virus testing, when.....
Hi Joseph,

On Thursday, October 17, 2002 22:27 your local time, which was 20:27 my local time, Joseph N. [JN] wrote;

JN Confidence restored. It would be nice, though, if there were some
JN type of notice when trying to open the archive. All I get (with NOD32
JN and WinRAR 3.00) is a WinRAR window telling me that access is denied.
JN If I didn't already know it was due to the presence of a virus, I
JN wouldn't find out from trying to open the file.

To go one step further, it would be a nice touch if scanners did check compressed files also. Would be a bummer if you forwarded it to someone, without even opening it, who hasn't got a virus scanner, and wham, payload dropped on their machine!

Mind you, everyone should have a virus scanner! Can you believe, on my old PC, I didn't run a virus scanner for at least a year! Wouldn't go a day now!

Chris.

--
E-Mail - [EMAIL PROTECTED]
Created Using The Bat! V1.61 and Virus Checked by NOD32 AVG.
Re[2]: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 18 October 2002 at 2:51 p.m. Allie wrote:

ACM I sent it to you zipped. This is why. If you try to unzip
ACM eicar.com then Amon will stop you.

OK, now I am interested. I have just done some playing around with the files myself out of interest and what you say above does not seem to be true, at least for me. Amon *let* me unzip both zipped files without warning me BUT when I attempted to open the unzipped files, it then gave me a warning as I would have expected. I am curious about your statement above - were you assuming that, or is that what happens for you?

I am not using the plugin by the way, not that that should make any difference.

- --
Carren
PGP public key: mailto:MyPGPkey;myrealbox.com?subject=PGP_Key_Body=Please%20send%20key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0-nr2 (Windows 98) - GPGshell v2.60

iD8DBQE9r49RyogQhPvf03MRAp+LAKCLcdbteRajyaXKLYtXsVhpvykqgQCfYr9C
vJIYg2AWZH4gIO9Vy4Nk7G4=
=oJFH
-----END PGP SIGNATURE-----
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In mid:1407572987.20021018174028;myrealbox.com, Carren Stuart [CS] wrote:

CS Amon *let* me unzip both zipped files without warning me BUT
CS when I attempted to open the unzipped files, it then gave me a
CS warning as I would have expected. I am curious about your
CS statement above - were you assuming that, or is that what
CS happens for you?

You're correct on this. The same thing happens here.

- --
Allie C Martin \ TB! v1.62/Beta6 WinXP Pro (SP1)
List Moderator/ PGP Key - http://pub-key.ac-martin.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-cvs (Win32) - GPGshell v2.60

iD8DBQE9r5GjV8nrYCsHF+IRAjXRAJ9vl5g1gB4nIU+vtHe4fq9iL3iorgCgmvib
jdutH56G/wgFmmcjP06hn/E=
=zZQ9
-----END PGP SIGNATURE-----
Re[2]: I was just Eicar test virus testing, when.....
On Thursday, October 17, 2002, Chris Weaven wrote in mid:16826186323.20021017205511;Surfcity.net:

CW To go one step further, it would be a nice touch if scanners did check
CW compressed files also.

Chris,

This may be a terminology thing, but the NOD32 scanner does check compressed archive files. The AMON real-time monitor apparently does not, but it *does* check when an infected file is extracted from a compressed archive file. So, it does seem as though all doors are being guarded, although by different sentries in different ways.

--
JN
Re: I was just Eicar test virus testing, when.....
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, October 17, 2002, Chris Weaven wrote...

To go one step further, it would be a nice touch if scanners did check compressed files also.

Some do... some don't. Some companies don't deem it necessary to waste system resources reading the contents of an archive when they really only need to do it when the contents are executed/extracted. The mail server scanning software I run scans all kinds of archives from the standard zip to sit (Mac Stuff-it files) and unix tar and gzip files.

- --
Jonathan Angliss ([EMAIL PROTECTED])

-----BEGIN PGP SIGNATURE-----
Comment: Fingerprint: 676A 1701 665B E343 E393 B8D2 2B83 E814 F8FD 1F73

iQA/AwUBPa+VZCuD6BT4/R9zEQK0PgCePZJsadx4cO9Jqq2BpTcLqEvAsgkAoPR6
ZED6/via/b62bErZTWxjOEo5
=QW+g
-----END PGP SIGNATURE-----