[Avcheck] Re: a way to circumvent checks by AVP

Michael Tokarev mjt@tls.msk.ru
Thu, 25 Jul 2002 18:24:08 +0400


Juri Haberland wrote:
> 
> Michael Tokarev wrote:
> > Juri Haberland wrote:
> 
> >> Maybe someone can check this with other AV-scanners like Dr.Web or Sophos.
> >
> > Oh well.  No single outlook/outlook express here.  On more than
> > 40 machines with windoze (mine runs linux).  I really missed this
> > good program, how very bad... ;)
> 
> If you like, I can send you a eicar.com to your mjt@tls address.

Juri, this is a brilliant idea!  Please do it.

But please wait.  Eicar.com?  In .rtf?  What for?  This combo should
NOT be detected.  Just like eicar.com inserted into a plaintext email.
There were some discussions about this very issue: as stated in the eicar.msg
file in the avcheck distro, avp will detect eicar ONLY when it is an
application/octet-stream, and ONLY with a .com extension.  There may
be different opinions about whether this is right or not.

What IS interesting is whether it is possible to insert some .exe into
.rtf, or embed some evil macro code into .rtf (yes, yes, I know that
rtf can't store macros of any kind directly, but many winword viruses,
once they have infected your normal.dot, will not allow you to save any
document as rtf - it will have the .rtf extension but the format will be
as in .doc).  And I think *this* sort of thing WILL be detected.

And what may be done to test this is: get an infected .doc somewhere,
rename it to .rtf (just rename, not open+save as), and insert it
into an email message.  This variant should be detected by all virus
scanners, I think.

/mjt
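An added example, not code from the avcheck distribution or from anyone in this thread: a Python script that builds the three test messages mjt describes (eicar.com inline in plain text, eicar.com as an application/octet-stream attachment, and an OLE2 ".doc" renamed to .rtf next to a genuine .rtf), then walks each MIME part and classifies the payload by its leading bytes instead of by its filename or declared Content-Type. It also encodes, as a plain predicate, the rule mjt attributes to avp (EICAR detected only as application/octet-stream with a .com name) so a harness can say "this variant is one avp is said to skip"; that rule is taken from the message, not verified here. The addresses, the stand-in OLE2 and RTF bodies, and the function names are assumptions. The EICAR string is the published one, split across two literals so that the source file itself does not contain the contiguous signature; it is only ever assembled in memory and never written to disk.

```python
"""Build avcheck-style test messages and classify attachments by content.

Added example for the avcheck thread; not part of the avcheck distribution.
Everything is kept in memory so no test file ever touches disk.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Published EICAR test string, split in two so the contiguous signature is
# not present in this source file (an on-access scanner would otherwise
# quarantine the script itself). Joined only in memory.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")

# Leading bytes of an OLE2 compound document, which is what a Word .doc
# really starts with (assumed constant, checked against the OLE2 spec).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed stand-ins: a ".doc" that is really OLE2, and a real RTF body.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 56 + b"[constructed .doc body]"
REAL_RTF = b"{\\rtf1\\ansi [constructed rtf body]}"


def build_message(inline_text=None, attachments=()):
    """Return raw RFC 5322 bytes.  attachments: (filename, maintype,
    subtype, payload) tuples.  Addresses are assumed placeholders."""
    msg = EmailMessage()
    msg["From"] = "tester@example.invalid"
    msg["To"] = "scanner@example.invalid"
    msg["Subject"] = "avcheck test"
    msg.set_content(inline_text if inline_text is not None else "see attachment")
    for name, maintype, subtype, payload in attachments:
        msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                           filename=name)
    return msg.as_bytes()


def sniff(payload: bytes) -> str:
    """Classify a decoded part by its bytes, ignoring name and MIME type."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2"        # Word .doc format, whatever the file is called
    if payload.startswith(b"{\\rtf"):
        return "rtf"
    if EICAR in payload:
        return "eicar"
    return "unknown"


def avp_rule(filename, content_type, kind) -> bool:
    """The detection condition mjt attributes to avp: EICAR is flagged only
    as application/octet-stream with a .com extension.  Encoded from the
    message, not verified against avp."""
    ext = filename.rsplit(".", 1)[-1].lower() if filename and "." in filename else ""
    return kind == "eicar" and content_type == "application/octet-stream" and ext == "com"


def audit(raw: bytes):
    """Walk every leaf part and report what it claims to be versus what it is.

    renamed_doc is the case the thread proposes: .rtf name, OLE2 content.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        kind = sniff(payload)
        ext = name.rsplit(".", 1)[-1].lower() if name and "." in name else ""
        findings.append({
            "filename": name,
            "content_type": ctype,
            "sniffed": kind,
            "renamed_doc": ext == "rtf" and kind == "ole2",
            "avp_rule": avp_rule(name, ctype, kind),
        })
    return findings


if __name__ == "__main__":
    cases = {
        "eicar inline in text/plain": build_message(inline_text=EICAR.decode("ascii")),
        "eicar.com as octet-stream": build_message(
            attachments=[("eicar.com", "application", "octet-stream", EICAR)]),
        "renamed .doc plus real .rtf": build_message(
            attachments=[("infected.rtf", "application", "rtf", FAKE_DOC),
                         ("real.rtf", "application", "rtf", REAL_RTF)]),
    }
    for label, raw in cases.items():
        print(label)
        for f in audit(raw):
            print("   ", f)
```

The `renamed_doc` flag is the check a scanner (or a test harness) actually needs: it is driven by the OLE2 magic, so the "just rename, not open+save as" variant is reported as a Word document no matter what extension or Content-Type the sender put on it. The `avp_rule` field only restates the behaviour described in the thread so the three variants can be compared against it.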