[Avcheck] Re: a way to circumvent checks by AVP

Juri Haberland haberland@altus.de
Thu, 25 Jul 2002 16:38:02 +0200


Michael Tokarev wrote:
> Juri Haberland wrote:

>> If you like, I can send you a eicar.com to your mjt@tls address.
> 
> Juri, this is a brilliant idea!  Please do it.
> 
> But please wait.  Eicar.com?  In .rtf?  What for?  This combo should
> NOT be detected.  Just like eicar.com inserted into a plaintext email.
> There was some discussion about this very issue: as stated in the eicar.msg
> file in the avcheck distro, avp will detect eicar ONLY when it is an
> application/octet-stream, and ONLY with a .com extension.  There may
> be different opinions about whether this is right or not.
> 
> What IS interesting is - if it is possible to insert some .exe into
> .rtf, or embed some evil macro code into .rtf (yes, yes, I know that
> rtf can't store macros of any kind directly, but many winword viruses,
> once they have infected your normal.dot, will not allow you to save any
> document as rtf - it will have the .rtf extension but the format will be
> as in .doc).  And I think *this* sort of thing WILL be detected.

Hmm, ok, so I need a real infected .exe file. Maybe I can dig one out.

> And what may be done to test this is - get an infected .doc somewhere,
> rename it to be .rtf (just rename, not open+save as), and insert it
> into an email message.  This variant should be detected by all virus
> scanners, I think.

I'll go hunting for some real viruses.

Thanks,
Juri

-- 
  If each of us has one object, and we exchange them,
     then each of us still has one object.
  If each of us has one idea,   and we exchange them,
     then each of us now has two ideas.
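The three test mails the thread talks about (eicar.com as an application/octet-stream attachment, the EICAR string wrapped in an .rtf attachment, and the string pasted into a plaintext body), built with Python's standard email library so that an admin can feed them to a mail scanner and see which variant is reported. This is an added example, not code from avcheck or from AVP; the detection rule it models is only the one Michael describes in the thread (octet-stream plus a .com filename), not anything from AVP's documentation, and the addresses and the minimal RTF wrapper are constructed for the example.

```python
"""Construct EICAR test mails and list what a content scanner sees per MIME part.

Added example for the avcheck thread above; it assumes nothing about avcheck's
or AVP's own interfaces.  The "AVP rule" below is the behaviour described in
the thread (EICAR reported only as application/octet-stream with a .com name).
"""
import email
from email.message import EmailMessage
from email.policy import default

# The official EICAR test string (68 bytes).  Split into two literals so that
# this source file is not itself a valid EICAR test file; it is joined at run
# time when a test mail is built.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + "ANTIVIRUS-TEST-FILE!$H+H*"

VARIANTS = ("octet", "rtf", "inline")


def build_test_mail(variant: str) -> bytes:
    """Return a serialised RFC 5322 message for one of the thread's variants.

    octet  - eicar.com attached as application/octet-stream (the case the
             thread says AVP detects)
    rtf    - EICAR string inside a minimal RTF document attached as .rtf
    inline - EICAR string pasted into the plaintext body
    Addresses are constructed placeholders.
    """
    if variant not in VARIANTS:
        raise ValueError(f"unknown variant {variant!r}")
    msg = EmailMessage(policy=default)
    msg["From"] = "tester@example.invalid"
    msg["To"] = "scanner@example.invalid"
    msg["Subject"] = f"avcheck test: {variant}"

    body = "EICAR test message, see attachment."
    if variant == "inline":
        body = "EICAR inline:\n" + EICAR
    msg.set_content(body)

    if variant == "octet":
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    elif variant == "rtf":
        # Minimal RTF wrapper (constructed); the test string sits in the body.
        rtf = ("{\\rtf1\\ansi " + EICAR + "}").encode("ascii")
        msg.add_attachment(rtf, maintype="application",
                           subtype="rtf", filename="eicar.rtf")
    return msg.as_bytes()


def describe_parts(raw: bytes) -> list[dict]:
    """Parse a serialised mail and record, per leaf part, the declared
    Content-Type, the attachment filename (if any) and whether the decoded
    payload contains the EICAR string."""
    msg = email.message_from_bytes(raw, policy=default)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        records.append({
            "content_type": part.get_content_type(),
            "filename": part.get_filename(),
            "eicar_present": EICAR.encode("ascii") in payload,
        })
    return records


def avp_rule_would_flag(record: dict) -> bool:
    """The rule as described in the thread: report EICAR only for an
    application/octet-stream part whose filename ends in .com."""
    name = (record["filename"] or "").lower()
    return (record["eicar_present"]
            and record["content_type"] == "application/octet-stream"
            and name.endswith(".com"))


def flagged_variants() -> dict[str, bool]:
    """Which of the three test mails the described rule would report."""
    return {v: any(avp_rule_would_flag(r) for r in describe_parts(build_test_mail(v)))
            for v in VARIANTS}


if __name__ == "__main__":
    for variant in VARIANTS:
        print(variant)
        for rec in describe_parts(build_test_mail(variant)):
            print("   ", rec)
    print(flagged_variants())
```

Running the script prints one record per MIME part of each variant; only the octet-stream eicar.com attachment satisfies the rule from the thread, while the .rtf and inline variants carry the same bytes but are not reported under that rule. To test a real scanner, pipe `build_test_mail(...)` output into whatever delivery path the scanner sits on and compare its verdicts with `flagged_variants()`.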