[Avcheck] Re: a way to circumvent checks by AVP

Michael Tokarev mjt@tls.msk.ru
Thu, 25 Jul 2002 19:49:33 +0400


Juri Haberland wrote:
> 
[]
> Ok, found some (have a look at http://vx.org.ua/ - lots of viruses).

;)

> Tried it with an ancient DOS boot-sector virus called Galicia.a and the
> famous new decrypt-password.exe. If attached directly to a mail it was
> found by AVP, but embedded in an RTF mail neither of the two viruses was
> detected :-(

So let me ask: *why* should those be detected inside RTF?  (btw, I don't
know how you embed an .exe into RTF.  As a "picture"?  As an OLE object?  Hmm...)
Why should those be detected when embedded into a .doc file and sent via a
normal mail agent (without that famous winmail.dat crap)?

Or, let's go the other way around:  after you embed such crap into an email,
what steps have to be taken on the receiving side to actually execute the
code and get infected?  Is it as easy as just opening a message (as with most
iframe worms on an unpatched outgluck)?  Or by double-clicking some
icon/button?  Or maybe by double-clicking on an embedded archive to
launch some .zip shell and then clicking on a file inside the archive?
I guess that some more advanced steps are needed instead...
(I hope you get the idea - it shouldn't be an easy task to get infected;
some experience will be required for this...)

> Not good, not good.
> Maybe it's time to switch to Dr.Web...

Send it to me first.  I guess DrWeb will not detect this either (who knows,
but that's my guess).  And if so, I think it will be right.

(Sending it to me may just serve as a test for DrWeb, since I
will not be able to open such attachments anyway.  At least, no
harm can be done to me on Linux... ).

/mjt
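The question raised above, how an .exe ends up inside an RTF at all, has a concrete answer a mail scanner has to deal with: an OLE "Package" object is stored in an `{\*\objdata ...}` group as hex text, and the executable is sitting inside that hex. As an added example that is not part of this thread and not code from AVP, DrWeb or any other product mentioned, the following Python script pulls every `\objdata` blob out of an RTF, decodes the hex and checks whether an MZ/PE header is present inside. The RTF document, the minimal OLE1 "Package" wrapper and the fake PE stub are all constructed here for the demo (the stub is a header only, not a working program); the parser assumes hex-encoded object data and does not handle `\bin` raw-byte runs.

```python
import re
import struct

# Constructed sample data: a fake MZ/PE stub (header only, not executable code)
# wrapped in a minimal OLE1 embedded-object header of class "Package", as it
# would appear hex-encoded inside an RTF \objdata group.
def _fake_pe_bytes() -> bytes:
    e_lfanew = 0x40                                   # offset of the "PE\0\0" signature
    return (b"MZ" + b"\x00" * (0x3c - 2)              # DOS header up to e_lfanew
            + struct.pack("<I", e_lfanew)             # e_lfanew at 0x3c
            + b"PE\x00\x00" + b"\x00" * 20)           # PE signature + padding

def _ole1_wrap(native: bytes) -> bytes:
    # Approximation of the OLE1 EmbeddedObject layout: version, format id
    # (2 = embedded), length-prefixed class name, empty topic and item
    # names, then the native data size and the native data itself.
    cls = b"Package\x00"
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(cls)) + cls
            + struct.pack("<I", 0) + struct.pack("<I", 0)
            + struct.pack("<I", len(native)) + native)

def _hexwrap(data: bytes, width: int = 64) -> str:
    h = data.hex()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))

SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}}"
    r"\pard Please open the attached document.\par "
    r"{\object\objemb\objw1000\objh1000{\*\objclass Package}{\*\objdata " "\n"
    + _hexwrap(_ole1_wrap(_fake_pe_bytes())) +
    "\n}}\\par }"
)

OBJDATA_RE = re.compile(r"\\\*?\\objdata\b")

def extract_objdata(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata group in the RTF text."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        depth = 1                      # we are inside the group that holds \objdata
        i = start = m.end()
        while i < len(rtf) and depth > 0:
            c = rtf[i]
            if c == "\\" and i + 1 < len(rtf) and rtf[i + 1] in "{}\\":
                i += 2                 # escaped brace or backslash, not a group
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        body = rtf[start:i - 1] if depth == 0 else rtf[start:i]
        body = re.sub(r"\\[a-zA-Z]+-?\d*\s?", "", body)   # drop stray control words
        hexdigits = "".join(ch for ch in body if ch in "0123456789abcdefABCDEF")
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]                    # ignore a dangling nibble
        if hexdigits:
            blobs.append(bytes.fromhex(hexdigits))
    return blobs

def find_pe_offsets(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3c)[0]
            sig = pos + e_lfanew
            if 0 < e_lfanew < len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found

def scan_rtf(rtf: str) -> dict:
    """Count embedded objects and report (object index, offset) of PE headers."""
    blobs = extract_objdata(rtf)
    hits = [(idx, off) for idx, blob in enumerate(blobs)
            for off in find_pe_offsets(blob)]
    return {"objects": len(blobs), "pe_hits": hits}

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

The MZ check deliberately requires the e_lfanew pointer to land on a real "PE\0\0" signature, so a stray "MZ" in text or in a GIF does not trip it; a scanner that simply signature-matched the raw RTF bytes would miss the executable entirely because it is stored as hex characters, which is exactly the gap described in the thread.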