[Avcheck] Re: a way to circumvent checks by AVP
Michael Tokarev
mjt@tls.msk.ru
Thu, 25 Jul 2002 19:49:33 +0400
Juri Haberland wrote:
>
[]
> Ok, found some (have a look at http://vx.org.ua/ -- lots of viruses).
;)
> Tried it with an ancient DOS boot-sector virus called Galicia.a and the
> famous new decrypt-password.exe. If attached directly to a mail it was
> found by AVP, but embedded in an RTF mail neither of the two viruses was
> detected :-(
So let me ask: *why* should those be detected inside RTF? (btw, I don't
know how you embed an .exe into RTF. As a "picture"? As an OLE object? Hmm...)
Why should those be detected when embedded into a .doc file and sent via a
normal mail agent (without that famous winmail.dat crap)?
Or, let's go the other way around: after you embed such crap into an email,
what steps have to be taken on the receiving side to actually execute the
code and get infected? Is it as easy as just opening a message (as with most
iframe worms on unpatched outgluck)? Or by double-clicking some
icon/button? Or maybe by double-clicking on an embedded archive to
launch some .zip shell and then clicking on a file inside the archive?
I guess that some more advanced steps are needed instead...
(I hope you got the idea - it shouldn't be an easy task to get infected;
some experience will be required for this...)
> Not good, not good.
> Maybe it's time to switch to Dr.Web...
Send it to me first. I guess DrWeb will not detect this either (who knows,
but that's my guess). And if so, I think that will be right.
(Sending it to me may just serve as a test for DrWeb, since I
will not be able to open such attachments anyway. At least, no
harm could be done to me on Linux... ).
/mjt