Multiple AntiVirus Reserved Device Name Handling Vulnerability

Author: Sowhat
Date: October 9th, 2004
Update: 2006.10.28
http://secway.org/Advisory/Ad20041009.txt
BID: 11444
BID: 11451

Vendor:
AntiVir               www.hbedv.com
Twister               www.filseclab.com
Protector Plus 2000   www.pspl.com

Overview:
As many popular AVs' "Reserved Device Name Handling Vulnerability" reports were published, I have tested this well-known bugz against some others for fun :) There are still 3 left for me, tested with the latest or the most popular version.

Description:
Exploitation of this design vulnerability in these AntiVirus products could allow malicious code to evade detection. During automatic and manual scanning, these AV products do not consistently scan files and directories whose names are reserved MS-DOS device names, such as AUX, CON, PRN, COM1 and LPT1. When these AVs encounter files and folders carrying a reserved device name, they fail to detect and report the malicious code inside, so the malicious code bypasses detection.

This vulnerability is exactly the same as Symantec's; if you want more information, just google "Symantec Security Advisory SYM04-015" || "iDEFENSE Security Advisory 10.05.04b".

Workaround:
Delete all the files and folders named with a Reserved Device Name.

Vendor Status:
I have contacted all 3 vendors; only Twister replied and claimed that they will fix it in the next release.
[2004.10.31] According to BID:11444, the vendor of AntiVir has released new versions of the affected packages to resolve this issue:

H+BEDV AntiVir Windows Server NT/2000/2003 6.28.01.03:
  H+BEDV Upgrade antivir_server_2k3_de.zip
  http://dl.antivir.de/down/windows/antivir_...rver_2k3_de.zip

H+BEDV AntiVir DOS 6.28.00.03:
  H+BEDV Upgrade antivir_dos_de.zip
  http://dl.antivir.de/down/dos/antivir_dos_de.zip

H+BEDV AntiVir Windows Workstation 6.28.00.01:
  H+BEDV Upgrade antivir_workstation_win_de.zip
  http://dl.antivir.de/down/windows/antivir_...tion_win_de.zip

CREDIT:
Sowhat
Sowhat[0x40]secway[0x2e]org
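The workaround above is to delete every file or folder that carries a reserved device name. As an added example, not part of the advisory or of any vendor's code, here is a small audit script that lists such entries under a directory tree; it goes a little beyond the page by also flagging names such as con.txt and "Aux. ", which Win32 resolves to the same devices as the bare names. The sample tree it scans is constructed for the example.

```python
import os
import tempfile
# Names Win32 treats as devices wherever they appear: the advisory's AUX,
# CON, PRN, COM1, LPT1 "etc." plus NUL and the rest of COM1-9 / LPT1-9.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)

def is_reserved_device_name(name: str) -> bool:
    """True if Win32 would parse this file or directory name as a device.
    The check is case-insensitive, ignores trailing spaces and dots, and
    looks only at the part before the first dot, so "con.txt" and "Aux. "
    resolve to CON and AUX just like the bare names do."""
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES

def find_reserved_named_entries(root: str) -> list:
    """Walk root and return every file or directory path whose name
    resolves to a reserved device: the entries the workaround says to
    remove because the affected scanners skip them."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if is_reserved_device_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)

def build_sample_tree(base: str) -> None:
    """Constructed sample layout (not from the advisory): two ordinary
    entries plus four named after reserved devices. Built on a
    non-Windows host, where such names are ordinary file names."""
    for d in ("docs", "COM3"):
        os.makedirs(os.path.join(base, d))
    for f in ("readme.txt", "docs/aux", "docs/Con.txt", "LPT1. "):
        with open(os.path.join(base, f), "w") as fh:
            fh.write("constructed sample content\n")

def scan_sample_tree() -> list:
    """Build the sample tree in a temp dir, scan it, return root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.relpath(p, tmp).replace(os.sep, "/")
                for p in find_reserved_named_entries(tmp)]

if __name__ == "__main__":
    for path in scan_sample_tree():
        print("reserved device name:", path)
```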