Constructing a special file name to bypass multiple anti-virus engines - vulnerability warning - the black bar safety net

2006-01-08T00:00:00
ID MYHACK58:6220066187
Type myhack58
Reporter Anonymous
Modified 2006-01-08T00:00:00

Description

The author of the article: root (webmaster_at_xfocus.org)

Category: design error

Threat level: medium

BUGTRAQ ID: 15423

Affected anti-virus engines:

Kaspersky Antivirus, Symantec AntiVirus, F-Prot Antivirus, ClamWin Antivirus, Avast Antivirus, RAV AntiVirus, Microsoft AntiSpyware

Tested versions: Symantec AntiVirus Corporate 8.0; Kaspersky Antivirus Personal Pro 4.5.0.104; Kaspersky Antivirus For MS NTServer 4.5.0.104; F-Prot Antivirus 3.16c; ClamWin Antivirus 0.87; Avast Professional Edition v4.6.603; RAV AntiVirus Desktop v8.6; Microsoft AntiSpyware beta1

  1. Problem description:

Windows allows a wide range of special symbols in file names. Some anti-virus engines cannot correctly parse a specially constructed file name, so their file operations on it fail and the file escapes scanning.

  2. Technical description:

Test method:

Choose a file that is normally detected, for example nc.exe, and rename it to nc??.exe (where ?? = the hex bytes C0 D7 BA DC).

Then use anti-virus software for scanning.

Because such special names cannot be typed directly, the renamed file (nc??.exe) can be handled through its short name, as follows:

[ROOT@D:\Vul\bugtrap]#dir /x

1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

[ROOT@D:\Vul\bugtrap]#NC294E~1.EXE -help
[v1.10 NT]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:

Through the MS-DOS 8.3 short name, the file can be opened, read, written and copied normally.
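As an added defensive check (not code from the original advisory or from any of the vendors named), the Python audit below enumerates a directory with the bytes API, so no entry is lost to decoding, and flags names that a scanner working through a narrow code page cannot reproduce. It assumes the advisory's root cause is name decoding: the constructed sample uses the advisory's bytes C0 D7 BA DC, which are undecodable under UTF-8 but form two valid characters under GBK, so the verdict is reported per code page.

```python
import os
import tempfile

# Constructed sample name: the advisory's bytes C0 D7 BA DC embedded in
# "nc??.exe" (this is an assumption-based sample, not the author's file).
SPECIAL_NAME = b"nc" + bytes.fromhex("C0D7BADC") + b".exe"


def escaped_bytes(text: str) -> bool:
    """True if `text` carries undecodable bytes smuggled through as lone
    surrogates (U+DC80..U+DCFF), which is how Python's surrogateescape
    handler, and therefore os.listdir(str), represent them."""
    return any(0xDC80 <= ord(c) <= 0xDCFF for c in text)


def classify_name(raw: bytes, encoding: str = "utf-8") -> str:
    """'ok' for plain ASCII, 'non-ascii' for names that decode but need a
    wide-character code path, 'undecodable' for names an engine working in
    `encoding` cannot round-trip and may therefore fail to open or scan."""
    text = raw.decode(encoding, errors="surrogateescape")
    if escaped_bytes(text):
        return "undecodable"
    return "ok" if text.isascii() else "non-ascii"


def audit_dir(path: bytes, encoding: str = "utf-8") -> dict:
    """Walk one directory via the bytes API and report every entry whose
    name is not plain ASCII, keyed by the raw name."""
    return {raw: classify_name(raw, encoding)
            for raw in sorted(os.listdir(path))
            if classify_name(raw, encoding) != "ok"}


def demo() -> dict:
    """Create a constructed sample directory and audit it under UTF-8."""
    with tempfile.TemporaryDirectory() as d:
        base = os.fsencode(d)
        for name in (b"nc.exe", SPECIAL_NAME, "r\u00e9port.txt".encode("utf-8")):
            with open(os.path.join(base, name), "wb"):
                pass  # empty placeholder file; only the name matters here
        return audit_dir(base)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Any name reported as "undecodable" under the code page your scanner runs in is a candidate for the failure this advisory describes and deserves a second look with a wide-character tool.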

In fact, most vendors handle this problem imperfectly in one way or another. For example, Kaspersky's right-click context menu for such a file offers no scan option; Symantec AntiVirus Corporate V10.0.1.1000 can detect the file but cannot clean it; and AVG Anti-Virus may be bypassed during a normal path scan, while clicking its scan option on the file fails because it cannot read the file.