home *** CD-ROM | disk | FTP | other *** search
-
-
- A brand new way to fool TBScan
- +----------------------------+ by Automag/VLAD
-
-
- Today I worked on some features for Antipode:
- I wanted it to infect a file during a scan by AV software so I added
- the usual int 21h 3Dh (open) infection. It already infected the files
- under McAfee's SCAN so I added the 21h 6Ch (extended open) infection and
- F-PROT became a vector but I was surprised that TBSCAN didn't infect my
- test files (5 byte .COM just 3 NOPs and an int 20h). I took SoftICE and
- traced some code and was really surprised as TBSCAN didn't open any file
- in my directory!
-
- I thought that Frans had found a brand new way to open files ? Taking
- int 21h as a breakpoint I found that TBSCAN just used the Find-Next
- function. I was dispirited, how would I use TBSCAN as a vector ?
- Scanning another directory I was suprised to find TBSCAN used Int 21h 3Dh!
-
- Rebooting, I tried to scan my directory again and now TBSCAN only opened
- two files, both were infected (627 bytes long) while the others were
- skipped (5 bytes long).
-
- So here is the trick:
- TBSCAN does not 'waste' any time with tiny files, it just skips them.
- Let's imagine an algorithm...
-
- Int 21 4Bh entry point:
- if (file_to_be_executed='TBSCAN.EXE')
- then TBSCAN_FLAG=1
- end
-
- int 21 4E entry point:
- if (TBSCAN_FLAG=1)
- then
- {
- if DTA.FILEEXT=COM
- then DTA.SIZE=0
- }
- end
-
- int 21 4C entry point:
- TBSCAN_FLAG=0
- end
-
- with such an int 21h, TBSCAN won't scan any COM file :)
-
- That's done and tested and TBSCAN doesn't scan any file :)
- The scanning is just a bit too fast as it scanned 726 executables in six
- seconds :) Now Frans can say that TBSCAN is the fastest scanner ever !
-
- But anyway TBAV is the best AV program I have ever used...
- So greets to Frans Veldman...
-
-
