Interception of web content by AV software (was Re: VML Patch for Win9x?) - Page 4



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

|
|
| |
| | It seems to be unnecessary to un/re-register it. And I was able like
| | Dan to do it in Windows, not DOS.
| |
|
| It's a batch file, silly!  :-)
|

I've done it already with Winzip from the Win2k download.



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

David H. Lipman wrote:

<grins, exactly David>

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

PCR wrote:

Whoa, Calm down, PCR.  It will be okay!

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| PCR wrote:
| > |
| > |
| > | |>
| > | |> What virus ?  This is Exploit code, not a virus !!!
| > | |
| > | | I believe I have already said to you in another thread, McAfee's
| > | | wording is...
| > | |
| > | | Download file:  G:\Temporary Internet
| > | | Trojan name:    Exploit.VMLFill
| > | | McAfee Shield:  Virus found in download file!
| > |
| > |
| > | Gee... three conflicts all in one message !
| > |
| > | Trojan <> virus <> exploit
| > |
| > | McAfee (or any other AV software for that matter) creates a default
| > | message and then concatenates what's found to the default message.
| > |
| > | If you test the EICAR, see what it calls it !
| >
| > http://www.eicar.org/anti_virus_test_file.htm
| > It was the same format alert, BUT McAfee calls all 4 of those just a
| > virus!
| >
| > | I'll say it again, again...  There is NO virus, this is an Exploit
| > | Code.
| >
| > You may do so. It's one of the 3 choices!
| >
| > | The fact is if you are using the TEST URL
| > | http://www.isotf.org/zert/testvml.htm there isn't even a payload.
| > | It just creates a Buffer Overflow condition.  McAfee is flagging the
| > | Buffer Overflow condition or the test for it (I can't tell which).
| >
| > McAfee captures a file that the site attempts to put into my TIFs...
| > testvml[1].htm. It will delete or quarantine that file, renaming it...
| > testvml[1].htm.vir.
| > Then, apparently, the site continues to load and will crash to the IE
| > Error Report Tool. HOWEVER, now that I took the Win2k Vgx.dll, the
| > crash does not occur. I can only hope that's a good thing, since
| > apparently the site is one that wanted to poison me! It will be you,
| > 98 Guy, Bear, & Dan to blame, if not! And Chauvin!
| >
| > I DO get to see "two colored boxes" on my screen now. But I thought
| > that was the wording in 98 Guy's bogus exploit/trojan/virus file,
| > testvml[1].htm! How can it be showing on my screen, IF I had McAfee
| > delete it ???
| >
| > | Here it is in FireFox... (No virus statement here in Enterprise v7.1)
| > | 10/4/2006 8:01:24 PM Deleted (Clean failed)  DLIPMAN-1\lipman
| > | D:\temp\Mozilla\Cache\_CACHE_001_\_CACHE_001_ Exploit-VMLFill
| > |
| > | Here it is in Internet Explorer... (Again no virus statement here in
| > | Enterprise v7.1)
| > | 10/4/2006 8:03:09 PM Deleted  DLIPMAN-1\lipman D:\temp\IE6\Temporary
| > | Internet Files\Content.IE5\UJN91K6V\testvml[1].htm Exploit-VMLFill
| > |
| > | Here it is in Opera... (Still no virus statement here in Enterprise
| > | v7.1)
| > | 10/4/2006 8:05:29 PM Deleted  DLIPMAN-1\lipman C:\Program
| > | Files\Opera\profile\cache4\opr002P3.htm Exploit-VMLFill
| >
| > McAfee gives me a choice of three what to call it!
| >
| > |
| > | So it is YOUR version that generated this incorrect statement, and
| > | this retail version was discontinued YEARS ago.  PCR, I believe you
| > | are still using Retail VirusScan v5.x.
| >
| > McAfee VirusScan v.5.21.1000, Scan Engine v.4.3.20. I am doubly
| > pleased with it now, as this is the very first almost real virus it
| > has caught other than the ones at EICAR!
| >
| > | One more time...
| > |
| > | There is NO virus, this is purely Exploit Code and this URL has NO
| > | payload !
| >
| > It may have no payload, that is right.
| >
| > | |
| > | | WELL, McAfee does give a choice of 3 what to call it, actually. I
| > | | have taken the .dll already as Bear said, with Winzip. Yet I
| > | | haven't installed it.
| > | |
| > |
| > | My unofficial patch will install the non-vulnerable version,
| > | unregister the vulnerable version, register the replacement DLL and
| > | fix the Registry.
| >
| > It seems to be unnecessary to un/re-register it. And I was able like
| > Dan to do it in Windows, not DOS.
| >
| > | --
| > | Dave
| > | http://www.claymania.com/removal-trojan-adware.html
| > | http://www.ik-cs.com/got-a-virus.htm
| > |
| > |
| >
| >
|
| Whoa, Calm down, PCR.  It will be okay!

I'm just saying I have a choice of three! Lipman must relent!



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

PCR wrote:


McAfee found what it thinks is a virus.

What it found was (for lack of a better word) a shell of a virus.  It
has the fingerprints and characteristics of exploit code.  It has no
payload (that's what makes it safe to execute).  McAfee doesn't know
that it doesn't have a payload.  It has the characteristics of the VML
exploit, so that's what it calls it.


The .htm file posted earlier contains specially crafted code that
triggers a fault in IE that causes IE to crash.  That's all it does.
In its nasty form, there would be additional code that would be
executed in conjunction with IE crashing.


The exploit code opens a door into the operating system.  Think of it
as a key.  If there is nothing accompanying the key (the payload) then
there is nothing to "get in".  AV software detects the key - because
the payload can vary but the key must remain relatively similar or
static.

So we know what the key looks like.  What is the lock?  The lock in
this case is the vgx.dll file.  You can either remove the file from
your system (and hence the key has nowhere to go) or update the file
(plug the keyhole).

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

98 Guy wrote:

Just update this file --- vgx.dll and it is not very difficult -- just
rename the current one to vgx.bak -- use Winzip to extract the newer
vgx.dll from the 2000 patch and then cut and paste --- It is that
simple, PCR.  The urlmon.dll will be trickier for some users since in my
system at least -- I had to go to command prompt in order to cut and
paste because the file was in use in normal mode and safe mode.  It can
be done without very much difficulty but it certainly helps to be
comfortable in a text based interface.  It was liberating for me to be
free from the confines of the GUI.

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| PCR wrote:
|
| > | What virus ?  This is Exploit code, not a virus !!!
| >
| > I believe I have already said to you in another thread,
| > McAfee's wording is...
| >
| > Download file:  G:\Temporary Internet
| > Trojan name:    Exploit.VMLFill
|
| McAfee found what it thinks is a virus.
|
| What it found was (for lack of a better word) a shell of a virus.  It
| has the fingerprints and characteristics of exploit code.  It has no
| payload (that's what makes it safe to execute).  McAfee doesn't know
| that it doesn't have a payload.  It has the characteristics of the VML
| exploit, so that's what it calls it.

It seems McAfee calls it a trojan. It posts its name as
"Exploit.VMLFill". Finally, McAfee announces: "Virus found in download
file!". Thus...

Download file:  G:\Temporary Internet
Trojan name:    Exploit.VMLFill
McAfee Shield:  Virus found in download file!

At the...
http://www.eicar.org/anti_virus_test_file.htm
..., it calls all 4 a virus only! And the virus is named "Eicar test
file".

| > So... does IE need the exploit file of 98 Guy to deliver the
| > exploit?
|
| The .htm file posted earlier contains specially crafted code that
| triggers a fault in IE that causes IE to crash.  That's all it does.

Well, looking inside the file McAfee has quarantined, it seems to
have wording that I now see on the screen: "If you can see two colored
boxes". I do see the boxes, because I now have taken that Win2k .dll, &
IE does not crash.

BUT how do I see this, IF the file has been deleted or quarantined ???

| In its nasty form, there would be additional code that would be
| executed in conjunction with IE crashing.

How/why do I see any code at all get executed?

| > Is the exploit file extraneous to the delivery of the
| > exploit?
|
| The exploit code opens a door into the operating system.  Think of it
| as a key.  If there is nothing accompanying the key (the payload) then
| there is nothing to "get in".  AV software detects the key - because
| the payload can vary but the key must remain relatively similar or
| static.
|
| So we know what the key looks like.  What is the lock?  The lock in
| this case is the vgx.dll file.  You can either remove the file from
| your system (and hence the key has nowhere to go) or update the file
| (plug the keyhole).

I begin to wonder whether I was better off with a crashing Vgx.dll. At
least I didn't see that code on the screen from a file that was deleted!



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)


< snip >

|
| I begin to wonder whether I was better off with a crashing Vgx.dll. At
| least I didn't see that code on the screen from a file that was deleted!
|

Stop over analyzing this.  You will only get a headache.

If IE no longer crashes and you see the red boxes then you have mitigated
the vulnerability. That is what is important here.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

David H. Lipman wrote:

Exactly, David and PCR please listen to him and do not worry.  I am sure
98 Guy's machine or my machine would be hit first with any error because
we replaced the *.dll earlier than you.

--
Dan W.

Computer User

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

PCR wrote:


McAfee is calling it an Exploit, a Virus, and a Trojan at the same
time.  So what's your question?


Because McAfee didn't intercept the data.

Because IE got to see the content of that .HTM file first, and McAfee
only got to see it when IE created the cached file.

If it had been a REAL threat, and if you had the unpatched DLL, then
your system would have been exposed to the virus, and the virus could
very well have performed its designated function.  McAfee would have
told you milliseconds later that you have been exposed to the virus
because of the presence of the cached file.  But that is irrelevant
because your system has been modified by the virus and presumably
opened up for the download of a secondary payload.

Or so that is the case for Win-2k and XP machines.  It's not a given
that the virus would function correctly on a win-98 system.


No.

The crashing is an indication that you are susceptible to the exploit.

It doesn't matter that McAfee found the remnants of the exploit in the
cached file.  It's too late by then.

The real test of good AV software is to try that web site with the
unpatched VGX.DLL file - and seeing that your IE does not crash.  That
would indicate that the AV software kept the exploit code away from IE
completely - as if it snatched that file away from IE before IE had a
chance to see it.

Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

| PCR wrote:
|
| > It seems McAfee calls it a trojan.
| > Finally, McAfee announces: "Virus found in download file!"
| >
| > Trojan name:    Exploit.VMLFill
| > McAfee Shield:  Virus found in download file!
|
| McAfee is calling it an Exploit, a Virus, and a Trojan at the same
| time.  So what's your question?

Well, it's a bigger issue to Lipman what it should be called. In the
end, its behavior should determine it. Fine, it's an exploit-- a flaw
in Vgx.dll-- that lets whatever-it-is in. After that, it is EITHER a
virus or a trojan depending what the payload does.

| > | The .htm file posted earlier contains specially crafted code
| > | that triggers a fault in IE that causes IE to crash.  That's
| > | all it does.
| >
| > the file McAfee has quarantined,
| > I do see the boxes
| > BUT how do I see this, IF the file has been deleted or
| > quarantined ???
|
| Because McAfee didn't intercept the data.

It deletes or quarantines the file before the crash & before the page is
rendered. Therefore, I was thinking I SHOULDN'T see what it nevertheless
DOES put into the IE page... those red boxes & the wordage that I am not
vulnerable!

| Because IE got to see the content of that .HTM file first, and McAfee
| only got to see it when IE created the cached file.

I think I begin to understand. The page is rendered apart from the bits
& pieces that IE also puts into TIFs (Temporary Internet Files). TIFs
would be used later to see the page while working offline. That can't
happen. However, I guess you are right, & I would be infected on first
visit to the site.

Then, TOO BAD IE does its first rendering directly from the site! And,
yea, it is good I have taken the Win2k file!

| If it had been a REAL threat, and if you had the unpatched DLL, then
| your system would have been exposed to the virus, and the virus could
| very well have performed its designated function.  McAfee would have
| told you milliseconds later that you have been exposed to the virus
| because of the presence of the cached file.  But that is irrelevant
| because your system has been modified by the virus and presumably
| opened up for the download of a secondary payload.

Yea, thanks, 98 Guy. I finally do believe that.

Hmmm, a while ago I WAS getting a spell of crashes to the IE Report
Tool. But those have gone away, & McAfee never peeped. Still, I'd better
find a way to research it.

| Or so that is the case for Win-2k and XP machines.  It's not a given
| that the virus would function correctly on a win-98 system.

That would be a blessing, if it can't!

| > I begin to wonder whether I was better off with a crashing
| > Vgx.dll.
|
| No.

You are right. I think the crash is what causes a buffer to flush &
activate. Still, I'd rather not be at a site that was infected & would
want to leave it immediately!

| The crashing is an indication that you are susceptible to the exploit.
|
| It doesn't matter that McAfee found the remnants of the exploit in the
| cached file.  It's too late by then.

Those are bits/pieces of the site to be used for speed of rendering at
next visit or to see the site while working offline. They wouldn't have
to be downloaded again.

| The real test of good AV software is to try that web site with the
| unpatched VGX.DLL file - and seeing that your IE does not crash.  That
| would indicate that the AV software kept the exploit code away from IE
| completely - as if it snatched that file away from IE before IE had a
| chance to see it.

You are right, it would have to stop IE from rendering the page directly
from the data it receives from the site. Too bad IE doesn't create the
TIFs & render even the FIRST visit to the site from them. That would
have allowed McAfee to stop it. However, I guess the W2k .dll is even
better than that because it corrected the flaw in VML code-- this one,
anyhow.
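The ordering that 98 Guy describes and PCR restates above (IE parses the response as it arrives and only afterwards writes it to Temporary Internet Files, so a file-based on-access scanner alerts after vgx.dll has already been reached) can be shown with a small model. This is an added example, not code from the thread or from any AV product: the "exploit" is a constructed marker string, not the real Exploit-VMLFill bytes; the response chunks are hand-made; and the "browser" is a stub that only records the order of events. It also covers the one thing an inline filter has to get right that the thread does not spell out: a signature can straddle two network chunks, so scanning each chunk on its own misses it.

```python
"""Added example: on-access cache scanning vs. inline response scanning.

Constructed throughout; the marker below stands in for the trigger
pattern ("the key") an AV engine matches, not for any real exploit.
"""
from typing import List, Optional

# Constructed stand-in for the detection signature (assumption, not real).
CONSTRUCTED_SIGNATURE = b"CONSTRUCTED-VML-TRIGGER"

# Constructed response, delivered in three chunks; the marker is split
# across chunks 1 and 2 the way a TCP stream may split it.
CONSTRUCTED_CHUNKS = [
    b"<html><body>If you can see two colored boxes ...",
    b"<v:rect CONSTRUCTED-VML-",
    b"TRIGGER></v:rect></body></html>",
]
CLEAN_CHUNKS = [b"<html><body>nothing to see</body></html>"]


def signature_found(data: bytes) -> bool:
    """Naive signature match: substring search for the constructed marker."""
    return CONSTRUCTED_SIGNATURE in data


def browse_with_cache_scanner(chunks: List[bytes]) -> List[str]:
    """Model 1, the thread's setup.

    The browser hands each chunk to its parser as it arrives and writes the
    same bytes to the cache file.  The on-access scanner is a file-system
    hook, so it only gets the bytes once the cache file is closed.
    """
    events: List[str] = []
    cache = bytearray()
    for i, chunk in enumerate(chunks):
        events.append(f"parser: consumed chunk {i}")  # vgx.dll already reached
        cache += chunk
    events.append("cache: file closed")
    if signature_found(bytes(cache)):
        events.append("on-access scanner: detected, cache file quarantined")
    return events


def browse_with_per_chunk_filter(chunks: List[bytes]) -> List[str]:
    """Model 2, an inline filter done wrong.

    Each chunk is scanned on its own and forwarded; a signature that
    straddles a chunk boundary is never seen whole and slips through.
    """
    events: List[str] = []
    for i, chunk in enumerate(chunks):
        if signature_found(chunk):
            events.append(f"inline filter: blocked at chunk {i}")
            return events
        events.append(f"parser: consumed chunk {i}")
    return events


def browse_with_buffered_filter(chunks: List[bytes]) -> List[str]:
    """Model 3, an inline filter that keeps the body away from the parser.

    The whole body is buffered and scanned before the parser sees a byte;
    on a match the parser receives nothing from the original response.
    """
    events: List[str] = []
    body = b"".join(chunks)
    events.append(f"inline filter: buffered {len(body)} bytes")
    if signature_found(body):
        events.append("inline filter: blocked, parser never saw the body")
        return events
    events.append("parser: consumed body")
    return events


def first_event(events: List[str], prefix: str) -> Optional[int]:
    """Index of the first event starting with prefix, or None."""
    for i, e in enumerate(events):
        if e.startswith(prefix):
            return i
    return None


def parser_saw_body(events: List[str]) -> bool:
    return first_event(events, "parser:") is not None


def detected(events: List[str]) -> bool:
    return (first_event(events, "on-access scanner: detected") is not None
            or first_event(events, "inline filter: blocked") is not None)


if __name__ == "__main__":
    for name, model in [("cache scanner", browse_with_cache_scanner),
                        ("per-chunk filter", browse_with_per_chunk_filter),
                        ("buffered filter", browse_with_buffered_filter)]:
        ev = model(CONSTRUCTED_CHUNKS)
        print(f"{name}: parser saw body={parser_saw_body(ev)} "
              f"detected={detected(ev)}")
        for e in ev:
            print("   ", e)
```

Run as a script it prints the three event traces. Model 1 detects, but every "parser: consumed chunk" line comes before the detection line, which is the "too late by then" case from the thread. Model 2 never detects at all because the marker is split between chunks 1 and 2. Only model 3 both detects and keeps the parser from ever receiving the body, which is what 98 Guy calls the real test of the AV software. A production inline scanner that streams instead of buffering has to hold back at least (signature length minus one) bytes before forwarding, and even that is only safe for signatures that are a single contiguous pattern.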



Re: Interception of web content by AV software (was Re: VML Patch for Win9x?)

PCR wrote:

PCR, I have the exact same file that is in the vault in quarantine and
put there by AVG.  It is apparently nothing to worry about and the virus
scanners were just doing their job.

--
Dan W.

Computer User
