ZortMcGort11

Does Win9x need Antivirus anymore?

38 posts in this topic

I think it wouldn't hurt to have a couple on-demand scanners for Win9x. But anything that scans real-time would probably be completely pointless.

Agreed.

McAfee v6 still working on Win9x using current DAT files.

See here.


I was testing a malware link recently on my win-98 system (with Kex) with Firefox 2.0.0.20, Adobe reader 6.0.2, and Java 1.6.0_43. This is what happened:

The link ends up causing my system to load the Java engine and process some java code, which in turn tries to invoke acrord32.exe and render some sort of pdf file. Java and Acrord32 displayed these error messages:

------

Application Error

General Exception (!)

java.lang.NullPointerException

(ok) (Details)

-------

And this:

-------

Acrobat plug-in

! This operation is not allowed

(ok)

-------

Looking at the Details for the Java error:

-------

java.lang.NullPointerException

at sun.net.www.ParseUtil.encodePath(Unknown Source)

at sun.misc.URLClassPath$Loader.getResource(Unknown Source)

at sun.misc.URLClassPath.getResource(Unknown Source)

at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)

at sun.applet.AppletPanel$7.run(Unknown Source)

at sun.applet.AppletPanel$7.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at sun.applet.AppletPanel.createSerialApplet(Unknown Source)

at sun.applet.AppletPanel.createApplet(Unknown Source)

at sun.plugin.AppletViewer.createApplet(Unknown Source)

at sun.applet.AppletPanel.runLoader(Unknown Source)

at sun.applet.AppletPanel.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

-------

Before I dismiss these error messages, I do a search for all recently-created files. I find these in windows/temp:

Acr6392.TMP

Acr6390.TMP

Acr639C.TMP

Small, useless PDF files. I can't find anywhere on the web to verify this, but I believe that Adobe Reader must create these temp files during its normal operation, so these are harmless. An AV scan on them turns up nothing.

I find this file in windows/application data/sun/java/deployment/cache/6.0/host: 31ba0019-40d9db35.hst It's a text file that contains this: 184.82.108.82

I have this file in my Firefox cache directory: 10D13CC8d01. It contained comma-separated decimal representations of the ASCII characters for the <applet>some stuff</applet> container. It also contained period-separated values representing the ASCII characters of the JavaScript for downloading the malicious PDF, Java jar, and Shockwave Flash object. The malicious PDF contained stream object (111), which is compressed, obfuscated JavaScript that works on yet another blob, which is the PDF heap-spray/exploit code and also has two shellcode variables. The shellcodes had URLs that were not encrypted.

VirusTotal identified that file as containing: JS/Exploit-Blacole.ld - but only 2 out of 46 AV programs flagged the file as malicious.

I dismiss the java error, and then the adobe error. Immediately another Acrord error pops up (same as the first). I dismiss it. Firefox then comes back to life and displays this page:

www.google.com/search?q=404%20error

And at this point we seem to be done, with no lasting effects. This lame attempt at a browser/java/pdf exploit just bounced off my win-98 system.

I have yet to find a pdf exploit that can work correctly on the combination of win-98/Acrobat Reader 6. And the heap/spray exploits seem not to work correctly on win-98 systems as well. And many of the malware files that I seek out (as a result of following recent spam links) turn out to have a very low rate of being identified by antivirus programs - at least during their first day of circulation.
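The post above describes a cache file in which the applet container and the loader script were stored as comma- and period-separated decimal ASCII. The following is an added triage helper, not the poster's code: it decodes such runs and flags decoded fragments that reference applet, PDF, Flash or jar loaders. The cache sample and the marker list are constructed assumptions.

```python
import re

# Constructed sample resembling the described cache file: an <applet> tag as
# comma-separated decimal ASCII and a document.write() call as period-separated
# decimal ASCII. The values are made up for this example.
SAMPLE_CACHE = (
    "x=[60,97,112,112,108,101,116,32,99,111,100,101,61,34,77,46,99,108,97,115,"
    "115,34,62,60,47,97,112,112,108,101,116,62];"
    "y='100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.34.60.101.109."
    "98.101.100.32.115.114.99.61.34.101.120.112.46.112.100.102.34.62.34.41';"
)

# A run of at least eight 1-3 digit numbers joined by one consistent separator
# (comma or period). The minimum length keeps dotted IPv4 addresses and short
# numeric lists from being treated as encoded text.
DECIMAL_RUN = re.compile(r"\d{1,3}(?P<sep>[,.])(?:\d{1,3}(?P=sep)){6,}\d{1,3}")

# Markers that an analyst would consider suspicious in decoded content
# (assumed list; extend to taste).
SUSPICIOUS = ("<applet", ".jar", ".pdf", ".swf", "document.write", "<embed")


def decode_runs(text):
    """Return (separator, decoded_string) for every run that decodes to
    printable ASCII; runs containing non-printable code points are skipped."""
    found = []
    for match in DECIMAL_RUN.finditer(text):
        sep = match.group("sep")
        codes = [int(n) for n in match.group(0).split(sep)]
        if all(32 <= c < 127 for c in codes):
            found.append((sep, "".join(chr(c) for c in codes)))
    return found


def triage(text):
    """Decode every run and attach the suspicious markers it contains."""
    findings = []
    for sep, decoded in decode_runs(text):
        hits = [m for m in SUSPICIOUS if m in decoded.lower()]
        findings.append({"sep": sep, "decoded": decoded, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CACHE):
        print(f"[{f['sep']}] {f['decoded']!r} -> {f['hits']}")
```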


On my Win98SE PC (AMD K6-3+@550MHz, 768MB RAM) I run the firewall ZoneAlarm AntiVirus 6.1 (outdated antivirus part disabled) combined with Avast 4.8 AntiVirus (start delayed through StartRight to prevent race-condition lockups). However, nowadays a complete boot takes about 20 minutes and an Avast update even >30 minutes. Random browser lockups also likely come from Avast, which seems to slow down the machine by 90% in some situations. I guess this bloatware monster does a linear search through an infinitely growing virus database and has long since lost its point of usefulness. (The only malware I ever found with it were adware scripts in old downloaded HTML pages, and obviously fake e-mail attachments I wouldn't open with Acrobat Reader or MS Word anyway, since I do not use them.)

Thus I will replace this bugger with ClamWin+Sentinel soon. I hope I manage to make it coexist with ZoneAlarm.

Edited by CyberyogiCoWindler

No antivirus at all here for years and years, and never had any problem surfing. They slow old PCs down too much.

(Only using ZA 5.5, proper configuration and passive protections like Hosts file, ActiveX killbits, ...)

I really wonder if it is possible for any current malware to recognize such a legacy OS as Win9x and infect it.


I was going to create a new thread, but I see that this thread has been resurrected so I'll add this.

I got a spam on Friday with a nonsense subject (#jNSuR) and an attachment (hqPP03Lb.doc - 83 kb). The only text in the spam was "Sent from my ipad". I saved the attachment and tried to open it with notepad. Notepad threw up the usual "this file is too large- how about I open it with wordpad?". My fingers were faster than my brain and I clicked OK.

Now I've seen a bunch of viral .doc files recently where they try to invoke some sort of macro, and if you have macros disabled then they throw up a lame message asking you to enable macros. So I guess I expected this to do the same. But instead I got this:

===============

Wordpad caused an invalid page fault in module mswrd832.cnv

(a bunch of details)

===============

And that's all. No dropped files, no new processes, no new entries in my registry. Yet another example of a cutting-edge exploit that falls flat on its face when it encounters a win-98 system (and I have Office 2K Premium installed - and still it could not exploit it).

I have 2 copies of mswrd832.cnv on this system - one in a directory containing all files unpacked from a win-98 CD, and the other in program files / common files / microsoft shared / textconv. Presumably the one being used is the one in textconv, and funny thing - it's dated 12/08/1998 (but has version 98120800) while the other is 4/23/1999 (and has version 97081200).

A scan of the .doc file at virustotal (and this is some 24 hours after I got it) got flagged by 29 out of 56 AV programs. A few of the notable programs that DID NOT detect this threat were:

ClamAV

Malwarebytes

Norman

Panda

The file acts as a downloader (or dropper) and is variously ID'd as W97M / Adnel. Trend calls it "W2KM_BARTALEX.VVRA". I really would like to know the exploit mechanism being attempted here, and why the mechanism failed under win-98 (and hence why it works under NT). I can make the file available to anyone that wants to analyze it in more detail.


And something more: this file may fail in a plain vanilla Win 98

but be active when KernelEx is installed...   :unsure:


> And something more: this file may fail in a plain vanilla Win 98

> but be active when KernelEx is installed...

Um, I run Kex on all my win-98 systems. I think it's been discussed in this thread that Kex doesn't convey any of the various heap-spray and buffer-overrun vulnerabilities that NT has to win-98.


I wouldn't be so sure to attribute the success to Windows 98 alone, but rather to NOT opening that file with some version of MS Word.

The Wordpad ".doc converter" most likely strips off anything that is not text and its formatting.

If you prefer: if you open that .doc file on an NT family OS with - say - OpenOffice, LibreOffice or Atlantis, very likely whatever is in it won't be triggered either, as it is seemingly a WORD macro:

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:W97M/Adnel#tab=2

It is entirely possible that even when opened by Word the macro won't run on 9x systems, but from what you report the macro has never been executed; it simply crashed the converter.

jaclaz


When I open the .doc file in MS Word (that is part of Office 2000) I get this message window:

-------------------

Microsoft Visual Basic (in the title bar)

The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.

--------------------

And while that message is on-screen, this is what the Word window looks like:

[screenshot attachment of the Word window, not reproduced here]


If that's an "unknown DOC" file (e.g. you don't know what it is and it shouldn't be trusted), you're asking for it, IMHO.

https://support.microsoft.com/en-us/kb/285514

The above link answers your question, but not what to do if you shouldn't have run that Macro in the first place.


> The above link answers your question,

Well, technically the above link doesn't mention Word 2000. But the point is that for whatever reason (maybe it's the default setting?) I have Word macros set to "High" (only signed macros can run). With that document open in Word, if I go to Tools, Macros, Visual Basic Editor, that brings up the MS Visual Basic project editor, where I see the name of the document in the left-hand project pane. If I try to do anything with it (like expand it, get the properties, etc.) I am prompted to provide a Project Password.

I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...


> I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

Well, I would rather attempt "cracking" the Macro password (if possible) and see what is in the actual macro. :whistle:


If it is a "simple", "default" password protection, the good ol' DPB= to DPx= hexedit/replacement:

http://stackoverflow.com/questions/272503/how-do-i-remove-the-password-from-a-vba-project

http://superuser.com/questions/807926/how-to-bypass-the-vba-project-password-from-excel

works for both Excel and Word VBA projects.


jaclaz


I've edited the malicious .doc file in 3 places, rendering 3 internal keys invalid. While opening the modified document, Word throws up a VB error message for each key, giving me the option to continue loading the project, to which I say yes. I can then open the project in the VB editor, and there are 3 code windows (one for the document, and two which are labelled Module1 and Module2). I understand that starting with MS Word 2007, I wouldn't be able to view this code or possibly even open the document given the invalid keys.

If anyone wants to see the VB code, I can post it (or the modified document itself) wherever appropriate.
