
Does Win9x need Antivirus anymore?

37 replies to this topic

#26
CharlotteTheHarlot

I think it wouldn't hurt to have a couple on-demand scanners for Win9x. But anything that scans real-time would probably be completely pointless.

Agreed.

McAfee v6 still working on Win9x using current DAT files.

See here.

... Let him who hath understanding reckon the Number Of The Beast ...




#27
Nomen
I was testing a malware link recently on my win-98 system (with Kex) with Firefox 2.0.0.20, Adobe reader 6.0.2, and Java 1.6.0_43. This is what happened:

The link ends up causing my system to load the Java engine and process some java code, which in turn tries to invoke acrord32.exe and render some sort of pdf file. Java and Acrord32 displayed these error messages:
------
Application Error
General Exception (!)
java.lang.NullPointerException

(ok) (Details)
-------

And this:

-------
Acrobat plug-in
! This operation is not allowed
(ok)
-------

Looking at the Details for the Java error:

-------
java.lang.NullPointerException
at sun.net.www.ParseUtil.encodePath(Unknown Source)
at sun.misc.URLClassPath$Loader.getResource(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletPanel.createSerialApplet(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
-------

Before I dismiss these error messages, I do a search for all recently-created files. I find these in windows/temp:

Acr6392.TMP
Acr6390.TMP
Acr639C.TMP

Small, useless PDF files. I can't find anywhere on the web to verify this, but I believe that Adobe Reader must create these temp files during its normal operation, so these are harmless. An AV scan on them turns up nothing.

I find this file in windows/application data/sun/java/deployment/cache/6.0/host: 31ba0019-40d9db35.hst It's a text file that contains this: 184.82.108.82

I have this file in my Firefox cache directory: 10D13CC8d01. It contained comma-separated decimal representations of the ASCII characters for the <applet>some stuff</applet> container. It also contained period-separated values representing the ASCII characters of the JavaScript that downloads the malicious PDF, Java jar, and Shockwave Flash object. The malicious PDF contained stream object (111), which is compressed, obfuscated JavaScript that works on yet another blob, which is the PDF heap-spray/exploit code, which in turn has two shellcode variables. The shellcodes had URLs that were not encrypted.

VirusTotal identified that file as containing: JS/Exploit-Blacole.ld - but only 2 out of 46 AV programs flagged the file as malicious.

I dismiss the java error, and then the adobe error. Immediately another Acrord error pops up (same as the first). I dismiss it. Firefox then comes back to life and displays this page:

www.google.com/search?q=404%20error

And at this point we seem to be done, with no lasting effects. This lame attempt at a browser/java/pdf exploit just bounced off my win-98 system.

I have yet to find a pdf exploit that can work correctly on the combination of win-98/Acrobat Reader 6. And the heap/spray exploits seem not to work correctly on win-98 systems as well. And many of the malware files that I seek out (as a result of following recent spam links) turn out to have a very low rate of being identified by antivirus programs - at least during their first day of circulation.
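Nomen's cache file stored the applet tag as comma-separated decimal ASCII codes and the JavaScript as period-separated codes. The script below is an added example (not from Nomen or anyone else in this thread) that pulls such runs out of a cached file, decodes them, and reports a few indicator strings that warrant a closer look. The sample input is constructed here; the run length threshold of eight numbers is an assumption chosen so that version strings like 2.0.0.20 and dotted IPv4 addresses like the one in the .hst file are not mistaken for encoded text.

```python
import re

# A run of at least 8 one-to-three-digit numbers joined by commas, or by periods.
# The minimum length (an assumption, not a rule from the thread) keeps version
# strings such as 2.0.0.20 and dotted IPv4 addresses from matching.
ENCODED_RUN = re.compile(
    r"(?<![\d.,])\d{1,3}(?:(?:,\d{1,3}){7,}|(?:\.\d{1,3}){7,})(?![\d.,])"
)

# Strings an analyst would want flagged in the decoded output.
INDICATORS = ("<applet", "eval(", "unescape(", "document.write", ".pdf", ".jar", ".swf")


def decode_run(run):
    """Turn '60,97,112' or '60.97.112' into text; None if any code is not printable ASCII."""
    codes = [int(c) for c in re.split(r"[,.]", run)]
    if all(9 <= c <= 126 for c in codes):
        return "".join(chr(c) for c in codes)
    return None


def extract_encoded_strings(text):
    """Return every decodable run found in the cache file text, in file order."""
    decoded = []
    for match in ENCODED_RUN.finditer(text):
        s = decode_run(match.group(0))
        if s is not None:
            decoded.append(s)
    return decoded


def triage(text):
    """Decode the runs and list which indicator strings appear in them."""
    decoded = extract_encoded_strings(text)
    hits = sorted({ind for s in decoded for ind in INDICATORS if ind in s.lower()})
    return {"decoded": decoded, "indicators": hits}


# Constructed sample of a cached file: an <applet> tag as comma-separated codes,
# a line of JavaScript as period-separated codes, and two lines of ordinary text
# containing a version string and an IP address that must be left alone.
SAMPLE_CACHE = (
    "60,97,112,112,108,101,116,32,99,111,100,101,61,34,120,46,99,108,97,115,115,34,62,"
    "60,47,97,112,112,108,101,116,62\n"
    "118.97.114.32.117.61.34.104.116.116.112.58.47.47.101.120.97.109.112.108.101.46."
    "105.110.118.97.108.105.100.47.120.46.112.100.102.34.59\n"
    "host 184.82.108.82 seen by Firefox 2.0.0.20\n"
    "plain text that is not encoded at all\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_CACHE)
    for s in report["decoded"]:
        print("decoded:", s)
    print("indicators:", report["indicators"])
```

Running it on the sample prints the decoded applet tag and the JavaScript line (which references a PDF at a placeholder host), and lists `.pdf` and `<applet>` as indicators; the IP address and version string lines produce nothing. Real cache files mix both encodings with ordinary HTML, so the decoder works on runs rather than whole lines.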

#28
CyberyogiCoWindler
On my Win98SE PC (AMD K6-3+@550MHz, 768MB RAM) I run the firewall ZoneAlarm AntiVirus 6.1 (outdated antivirus part disabled) combined with Avast 4.8 AntiVirus (start delayed through StartRight to prevent race-condition lockups). However, nowadays a complete boot takes about 20 minutes and an Avast update even >30 minutes. Also, random browser lockups likely come from Avast, which seems to slow down the machine by 90% in some situations. I guess this bloatware monster does a linear search through an infinitely growing virus database and has long since lost its point of usefulness. (The only malware I ever found with it were adware scripts in old downloaded HTML pages, and obviously fake e-mail attachments I wouldn't open with Acrobat Reader or MS Word anyway, since I do not use them.)

Thus I will replace this bugger with ClamWin+Sentinel soon. I hope I manage to make it coexist with ZoneAlarm.

Edited by CyberyogiCoWindler, 07 May 2015 - 09:27 PM.

MAY THE SOFTWARE BE WITH YOU!
CYBERYOGI =CO= Windler (teachmaster of LOGOLOGIE - the 1st cyberage-religion!)
{http://weltenschule.de/e_index.html}
ABANDON=THE=BRUTALITY


#29
CharlesF
No antivirus at all here for years and years, and I never had any problem surfing. They slow down old PCs too much.
(Only using ZA 5.5, proper configuration and passive protections like the Hosts file, ActiveX killbits, ...)

I really wonder if it is possible for any current malware to recognize such a legacy OS as Win9x and infect it.

#30
Nomen
I was going to create a new thread, but I see that this thread has been resurrected so I'll add this.

I got a spam on Friday with a nonsense subject (#jNSuR) and an attachment (hqPP03Lb.doc - 83 kb). The only text in the spam was "Sent from my ipad". I saved the attachment and tried to open it with notepad. Notepad threw up the usual "this file is too large- how about I open it with wordpad?". My fingers were faster than my brain and I clicked OK.

Now I've seen a bunch of viral .doc files recently where they try to invoke some sort of macro, and if you have macros disabled then they throw up a lame message asking you to enable macros. So I guess I expected this to do the same. But instead I got this:

===============
Wordpad caused an invalid page fault in module mswrd832.cnv
(a bunch of details)
===============

And that's all. No dropped files, no new processes, no new entries in my registry. Yet another example of a cutting-edge exploit that falls flat on its face when it encounters a win-98 system (and I have Office 2K Premium installed - and still it could not exploit it).

I have 2 copies of mswrd832.cnv on this system - one in a directory containing all files unpacked from a win-98 CD, and the other in program files / common files / microsoft shared / textconv. Presumably the one being used is the one in textconv, and funny thing - it's dated 12/08/1998 (but has version 98120800) while the other is 4/23/1999 (and has version 97081200).

A scan of the .doc file at virustotal (and this is some 24 hours after I got it) got flagged by 29 out of 56 AV programs. A few of the notable programs that DID NOT detect this threat were:

ClamAV
Malwarebytes
Norman
Panda

The file acts as a downloader (or dropper) and is variously ID'd as W97M/Adnel. Trend calls it "W2KM_BARTALEX.VVRA". I really would like to know the exploit mechanism being attempted here, and why the mechanism failed under win-98 (and hence why it works under NT). I can make the file available to anyone that wants to analyze it in more detail.
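Before opening an attachment like hqPP03Lb.doc in anything, a first question is whether it is an OLE2 compound file carrying a VBA project at all. The script below is an added example, not code from this thread or from any of the vendors named in it: it checks the OLE2 signature and then byte-searches for the storage and stream names a Word VBA project leaves in the directory (OLE2 stores those names as null-terminated UTF-16LE). The two sample documents are constructed stand-ins that only mimic the directory name fields, not real Word files, and the list of marker names is an assumption based on the usual Word layout (Macros, VBA, _VBA_PROJECT, ThisDocument, ModuleN).

```python
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names Word writes for a document that carries a VBA project
# (assumed conventional names; "PROJECT" is left out because its UTF-16LE
# form also occurs inside "_VBA_PROJECT").
VBA_MARKERS = ("Macros", "VBA", "_VBA_PROJECT", "ThisDocument")


def _utf16_name(name):
    # OLE2 directory entry names are UTF-16LE and null-terminated; including the
    # terminator keeps "VBA" from matching inside "_VBA_PROJECT".
    return (name + "\x00").encode("utf-16-le")


def is_ole(data):
    """True if the blob starts with the OLE2 compound file signature."""
    return data[:8] == OLE_MAGIC


def vba_markers_present(data):
    return [m for m in VBA_MARKERS if _utf16_name(m) in data]


def module_names(data):
    # Code modules are named by whoever wrote the macro; Nomen's sample used the
    # default Module1/Module2, so look for the first few default names.
    return [f"Module{i}" for i in range(1, 10) if _utf16_name(f"Module{i}") in data]


def triage_doc(data):
    """Classify a suspect .doc blob without opening it in any office application."""
    if not is_ole(data):
        return {"ole": False, "markers": [], "modules": [],
                "verdict": "not an OLE2 file (RTF or text that Word would still open)"}
    markers = vba_markers_present(data)
    mods = module_names(data)
    verdict = ("VBA project present: treat as a macro document" if markers
               else "no VBA project markers found")
    return {"ole": True, "markers": markers, "modules": mods, "verdict": verdict}


def _fake_directory(names):
    # Constructed stand-in for the OLE directory: 128-byte entries whose first
    # 64 bytes are the UTF-16LE name field. Real files also carry FAT and sector
    # bookkeeping that this byte-search approach does not need.
    entries = b""
    for n in names:
        entries += _utf16_name(n).ljust(64, b"\x00") + b"\x00" * 64
    return entries


# Constructed samples (not the attachment from the thread).
MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + _fake_directory(
    ["Root Entry", "WordDocument", "1Table", "Macros", "VBA",
     "_VBA_PROJECT", "ThisDocument", "Module1", "Module2"])
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504 + _fake_directory(
    ["Root Entry", "WordDocument", "1Table"])
RTF_DOC = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    for label, blob in (("macro", MACRO_DOC), ("clean", CLEAN_DOC), ("rtf", RTF_DOC)):
        print(label, triage_doc(blob))
```

This is a quick triage, not a parser: it will miss names in a file whose directory has been damaged or whose container is encrypted, and a proper tool such as oletools' olevba walks the real directory and decompresses the module streams. It does answer the question that mattered in this thread before anyone clicks OK in WordPad or Word.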

#31
CharlesF

And something more: this file may have failed in a plain vanilla Win 98

but be active when KernelEx is installed...   :unsure:



#32
Nomen
> And something more is that this file can had fail in a plain vanilla Win 98
> but be active when KernelEx is installed...

Um, I run Kex on all my win-98 systems. I think it's been discussed in this thread that Kex doesn't convey any of the various heap-spray and buffer-overrun vulnerabilities that NT has to win-98.

#33
jaclaz

I wouldn't be so sure to attribute the success to Windows 98 alone, but rather to NOT opening that file with some version of MS Word.

The Wordpad ".doc converter" most likely strips off anything that is not text and its formatting.

 

If you prefer: if you open that .doc file on an NT-family OS with - say - OpenOffice, LibreOffice or Atlantis, very likely whatever is in it won't be triggered either, as it is seemingly a WORD macro:

https://www.microsof...97M/Adnel#tab=2

 

It is entirely possible that even when opened by Word the macro won't run on 9x systems, but from what you report the macro has never been executed, it simply crashed the converter. 

 

jaclaz



#34
Nomen
When I open the .doc file in MS Word (that is part of Office 2000) I get this message window:

-------------------
Microsoft Visual Basic (in the title bar)

The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.
--------------------

And while that message is on-screen, this is what the Word window looks like:

Attached file: hqPP03Lb.gif (46KB)

#35
submix8c

If that's an "unknown DOC" file (e.g. you don't know what it is and it shouldn't be trusted), you're asking for it, IMHO.

https://support.micr...en-us/kb/285514

The above link answers your question, but not what to do if you shouldn't have run that Macro in the first place.


Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#36
Nomen
> The above link answers your question,

Well, technically the above link doesn't mention Word 2000. But the point is that for whatever reason (maybe it's the default setting?) I have Word macros set to "High" (only signed macros can run). With that document open in Word, if I go to Tools, Macros, Visual Basic Editor, that brings up the MS Visual Basic project editor, where I see the name of the document in the left-hand project pane. If I try to do anything with it (like expand it, get the properties, etc.) I am prompted to provide a Project Password.

I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

#37
jaclaz

> I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

Well, I would rather attempt "cracking" the Macro password (if possible) and see what is in the actual macro. :whistle:

 

If it is a "simple", "default" password protection, the good ol' DPB= to DPx= hexedit/replacement:

http://stackoverflow...m-a-vba-project

http://superuser.com...word-from-excel

works for both Excel and Word VBA projects.

 

jaclaz



#38
Nomen
I've edited the malicious .doc file in 3 places, rendering 3 internal keys as invalid. While opening the modified document, Word throws up a VB error message for each key, giving me the option to continue loading the project - to which I say yes. I can then open the project in the VB editor, and there are 3 code windows (one for the document, and two which are labelled as Module1 and Module2). I understand that starting with MS Word 2007, I wouldn't be able to view this code or possibly even open the document given the invalid keys.

If anyone wants to see the VB code, I can post it (or the modified document itself) wherever appropriate.



