Does Win9x need Antivirus anymore?

26 replies to this topic

#26
CharlotteTheHarlot
    MSFN Master
  • Member
  • 2,054 posts
  • OS: none specified

I think it wouldn't hurt to have a couple on-demand scanners for Win9x. But anything that scans real-time would probably be completely pointless.

Agreed.

McAfee v6 still working on Win9x using current DAT files.

See here.

... Let him who hath understanding reckon the Number Of The Beast ...


#27
Nomen
    Member
  • Member
  • 187 posts
  • OS: 98SE
I was testing a malware link recently on my win-98 system (with Kex) with Firefox 2.0.0.20, Adobe reader 6.0.2, and Java 1.6.0_43. This is what happened:

The link ends up causing my system to load the Java engine and process some java code, which in turn tries to invoke acrord32.exe and render some sort of pdf file. Java and Acrord32 displayed these error messages:
------
Application Error
General Exception (!)
java.lang.NullPointerException

(ok) (Details)
-------

And this:

-------
Acrobat plug-in
! This operation is not allowed
(ok)
-------

Looking at the Details for the Java error:

-------
java.lang.NullPointerException
at sun.net.www.ParseUtil.encodePath(Unknown Source)
at sun.misc.URLClassPath$Loader.getResource(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletPanel.createSerialApplet(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
-------

Before I dismiss these error messages, I do a search for all recently-created files. I find these in windows/temp:

Acr6392.TMP
Acr6390.TMP
Acr639C.TMP

Small, useless PDF files. I can't find anywhere on the web to verify this, but I believe that Adobe Reader must create these temp files during its normal operation, so these are harmless. An AV scan on them turns up nothing.

I find this file in windows/application data/sun/java/deployment/cache/6.0/host: 31ba0019-40d9db35.hst. It's a text file that contains this: 184.82.108.82

I have this file in my Firefox cache directory: 10D13CC8d01. It contained comma-separated decimal representations of the ASCII characters for the <applet>some stuff</applet> container. It also contained period-separated values representing the ASCII characters of the JavaScript for downloading the malicious PDF, Java jar, and Shockwave Flash object. The malicious PDF contained a stream object (111), which is compressed, obfuscated JavaScript that works on yet another blob, which is the PDF heap-spray/exploit code, which in turn has two shellcode variables. The shellcodes had URLs that were not encrypted.

VirusTotal identified that file as containing: JS/Exploit-Blacole.ld - but only 2 out of 46 AV programs flagged the file as malicious.

I dismiss the java error, and then the adobe error. Immediately another Acrord error pops up (same as the first). I dismiss it. Firefox then comes back to life and displays this page:

www.google.com/search?q=404%20error

And at this point we seem to be done, with no lasting effects. This lame attempt at a browser/java/pdf exploit just bounced off my win-98 system.

I have yet to find a PDF exploit that can work correctly on the combination of win-98/Acrobat Reader 6. And the heap-spray exploits seem not to work correctly on win-98 systems as well. And many of the malware files that I seek out (as a result of following recent spam links) turn out to have a very low rate of being identified by antivirus programs - at least during their first day of circulation.
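The cache file Nomen describes hides its <applet> container and downloader script as runs of comma- or period-separated decimal character codes. As an added triage example (not code from this thread or from any member), the following decodes such runs from a cached page and flags defender-relevant markers; the sample input is constructed, and the minimum run length of 9 values is an assumption chosen so that dotted IP addresses are not decoded.

```python
import re

# Constructed sample modelled on the cache file described in the post:
# a comma-separated run encoding an <applet> tag and a period-separated
# run encoding a script fragment. Not a real captured file.
CONSTRUCTED_SAMPLE = (
    "60,97,112,112,108,101,116,32,99,111,100,101,61,34,120,46,99,108,97,115,115,34,62"
    "\n"
    "118.97.114.32.112.61.34.102.105.108.101.46.112.100.102.34.59"
)

# Nine or more 1-3 digit numbers joined by ',' or '.' (assumed threshold,
# so a dotted IPv4 address such as 184.82.108.82 is left alone).
DECIMAL_RUN = re.compile(r"(?:\d{1,3}[,.]){8,}\d{1,3}")

# Markers worth a closer look in decoded content (document markup, file
# types the post mentions, and common dynamic-code calls).
SUSPICIOUS = ("<applet", ".pdf", ".jar", ".swf", "document.write", "eval(")


def decode_decimal_runs(text):
    """Return the decoded string for every qualifying decimal run in text."""
    decoded = []
    for match in DECIMAL_RUN.finditer(text):
        values = [int(v) for v in re.split(r"[,.]", match.group(0))]
        if all(0 <= v < 256 for v in values):   # skip runs that are not bytes
            decoded.append(bytes(values).decode("latin-1"))
    return decoded


def triage(text):
    """Decode all runs and report which suspicious markers they contain."""
    decoded = decode_decimal_runs(text)
    hits = sorted({kw for d in decoded for kw in SUSPICIOUS if kw in d.lower()})
    return decoded, hits


if __name__ == "__main__":
    strings, markers = triage(CONSTRUCTED_SAMPLE)
    for s in strings:
        print("decoded:", s)
    print("markers:", markers)
```

Run it against a suspect browser cache entry to see the markup and script text the decimal encoding conceals before submitting the file for scanning.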
