Stealth Viruses Can Evade Detection by Norton Antivirus
22 Dec. 2000
Summary
A disturbing lapse in the scanning procedure of Norton Antivirus 5.0 Win32 has been discovered: viruses embedded inside documents evade the scan. This vulnerability allows a virus to avoid detection by the antivirus, but only while the virus remains inactive (i.e. the infected file will be transported successfully, but when the virus tries to attack, NAV will detect it).
Vulnerable systems:
Norton Antivirus version 5.0
Norton Antivirus version 7.01
Immune systems:
Norton Antivirus version 6.20.04
NAV 5.0 fails to detect infected embedded objects when they are enclosed inside documents; they are not detected when the file is opened, nor when it is scanned manually. NAV 'Auto Protect' does detect the malicious content when the embedded object is saved or launched from within the document, but not before. This appears to be a simple method for transporting and storing malicious content in a NAV-protected environment.
To test this, do the following:
- Turn off NAV Auto Protect.
- Obtain a copy of some malware or the EICAR test pattern file.
- Open a new Word or Excel document.
- Drag the malware from an Explorer window into the new document window.
- If prompted, pick 'copy here'.
- Close the document, right-click on it, and select 'Scan with Norton Antivirus'.
- You should see 'No viruses found in this scan'.
- Repeat the scan on the malware or pattern file.
- You will probably see a notification that a virus has been detected and/or cleaned.
- Close the document.
- Re-enable NAV Auto Protect.
- Launch the document again.
- Norton should not warn of any infection.
- If you attempt to save or launch the infected object, then Auto Protect should detect it and produce a warning.
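The gap the test above exposes, as an added example that is not part of the original advisory and is not Norton's code: a scan that matches only the file as a whole reports the document clean, while a scan that searches inside the container finds the embedded EICAR pattern. It assumes the dragged-in file is stored as an OLE Package object (stream name `\x01Ole10Native`); the function names are hypothetical and the sample document is a constructed stand-in, not a valid Word file.

```python
"""Added example: whole-file signature match vs. searching inside a document."""

# EICAR test string (68 bytes), split so this source is not itself flagged.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")            # OLE2 compound file header
# Assumption: the embedded file is kept in a Package stream with this name.
PACKAGE_STREAM = "\x01Ole10Native".encode("utf-16-le")


def whole_file_scan(data: bytes) -> bool:
    """Match only when the file itself begins with the signature."""
    return data.startswith(EICAR)


def embedded_scan(data: bytes) -> dict:
    """Search the raw container bytes for a package stream and the signature."""
    offsets = []
    pos = data.find(EICAR)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EICAR, pos + 1)
    return {
        "is_ole2": data.startswith(OLE_MAGIC),
        "has_package": PACKAGE_STREAM in data,
        "signature_offsets": offsets,
    }


def verdict(data: bytes) -> str:
    """Combine both checks into a single result string."""
    if whole_file_scan(data):
        return "infected-file"
    found = embedded_scan(data)
    if found["signature_offsets"]:
        return "infected-embedded-object" if found["has_package"] else "infected-content"
    return "clean"


def build_sample_document(payload: bytes) -> bytes:
    """Constructed stand-in for a document holding a packaged object."""
    header = OLE_MAGIC + bytes(504)                  # 512-byte header, zero-filled
    directory = PACKAGE_STREAM.ljust(128, b"\0")     # one directory entry, name only
    return header + directory + payload.ljust(512, b"\0")
```

A raw byte search like this misses content that is fragmented across sectors or stored compressed; a scanner that closes the gap parses the container and rescans each extracted stream.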