Multiple Vendor AVs Magic Byte Detection Vuln.

from »www.securityfocus.com/bid/15189/info

".. Multiple vendor anti-virus software is prone to a detection evasion vulnerability. The problem presents itself in the way various anti-virus software determines the type of file it is scanning. An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security, and ultimately could lead to the execution of arbitrary code on the victim user's machine...

...

Vulnerable:
Ukrainian National Antivirus UNA
Trend Micro PC-cillin 2005
Trend Micro OfficeScan Corporate Edition 7.0
Sophos Anti-Virus 3.91
Panda Titanium
Norman Virus Control 5.81
McAfee Internet Security Suite 7.1.5
Kaspersky Labs Anti-Virus 5.0.372
Ikarus Ikarus 2.32
F-Prot Antivirus 3.16 c
eTrust eTrust CA 7.0.14
Dr.Web Dr.Web 4.32 b
AVG AVG Anti-Virus 7.0.323
ArcaBit ArcaVir 2005.0

Not Vulnerable:
VirusBlokAda VBA32
Symantec Norton Internet Security 2005 11.5.6 .14
Symantec AntiVirus Corporate Edition 10.0
Sophos Anti-Virus 5.0.2
Sophos Anti-Virus 3.95
Softwin BitDefender 8.0
NOD32 NOD32 2.50.25
H+BEDV AntiVir Personal 6.31 .00.01
F-Secure Anti-Virus 5.56
ClamWin ClamWin 0.86.1
Avast! Antivirus Home Edition 4.6.655 ..."

edit: from »archives.neohapsis.com/archives/fulldi..

".. The problem exists in the scanning engine - in the routine that determines the file type. If some file types (file types tested are .BAT, .HTML and .EML) changed to have the MAGIC BYTE of the EXE files (MZ) at the beginning, then many antivirus programs will be unable to detect the malicious file. It will break the normal flow of the antivirus scanning and many existent and future viruses will be undetected. ..."

I wonder how AT software would fare; some of them could be vulnerable too. And FWs that scan inbound email could also be fooled, I think.
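As an added illustration (not part of the original post or either advisory), here is the kind of file-type check a scanner or mail gateway should do instead of trusting the first two bytes: an MZ header only counts as an executable if the DOS header's e_lfanew offset actually points at a PE signature, and a file whose extension says script or text but which starts with MZ is flagged for content scanning rather than skipped. The function and category names are this example's own.

```python
import struct
from pathlib import PurePosixPath

# Extensions from the advisory whose legitimate content never starts with "MZ".
TEXT_EXTENSIONS = {".bat", ".html", ".htm", ".eml"}


def has_valid_pe_header(data: bytes) -> bool:
    """True only if the MZ stub is backed by a real PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Guard against e_lfanew pointing outside the file (truncated or bogus stub).
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Decide how a scanner should treat the file, independent of the magic bytes alone.

    Returns one of:
      "pe"                - genuine PE executable, scan with the PE engine
      "magic-mismatch"    - text/script extension but MZ prefix: scan as text, flag
      "mz-without-pe"     - MZ prefix with no PE header: do not trust it, scan fully
      "not-mz"            - no MZ prefix at all
    """
    ext = PurePosixPath(filename).suffix.lower()
    if data[:2] != b"MZ":
        return "not-mz"
    if has_valid_pe_header(data):
        return "pe"
    if ext in TEXT_EXTENSIONS:
        return "magic-mismatch"
    return "mz-without-pe"


# Constructed sample inputs (not real malware): a minimal PE stub and a batch
# script with "MZ" prepended, as described in the full-disclosure post.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_BAT = b"MZ@echo off\r\necho hello\r\n"

if __name__ == "__main__":
    for name, blob in (("app.exe", SAMPLE_PE), ("run.bat", SAMPLE_BAT)):
        print(name, "->", classify(name, blob))
```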