I've become a little addicted to flickr's random interesting photos page, so I decided to find a script to rotate my wallpaper based on this set. I found a VBS script in the flickr Yahoo Hacks! group which promised just that: unfortunately, Mcafee Enterprise believed the script to be the VBS/Psyme trojan and immediately deleted it.

I found this a bit unlikely so I fetched the VBS on my linux desktop and read the source. It looked pretty innocent, so I read up a bit on this VBS/Psyme trojan.

It turns out this worm exploits an unpatched IE exploit related to something called ADODB.Stream. Sure enough, this string appears in the flickr wallpaper VBS:

'Create a Stream instance
Dim objStream
Set objStream = CreateObject("ADODB.Stream")

I started to harbour a suspicion that this Enterprise virus scanner was doing little more than simple pattern matching on the VBS. So, I changed it thusly:

'Create a Stream instance
foo = "ADO"
bar = "DB.S"
baz = "tream"
Dim objStream
Set objStream = CreateObject(foo & bar & baz)

...and it passed by without harm.

I've never personally relied on virus scanners (which I have found tend to make a windows desktop considerably slower than it would be otherwise), instead relying on savvy with regards running things, and using external firewalling. This experience hasn't changed that.


Comments