Dear Morning Wood, As shown by the recent MZ header bypass, (most) AV "analyse" the header to determine the Filetpye. I think extension based recognition is to be considered outdated.
MW> I think the OP was getting at this being an AV bypass vector for worms and MW> other malware that can interact with cmd.exe . Hmm ok, but how can it interact when it doesn't execute using explorer.exe ? Is the user going under Dos to execute it? How does that fit in the scenario ? -- http://secdev.zoller.lu Thierry Zoller _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
