CVE-2005-3222
Description
Multiple interpretation error in unspecified versions of VBA32 Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
Multiple interpretation error: the antivirus's RAR parser treats malformed central/local headers as indicating a corrupted or empty archive, while archivers interpret them as valid, causing the scanner to skip the embedded malicious payload.
Attack vector
An attacker crafts a RAR archive that contains a malicious executable (e.g., the EICAR test file) and has deliberately malformed central and local headers. The antivirus engine misinterprets the archive structure and does not scan the embedded payload, while archivers such as Winrar and PowerZip still open and extract the file normally [ref_id=1]. The attacker delivers the crafted archive to the victim; when the victim extracts it, the malicious content is released without having been detected by the antivirus [ref_id=1].
Affected code
The advisory does not specify particular functions or file paths within VBA32 Antivirus. The vulnerability lies in how the antivirus engine parses RAR file headers — specifically, it fails to correctly interpret malformed central and local headers that are still accepted by archivers like Winrar and PowerZip [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include remediation guidance from the vendor; it only documents the bypass technique and the list of antivirus products that failed to detect the payload [ref_id=1]. To close the vulnerability, the vendor would need to improve the RAR parser to correctly validate and scan archives with malformed headers, rather than treating them as empty or unparseable.
Preconditions
- config: Victim uses VBA32 Antivirus (unspecified version) as the scanning engine
- input: Attacker must craft a RAR file with malformed central and local headers that still extract correctly in Winrar or PowerZip
- input: Victim must open or extract the crafted RAR archive using a compatible archiver (e.g., Winrar, PowerZip)
Reproduction
1. Create a clean EICAR test file (eicar.com).
2. Use a RAR archiver or hex editor to produce a RAR archive with intentionally malformed central and local headers — the advisory's PoC files are named SecuBox_AVPoC1.rar and SecuBox_AVPoC2.rar [ref_id=1].
3. Scan the crafted archive with VBA32 Antivirus; the scanner reports "Found nothing" [ref_id=1].
4. Open the same archive with Winrar or PowerZip — the archive extracts successfully and the EICAR file is released [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.