Sunday, August 9, 2009

A Technique Used by Antivirus Programs

In the past, when a virus was released it was detected by antivirus experts only after 15-30 days. By then the virus had done enough damage to millions of users, as the "I love you" worm did. Antivirus experts then started using a new technique.

With this technique, when a file performs suspicious activity on the computer, the AV program does not take any action but keeps an eye on that file. Next, when you update your antivirus, these files are sent to the security experts of the antivirus vendor you are using. Sometimes you have to submit the files manually, by selecting the suspicious files and then clicking "Submit" (an option in the antivirus program). Malware analysts analyze the file, and if it is a virus they create signatures for it. In this way a virus is caught within 3-4 days and less damage is done.

Antivirus programs using this technique:-
Other antivirus vendors may also use this technique, but these are the ones I know of.
  • Eset Nod32 (Threat Sense Engine)
  • Bitdefender 10
  • Norton Antivirus 2009

So this is bad news for malware writers, but to counter it many malware writers try to delete or disable antivirus programs. A simple example is "Avkiller.Trojan". Let us discuss this Trojan in a little more detail.
--------------------------------------------------------------

Avkiller.Trojan is written in Delphi. It is usually UPX packed; the unpacked size is approximately 34 KB. So that it starts every time the PC starts, it adds the value

MSWindows C:\windows\spool16.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

This Trojan horse also terminates antivirus programs and services; for example:
  • Zonealarm.exe
  • Zapro.exe
  • Vsmon
  • Minilog
  • Minilog.exe
  • Vsmon.exe
  • Svw3
  • Blackice
  • Blackd.exe
  • Blackice.exe
  • Nisum
  • Nisserv
  • Nisum.exe
  • Nisserv.exe
  • Nmain.exe
  • Iamapp.exe
  • Iamserv.exe
  • Frw.exe
  • Persfw.exe
  • Lockdown.exe
  • Lockdown2000.exe
  • Sphinx.exe
  • Nprotect.exe
  • Ndd32.exe
  • Smc.exe
  • Netutils.exe
  • Ldnetmon.exe
  • Portmonitor.exe
  • Connectionmonitor.exe
  • Cpd.exe
  • Defwatch.exe
  • Rtvscn95.exe
  • Vpc32.exe
  • Vptray.exe
  • Poproxy.exe
  • _Avp32.exe
  • _Avpcc.exe
  • _Avpm.exe
  • Avpcc.exe
  • Avpm.exe
  • Avp.exe
  • Nav Alert
  • Nav Auto-Protect
  • Navapw32.exe
  • Alertsvc.exe
  • Navapsvc.exe
  • Navlu32.exe
  • Navw32.exe
  • Sweepnet
  • Sweepsrv.Sys
  • Swnetsup.exe
  • Icload95.exe
  • Icmon.exe
  • Icsupp95.exe
  • Icloadnt.exe
  • Icsuppnt.exe
  • Iface.exe
  • Ants.exe
  • Anti-Trojan.exe
  • Wrctrl.exe
  • Wradmin.exe
  • Cleaner3.exe
  • Cleaner.exe
  • Tc.exe
  • Tca.exe
  • Tcm.exe
  • Moolive.exe
  • Mcshield
  • Avsynmgr
  • Mcshield.exe
  • Vshwin32.exe
  • Vsmain.exe
  • Scan32.exe
  • Scrscan.exe
  • Alogserv.exe
  • Vsecomr.exe
  • Webscanx.exe
  • Avconsol.exe
  • Vsstat.exe
  • Avxw.exe
  • Avxmonitornt.exe
  • Avxmonitor9x.exe
  • Avxquar.exe.exe
  • Amon9x.exe
  • Avgserv
  • Avgserv.exe
  • Avgw.exe
  • Avgcc32.exe
  • Iomon98.exe
  • Webtrap.exe
  • Pccwin98.exe
  • Pcciomon.exe
  • Pop3trap.exe
  • Tds-3.exe
  • Ss3edit.exe
  • Doors.exe
  • Jedi.exe
  • Monitor.exe
  • Rav7win.exe
  • Rav7.exe
  • Sweep95.exe
  • Mcagent.exe
  • Mcupdate.exe
  • Claw95.exe
  • Claw95cf.exe
  • Normist.exe
  • Nvc95.exe
  • Vet95.exe
  • Vettray.exe
  • Autodown.exe
  • Rescue.exe
  • Avkserv.exe
  • Ackwin32.exe
  • Dvp95.exe
  • Dvp95_0.exe
  • F-Agnt95.exe
  • F-Prot95.exe
  • Expert.exe
  • Fp-Win.exe
  • F-Stopw.exe
  • Vir-Help.exe
  • F-Prot.exe
  • Spyxx.exe
  • Atwatch.exe
  • Atupdater.exe
  • Atcon.exe
  • Pview95.exe
  • Wgfe95.exe
  • Avgctrl.exe
  • Ldpromenu.exe
  • Ldscan.exe
  • Generics.exe
  • Processmonitor.exe
  • Programauditor.exe
  • Avsynmgr.exe
  • Guard.exe
  • Tfak.exe
  • Luall.exe
  • Lucomserver.exe
  • Trjscan.exe
  • Regrun2.exe
  • Navapsvc
  • Symproxysvc.exe
  • Neowatchtray.exe
  • Netstat.exe
  • Regedit.exe
  • Regedit95.exe
  • egui.exe
So always run a good antivirus program to keep your PC safe from malware before it gets infected.
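The two behaviours described above (the autostart value under the Run key and the termination of security-product processes) are both things a defender can check for. The script below is an added example and is not part of the original post or any antivirus product's code. It assumes a Run-key export in plain .reg text form and a list of process-termination events in (timestamp, killer, victim) form; both inputs are constructed here for illustration, and the threshold of three security processes terminated within a 60-second window is a hypothetical tuning choice.

```python
"""Detection helper for the two Avkiller behaviours described in the post.

Added example, not from the original post. All input data below is constructed.
"""
import re
from collections import defaultdict

# Registry indicator named in the post: value name and data under the Run key.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD_VALUE = ("MSWindows", r"C:\windows\spool16.exe")

# A subset of the security-product process names listed in the post.
SECURITY_PROCESSES = {
    "zonealarm.exe", "vsmon.exe", "blackice.exe", "navapsvc.exe",
    "navw32.exe", "mcshield.exe", "avp.exe", "avgserv.exe", "egui.exe",
    "regedit.exe", "netstat.exe",
}

# Constructed export of the Run key in .reg text form (not from a real host).
SAMPLE_RUN_KEY_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSWindows"="C:\\windows\\spool16.exe"
"ISTray"="C:\\Program Files\\ESET\\egui.exe /hide"
'''

# Constructed process-termination events: (timestamp in seconds, killer, victim).
SAMPLE_TERMINATION_EVENTS = [
    (100, "spool16.exe", "egui.exe"),
    (101, "spool16.exe", "vsmon.exe"),
    (101, "spool16.exe", "navapsvc.exe"),
    (102, "spool16.exe", "mcshield.exe"),
    (500, "explorer.exe", "notepad.exe"),
    (900, "taskmgr.exe", "egui.exe"),
]

# One .reg value line: "name"="data"
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_key_export(text):
    """Return {value_name: data} for the values under the Run key.

    .reg files escape backslashes as '\\\\'; they are unescaped here.
    """
    values = {}
    in_run_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = REG_LINE.match(line)
        if in_run_key and m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_autostart_indicator(values):
    """Return (name, data) if the Run value named in the post is present, else None."""
    name, data = KNOWN_BAD_VALUE
    actual = values.get(name)
    if actual is not None and actual.lower() == data.lower():
        return (name, actual)
    return None


def find_av_killers(events, threshold=3, window=60):
    """Flag processes that terminate >= threshold distinct security processes
    within `window` seconds. Returns {killer: sorted list of victims}."""
    by_killer = defaultdict(list)
    for ts, killer, victim in events:
        if victim.lower() in SECURITY_PROCESSES:
            by_killer[killer.lower()].append((ts, victim.lower()))
    flagged = {}
    for killer, kills in by_killer.items():
        kills.sort()
        for i in range(len(kills)):
            start = kills[i][0]
            victims = {v for ts, v in kills[i:] if ts - start <= window}
            if len(victims) >= threshold:
                flagged[killer] = sorted(victims)
                break
    return flagged


if __name__ == "__main__":
    run_values = parse_run_key_export(SAMPLE_RUN_KEY_EXPORT)
    print("Run key autostart indicator:", find_autostart_indicator(run_values))
    print("Processes killing security software:", find_av_killers(SAMPLE_TERMINATION_EVENTS))
```

On a real machine the Run key can be exported with `reg export` and fed to `parse_run_key_export`; the termination events would come from whatever process-auditing source the host provides. The behavioural check matters more than the single registry value, since a repacked variant can change its file name but still has to kill the same security processes to achieve its goal.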