KAV TEST Part 2
3) Malware protection:
a) Trojans and backdoors:
-BasicBackdoor: P1/P2
KAV warns about a rundll32 integrity violation: this can't really be considered an alert related to suspicious or malicious activity.
But even though the backdoor is not known to KAV labs, answering "Deny" to the alert prevents the backdoor from listening.
-BlackShell: P1/P2
P2 ("accès refusé"="access denied"):
-Gaspar Hooker (R): P1/P2
This file is able to kill any process running with user or administrator privileges.
-MistaKiller (designed to kill thousands of applications): P1/P2.
Self-protection is working:
With file anti-virus enabled, the file is detected before it starts (P2):
-HaxSpy: P1/P2
-Kuang (Byweird trojan): P1/P2
-HackArmy: P1/P2: The file is sent through Instant Messenger and executed, as many "regular" users would do:
As soon as the process starts, KAV detects the attempt to create a new autostart entry, and a second popup warns about the "Trojan.Generic" detection:
Finally, a rollback can be done to delete the fake msnmsgs.exe file:
The file is detected by Web or File AV anyway:
-Morwill trojan clicker: P1/P2 (invader alert)
-MSN to CGI: F1/P2. The real MSN is killed as soon as the fake one is started (the real MSN's end time and the fake MSN's start time are shown in the picture).
Fortunately, the tool is detected by file AV (P2):
-MSN Pass Sender: F1/P2
The file can be launched, create message hooks and connect to the network without any kind of alert.
It can only be blocked if the antivirus file protection is enabled (P2: the file is known to KAV as malware).
In addition, the malware can create files and folders and launch them for its own purposes without any kind of alert.
The message hooks of the fake csrss.exe shown by IceSword:
-PhPing: F1/P2:
P2:
-Registrator (trojan downloader): P1/P2: As soon as the downloader is started, KAV detects the launch of QBtools.exe as a "hidden installation into system", without user interaction:
Once "Deny" is selected, the downloader itself is killed: it couldn't even start to download/drop other files; as we can see, QBtools.exe wasn't started at all:
With file AV, QBtools.exe is detected during install:
-tibs: P1/P2:
P2 ("accès refusé"="access denied"):
-Start (Backdoor Agent): P1/P2
KAV's proactive module only prevents the malware from becoming persistent: it prevents neither file creation nor the malware from running.
-TX backdoor: P1/P2
-XPKiller: F1/P2: The Automatic Updates and XP Firewall services are killed without notice, and their files are deleted from the system. There is no way to restart them.
Fortunately, the file is detected by file AV (P2):