Published by SSTA

b) Worms and viruses:

- Feebs: P1/P2. KAV detects the launch of the IE browser, which can be blocked, and detects the startup entry once mshta.exe is running. Mshta.exe is not killed, but no harmful changes are made.

AV detection:

- WormRays: P1/P2. WormRays is blocked instantly once launched, because of its attempt to register itself at startup. The process can then be killed, and the changes can be rolled back in the following prompts.

(The rollback seems to fail, but it is in fact complete: the run key was never created in the first place):

AV detection:

- Ganda: P1/P2. Here too, the malware is killed (can be killed) as soon as it is launched, KAV detecting it as "trojan.generic" because of the autostart attempt.

Here too, the rollback is complete, despite the error reported (KAV doesn't find the run key, but it did prevent it from being created):

AV detection:

- "virus" (unknown to AV vendors): P1/P2

The file is not known as malware (not in the signature database), but its main action (installing keyboard hooks) can easily be blocked.

c) Script protection:

Here we assume that the target host is not hardened (in a home environment, Windows Scripting Host is not necessary and should be disabled to avoid security risks):

- with a script which can disable System Restore: P1/P2

' Connect to the WMI SystemRestore class on the local machine
' (the namespace is root\default; the backslash was lost in the original listing)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")

Set objItem = objWMIService.Get("SystemRestore")
' Disable System Restore on all drives ("" = all), then enable it again
errResults = objItem.Disable("")
errResults = objItem.Enable("")

- with the Finjan VBS (once executed, it copies document files and creates a folder on the desktop called "you have been hacked"): F1/F2

- with the GesWall script test: F1/F2 (only the run keys for the backdoor are blocked)

- Dlhello virus: P1/P2. The .vbs is detected before it runs.

AV detection:

See the other "virus, worm, and scripts" pages for more tests on this class of malware.
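The hardening remark above (Windows Scripting Host is not needed on a home machine) can be audited and applied from PowerShell. This is an added example, not code from the original post; it assumes an elevated Windows PowerShell session for the HKLM change, and the `Get-WshState` / `Disable-Wsh` names are my own.

```powershell
# Added example (not from the original post): audit whether Windows Script Host
# is disabled, as recommended for a home machine, and optionally disable it.
# Assumes an elevated session for the machine-wide (HKLM) change.
function Get-WshState {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
        'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    )
    foreach ($p in $paths) {
        $enabled = $null
        if (Test-Path $p) {
            $enabled = (Get-ItemProperty -Path $p -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        # A missing "Enabled" value means WSH is enabled (the Windows default).
        [pscustomobject]@{
            Hive     = $p.Split(':')[0]
            Disabled = ($null -ne $enabled -and [int]$enabled -eq 0)
        }
    }
}

function Disable-Wsh {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # Enabled = 0 makes wscript.exe / cscript.exe refuse to run .vbs and .js scripts,
    # so a script like the System Restore one above never executes.
    Set-ItemProperty -Path $p -Name Enabled -Value 0 -Type DWord
}

Get-WshState | Format-Table -AutoSize
```

Run `Disable-Wsh` only after confirming no legitimate logon or maintenance scripts depend on WSH; a per-user block can be set the same way under the HKCU path.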

d) Spyware and adware:

- Trytofind adware: P1/P2

Test first done in 2006-08 with a "fail" result:

Another toolbar which promotes Viagra... with spam... what a success... or an invasion...

But it seems that Kaspersky Lab does not consider it adware:

Prevention and detection (if we allow the toolbar):

www.ieplugin.com/download.html: P1/P2

With the antivirus file protection enabled (P2):

For Firefox: www.voonda.com/toolbar/install.shtml: F1/F2

The scan and the AV resident protection give no results (F2):

And uninstall.exe is fake (the user will not get rid of the toolbar by running this uninstaller).

Detection after the installation:

- 180search assistant: P1/P2. The run key is blocked, but since the options are "allow/deny", the process is not killed. It opens hidden connections after 2 min, in order to download some more components. One of them is detected by Web AV. If we allow it, the new malware is detected as "invader" anyway, and killed.

So a few files are left behind, but they stay inert, and nothing is able to do harm after a reboot (except some links dropped in the IE history).

AV detection:

- Adware shop SahaAgent: P1/P2. KAV detects the attempts to inject the .dll into other processes and to launch hidden instances of the IE browser, which can be blocked. If the browser launch is blocked, no connections can be established by the malware, and a run key is finally blocked too.

If I launch the browser (on purpose), the malware still can't connect: it is actually neutralized.

(Note: the hidden attribute should be reported in the first prompt; as you can see, this is not the case. Only after the browser launch is blocked does KAV report the prevention of a hidden IE instance.)

AV detection:

- Adware Wintools.A: P1/P2. KAV detects it right after the creation of the files in Program Files/Common Files; the malware can't even open its connections. Then KAV allows the user to roll back the changes made: the toolbar isn't created in IE (in fact, the malware was killed before it could perform all the changes it needed).

However, KAV didn't see ALL the changes made by the malware: for example, here the file WSup.exe was left behind, with numerous entries and keys in the registry:

But since the most important changes were blocked and rolled back, the test is passed. E.g. the explorer bars key is free of junk:

- Spyware WinFixer: P1/P2

This is one of the most prevalent pests on the Web: we guess that every computer user has someone in their environment (family, friends, etc.) who has "met" this pest.
It's important to note that among prevalent malware, many are designed by the "marketing industry" (ads).

Damned! Madre de Dios! Nom de Dieu! 204 pests found! What an effective antivirus... we really need WinAntivirusPro!
In addition, it speaks excellent French! We definitely love it!

e) Rootkits and stealth keyloggers


Published in KASPERSKY 6 TEST
