New rogue: Internet Antivirus Pro
I was analyzing this rogue manually today and I wanted to show you how it hooks into your system.
To start off, a screen we are familiar with: many false detections.
This is a screen cap of one of our analysis tools:
The rogue program creates five different run entries (which means it will try to run again each time you turn on your PC).
Notice how it uses legitimate Windows file names such as winlogon.exe or services.exe. This is to confuse users who will do Google searches and find out that winlogon.exe is actually a legitimate file. Well, in the world of computer viruses a name does not mean anything… I could name a file “sweetlittleflower” and yet it could be so nasty!
In our jargon, we identify binaries (files) with 'scientific' methods, for example MD5 hashing, SHA-1, etc. Not that they are foolproof, but that's how most AV products still work these days…
Jerome
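As an added example (not from the original post), here is the defender's side of the point above: audit autorun entries by content hash rather than by file name, so a rogue borrowing the name winlogon.exe or services.exe is still caught. The Run-key entries, the "genuine" binaries and the rogue file contents are constructed stand-ins; SYSTEM_BINARY_NAMES and the paths are assumptions.

```python
import hashlib
import ntpath

# Names the rogue borrowed from Windows (from the post). A real audit would load
# the full inventory of genuine system binaries instead of this short set.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

def sha1_hex(data: bytes) -> str:
    """Identify a binary by its content, not its name."""
    return hashlib.sha1(data).hexdigest()

def audit_run_entries(entries, known_good_sha1):
    """Flag Run-key entries whose image borrows a Windows system file name.
    entries: iterable of (value_name, image_path, image_bytes);
    known_good_sha1: SHA-1 digests of the genuine binaries on this machine.
    Returns a list of (value_name, image_path, reason)."""
    findings = []
    for value_name, image_path, image_bytes in entries:
        name = ntpath.basename(image_path).lower()
        if name not in SYSTEM_BINARY_NAMES:
            continue  # not masquerading as a system file; out of scope here
        if not image_path.lower().startswith(SYSTEM_DIR):
            findings.append((value_name, image_path, "system file name outside System32"))
        elif sha1_hex(image_bytes) not in known_good_sha1:
            findings.append((value_name, image_path, "correct path but hash is not the genuine file"))
    return findings

# --- constructed sample data: stand-ins, not real binaries or real rogue paths ---
GENUINE = {
    "winlogon.exe": b"constructed stand-in for the genuine winlogon.exe",
    "services.exe": b"constructed stand-in for the genuine services.exe",
    "lsass.exe": b"constructed stand-in for the genuine lsass.exe",
}
KNOWN_GOOD_SHA1 = {sha1_hex(b) for b in GENUINE.values()}
ROGUE = b"constructed stand-in for the rogue's dropped executable"
SAMPLE_ENTRIES = [
    ("Logon", r"C:\Windows\System32\winlogon.exe", GENUINE["winlogon.exe"]),  # genuine: passes
    ("winlogon", r"C:\Users\Public\winlogon.exe", ROGUE),          # right name, wrong place
    ("services", r"C:\Windows\services.exe", ROGUE),               # right name, wrong place
    ("lsass", r"C:\Windows\System32\lsass.exe", ROGUE),            # right name and place, wrong hash
    ("Updater", r"C:\Program Files\Vendor\updater.exe", b"vendor tool"),  # not a system name
]

def run_audit():
    return audit_run_entries(SAMPLE_ENTRIES, KNOWN_GOOD_SHA1)

if __name__ == "__main__":
    for value_name, path, reason in run_audit():
        print(f"{value_name:10} {path:40} {reason}")
```

Only the hash comparison catches the fourth entry; a name- or path-only check would have passed it.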