Wilders Security Forums  

  #1  
Old May 2nd, 2007, 12:22 AM
Genghis Khan Genghis Khan is offline
Infrequent Poster
 
Join Date: Feb 2007
Location: Ulan Bator
Posts: 7
Default AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Recently, I saw an article written by MJ0011 (a programmer from a famous Chinese security software vendor, 360safe) in her blog.

MJ0011 programmed an anti-rootkit software for 360safe that can find new rootkits, see here.
She said that AntiVir, Dr.WEB (VirusChaser), Mcafee, Norton, NOD32 are "rubbish softwares".

Here is exactly what she said, you can see her words in 360safe forum here or in her blog here.
Quote:
AntiVir, Dr.WEB (VirusChaser), Mcafee, Norton, NOD32 are easy to bypass because they are using the outdated File System Filter Driver to monitor files. A little function can destroy all these antivirus softwares, like the IoGetBaseFileSystemDeviceObject function.

The antivirus software that uses outdated file system includes: AntiVir, Dr.WEB, Mcafee (Mcafee even had a bug in its file filter driver that can cause the blue screen), Norton, NOD32.

These antivirus software make no attempt to make progress; they don't know how to use new technologies. (In contrast, Kaspersky does it very well.)
This leads to so-called protection that is very easy for hackers to bypass or totally destroy.

When using these softwares, you have to take a great risk.


I want to know whether her statement is trustworthy or not?

Last edited by Genghis Khan : May 2nd, 2007 at 12:45 AM.
  #2  
Old May 2nd, 2007, 12:58 AM
sukarof sukarof is offline
Very Frequent Poster
 
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,450
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Tell her to keep the page alive a couple of days, I have to learn Chinese first
__________________
Ubuntu 64 8.10
  #3  
Old May 2nd, 2007, 01:27 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Yes, it would be appreciated if someone has a cache of the pages, I will need them in future.
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #4  
Old May 2nd, 2007, 01:34 AM
BrainWarp BrainWarp is offline
Frequent Poster
 
Join Date: Aug 2004
Posts: 276
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Interesting.
__________________
Win 7x64 look-n-stop prevx and Dr.Web security space pro
  #5  
Old May 2nd, 2007, 02:17 AM
MR X MR X is offline
Infrequent Poster
 
Join Date: Feb 2007
Posts: 14
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

humm not so sure i believe here. seems like 360safe is not so-safe after all.

A new worm, threat and keylogger has been found. Here are the details of the worm, its risk, and how to remove it manually; read carefully.


DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries high system risk, as the malicious dropper will disable some commonly used anti-virus software and prevent security applications from opening. Other reported symptoms of infection include being unable to update virus signatures and being unable to access or load antivirus websites or forums. All these effects make the removal or disinfection process for the Worm.Pabug.ck/co virus a little bit harder.

The worm can’t self-propagate. It is likely that the system becomes infected when a user downloads an executable file from email, messenger, a board, or a download center and runs the file. It is also possible that it is installed by other malicious code (worms, viruses and trojan horses). The worm, which is a dropper, will create the following files when executed:
%systemroot%\system32\gfosdg.exe or jusodl.exe
%systemroot%\system32\gfosdg.dll or jusodl.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X represents a non-system hard drive. The %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files is C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP).
Besides, the dropper also adds the following values to Windows registry keys by executing noruns.reg, and then deletes the file once done, so that it runs itself automatically whenever Windows starts.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
The above changes the autorun method of the drive.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jusodl" = "C:\WINDOWS\system32\severe.exe"
"pnvifj" = "C:\WINDOWS\system32\jusodl.exe"
or
"mpnxyl" = "C:\WINDOWS\system32\gfosdg.exe"
"gfosdg" = "C:\WINDOWS\system32\severe.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe C:\WINDOWS\system32\drivers\conime.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Debugger = Windows system folder\drivers\pnvifj.exe
or
"Debugger"="C:\WINDOWS\system32\drivers\mpnxyl.exe"
The above registry value is set in child registry keys named after the executable file names of security programs, so that when these security programs are double-clicked, it is the virus file that is run. The child registry keys include:
The worm terminates the following running process(es). Targets (listed below) are antivirus software, firewalls, system processes, and other malicious code. It uses ‘net stop’, and uses sc.exe to forbid usage of these services with the command “config [service_name] start=disabled”:
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
The virus also terminates the following processes and stops them from running:
It also modifies the HOSTS file to keep the user from connecting to specific addresses. Generally, the addresses are homepages of Internet security sites and antivirus engine update servers, so the infected system’s user can’t get information or engine updates to scan for and remove the malicious code.
The following addresses are blocked:
The virus may also affect USB flash drives or portable hard disks, by autorunning OSO.exe. All non-system partitions will contain the OSO.exe and autorun.inf virus files too. Besides, the system time may be changed to cause some antivirus programs to expire.
How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually
To run an antivirus program that has been disabled, you can try renaming the antivirus executable file to another file name, and then running the renamed file.
Terminate the following processes (tasks) using Task Manager (alternatively, you can use procexp):
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe
Remove the registry keys added by the virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (http://www.microsoft.com/technet/sys.../Autoruns.mspx) (for Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid mistakenly deleting valid entries). This will allow antivirus or security software and system utilities such as IceSword, SREng, etc. to function properly again:
Remove the following autorun-on-Windows-startup registry entries located at the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key by using Registry Editor or SREng (System Repair Engineer):
"mpnxyl"="C:\WINDOWS\system32\gfosdg.exe"
"gfosdg"="C:\WINDOWS\system32\severe.exe"
Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double-click on it and remove the text after "Explorer.exe" in the value data, so that it looks like this:
"shell"="Explorer.exe"
Next, delete all files planted by the virus. Note that even right-clicking on these infected files may trigger the infection process, so it’s recommended to use IceSword or WinRAR to delete these files:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X means all non-system partitions, including your USB flash drive and portable hard disk.
System Recovery and Clean Up
Navigate to the following registry keys and add back the original values.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
The "NoDriveTypeAutoRun" value varies depending on the system; normally by default it is set to 91 (in hex).
Next, remove all contents added by the worm from the Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts, and remove the entries or lines specified above. If you’re using SREng, simply click on “System Recovery” -> “Hosts file”, then click “Replace” and then “Save”.
Finally, you will need to recover, repair or reinstall the antivirus program if it has been damaged.



Take Care
ENJOY
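
Added example, not part of the post above and not code from any tool named in this thread: a defender-side check for the tamper points the analysis describes (Image File Execution Options "Debugger" values, an altered Winlogon "Shell", a disabled SHOWALL setting, and hosts entries pointing names at loopback). It works on `reg export` text and hosts-file text; the function names, the sample registry fragment and the placeholder host names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format, using values quoted in the post above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

# Constructed sample hosts file; the host names are placeholders.
SAMPLE_HOSTS = """
127.0.0.1 localhost
127.0.0.1 www.av-vendor.example
127.0.0.1   updates.av-vendor.example   # trailing comment
# 127.0.0.1 commented.out.example
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

IFEO = (r'hkey_local_machine\software\microsoft\windows nt\currentversion'
        r'\image file execution options') + '\\'
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
SHOWALL = (r'hkey_local_machine\software\microsoft\windows\currentversion'
           r'\explorer\advanced\folder\hidden\showall')


def parse_reg_export(text):
    """Parse string and dword values from .reg text into {key: {name: data}}.
    Key and value names are lower-cased; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2).strip()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg strings escape backslash and quote with a backslash
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys


def audit_registry(keys):
    """Return (check, item, data) tuples for the tamper points in the analysis."""
    findings = []
    for path, values in keys.items():
        # A Debugger value under an IFEO subkey redirects launches of that image.
        if path.startswith(IFEO) and 'debugger' in values:
            findings.append(('ifeo-debugger', path[len(IFEO):], values['debugger']))
    shell = keys.get(WINLOGON, {}).get('shell')
    if shell is not None and shell.strip().lower() != 'explorer.exe':
        findings.append(('winlogon-shell', 'Shell', shell))
    checked = keys.get(SHOWALL, {}).get('checkedvalue')
    if checked is not None and checked != 1:
        findings.append(('showall-disabled', 'CheckedValue', checked))
    return findings


def audit_hosts(text):
    """List host names mapped to loopback or 0.0.0.0, other than localhost.
    0.0.0.0 and ::1 are variants added here; the post only shows 127.0.0.1."""
    blocked = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and fields[0] in ('127.0.0.1', '0.0.0.0', '::1'):
            blocked += [h.lower() for h in fields[1:] if h.lower() != 'localhost']
    return blocked


if __name__ == '__main__':
    for finding in audit_registry(parse_reg_export(SAMPLE_REG)):
        print(finding)
    print(audit_hosts(SAMPLE_HOSTS))
```

Files written by regedit's export are UTF-16, so decode them accordingly before passing the text to `parse_reg_export`. A loopback hosts entry can also come from a legitimate blocklist, so treat the hosts output as a list to review.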
  #6  
Old May 2nd, 2007, 02:35 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

I do not see ANY of those registry entries or files on my computer, and I did visit all the sites. Saw in hidden mode as well, checked regedit...nothing. So what's up with that?
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #7  
Old May 2nd, 2007, 02:41 AM
Genghis Khan Genghis Khan is offline
Infrequent Poster
 
Join Date: Feb 2007
Location: Ulan Bator
Posts: 7
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

MR. X , you just posted a virus analysis.

It has no connection with our topic.

What are you doing? Just stop flooding.
  #8  
Old May 2nd, 2007, 02:44 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by Genghis Khan
MR. X , you just posted a virus analysis.

It has no connection with our topic.

What are you doing? Just stop flooding.
I think he posted it because it affects 360Safe. Also, this malware blocks 360Safe's own website. Why would a malware creator block his/her own site?
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #9  
Old May 2nd, 2007, 02:57 AM
coldplay coldplay is offline
Regular Poster
 
Join Date: Nov 2006
Posts: 191
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

360safe is a famous ******** software on the Chinese market; they don't crap talk about Kaspersky because they are business partners of Kaspersky. 360safe doesn't clean certain malware which is made by its partners. In fact, the CEO of this company used to be a very famous malware writer.
  #10  
Old May 2nd, 2007, 03:01 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by coldplay
360safe is a famous ******** software on the Chinese market; they don't crap talk about Kaspersky because they are business partners of Kaspersky. 360safe doesn't clean certain malware which is made by its partners. In fact, the CEO of this company used to be a very famous malware writer.
"********" software?

Why?

Business partners of Kaspersky? Now that explains a lot....But why did she choose only these particular vendors to bash instead of every other vendor except Kaspersky?
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #11  
Old May 2nd, 2007, 03:03 AM
Genghis Khan Genghis Khan is offline
Infrequent Poster
 
Join Date: Feb 2007
Location: Ulan Bator
Posts: 7
Default NOD32 is a rubbish software ?

Recently, I saw an article written by MJ0011 (a programmer from a famous Chinese security software vendor, 360safe) in her blog.

MJ0011 programmed an anti-rootkit software for 360safe that can find new rootkits, see here.
She said that AntiVir, Dr.WEB (VirusChaser), Mcafee, Norton, NOD32 are "rubbish softwares".

Here is exactly what she said, you can see her words in 360safe forum here or in her blog here.
Quote:
AntiVir, Dr.WEB (VirusChaser), Mcafee, Norton, NOD32 are easy to bypass because they are using the outdated File System Filter Driver to monitor files. A little function can destroy all these antivirus softwares, like the IoGetBaseFileSystemDeviceObject function.

The antivirus software that uses outdated file system includes: AntiVir, Dr.WEB, Mcafee (Mcafee even had a bug in its file filter driver that can cause the blue screen), Norton, NOD32.

These antivirus software make no attempt to make progress; they don't know how to use new technologies. (In contrast, Kaspersky does it very well.)
This leads to so-called protection that is very easy for hackers to bypass or totally destroy.

When using these softwares, you have to take a great risk.


I want to know whether her statement is trustworthy or not?
  #12  
Old May 2nd, 2007, 03:21 AM
NAMOR NAMOR is offline
Very Frequent Poster
 
Join Date: May 2004
Location: Arkham Asylum
Posts: 1,301
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by coldplay
360safe is a famous ******** software on the Chinese market; they don't crap talk about Kaspersky because they are business partners of Kaspersky. 360safe doesn't clean certain malware which is made by its partners. In fact, the CEO of this company used to be a very famous malware writer.


So is it a KAV clone? All the GUI images that I have seen for 360safe have the kaspersky badge plastered on them.
__________________
Windows 7 64bit
Why is it drug addicts and computer aficionados are both called users? - Clifford Stoll
  #13  
Old May 2nd, 2007, 03:26 AM
Genghis Khan Genghis Khan is offline
Infrequent Poster
 
Join Date: Feb 2007
Location: Ulan Bator
Posts: 7
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by Firecat
"********" software?
But why did she choose only these particular vendors to bash instead of every other vendor except Kaspersky?

That's exactly what I want to know. Do they really have such a shortage?
  #14  
Old May 2nd, 2007, 03:29 AM
coldplay coldplay is offline
Regular Poster
 
Join Date: Nov 2006
Posts: 191
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by Firecat
"********" software?

Why?

Business partners of Kaspersky? Now that explains a lot....But why did she choose only these particular vendors to bash instead of every other vendor except Kaspersky?

Those AV vendors are major competitors of Kaspersky, sharing the same target consumers with Kaspersky.

@NAMOR:
No, it's not a clone of any AV, it's more like a cleaner but not a CCleaner kind of cleaner. You know what, I really can't think of any similar English products atm.

Last edited by coldplay : May 2nd, 2007 at 03:38 AM.
  #15  
Old May 2nd, 2007, 03:30 AM
prius04 prius04 is offline
Frequent Poster
 
Join Date: Apr 2007
Location: USA
Posts: 560
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Yeah, someone posted the following quote from a Red Herring article:

"What evidently prompted Alibaba’s open attack on Mr. Zhou was Qihoo’s launch in late July of free antivirus software called 360safe, developed in cooperation with the Moscow-based antivirus company Kaspersky Labs.

360safe includes Yahoo Assistant, which remains one of the key drivers of traffic to Yahoo China, on the list of malware that it disables."
  #16  
Old May 2nd, 2007, 03:31 AM
Genghis Khan Genghis Khan is offline
Infrequent Poster
 
Join Date: Feb 2007
Location: Ulan Bator
Posts: 7
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by NAMOR
So is it a KAV clone? All the GUI images that I have seen for 360safe have the kaspersky badge plastered on them.

No, it is not a KAV clone. Actually, 360safe is more like an anti-adware software with some functions of system utilities software.

It has a partnership with Kaspersky. You can have a half-year free key of KAV6 if you download 360safe. So Kaspersky can be widely spread.
  #17  
Old May 2nd, 2007, 03:37 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by Genghis Khan
No, it is not a KAV clone. Actually, 360safe is more like an anti-adware software with some functions of system utilities software.

It has a partnership with Kaspersky. You can have a half-year free key of KAV6 if you download 360safe. So Kaspersky can be widely spread.
So they're like a reseller of Kaspersky? First we had that Chinese NOD32 distributor bashing AntiVir and now this....Utter nonsense, I find it very strange that both Eset and Kaspersky allow this BS to continue.
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #18  
Old May 2nd, 2007, 03:40 AM
coldplay coldplay is offline
Regular Poster
 
Join Date: Nov 2006
Posts: 191
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by Firecat
First we had that Chinese NOD32 distributor bashing AntiVir

lmao, who is that guy? Can I have some links?
  #19  
Old May 2nd, 2007, 03:47 AM
prius04 prius04 is offline
Frequent Poster
 
Join Date: Apr 2007
Location: USA
Posts: 560
Default Re: NOD32 is a rubbish software ?

Quote:
Originally Posted by Genghis Khan
I want to know that whether her statement is trustworthy or not ?
The answer is, "Not". Apparently, this company has zero credibility.


"What evidently prompted Alibaba’s open attack on Mr. Zhou was Qihoo’s launch in late July of free antivirus software called 360safe, developed in cooperation with the Moscow-based antivirus company Kaspersky Labs. 360safe includes Yahoo Assistant, which remains one of the key drivers of traffic to Yahoo China, on the list of malware that it disables."



"In September of this year [2006], Yahoo China filed suit against Beijing Sanjiwuxian, which was founded by a former Yahoo China general manager, charging the company with unfair competition. Yahoo China is operated by Alibaba.com Corp., the Chinese Internet company that took over Yahoo Inc.'s Chinese operations in 2005.

The suit charged Beijing Sanjiwuxian, which operates the Qihoo.com Web portal, with offering software, called 360safe, that reports the Yahoo Toolbar as malware and advises users to uninstall it. Yahoo Toolbar is offered by Yahoo China for free and includes antivirus protection as well as access to Yahoo services, such as Yahoo's search engine and Yahoo Mail. The Beijing No. 2 Intermediate People's Court ruled in favor of Yahoo China, and ordered Beijing Sanjiwuxian to stop engaging in anticompetitive activities and to compensate Yahoo China for unspecified damages and legal costs, Alibaba said. Beijing Sanjiwuxian must also make a public statement that "clarifies all incorrect allegations" made against Yahoo China.

Beijing Sanjiwuxian executives could not be reached for comment."
  #20  
Old May 2nd, 2007, 03:51 AM
Firecat Firecat is offline
Incredibly Massive Poster
 
Join Date: Jan 2005
Location: The land of no identity :D
Posts: 7,030
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Quote:
Originally Posted by coldplay
lmao, who is that guy? Can I have some links?
http://www.wilderssecurity.com/showthread.php?t=169919

Apparently the tester wanted to prove that NOD32 has best heuristics on Earth and AntiVir flags packers instead of identifying malware. Turns out NOD32 didn't do so well anyway, and the tester was working at NOD32's China distributor. You'll also find all the Chinese language links you want related to the topic in the above thread.

Read the thread carefully and properly, lots of interesting twists
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

  #21  
Old May 2nd, 2007, 03:59 AM
NAMOR NAMOR is offline
Very Frequent Poster
 
Join Date: May 2004
Location: Arkham Asylum
Posts: 1,301
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Thanks Genghis Khan and coldplay for answering my question.
__________________
Windows 7 64bit
Why is it drug addicts and computer aficionados are both called users? - Clifford Stoll
  #22  
Old May 2nd, 2007, 04:10 AM
coldplay coldplay is offline
Regular Poster
 
Join Date: Nov 2006
Posts: 191
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

thx for the link, I have read that test on Chinese forums. The poster on wilder or the one on nod32 forum added their own conclusion. The original writer was bashing Rising actually.
  #23  
Old May 2nd, 2007, 05:18 AM
De Hollander De Hollander is offline
Frequent Poster
 
Join Date: Sep 2005
Location: Windmills and cows
Posts: 524
Default Re: AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

It's almost like a marketing virus.....at this moment there are topics on several forums...
__________________
AVAST - ZEMANA - MBAM - SAS - SPYWAREBLASTER - SPYBOT IMMUNIZATION - ACRONIS
  #24  
Old May 2nd, 2007, 05:47 AM
SexIsGood4U SexIsGood4U is offline
Regular Poster
 
Join Date: Apr 2005
Posts: 54
Thumbs down Re: NOD32 is a rubbish software ?

ATTENTION: Genghis Khan

You have just joined to TWACK club.

Stop creating multi topics on the same CRAP.
Humans create "things", being that we create solutions, and we new create problems as well. So is not nearly everything and anything possible?

Do you use NOD32 ?
  #25  
Old May 2nd, 2007, 06:41 AM
The_Duality The_Duality is offline
Frequent Poster
 
Join Date: Apr 2007
Location: Liverpool, UK
Posts: 274
Default Re: NOD32 is a rubbish software ?

Quote:
Originally Posted by SexIsGood4U
ATTENTION: Genghis Khan

You have just joined to TWACK club.

Stop creating multi topics on the same CRAP.
Humans create "things", being that we create solutions, and we new create problems as well. So is not nearly everything and anything possible?

Do you use NOD32 ?

I don't see the need for that...

Genghis Khan was not bashing NOD32. All he did was post a link to a blog, asking whether its reasoning was reliable, and the source was trustworthy.
__________________
Last edited by Duality : Today, at 6.50 PM. Reason: Added extra sarcasm
 
