Hey PrevX Support. Is PrevX able to detect Induc in general or only specific infected files? What about any patching virus? How is PrevX able to detect these files? I ask because I didn't get any response to the Induc sample I sent in...
We do detect a number of Induc samples but we saw only a small uptick in reports and then it has dropped down significantly. We're still monitoring the infection, however, but it looks like it was just seeded in a finite number of files.
Oh no! Induc is spreading widely. I would like to give just a few examples:
QIP8095.exe
TidyFavorites
FinalUninstall_setup.exe
ANYTV_SETUP_2.4.1
Preispiraten 6
~Multiple Virus Total links removed per Policy.~
Glary Registry Repair
RegRepair
The GiveAwayOfTheDay software is infected as well! http://de.giveawayoftheday.com/gold-audio-suite/ http://www.soundeditingsoftware.net/ And I could go on. There is no real damage caused by the virus, but I think it should wake us all up! The infected files are ALL on the servers right now and they are infecting a lot of people! That's evidence of incapacity by companies like ComputerBild, Chip.de, GiveAway and many more. But the AV companies should also work on that problem. So my question was: Is PrevX only able to detect the flagged infected files, or is it able to detect every zero-time file that is infected by Induc?
We have a generic signature in place to block infected files but if you find anything which gets past us, please let us know
Ok. That answers my question. I think the installers are quite difficult to detect, but most of the unpacked infected files are being caught.
The difficulty lies in the fact that the signature can appear anywhere within the program, thanks to the fact that the virus exists before the compilation happens. It is indeed a good technique (in a bad way) to use, and I suspect we'll be seeing more like this in the future, possibly from the other high-level frameworks sooner because of their interdependency on linked runtimes.
The funniest story about Induc I found is that Sophos has found Induc code in other malicious files. So they consider that the malware authors got infected by Induc too... ^^ So there... Serves them right!
We see this a lot also - it's probably the purest form of real viruses, when a virus and another virus combine to form a new one.