AntiVir,Dr.WEB,Mcafee,Norton,NOD32 are easy to bypass ?

Discussion in 'other anti-virus software' started by Genghis Khan, May 2, 2007.

Thread Status:
Not open for further replies.
  1. Genghis Khan

    Genghis Khan Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    7
    Location:
    Ulan Bator
    Recently, I had just saw an article writen by MJ0011 (a programmer from a famours Chinese security software vendor 360safe) in her blog.

    MJ0011 programmed an anti-rootkit software for 360safe that can found new rootkits, see here.
    She said that AntiVir,Dr.WEB(VirusChaser),Mcafee,Norton,NOD32 are "rubbish softwares".

    Here is exactly what she said, you can see her words in 360safe forum here or in her blog here.

    I want to know that whether her statement is trustworthy or not ? o_O
     
    Last edited: May 2, 2007
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Tell her to keep the page alive a couple of days, I have to learn Chinese first :)
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Yes, it would be appreciated if someone has a cache of the pages, I will need them in future. :)
     
  4. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    287
    Interesting.
     
  5. MR X

    MR X Registered Member

    Joined:
    Feb 21, 2007
    Posts:
    15
    humm not so sure i believe here. seems like 360safe is not so-safe after all.

    A new Worm , Threat and Key logger has been founded here is the detail of the worm and its risk and how to remove it manually read carefully.


    DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries high system risk as the malicious dropper will disable some commonly used anti-virus software and unable to open security applications. Other reported infected symptoms include unable to update virus signatures, unable to access or load antivirus websites or forums. All these effects caused the removal or disinfection process for Worm.Pabug.ck/co virus a little bit harder.

    The worm can’t self-propagate. It is likely that the system could be infected when a user downloads an executable file from email, messenger, board, and download centers and run the file. Or, it is possible that it is installed by other malicious codes (worms, viruses and trojan horses). The worm which is a dropper, when executed, will create the following files:
    %systemroot%\system32\gfosdg.exe or jusodl.exe
    %systemroot%\system32\gfosdg.dll or jusodl.dll
    %systemroot%\system32\severe.exe
    %systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe
    %systemroot%\system32\drivers\conime.exe
    %systemroot%\system32\hx1.bat
    %systemroot%\system32\noruns.reg
    X:\OSO.exe
    X:\autorun.inf
    X represents non-system hard drive. %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files are C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP).
    Beside, the dropper also adds the following value to Windows registry key entries by executing noruns.reg and then delete the file once done to run itself automatically whenever Windows starts.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
    “NoDriveTypeAutoRun”=dword:b5
    Above change the auto run method of the drive.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
    “jusodl” = “C:\WINDOWS\system32\severe.exe”
    “pnvifj” = “C:\WINDOWS\system32\jusodl.exe”
    or
    “mpnxyl” = “C:\WINDOWS\system32\gfosdg.exe”
    “gfosdg” = “C:\WINDOWS\system32\severe.exe”
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    “Shell” = “explorer.exe C:\WINDOWS\system32\drivers\conime.exe”
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    Debugger = Windows system folder\drivers\pnvifj.exe
    or
    “Debugger”=”C:\WINDOWS\system32\drivers\mpnxyl.exe ”
    The above registry value is for the child registry key which based on the executables file names of the security programs, so that when these security software are been double clicked, the virus file that is been run. The child registry keys include:
    + 360Safe.exe
    + adam.exe
    + avp.com
    + avp.exe
    + IceSword.exe
    + iparmo.exe
    + kabaload.exe
    + KRegEx.exe
    + KvDetect.exe
    + KVMonXP.kxp
    + KvXP.kxp
    + MagicSet.exe
    + mmsk.exe
    + msconfig.com
    + msconfig.exe
    + PFW.exe
    + PFWLiveUpdate.exe
    + QQDoctor.exe
    + Ras.exe
    + Rav.exe
    + RavMon.exe
    + regedit.com
    + regedit.exe
    + runiep.exe
    + SREng.EXE
    + TrojDie.kxp
    + WoptiClean.exe
    The worm terminates following running process(es). Targets (listed below) are antivirus software, firewall, system process, and other malicious codes. The command used in ‘net stop’ and using sc.exe to configure forbid usage of these services with the command “config [service_name] start=disabled”
    srservice
    sharedaccess
    KVWSC
    KVSrvXP
    kavsvc
    RsRavMon
    RsCCenter
    The virus also terminates and stops the following process from running:
    PFW.exe
    Kav.exe
    KVOL.exe
    KVFW.exe
    adam.exe
    qqav.exe
    qqkav.exe
    TBMon.exe
    kav32.exe
    kvwsc.exe
    CCAPP.exe
    EGHOST.exe
    KRegEx.exe
    kavsvc.exe
    VPTray.exe
    RAVMON.exe
    KavPFW.exe
    SHSTAT.exe
    RavTask.exe
    TrojDie.kxp
    Iparmor.exe
    MAILMON.exe
    MCAGENT.exe
    KAVPLUS.exe
    RavMonD.exe
    Rtvscan.exe
    Nvsvc32.exe
    KVMonXP.exe
    Kvsrvxp.exe
    CCenter.exe
    KpopMon.exe
    RfwMain.exe
    KWATCHUI.exe
    MCVSESCN.exe
    MSKAGENT.exe
    kvolself.exe
    KVCenter.kxp
    kavstart.exe
    RAVTIMER.exe
    RRfwMain.exe
    FireTray.exe
    UpdaterUI.exe
    KVSrvXp_1.exe
    RavService.exe
    It also modifies HOSTS file to keep the user from connecting specifiec addresses. Generally, the addresses are homepages of Internet security sites and antivirus engine updates servers. So the infected system’s user can’t get information or engine updates to scan and remove the malicious code.
    Following is the addresses that are blocked:
    127.0.0.1 localhost
    127.0.0.1 mmsk.cn
    127.0.0.1 ikaka.com
    127.0.0.1 safe.qq.com
    127.0.0.1 360safe.com
    127.0.0.1 www.mmsk.cn
    127.0.0.1 www.ikaka.com
    127.0.0.1 tool.ikaka.com
    127.0.0.1 www.360safe.com
    127.0.0.1 zs.kingsoft.com
    127.0.0.1 forum.ikaka.com
    127.0.0.1 up.rising.com.cn
    127.0.0.1 scan.kingsoft.com
    127.0.0.1 kvup.jiangmin.com
    127.0.0.1 reg.rising.com.cn
    127.0.0.1 update.rising.com.cn
    127.0.0.1 update7.jiangmin.com
    127.0.0.1 download.rising.com.cn
    127.0.0.1 dnl-us1.kaspersky-labs.com
    127.0.0.1 dnl-us2.kaspersky-labs.com
    127.0.0.1 dnl-us3.kaspersky-labs.com
    127.0.0.1 dnl-us4.kaspersky-labs.com
    127.0.0.1 dnl-us5.kaspersky-labs.com
    127.0.0.1 dnl-us6.kaspersky-labs.com
    127.0.0.1 dnl-us7.kaspersky-labs.com
    127.0.0.1 dnl-us8.kaspersky-labs.com
    127.0.0.1 dnl-us9.kaspersky-labs.com
    127.0.0.1 dnl-us10.kaspersky-labs.com
    127.0.0.1 dnl-eu1.kaspersky-labs.com
    127.0.0.1 dnl-eu2.kaspersky-labs.com
    127.0.0.1 dnl-eu3.kaspersky-labs.com
    127.0.0.1 dnl-eu4.kaspersky-labs.com
    127.0.0.1 dnl-eu5.kaspersky-labs.com
    127.0.0.1 dnl-eu6.kaspersky-labs.com
    127.0.0.1 dnl-eu7.kaspersky-labs.com
    127.0.0.1 dnl-eu8.kaspersky-labs.com
    127.0.0.1 dnl-eu9.kaspersky-labs.com
    127.0.0.1 dnl-eu10.kaspersky-labs.com
    The virus is may also affect USB flash drive or portable hard disk, by autorun OSO.exe. All non system partition will contains OSO.exe and autorun.inf virus files too. Beside, system time may be changed too to cause some anti virus programs to expire.
    How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually
    To run antivirus program that has been disabled, you can try to rename the antivirus executable file name to another file name, and then run the new file name.
    Terminate and end the following processes (tasks) using Task Manager (alternative you can use procexp):
    %systemroot%\system32\gfosdg.exe
    %systemroot%\system32\severe.exe
    %systemroot%\system32\drivers\conime.exe
    Remove the registry key added by virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx) (for Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid mistaken delete valid entries). This process will allow anti virus or security software or system utilities such as IceSword, SREng and etc to be able to function properly again:
    + 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
    + adam.exe c:\windows\system32\drivers\mpnxyl.exe
    + avp.com c:\windows\system32\drivers\mpnxyl.exe
    + avp.exe c:\windows\system32\drivers\mpnxyl.exe
    + IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
    + iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
    + kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
    + KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
    + KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
    + KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
    + KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
    + MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
    + mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
    + msconfig.com c:\windows\system32\drivers\mpnxyl.exe
    + msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
    + PFW.exe c:\windows\system32\drivers\mpnxyl.exe
    + PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
    + QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
    + Ras.exe c:\windows\system32\drivers\mpnxyl.exe
    + Rav.exe c:\windows\system32\drivers\mpnxyl.exe
    + RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
    + regedit.com c:\windows\system32\drivers\mpnxyl.exe
    + regedit.exe c:\windows\system32\drivers\mpnxyl.exe
    + runiep.exe c:\windows\system32\drivers\mpnxyl.exe
    + SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
    + TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
    + WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe
    Remove the following auto run on Windows startup registry entries located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run registry key by using Registry Editor or SREng (System Repair Engineer)
    “mpnxyl”=”C:\WINDOWS\system32\gfosdg.exe”
    “gfosdg”=”C:\WINDOWS\system32\severe.exe”
    Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double click on it and remove the text behind “Explorer.exe” in the value data, so that it will become looked like as below:
    “shell”=”Explorer.exe”
    Next delete all files planted by the virus. Note that even if you right click on these infected files may trigger the infection process, so it’s recommended to use IceSword or WinRAR to delete these files:
    %systemroot%\system32\gfosdg.exe
    %systemroot%\system32\gfosdg.dll
    %systemroot%\system32\severe.exe
    %systemroot%\system32\drivers\mpnxyl.exe
    %systemroot%\system32\drivers\conime.exe
    %systemroot%\system32\hx1.bat
    %systemroot%\system32\noruns.reg
    X:\OSO.exe
    X:\autorun.inf
    X mean all non system partitions, including your USB flash drive and portable hard disk.
    System Recovery and Clean Up
    Navigate to the following registry keys and add back the original value.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    “CheckedValue”=dword:00000001
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
    “NoDriveTypeAutoRun” value is vary depending on system, normally by default it will set as 91 (in HEX value)
    Next remove all contents added by the worm in Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts, and remove the entries or lines specified above. If you’re using SREng, simply click on “System Recovery” -> “Hosts file”, then click “Replace” and then “Save”.
    Finally, you will need to recover or repair or reinstall the anti virus program, if it has been damaged.



    Take Care
    ENJOY
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I do not see ANY of those registry entries or files on my computer, and I did visit all the sites. Saw in hidden mode as well, checked regedit...nothing. So whats up with that?
     
  7. Genghis Khan

    Genghis Khan Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    7
    Location:
    Ulan Bator
    MR. X , you just posted a virus analysis.

    It has no connection with our topic.

    What are you doing? Just stop flood.
     
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I think he posted it because it affects 360Safe. Also, this malware blocks 360Safe's own website. Why would a malware creator block his/her own site? ;)
     
  9. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    360safe is a famous bullshit software on Chinese market, they don't crap talk about Kaserpsky is because they are business partners of Kaserpsky. 360safe doesn't clean certain malwares which made by its partners. In fact, the CEO of this company used to be a very famous malware writer.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    "Bullshit" software? o_O

    Why?

    Business partners of Kaspersky? Now that explains a lot....But why did she choose only these particular vendors to bash instead of every other vendor except Kaspersky?
     
  11. Genghis Khan

    Genghis Khan Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    7
    Location:
    Ulan Bator
    NOD32 is a rubbish software ?

    Recently, I had just saw an article writen by MJ0011 (a programmer from a famours Chinese security software vendor 360safe) in her blog.

    MJ0011 programmed an anti-rootkit software for 360safe that can found new rootkits, see here.
    She said that AntiVir,Dr.WEB(VirusChaser),Mcafee,Norton,NOD32 are "rubbish softwares".

    Here is exactly what she said, you can see her words in 360safe forum here or in her blog here.

    I want to know that whether her statement is trustworthy or not ? o_O
     
  12. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum

    So is it a KAV clone? All the GUI images that I have seen for 360safe have the kaspersky badge plastered on them.
     
  13. Genghis Khan

    Genghis Khan Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    7
    Location:
    Ulan Bator
    That's exactly what I want to know. Do they really have such shortage ?
     
  14. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    Those AV vendors are major competitions of Kaspersky, sharing same target consumers with Kaspersky.

    @NAMOR:
    No, its not a clone of any AV, its more like a cleaner but not CCleaner kind of cleaner. you know what , I really can't think of any similar English products atm.
     
    Last edited: May 2, 2007
  15. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Yeah, someone posted the following quote from a Red Herring article:

    "What evidently prompted Alibaba’s open attack on Mr. Zhou was Qihoo’s launch in late July of free antivirus software called 360safe, developed in cooperation with the Moscow-based antivirus company Kaspersky Labs.

    360safe includes Yahoo Assistant, which remains one of the key drivers of traffic to Yahoo China, on the list of malware that it disables."
     
  16. Genghis Khan

    Genghis Khan Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    7
    Location:
    Ulan Bator
    No, it is not a KAV clone. Actually, 360safe is more like an anti-adware software with some function of system utilities software.

    It has a partnership with Kaspersky. You can have a half-year free key of KAV6 if you download 360safe. So Kaspersky can be widely spreaded.
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    So they're like a reseller of Kaspersky? First we had that Chinese NOD32 distributor bashing AntiVir and now this....Utter nonsense, I find it very strange that both Eset and Kaspersky allow this BS to continue.
     
  18. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    lmao, who is that guy? Can I have some links?
     
  19. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Re: NOD32 is a rubbish software ?

    The answer is, "Not". Apparently, this company has zero credibility.


    "What evidently prompted Alibaba’s open attack on Mr. Zhou was Qihoo’s launch in late July of free antivirus software called 360safe, developed in cooperation with the Moscow-based antivirus company Kaspersky Labs. 360safe includes Yahoo Assistant, which remains one of the key drivers of traffic to Yahoo China, on the list of malware that it disables."



    "In September of this year [2006], Yahoo China filed suit against Beijing Sanjiwuxian, which was founded by a former Yahoo China general manager, charging the company with unfair competition. Yahoo China is operated by Alibaba.com Corp., the Chinese Internet company that took over Yahoo Inc.'s Chinese operations in 2005.

    The suit charged Beijing Sanjiwuxian, which operates the Qihoo.com Web portal, with offering software, called 360safe, that reports the Yahoo Toolbar as malware and advises users to uninstall it. Yahoo Toolbar is offered by Yahoo China for free and includes antivirus protection as well as access to Yahoo services, such as Yahoo's search engine and Yahoo Mail. The Beijing No. 2 Intermediate People's Court ruled in favor of Yahoo China, and ordered Beijing Sanjiwuxian to stop engaging in anticompetitive activities and to compensate Yahoo China for unspecified damages and legal costs, Alibaba said. Beijing Sanjiwuxian must also make a public statement that "clarifies all incorrect allegations" made against Yahoo China.

    Beijing Sanjiwuxian executives could not be reached for comment."
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    https://www.wilderssecurity.com/showthread.php?t=169919

    Apparently the tester wanted to prove that NOD32 has best heuristics on Earth and AntiVir flags packers instead of identifying malware. Turns out NOD32 didn't do so well anyway, and the tester was working at NOD32's China distributor. You'll also find all the Chinese language links you want related to the topic in the above thread. :)

    Read the thread carefully and properly, lots of interesting twists :D
     
  21. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Thanks Genghis Khan and coldplay for answering my question.
     
  22. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    thx for the link, I have read that test on Chinese forums. The poster on wilder or the one on nod32 forum added their own conslusion. The orignal writer was bashing Rising actually.
     
  23. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    It's almost like a marketing virus.....at this moment there are topics on several forums...
     
  24. SexIsGood4U

    SexIsGood4U Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    54
    Re: NOD32 is a rubbish software ?

    ATTENTION: Genghis Khan

    You have just joined to TWACK club.

    Stop creating multi topics on the same CRAP.
    Humans create "things", being that we create solutions, and we new create problems aswell. So is not nearly everything and anything possible?

    Do you use NOD32 ?
     
  25. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Re: NOD32 is a rubbish software ?

    I dont see the need for that...

    Genghis Khan was not bashing NOD32. All he did was post a link to a blog, asking whether its reasoning was reliable, and the source was trustworthy.
     
Loading...
Thread Status:
Not open for further replies.