AV Killer technique

Discussion in 'other anti-virus software' started by hsobrevilla02, Oct 2, 2007.

Thread Status:
Not open for further replies.
  1. hsobrevilla02

    hsobrevilla02 Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    19
    Just for info:

    http://www.websense.com/securitylabs/blog/blog.php?BlogID=148

    Some part of this statement mentions this: "With this registry key set, you can't run this anti-virus software. AV Killer disables many AV software programs, such as McAfee, NOD32, Symantec Anti-Virus software and so on. AV killer can download other Trojans onto your windows system and let these viruses run as well....."

    I am not a computer techie or an AV expert, but maybe someone knowledgeable enough could shed some light on this information (if this could be considered information).
    If this post is not helpful, please feel free to delete it.

    For info.

    Thanks....
     
  2. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hi,
    I think we have to pay attention to this kind of threat.
    At this moment I didn't see anything dealing with IFEO-based protection on NOD32 antivirus. The only post about AV Killer on the web is on the Kaspersky Lab forum. I hope (and we can be sure) that Eset will post some more explanation about that kind of threat, whether NOD32 is able to block such execution redirection via the registry, and if not, the roadmap for the update.

    Best Regards
     
  3. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    Any average HIPS should stop this AV killer. I don't think it can disable Kaspersky if the proactive defense is on.
     
  4. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Yes, I confirm. On Kaspersky Lab it is said that this kind of threat is detected and blocked. Kaspersky deals with IFEO, but what about NOD32?

    I've been an ESET NOD32 customer for 3 years and I would like to have some kind of answer from ESET experts.

    Please, would it be possible to move this subject back to NOD32 antivirus software.
    Best Regards
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since the subject matter can affect other AV software, we have moved this thread to a more appropriate forum for discussion. As is the usual case concerning threads such as this, if someone from Eset wishes to comment on this discussion they will do so regardless of what forum the thread may reside in.

    Regards,
    Bubba
     
  6. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    If this is the same trojan that first appeared back in '02, Symantec already has it in its defs (as probably all AVs should have). It looks like the latest variant appeared on 9-26.

    avkiller.trojan
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    My advice: Delete the whole IFEO in the registry. Beat fire with fire.
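    The posts above refer to the Image File Execution Options (IFEO) key, whose per-program "Debugger" value makes Windows launch whatever that value names instead of the program itself. As an added example (not from any poster here) this PowerShell snippet lists which programs currently have such a value set and whether the named debugger even exists, so an administrator can see what is there before deciding what to remove; it assumes the standard HKLM key path.

```powershell
# Added example: audit IFEO entries that redirect a program's launch.
# A "Debugger" value under <program>.exe replaces the program at launch;
# if the path it names does not exist, the program simply fails to start.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Debugger) {
            # The value may carry arguments; the first token is the executable.
            $exe = ($props.Debugger -replace '^"([^"]+)".*', '$1' -split ' ')[0]
            [pscustomobject]@{
                Image          = $_.PSChildName   # program being redirected
                Debugger       = $props.Debugger  # what actually gets launched
                DebuggerExists = Test-Path -LiteralPath $exe
            }
        }
    }
}

# Entries whose debugger path is missing or points outside normal tool
# locations deserve a closer look; known developer debuggers are expected.
Get-IfeoDebuggers | Format-Table -AutoSize
```

Reading the key needs no elevation; removing an entry does.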
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
  9. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    It appears to be the same when you look down at the "alias" chart on that page. It looks like Dr Web listed 5 years' worth of variants on the page. If the defs don't catch it, the behavioral part of your defense should (in my case it would be Bloodhound or AntiBot).

    As a Chinese member here pointed out in another thread, the only place it is rampant is in China at the moment.
     
  10. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I think Dr.Web has a popular customer base in the Far East,

    but I do hope it is the same thing, as this sounds like a nasty little bugger :D

    It never hurts to be alerted to such a threat though. :shifty:

    C'mon UTD! ;)
     
    Last edited: Oct 2, 2007
  11. hsobrevilla02

    hsobrevilla02 Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    19
    With regards to my first post:

    I am not very sure if this is at all helpful, but I tried to search for AV Killer using Google, and I encountered this site:
    ~Removed~
    (please delete the link if it's against the rules or is a malware site)
    After reading the site, I tried to download a sample AV Killer executable file:
    ~Removed~
    (again, please delete the link if it's against the rules or is a malware site)
    and uploaded it to Jotti and VirusTotal yesterday and today, but it seems that NOD32 belongs to the VERY FEW group of AVs that did not detect / flag the file as a virus.

    I just posted this as an opinion. If I am mistaken, please enlighten me.
    Thanks...
    (By the way, I already sent the file yesterday to samples@eset.com / sample@eset.com)
     
    Last edited by a moderator: Oct 2, 2007
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Submitting the files is the correct way to proceed. We need no links to dubious sites here.
     
  13. hsobrevilla02

    hsobrevilla02 Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    19
    To Mr. ronjor,

    Sorry if I posted a malware site and/or link.
    My mistake.
    So now that I have submitted the file to Eset, what will happen next?
    Will this file again be CLASSIFIED as LESS IMPORTANT (same as my previous post - ZLOB detection)?
    This is just my opinion - again, if I am mistaken, please enlighten me...
    Thanks in advance...
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    hsobrevilla02,

    As to what will happen next, I guess we will have to wait and see.
     
  15. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I clicked on the link to the trojan and Norton blocked it identifying it as Trojan.KillAV. It was discovered in '99 with the latest variant released today if I understand this correctly. I am not sure if it is the same as the avkiller.trojan link I posted above.

    Strange thing is that I went ahead and tried to download the file but I got something like "need administrative rights to perform this action". I clicked on the admin button but it said it could not copy the file. I tried several times with different locations but Vista would not let me put the file anywhere on the computer.
     
  16. hsobrevilla02

    hsobrevilla02 Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    19
    Any clarification from Eset yet?
    Hoping some Eset moderators/technical agents would share some thoughts or ideas.....
    Thank you...
     