How does process termination work?

Discussion in 'other security issues & news' started by RedZero, Oct 27, 2007.

Thread Status:
Not open for further replies.
  1. RedZero

    RedZero Registered Member

    Joined:
    Oct 22, 2007
    Posts:
    34
    When malware attempts to terminate the process of a well-known security app, how does it figure out which process to terminate?

    Does it search for the default process name like antivirus.exe and/or does it terminate the process based on its checksum?

    Thanks!
     
  2. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Many virus authors try many different methods to disable anti-virus software. Mostly they search for file/process names, but there are viruses that terminate AV by using the IFEO method.

    IFEO stands for "image file execution options". This technology can redirect execution of a file. For example, if you want to run ABC.exe, the computer can be made to run XYZ.exe instead of ABC.exe.
    This is done because IFEO has an item in the Windows registry as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ABC.exe
    that tells it to run XYZ.exe instead.
    Example:
    The virus created an item in the Windows registry as
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe.
    In this case, avp.exe is a key in the Windows registry, and avp.exe is also the filename of Kaspersky's anti-virus software.
    Now, if you want to run Kaspersky's anti-virus software, the computer runs the specified .exe file instead of avp.exe.

    More information about this technology can be found in this blog.
     
    Last edited: Oct 27, 2007
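The redirection Chato describes is carried by a string value named Debugger under the per-image IFEO subkey, so a defender's check is simply to list every IFEO subkey that has one. The Python below is an added example, not code from this thread or from any product it mentions: it parses a constructed `.reg` export of the IFEO key (what `reg export` would produce) and reports each image name that has a Debugger value, and on Windows it can also walk the live key with the standard `winreg` module. The sample export, the `avp.exe` entry in it and the path `C:\Users\Public\xyz.exe` are constructed placeholders.

```python
"""Audit Image File Execution Options (IFEO) for Debugger redirections."""
import re
import sys

# Constructed sample of a `reg export` of the IFEO key (trimmed, ASCII).
# Only avp.exe carries a Debugger value; the other subkeys are benign noise.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Users\\Public\\xyz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
'''

# Lower-cased marker; the trailing backslash means we only match subkeys, not the base key.
IFEO_MARKER = "\\image file execution options\\"
KEY_LINE = re.compile(r"^\[(.+)\]$")
DEBUGGER_LINE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape(value):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def find_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_path} for every direct IFEO subkey that sets Debugger."""
    hits = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(IFEO_MARKER)
            if idx == -1:
                current_image = None
            else:
                tail = path[idx + len(IFEO_MARKER):]
                # Only direct children (e.g. avp.exe), not nested keys such as PerfOptions.
                current_image = tail if "\\" not in tail else None
            continue
        dbg = DEBUGGER_LINE.match(line)
        if dbg and current_image:
            hits[current_image] = _unescape(dbg.group(1))
    return hits


def read_live_ifeo():
    """On Windows, enumerate the live IFEO key the same way; elsewhere return {}.

    Assumption: run from an elevated, native-bitness Python so the 64-bit view is read.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    hits = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    value, _ = winreg.QueryValueEx(sub, "Debugger")
                    hits[name] = value
            except FileNotFoundError:
                pass  # subkey has no Debugger value
    return hits


if __name__ == "__main__":
    found = read_live_ifeo() or find_ifeo_debuggers(SAMPLE_REG)
    for image, debugger in sorted(found.items()):
        print(f"{image} is redirected to {debugger}")
```

Every hit deserves a look: legitimate Debugger entries are rare (a developer's just-in-time debugger is the usual one), so an entry pointing at a security product's executable, or at a path under a user-writable directory, is the pattern worth alerting on.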