Unexpected guests


An anti-virus as part of a system


Friday, May 4, 2018

As everyone knows, Microsoft is in a battle with, or rather is working with, anti-virus companies. In particular, the company offers all vendors identical conditions, or rather restricts access to the operating system and requires vendors to use a restricted API. Among other things, the company requires them to display messages via the operating system API, integrate their products with the Security Center, and use a special Microsoft self-protection service. New restrictions, or rather requirements, for anti-virus products appear almost every week.

On the one hand, this is good: after all, the world is full of "anti-viruses". On the other hand, unified interfaces provide a wide range of opportunities for criminals. We won't have to look very far for examples: Trojan.Encoder.24939 and Trojan.Encoder.24938. This is AVCrypt, a new sample of encryption ransomware.

AVCrypt not only tries to remove anti-viruses before encrypting a victim's files but also removes some Windows services.

The Trojan is installed on computers using macro-enabled Microsoft Word files, which are allegedly sent from trusted Internet service providers. The threat is known to run as "av2018.exe" on compromised computers.

Attention! An error prevented this Trojan from connecting to the cybercriminals' servers. So you won't be able to decrypt your system even if you pay the ransom.

AVCrypt tries to remove anti-virus protection and disable some Windows services, including MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection. Anti-viruses, including Windows Defender, need these services to operate.

This is how services are removed:

cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";

Then the ransomware checks whether any anti-virus programs are registered in the Windows Security Center and tries to remove any solutions found via the command line. For example, like this:

cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;

It's simple.
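
Because both steps run as ordinary command lines, they show up in process-creation logs. The Python detection logic below is an added example, not part of the original article or Doctor Web's code: the service list comes from the article, while the function names, the severity rule and the extra sample events are assumptions constructed for illustration.

```python
import re

# Services named in the article as AVCrypt targets (MBAMService is from the quoted command).
PROTECTED = {"mbamservice", "mbamprotection", "mbamwebprotection",
             "schedule", "termservice", "wpdbusenum", "windefend"}

# sc <config|stop|delete> "<service>" <rest up to the next & or |>
SC_RE = re.compile(r'\bsc(?:\.exe)?\s+(config|stop|delete)\s+"?([\w.$-]+)"?([^&|]*)', re.I)
# wmic product where (...) call uninstall
WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\s+product\b.*?\bcall\s+uninstall\b', re.I)

def classify(cmdline):
    """Return sorted findings for one process command line."""
    findings = set()
    for verb, service, rest in SC_RE.findall(cmdline):
        if service.lower() not in PROTECTED:
            continue
        verb = verb.lower()
        if verb == "config":
            # Only a change to start= disabled is of interest here.
            if not re.search(r"start=\s*disabled", rest, re.I):
                continue
            verb = "disable"
        findings.add(f"service-{verb}:{service}")
    if WMIC_RE.search(cmdline):
        findings.add("wmic-product-uninstall")
    return sorted(findings)

def severity(findings):
    """Assumed triage rule: high for a WMIC uninstall or disable+stop+delete in one line."""
    kinds = {f.split(":")[0] for f in findings}
    chain = {"service-disable", "service-stop", "service-delete"}
    if "wmic-product-uninstall" in kinds or chain <= kinds:
        return "high"
    return "medium" if findings else "none"

# Constructed sample events; the first two are the command lines quoted in the article.
SAMPLES = [
    'cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";',
    'cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;',
    'sc stop "WinDefend"',
    'sc query "WinDefend"',
    'sc config "Spooler" start= disabled',
]

def scan(cmdlines):
    """Return (severity, findings, cmdline) for every command line with findings."""
    return [(severity(f), f, c) for c in cmdlines if (f := classify(c))]

if __name__ == "__main__":
    for sev, found, cmd in scan(SAMPLES):
        print(f"[{sev}] {found} <- {cmd}")
```

The read-only `sc query` and the change to an unlisted service produce no finding, which keeps routine administration out of the alert stream.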

#Windows #hack_anti-virus #ransom #encoder

The Anti-virus Times recommends

An anti-virus is an attractive target for cybercriminals. The environment in which it operates should not allow services or anti-virus components to be removed, nor should it permit the anti-virus to be disabled or shut down or messages from the protection system to be blocked.

As practice with the Android OS shows, the artificial restrictions imposed by operating system manufacturers can't constrain hackers.
