
Anti-virus fallacies


Bizarre Trojans that don't scare us


Media outlets never tire of serving up all kinds of horrifying malware stories for public consumption:

According to Bleeping Computer, MalwareHunterTeam researchers discovered a dangerous encryption ransomware program named after former US President Barack Obama. The ransomware shuts down the anti-viruses installed on computers.

Once anti-virus programs are rendered non-operational, the ransomware scans the system for executable files and encrypts them all.

https://lenta.ru/news/2018/09/03/obama_virus/

This behaviour is indeed bizarre. Encrypting executables is a strange choice for ransomware: as a rule, program files are easy to recover, because reinstalling the application or repairing Windows puts them back. Damaging them can disrupt some applications or the operating system itself, nothing more; the user's own data, the thing ransomware normally holds hostage, is left untouched.

The Trojan even modifies the contents of the Windows directory, while other ransomware species usually leave it intact.

The Trojan uses the following commands to shut down anti-viruses:

taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe

https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail...

What does taskkill do? It is the standard Windows command for ending processes from the command prompt. The /F switch terminates a process forcefully, without asking it to close first, which is what you need for a process that has frozen and no longer responds (and also what malware needs). The /IM switch selects processes by image name, i.e. by executable file name, and accepts wildcards, so one command can end a whole group of similar processes; /PID selects a single process by its process ID instead. If a process on a remote computer needs to be terminated, the /S switch names that computer (with /U and /P supplying credentials).

And if you need to end all the processes that have been started under a certain user account, use the /FI filter switch, for example taskkill /F /FI "USERNAME eq alice".
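On the detection side, these same switches are what a monitoring rule keys on. The Python below is an added example, not code from the original post or from Doctor Web: it parses taskkill command lines as they would appear in a process-creation log, extracts /F, /IM, /PID, /FI and /S, and flags forced kills aimed at security-product image names. The image list is copied from the Trojan's own six commands; the log lines are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Image names copied from the Trojan's own taskkill list. A production rule
# would carry a longer, vendor-maintained list of security-product images.
SECURITY_IMAGES = {
    "kavsvc.exe", "kvxp.kxp", "rav.exe", "ravmon.exe",
    "mcshield.exe", "vstskmgr.exe",
}

# Split on whitespace but keep double-quoted arguments (e.g. /FI filters) intact.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


@dataclass
class TaskkillCall:
    force: bool = False                                 # /F
    images: List[str] = field(default_factory=list)     # /IM, lower-cased
    pids: List[str] = field(default_factory=list)       # /PID
    filters: List[str] = field(default_factory=list)    # /FI "..."
    remote: Optional[str] = None                        # /S host


def parse_taskkill(cmdline: str) -> Optional[TaskkillCall]:
    """Parse one logged command line; None if it is not a taskkill invocation."""
    tokens = [_unquote(t) for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return None
    # Accept "taskkill", "taskkill.exe" or a full path to it, in any letter case.
    if ntpath.basename(tokens[0]).lower() not in ("taskkill", "taskkill.exe"):
        return None

    call = TaskkillCall()
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) > 1 and tok[0] in "/-":       # taskkill accepts / or - prefixes
            switch = tok[1:].lower()
            arg = tokens[i + 1] if i + 1 < len(tokens) else ""
            if switch == "f":
                call.force = True
            elif switch == "im":
                call.images.append(arg.lower())
                i += 1
            elif switch == "pid":
                call.pids.append(arg)
                i += 1
            elif switch == "fi":
                call.filters.append(arg)
                i += 1
            elif switch == "s":
                call.remote = arg
                i += 1
            elif switch in ("u", "p"):            # credentials for /S; value skipped
                i += 1
            # /T and unknown switches take no argument and are ignored here
        i += 1
    return call


def is_av_tamper(call: TaskkillCall) -> bool:
    """Forced kill aimed at a known security image, or at a wildcard image name."""
    return call.force and any(
        img in SECURITY_IMAGES or "*" in img for img in call.images
    )


def scan_log(lines: List[str]) -> List[str]:
    """Return the command lines that look like anti-virus tampering."""
    hits = []
    for line in lines:
        call = parse_taskkill(line)
        if call is not None and is_av_tamper(call):
            hits.append(line)
    return hits


# Constructed sample of logged process command lines (not real telemetry):
# the six commands the Trojan issues, plus benign and unrelated entries.
SAMPLE_LOG = [
    "taskkill /f /im kavsvc.exe",
    "taskkill /f /im KVXP.kxp",
    "taskkill /f /im Rav.exe",
    "taskkill /f /im Ravmon.exe",
    "taskkill /f /im Mcshield.exe",
    "taskkill /f /im VsTskMgr.exe",
    "taskkill /F /IM notepad.exe",                                   # admin ending a hung editor
    'taskkill /S srv01 /U corp\\admin /F /FI "USERNAME eq alice"',  # remote kill by user name
    "C:\\Windows\\System32\\notepad.exe report.txt",                 # not taskkill at all
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("AV tamper:", hit)
```

A kill issued by /PID or by an /FI filter carries no image name, so a rule that only looks at /IM will miss it; in practice the PID is joined against the process table at the time of the event, which is left out of this example.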

This is a Swiss Army knife for anyone who wants to end processes they don't need. But it only works on processes that Dr.Web's self-protection component is not guarding.

Let's put it to the test. We start a command prompt (with administrator privileges, of course!) and try to "kill" one of our anti-virus's processes.

[Screenshot: taskkill run from an elevated command prompt fails to terminate the Dr.Web process]

That's self-protection, ladies and gentlemen!

In short, this approach fails against any process that is actually protected.

But here is one really curious feature:

The encryption ransomware modifies registry keys related to .exe files so that they get a new icon and launch the malware whenever a user runs any executable file in the system.

Strictly speaking this is not a virus, since no files are infected. What the Trojan hijacks is the .exe file association in the registry: the usual way to do this is to change the open command Windows stores for the exefile class, which normally reads "%1" %* (just run the file), so that every launch of any program starts the malware first. That is why clicking on files before the system has been completely cured is a bad idea: each double-click re-runs the Trojan, even though the program you clicked is itself clean.
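To check a machine for this kind of hijack, look at the command Windows runs for the exefile class. The script below is an added example, not code from the original article or from Doctor Web; the registry path HKEY_CLASSES_ROOT\exefile\shell\open\command and its stock value "%1" %* are standard Windows facts rather than something the article states, and the sample handler values (including the hijacker.exe path) are constructed. The checking logic is pure Python and runs anywhere; the live registry read only works on Windows.

```python
import re
import sys
from typing import Optional

# Stock (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command:
# run the file that was opened ("%1") with whatever arguments followed it (%*).
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Split on whitespace but keep double-quoted paths (which may contain spaces) intact.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def exefile_command_is_stock(command: str) -> bool:
    """True when the handler is the stock one, ignoring extra whitespace."""
    return " ".join(command.split()) == STOCK_EXEFILE_COMMAND


def prepended_program(command: str) -> Optional[str]:
    """Return the program a hijacked handler runs instead of "%1", or None.

    A hijack of the kind described above replaces the handler with something
    like  "C:\\...\\malware.exe" "%1" %*  so the malware starts first and then
    decides whether to pass control on to the program the user clicked.
    """
    tokens = _TOKEN.findall(command)
    if not tokens:
        return None
    first = tokens[0].strip('"')
    return None if first == "%1" else first


def read_exefile_command() -> str:
    """Read the live handler on Windows (HKCR is the merged HKLM/HKCU view)."""
    if sys.platform != "win32":
        raise OSError("the exefile association only exists on Windows")
    import winreg  # Windows-only module, imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _kind = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


def check_exefile_association(command: str) -> str:
    """Human-readable verdict for one handler value."""
    if exefile_command_is_stock(command):
        return "OK: .exe files are launched directly"
    hijacker = prepended_program(command)
    if hijacker:
        return f"HIJACKED: every .exe launch goes through {hijacker}"
    return "UNEXPECTED: handler is not the stock value"


# Constructed sample handler values (not taken from any real infection).
SAMPLES = [
    '"%1" %*',
    r'"C:\Users\Public\hijacker.exe" "%1" %*',
    r'C:\Users\Public\hijacker.exe "%1"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", check_exefile_association(value))
    if sys.platform == "win32":
        print("live:", check_exefile_association(read_exefile_command()))
```

The same check applies to the per-user override under HKEY_CURRENT_USER\Software\Classes, which HKCR already merges in; reading HKCR therefore shows the handler that actually takes effect for the logged-on user.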


Dr.Web recommends

We detect this bizarre creation as Trojan.Encoder.26282. Although it is not the scariest Trojan out there, it is nonetheless quite capable of ruining your mood and wasting your time. Therefore:

  1. Don't forget that ALL anti-virus protection components must remain active.
  2. Do not click on files indiscriminately.
