Info

GarageBox.Org is a website about technology and anything else we like to do, presented from our own perspective in Malay. If we have a new idea that has not yet been published on the internet, we will publish it in English. For any inquiry or request, please email us at webmaster[a]garagebox.org .

Malwarefix and IT knowledge
Written by Mr Garage   
Friday, 16 October 2009 15:09

As I mentioned before, malware is starting to become smarter and harder to detect. I have had a few experiences submitting a sample to totalvirus.com where the result I got was that it was not fully detected by all antivirus vendors. I do not know why, but I assume they have a problem identifying it as malware because it does not cause many problems on the computer, and usually this kind of malware does not start/execute/run its payload from the normal startup services.

It is strange that this kind of malware modifies the registry in unusual places, other than where normal malware does. For example, see the registry modifications made by the malware below.

HKLM\ControlSet001\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
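The listing above can be decoded mechanically. The following Python example is added here for illustration; it is my code, not the post's and not the PeeTechFix tool. It parses a dump written in the same layout as the listing (key on one line, `Name : value` lines under it, or `subkey\Name: value` continuation lines), decodes the service `Type` and `Start` DWORDs into their Service Control Manager meanings, flags a driver service whose file name does not match its service name, and compares the Explorer hidden-file values against clean-system defaults. The sample dump inside the script is constructed from the listing above, and the expected defaults (`CheckedValue` 1, `Hidden` 2, `ShowSuperHidden` 0) are an assumption about a clean Windows XP-era system, not something the post states.

```python
"""Decode and audit a text dump of registry values in the layout shown in the post.

Added example, not code from the post. SAMPLE_DUMP is constructed from the
post's listing; the EXPLORER_VALUES defaults are an assumption about a clean box.
"""

# Service Control Manager meaning of the Type and Start DWORDs.
SERVICE_TYPES = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Explorer hidden-file plumbing: value name -> (expected on a clean system, meaning).
# Assumption: Windows XP-era defaults.
EXPLORER_VALUES = {
    "CheckedValue": (1, "template copied into HKCU ...\\Advanced\\Hidden when the user ticks "
                        "'Show hidden files'; 0 means that choice can never take effect"),
    "Hidden": (2, "1 = show hidden files, 2 = hide them (2 is the default)"),
    "ShowSuperHidden": (0, "1 = show protected OS files, 0 = hide them (0 is the default)"),
}

# Constructed sample in the same layout as the post's listing (not a real capture).
SAMPLE_DUMP = r"""
HKLM\ControlSet001\Services\AVPsys\
Type : 0x00000001
Start : 0x00000003
ErrorControl : 0x00000001
ImagePath : "%System%\drivers\cdaudio.sys"
DisplayName : "AVPsys"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Hidden: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\ShowSuperHidden: 0x00000000
"""


def _decode(token):
    """Turn a printed value into an int (0x... DWORD) or a bare string."""
    token = token.strip()
    if token.lower().startswith("0x"):
        return int(token, 16)
    return token.strip('"')


def parse_dump(text):
    """Parse the listing into {key_path: {value_name: value}}."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):            # key header such as HKLM\...\Services\AVPsys\
            current = line.rstrip("\\")
            continue
        left, _, right = line.partition(":")   # first colon separates name from data
        left = left.strip()
        if "\\" in left:                   # "Advanced\Hidden: 0x2" continues the previous key
            sub, _, name = left.rpartition("\\")
            key = f"{current}\\{sub}"
        else:                              # "Start : 0x3" belongs to the current key
            key, name = current, left
        values.setdefault(key, {})[name] = _decode(right)
    return values


def audit_services(values):
    """Decode every Services\\<name> key; flag drivers whose file name does not match."""
    report = {}
    for key, vals in values.items():
        if "\\Services\\" not in key:
            continue
        name = key.rsplit("\\", 1)[1]
        image = str(vals.get("ImagePath", ""))
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        svc_type = SERVICE_TYPES.get(vals.get("Type"), "unknown")
        start = START_TYPES.get(vals.get("Start"), "unknown")
        # A driver registered under one name but backed by a differently named file
        # (here AVPsys -> cdaudio.sys) deserves a look; DEMAND_START explains why a
        # boot-time startup listing never shows it.
        suspicious = svc_type.endswith("DRIVER") and stem.lower() != name.lower()
        report[name] = {"type": svc_type, "start": start, "image": image,
                        "suspicious": suspicious}
    return report


def audit_explorer(values):
    """Return the hidden-file settings that differ from the assumed clean defaults."""
    mismatches = {}
    for key, vals in values.items():
        if "\\Explorer\\Advanced" not in key:
            continue
        for name, value in vals.items():
            if name in EXPLORER_VALUES:
                expected, meaning = EXPLORER_VALUES[name]
                if value != expected:
                    mismatches[name] = {"found": value, "expected": expected, "why": meaning}
    return mismatches


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for svc, info in audit_services(parsed).items():
        print(svc, info)
    for name, info in audit_explorer(parsed).items():
        print(name, info)
```

Run as a script it prints the decoded AVPsys entry (kernel driver, demand start, file name mismatch) and a single Explorer mismatch: only `CheckedValue` is reported, because `Hidden` 2 and `ShowSuperHidden` 0 are the ordinary "hide" defaults, so the value that actually shows tampering is the `CheckedValue` template set to 0, which is what keeps "Show hidden files" from ever taking effect.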

Actually, I have still not studied this and am too inexperienced to teach myself to understand the registry entries above. But I think this is huge, and I need a new method to identify this new kind of malware manually and beat it without antivirus.

For the time being, we have to depend on Google to look up info on the samples we find on the computer.

Luckily, I found a website (a blog, actually) that explains how malware makes modifications to the registry other than the normal startup registry keys. I found it interesting because not only does he explain what the malware did, but he also created a tool to remove it. He named his tool PeeTechFix-Win32/PSW.OnlineGames 2.0.5. Maybe the tool only covers malware from game applications.

I cannot review much about this site and how he did it because I do not have a clue yet and need time to understand it. I am an amateur, you know. Whatever it is, this site can help us immediately understand and troubleshoot some samples and the behaviour of infected PCs. I have already put it in my Advisories. OK. Maybe the owner is from Thailand, because there are so many Thai characters on the site. Good job to the owner.

Oh! I need time to understand the registry.

 

Last Updated on Monday, 19 October 2009 16:43