Author Topic: Malware & registery question.  (Read 9113 times)

0 Members and 1 Guest are viewing this topic.

Waldo

  • Guest
Malware & registery question.
« on: December 26, 2003, 11:43:53 AM »
HI !

I'm no computer noob, but i'm gonna (must) ask the following question :

Does every virus and or trojan writes in the registery ?

I thought they had to, to be able to auto-start up etc...But i could be wrong.

If there are virusses or trojans that don't use the registery, how do they work than ? (simple explaination please...)

Thanks,

Waldo




Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Malware & registery question.
« Reply #1 on: December 26, 2003, 12:08:25 PM »
Viruses do not need to modify the Registry, because they do infect files.
On Trojans, worms and other noninfecting Malware it is neccessary to get started, by modify the Registry( incl. Win.ini, system.ini, Winstart.bat)
MfG Ralf

Waldo

  • Guest
Re:Malware & registery question.
« Reply #2 on: December 26, 2003, 12:44:41 PM »
Thanks Raman (have a cookie  ;D)

I was not sure anymore about these things after some reading i did on another forum,...It confused me like hell.

But i believe your answer is correct. And that not all virusses need the registery to work (maybe just a few).

But Trojans and other malware (spyware) does need it (i'm sure about that.)


CoJo

  • Guest
Re:Malware & registery question.
« Reply #3 on: December 26, 2003, 01:54:43 PM »
waldo! my gosh...I feel so much better knowing that someone else can get confused about these things ;D

cojo

Waldo

  • Guest
Re:Malware & registery question.
« Reply #4 on: December 26, 2003, 03:24:59 PM »
waldo! my gosh...I feel so much better knowing that someone else can get confused about these things ;D

cojo

My "confusion" started when i have read this thread at Wilders :

http://www.wilderssecurity.com/index.php?board=40;action=display;threadid=18412

I also use Registery Prot (freeware) just like that Jason Voorhees guy, but I thought it would only monitor start-up changes in the registery.

But this jason guy says "states" that he want to use regprot to defend against Virusses, but like Raman stated, virusses don't use the registery.

So thats wy i got confused because Pilli (mod for Diamonds) doesn't says or reacts about this. If one person needs to know that virusses don't use the register, it should be him  ??? maybe he just didn't noticed it...

Well, i won't lose sleep about it, that's for sure  ;)

Waldo

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re:Malware & registery question.
« Reply #5 on: December 26, 2003, 03:31:10 PM »
Sometimes, Wilders' forums do not have the desired quality and precision. I have 'lost' quite a lot of time following advices than, at last, were not so correct :(
« Last Edit: December 26, 2003, 03:31:51 PM by Technical »
The best things in life are free.

techie101

  • Guest
Re:Malware & registery question.
« Reply #6 on: December 26, 2003, 06:05:52 PM »
Technical,
I think that it was in the interpretation of the article.
It was not clearly explained.

Waldo,
Raman is correct.
Not all viri enter the registry.  It would depend on their purpose.  Self executing malware usually will worm their way into the registry.  Other viri just change files so they become unusable, or modify them for their own dastardly purposes.

Cojo,
We all have similar troubles at times.

techie
« Last Edit: December 26, 2003, 06:12:18 PM by techie101 »

Waldo

  • Guest
Re:Malware & registery question.
« Reply #7 on: December 27, 2003, 01:22:48 AM »
I also wonder,

Does AVAST offers some kind of generic detection (content behavior) or is it
simply signature based ? (i know Mail provider uses heuristics)

Wy do I ask :

because nowadays you can "order"  custom made dangerous trojans that are
edited to evade detection from the AV you want.

If you only trust on signature detection > IMHO > your doomed if you encounter a edited and / or polymorphic R.A.T

I also believe that signature is no good against polymorpic malware as they change there content over and over again. You can create with a mutation engine ( do a Google search) thousands of mutated trojans.

Just like the vendors of TDS-3 explain here  (Donald Dick RAT):

If this was a normal server, we'd see the same code with every server we created. As we see in the above screenshot, this isn't the case with polymorphic trojans. With Donald Dick servers, not only are all of the entrypoints and file sizes different, but all the instruction sequences are also very unique! No form of signature-based or conventional detection can be used to detect this trojan.

 http://tds.diamondcs.com.au/index.php?page=polymorphictrojans

I wonder of AVAST of any other Av can cope with such threats, and HOW ? please fill me in...

Waldo
« Last Edit: December 27, 2003, 01:25:54 AM by Waldo »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re:Malware & registery question.
« Reply #8 on: December 27, 2003, 02:34:58 AM »
Does AVAST offers some kind of generic detection (content behavior) or is it
simply signature based ? (i know Mail provider uses heuristics)
Waldo

This was discussed in the past. Minacross I suppose.
This will be the eternal war against viruses. Some programmers think that only 'generic' or heuristic detection will solve the mutation and new virus. Other think that the 'false positives' will be so much too irritate. This is the border of the new technologies of viruses detection/prevention/cleaning.
The best things in life are free.

Offline MWassef

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1315
Re:Malware & registery question.
« Reply #9 on: December 27, 2003, 08:45:34 AM »
Technical,
you are right, as always.. (a K cookie from me) ;D
this is the thread you mean: using heuristics  
« Last Edit: December 27, 2003, 08:47:42 AM by minacross »
MW

Waldo

  • Guest
Re:Malware & registery question.
« Reply #10 on: December 27, 2003, 11:36:45 AM »
I forgot this is been discussed before (even though i made a real long post there :))....

It just seems that the content and behavior of the malware is changing drasticly (this year) and i believe it will be even worse in '04 :(

Well, whe will see...I'm sure AVAST will keep us all safe and warm, like it did before  ;D

Waldo

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re:Malware & registery question.
« Reply #11 on: December 27, 2003, 11:57:19 AM »
Thanks Minacross, Waldo and Hornus (who did a very good explanation of heuristics in Mina's forum). If I remember, Igor and Pk said something about this in the past too. But I'm not sure, maybe it was Pavel. They want to do what will be the best but they were not sure it will be posible to work just with 'generic detection' (or heuristics).
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11816
    • AVAST Software
Re:Malware & registery question.
« Reply #12 on: December 27, 2003, 09:54:38 PM »
Polymorphic viruses need a special kind of detection, of course - and avast! certainly has it. It's not a heuristic, however (at least not in the usual sense of the word - i.e. detecting unknown viruses according to their features, behavior, ...) - it's a special piece of code to detect the polymorphic virus. Every polymorphic virus has a special piece of such code, contained in the VPS file, together with the ordinary signatures; you can call this code a kind of "signature" as well, though it's certainly something more complicated.