Trojans and Internet security settings
In this article I would like to talk about how an antivirus removes the consequences of a malicious program's activity. Users often write on forums that not all effects of a payload were eliminated, and I would like to explain why this happens.
Continuing the conversation about "support" Trojans, I will stop at the Trojan.Win32.Regger family. These malware are designed to make changes to the system registry, and the changes can be very different. For example, Trojan.Win32.Regger.f registers in the system the malicious library of another Trojan program. Why does it do this? It is impossible to distinguish a malicious library from a benign one just by its name, and when a file that merely registers something in the registry is sent to an antivirus lab for analysis, the analysts have to make a choice: detect the file as malicious or not? It turns out that the parts of the malware, taken separately, do not constitute a threat; but once launched in a certain sequence, they infect the PC.
In addition to registering libraries and adding links to malicious files under the autorun key of the Windows registry, Trojan-Reggers are often used to add exclusions to the filter of the built-in Windows firewall. In contrast to the disablers considered earlier, which simply turn the firewall off, the work of such programs is less visible: the protection system of the OS continues to work properly, but some requests are let through. For example, Trojan.Win32.Regger.j adds exclusions to the filter for 57 domain names and marks as trusted the IP addresses on which the following sites are located:
After such "preparation" the computer is vulnerable to a variety of clickers and downloaders, whose work is no longer accompanied by messages about unauthorized connection attempts. And the analysts have to solve a dilemma: how to distinguish "criminal" exceptions from ones created by the user to avoid the notifications?
Trojans of the Trojan.Win32.LowZones family act even less visibly: in addition to adding exceptions, they lower the security level of Internet Explorer security zones. Internet Explorer assigns every website to one of five security zones: Internet, Local intranet, Trusted sites, Restricted sites and Local computer, and the security settings of a zone are applied to every site in it. By default all websites fall into the "Internet" zone, and that zone's security level is applied to them. The default security level for this zone is Medium-High; however, it can be lowered to Medium or raised to High. Alternatively, a site can simply be moved into another zone with fewer restrictions. Whether the various technologies for active content can be used on the sites of a zone, and whether a warning is shown when such content is found, also depends on these settings:
Active content is interactive or animated content used on the Internet; it includes ActiveX controls and web browser settings. Thus other malicious programs get the opportunity to exploit numerous vulnerabilities in ActiveX components and to add "support" objects to the browser, detected as Trojan-Clicker.Win32.BHO or not-a-virus:AdWare.BHO. And again one cannot say definitely whether the reduced security is the result of malware activity or the will of a user who got tired of allowing ActiveX, which is used everywhere.
There are also Trojans of the Trojan.Win32.StartPage family. Using the registry key:
they change the start page of Internet Explorer, the most widely used browser. The problem is that many legitimate programs change the start page too. One could decide that the start page was changed by a malicious program if, for example, the content of that site is checked. But what should be done if the page does not work?
The malware of the Trojan.Win32.Favadd family works similarly. The main payload of this family is adding links to the "Favorites" menu of Internet Explorer:
This is spam. The links themselves are harmless (unless, of course, they lead to infected sites); they only clutter the "Favorites" menu, and it is no trouble to remove them (though if the Trojan has been added to the startup, the links will be restored). It is not possible to establish whether a link was added by a malicious program or by the user.
In addition, the payload of the Trojan.Win32.AddShare family is not removed. These Trojans gather data about the logical disks of the infected computer and open full network access to them:
Thus a cyber criminal who infects someone's PC in the local network gets access to all files on the victim's PC, including write access that allows placing other malicious programs in the startup folder. But users can "share" their disks by themselves, too.
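The changes described above (firewall exceptions, a weakened Internet zone and added trusted sites, a replaced start page, whole-drive shares) all live in the registry, so a defender can audit an exported .reg file for them. The following script is an added example, not code from the article or its authors; the key paths and value names are the standard Windows XP-era locations from my own knowledge (the article's own key is not shown on the page), the .reg sample is constructed, and every hit is only an indicator, since, as the text explains, a user may have made the same change deliberately.

```python
# Constructed sample .reg export (not from the article); Shares data is shown as a plain string, not REG_MULTI_SZ.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00010000
"1200"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/start"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\svc.exe"="C:\\Windows\\svc.exe:*:Enabled:svc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]
"C"="Path=C:\\,Type=0,Permissions=0"
"""
IS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INTERNET_ZONE = (IS + r"\Zones\3").lower()           # zone 3 = Internet
DOMAINS = (IS + r"\ZoneMap\Domains" + "\\").lower()  # per-domain zone assignments (2 = Trusted sites)
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower()
FW_APPS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List").lower()
SHARES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares".lower()
MEDIUM = 0x11000  # CurrentLevel below this means a zone weaker than "Medium"
ACTIVEX = {"1200": "Run ActiveX controls and plug-ins", "1004": "Download unsigned ActiveX controls"}

def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {value name: data}}; dwords become ints."""
    unq = lambda s: s.strip('"').replace("\\\\", "\\")
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            name, _, data = line.partition("=")
            cur[unq(name)] = int(data[6:], 16) if data.startswith("dword:") else unq(data)
    return keys

def audit(keys, expected_start_page="about:blank"):
    """Return (category, detail) indicators; any of them may also be a legitimate user change."""
    found, zone = [], keys.get(INTERNET_ZONE, {})
    if zone.get("CurrentLevel", MEDIUM) < MEDIUM:
        found.append(("ie-zone", "Internet zone below Medium: 0x%x" % zone["CurrentLevel"]))
    found += [("ie-zone", d + " allowed without prompt") for v, d in ACTIVEX.items() if zone.get(v) == 0]
    found += [("trusted-site", k[len(DOMAINS):]) for k in keys if k.startswith(DOMAINS)]
    start = keys.get(IE_MAIN, {}).get("Start Page")
    if start and start != expected_start_page:
        found.append(("start-page", start))
    found += [("firewall-exception", a) for a, d in keys.get(FW_APPS, {}).items() if ":Enabled:" in d]
    for name, data in keys.get(SHARES, {}).items():
        fields = dict(f.split("=", 1) for f in data.split(","))
        if fields.get("Type") == "0" and len(fields.get("Path", "")) == 3:  # "C:\" = whole drive shared
            found.append(("disk-share", name))
    return found
```

Running `audit(parse_reg(SAMPLE_REG))` on the constructed sample reports the lowered zone, the ActiveX setting, the trusted domain, the start page, the firewall exception and the C: share; the same parser can be pointed at a real `reg export` of these keys.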
We could continue for a long time, but the basic idea is clear: the employees of an antivirus company remove and restore only what they can vouch for. So do not write on the forums that some antivirus does not fully clean the system: everything has its reasons.
Dmytro Krasylnikov, Alexander Adamov
"Design and Test Lab" , Ltd. 2009
/ specially for www.av-school.com /
Article from blog: Marina.
Published: 15 January 2010