Search found 10 matches

by vaber
Fri Jun 19, 2015 2:32 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 387123

Re: UACMe - Defeating Windows User Account Control

EP_X0FF wrote: IIRC KB2919355 for Windows 8.1 removes this exe from appinfo.dll!g_lpAutoApproveEXEList and it is still present only on Windows 7 (which is the subject of the free upgrade).
Cool! Thanks for the information.
I only watched the sample under Windows 7.
by vaber
Fri Jun 19, 2015 1:47 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 387123

Re: UACMe - Defeating Windows User Account Control

infdefaultinstall.exe is used by virmakers to create an autostart key for malware (they use an .inf file for this). This method works under medium IL.
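The persistence route described in the post above (an .inf whose DefaultInstall section carries AddReg entries that land in a Run key, handed to the auto-elevating infdefaultinstall.exe) is something a responder wants to spot in a dropped .inf quickly. The following is an added example, not code from UACMe or from this thread: a small parser that follows an INF's DefaultInstall -> AddReg chain and reports every registry write aimed at an autostart location. The INF syntax it relies on is the documented AddReg line format (reg-root, subkey, value-name, flags, value); the sample INF and the list of autostart key prefixes are constructed for the example and can be extended.

```python
"""Flag autostart registry writes in an INF file's DefaultInstall chain.

Added example for triaging .inf files used with InfDefaultInstall.exe; not
part of the original thread. Handles the documented AddReg line format:
    reg-root, [subkey], [value-entry-name], [flags], [value]
Line continuations and string substitutions (%token%) are not resolved.
"""

# Registry subkeys (lowercase, without the root) that yield code execution at
# logon. Assumed list for this example; "run" also matches "runonce".
AUTOSTART_PREFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows\currentversion\explorer\shell folders",
)


def _strip_comment(line):
    """Remove a ';' comment, ignoring semicolons inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def _split_fields(line):
    """Split an AddReg line on commas outside quotes, dropping the quotes."""
    fields, buf, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append(buf.strip())
            buf = ""
        else:
            buf += ch
    fields.append(buf.strip())
    return fields


def parse_inf(text):
    """Return {section_name_lower: [non-empty, comment-free lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _referenced_sections(sections, section, directive):
    """Section names listed in e.g. 'AddReg = A, B' within the given section."""
    names = []
    for line in sections.get(section, []):
        key, eq, value = line.partition("=")
        if eq and key.strip().lower() == directive:
            names.extend(n.strip().lower() for n in value.split(",") if n.strip())
    return names


def autostart_writes(inf_text, install_section="DefaultInstall"):
    """Return a dict per AddReg entry whose subkey is an autostart location."""
    sections = parse_inf(inf_text)
    hits = []
    for reg_section in _referenced_sections(sections, install_section.lower(), "addreg"):
        for line in sections.get(reg_section, []):
            fields = _split_fields(line)
            if len(fields) < 2:
                continue
            root, subkey = fields[0].upper(), fields[1]
            if not subkey.lower().startswith(AUTOSTART_PREFIXES):
                continue
            hits.append({
                "root": root,
                "subkey": subkey,
                "value_name": fields[2] if len(fields) > 2 else "",
                "flags": fields[3] if len(fields) > 3 else "",
                "data": fields[4] if len(fields) > 4 else "",
            })
    return hits


# Constructed sample INF for the example; not taken from any real sample.
SAMPLE_INF = r"""
; constructed sample, not a real malware INF
[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg = Persist.Reg, Benign.Reg

[Persist.Reg]
HKLM,"Software\Microsoft\Windows\CurrentVersion\Run","updater",0x00000000,"C:\Users\Public\updater.exe"

[Benign.Reg]
HKCU,"Software\Example Vendor","Installed",0x00010001,1
"""

if __name__ == "__main__":
    for hit in autostart_writes(SAMPLE_INF):
        print("{root}\\{subkey} [{value_name}] = {data}".format(**hit))
```

Run it against a suspect .inf by passing the file's text to autostart_writes(); the section name argument lets you check DefaultInstall.NT or any other install section the file uses. Because InfDefaultInstall.exe auto-elevates, an AddReg hit under HKLM from a medium-IL process is the line worth pulling into a detection rule.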
by vaber
Wed Jun 17, 2015 3:07 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 387123

Re: UACMe - Defeating Windows User Account Control

Now the adware UACMe-Hibiki is being spread by virmakers:
7166268F5C6A02D51C80E0AB3348725B
85884D9C5A66E3B4BD953FFDEB791F04
by vaber
Mon Oct 15, 2012 4:59 pm
Forum: Malware
Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)
Replies: 149
Views: 148468

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

rkhunter wrote: Don't you think that this is incorrect behaviour??
And stop complaining! If you have questions for me, go to PM.
by vaber
Mon Oct 15, 2012 4:42 pm
Forum: Malware
Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)
Replies: 149
Views: 148468

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

rkhunter wrote: Btw, if it's identical, why did an Alureon.K detection appear for it?
It's different:
old
https://www.virustotal.com/file/c40d2f7 ... /analysis/
new
https://www.virustotal.com/file/0285ef7 ... /analysis/
by vaber
Tue Feb 28, 2012 11:49 am
Forum: User-Mode Development
Topic: AV SP Discussion & Bypass
Replies: 121
Views: 188456

Re: Kill kaspersky 2012 from user mode :)

I confirm the topic starter's PoC. It indeed terminates Kaspersky 2012 from user mode. All instances terminate without any warnings (default out-of-the-box configuration). This is not a GUI-based attack. It uses a generic flaw in Kaspersky self-protection. Additionally, slightly modified, this code can totally ...
by vaber
Fri Aug 05, 2011 8:26 pm
Forum: Malware
Topic: WinNT/Simda
Replies: 43
Views: 50116

Re: Rloader.A Virscan 4/37

fatdcuk wrote: TDSS killer killing it 8-)
KIS/KAV also detect and cure that rootkit-infector ;)
by vaber
Sun Oct 17, 2010 10:02 am
Forum: Malware
Topic: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)
Replies: 595
Views: 588715

Re: Rootkit TDL 3 (alias TDSS, Alureon)

EP_X0FF wrote: I don't think this is TDL. There is another malware, Antivirus Pro 2010, that may be interesting, because it uses some TDL3 approaches.
This is another modification of the max++ rootkit:
http://www.kernelmode.info/forum/viewto ... ?f=16&t=57
http://www.kernelmode.info/forum/viewto ... ?f=16&t=23
by vaber
Mon Aug 30, 2010 6:08 pm
Forum: Malware
Topic: Backdoor:Win32/Atadommoc.B
Replies: 4
Views: 4566

Re: Badly detected malware driver

Probably this is a new Pundex/Cutwail rootkit.
by vaber
Fri Mar 19, 2010 9:11 am
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 291215

Re: WinLocker with some rootkit technology

The Digital-Access rootkit is the same as max++ from this thread:
http://www.kernelmode.info/forum/viewto ... ?f=16&t=23