OK, I've been talking about this yesterday on how you could extend detection. This is just one of the possible ways to check a file.
TEST PROGRAM:
http://freeweb.siol.net/razor256/downloads/BasicHeuristics.zip
For testing purposes I have implemented only detection for the “.txt.exe” dual extension. So all files that have only one extension, or those that are not considered a threat, are excluded automatically. As I have noticed that the VPS contains a default extension set (infectable files), it could be very easy to do this in avast!.
I have included two blank samples with different extensions.
One will be detected and the other won't. You can also test with other files, but only malware_program.txt.exe will be detected, since dual extensions are suspicious (the extension exe.txt is also not suspicious, since TXT is the correct extension and it's harmless). Files with a single extension are not as suspicious as those which want to hide something.
Another check could be a wide-space check. Some worms have a very long run of spaces between the filename and the real extension. The icon usually mimics the “fake” extension. You can see the real extension only if you use the Rename command on the file.
I have seen similar checking in DiamondCS WormGuard, which seems to be pretty effective.
There are probably many more such “heuristic” checks that could increase the possibility of catching malware with minimal overhead (checking the extension is probably something that can be performed very fast). The Alwil guys probably know this, since similar methods are used for mail attachment checking.
Is there any other checking method similar to “my” two?
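The two filename heuristics described in the post above (dual extension and wide-space padding), as an added example that is not the poster's test program nor avast! code; the executable/harmless extension sets, the padding threshold and the sample filenames are all constructed assumptions:

```python
# Extensions treated as directly executable (assumed set, not from the post).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
# Extensions a user trusts as harmless documents; a program posing as one is suspicious.
HARMLESS_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "doc", "pdf", "mp3", "avi", "zip"}
# Number of spaces before the real extension beyond which the name is flagged (assumed).
MAX_PADDING = 8


def check_filename(name: str) -> list[str]:
    """Return the heuristic hits for one filename, in the order checked.

    Only names whose *real* (last) extension is executable are examined, so
    "program.exe.txt" is not flagged: its real type is a harmless TXT file.
    """
    hits: list[str] = []
    base, dot, real_ext = name.rpartition(".")
    if not dot or real_ext.strip().lower() not in EXECUTABLE_EXTS:
        return hits  # no extension, or real extension is not executable

    # Wide-space check: spaces between the visible name and the real extension
    # push ".exe" out of view in Explorer, e.g. "holiday.jpg<30 spaces>.exe".
    padding = len(base) - len(base.rstrip())
    if padding >= MAX_PADDING:
        hits.append("wide-space")

    # Dual-extension check: the visible part ends in a harmless-looking
    # extension, e.g. "malware_program.txt.exe".
    visible = base.rstrip()
    _, inner_dot, fake_ext = visible.rpartition(".")
    if inner_dot and fake_ext.lower() in HARMLESS_EXTS:
        hits.append("dual-extension")
    return hits


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged filename to its hits; clean names are omitted."""
    return {n: h for n in names if (h := check_filename(n))}


# Constructed sample filenames mirroring the post's two test files plus extra cases.
SAMPLE_NAMES = [
    "malware_program.txt.exe",          # dual extension: flagged
    "harmless_program.exe.txt",         # real type is TXT: not flagged
    "readme.txt",                       # single harmless extension: not flagged
    "setup.exe",                        # single executable extension: not flagged
    "holiday.jpg" + " " * 30 + ".exe",  # wide space and dual extension: flagged
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(hits)}")
```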