Malware & registry question.

Hi!

I’m no computer noob, but I’m gonna (must) ask the following question:

Does every virus and/or trojan write to the registry?

I thought they had to, to be able to auto-start etc… But I could be wrong.

If there are viruses or trojans that don’t use the registry, how do they work then? (simple explanation please…)

Thanks,

Waldo

Viruses do not need to modify the Registry, because they do infect files.
For Trojans, worms and other non-infecting malware it is necessary to modify the Registry (incl. Win.ini, system.ini, Winstart.bat) to get started.
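A defender-side check for the start-up locations Raman names, written as an added example and not taken from this thread or from avast!: it parses constructed win.ini, system.ini and winstart.bat contents (the sample*.exe names are placeholders) and lists what each would launch at boot; the Registry Run keys themselves need a live host and are left out.

```python
# Added example (not code from the thread or from avast!): enumerate the legacy
# autostart locations the reply names. File contents are constructed samples
# standing in for %WINDIR%\win.ini, system.ini and winstart.bat; sample*.exe
# are placeholder names.
import re

WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\sample1.exe\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\sample2.exe\n[386Enh]\ndevice=*vmouse\n"
WINSTART_BAT = "@echo off\nrem runs before the shell loads\nstart C:\\TEMP\\sample3.exe\n"


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(win_ini, system_ini, winstart_bat):
    """Return (location, program) pairs that get launched at startup."""
    found = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):  # space- or comma-separated program lists
        for prog in re.split(r"[ ,]+", windows.get(key, "")):
            if prog:
                found.append(("win.ini [windows] %s=" % key, prog))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "").split()
    for prog in shell[1:]:  # the stock value is just "Explorer.exe"
        found.append(("system.ini [boot] shell=", prog))
    for line in winstart_bat.splitlines():
        cmd = line.strip()
        if cmd and not cmd.lower().startswith(("@echo", "rem ", "::")):
            found.append(("winstart.bat", cmd))
    return found


if __name__ == "__main__":
    for location, program in autostart_entries(WIN_INI, SYSTEM_INI, WINSTART_BAT):
        print("%-26s %s" % (location, program))
```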

Thanks Raman (have a cookie ;D)

I was not sure anymore about these things after some reading I did on another forum… It confused me like hell.

But I believe your answer is correct, and that not all viruses need the registry to work (maybe just a few).

But Trojans and other malware (spyware) do need it (I’m sure about that).

Waldo! My gosh… I feel so much better knowing that someone else can get confused about these things ;D

cojo

My “confusion” started when I read this thread at Wilders:

http://www.wilderssecurity.com/index.php?board=40;action=display;threadid=18412

I also use Registry Prot (freeware) just like that Jason Voorhees guy, but I thought it would only monitor start-up changes in the registry.

But this Jason guy says “states” that he wants to use RegProt to defend against viruses, but like Raman stated, viruses don’t use the registry.

So that’s why I got confused, because Pilli (mod for Diamonds) doesn’t say or react about this. If one person needs to know that viruses don’t use the registry, it should be him ??? Maybe he just didn’t notice it…

Well, I won’t lose sleep over it, that’s for sure :wink:

Waldo

Sometimes, Wilders’ forums do not have the desired quality and precision. I have ‘lost’ quite a lot of time following advice that, in the end, was not so correct :frowning:

Technical,
I think that it was in the interpretation of the article.
It was not clearly explained.

Waldo,
Raman is correct.
Not all viruses enter the registry. It would depend on their purpose. Self-executing malware usually will worm its way into the registry. Other viruses just change files so they become unusable, or modify them for their own dastardly purposes.

Cojo,
We all have similar troubles at times.

techie

I also wonder,

Does AVAST offer some kind of generic detection (content behavior) or is it simply signature based? (I know Mail provider uses heuristics)

Why do I ask:

Because nowadays you can “order” custom-made dangerous trojans that are edited to evade detection by the AV you want.

If you only trust in signature detection > IMHO > you’re doomed if you encounter an edited and/or polymorphic R.A.T.

I also believe that signatures are no good against polymorphic malware as they change their content over and over again. With a mutation engine (do a Google search) you can create thousands of mutated trojans.

Just like the vendors of TDS-3 explain here (Donald Dick RAT):

If this was a normal server, we’d see the same code with every server we created. As we see in the above screenshot, this isn’t the case with polymorphic trojans. With Donald Dick servers, not only are all of the entrypoints and file sizes different, but all the instruction sequences are also very unique! No form of signature-based or conventional detection can be used to detect this trojan.

http://tds.diamondcs.com.au/index.php?page=polymorphictrojans

I wonder if AVAST or any other AV can cope with such threats, and HOW? Please fill me in…

Waldo

This was discussed in the past. Minacross I suppose.
This will be the eternal war against viruses. Some programmers think that only ‘generic’ or heuristic detection will solve the mutation and new virus problem. Others think that the ‘false positives’ will be too many and too irritating. This is the border of the new technologies of virus detection/prevention/cleaning.

Technical,
you are right, as always… (a K cookie from me) ;D
This is the thread you mean: using heuristics

I forgot this has been discussed before (even though I made a really long post there :))…

It just seems that the content and behavior of the malware is changing drastically (this year) and I believe it will be even worse in ’04 :frowning:

Well, we will see… I’m sure AVAST will keep us all safe and warm, like it did before ;D

Waldo

Thanks Minacross, Waldo and Hornus (who gave a very good explanation of heuristics in Mina’s forum). If I remember, Igor and Pk said something about this in the past too. But I’m not sure, maybe it was Pavel. They want to do what will be the best, but they were not sure it will be possible to work just with ‘generic detection’ (or heuristics).

Polymorphic viruses need a special kind of detection, of course - and avast! certainly has it. It’s not a heuristic, however (at least not in the usual sense of the word - i.e. detecting unknown viruses according to their features, behavior, …) - it’s a special piece of code to detect the polymorphic virus. Every polymorphic virus has a special piece of such code, contained in the VPS file, together with the ordinary signatures; you can call this code a kind of “signature” as well, though it’s certainly something more complicated.