MBAM doesn't detect BonziBuddy and ILOVEYOU virus.



Hello, I am a Malwarebytes user and a cybersecurity enthusiast. However, when I was testing my favourite product (Malwarebytes), I found out it couldn't detect BonziBuddy or the ILOVEYOU virus. Can you (Malwarebytes devs and team) make sure these unwanted pieces of malware are detected and removed by MBAM in the next update? Thank you in advance for your support.

 

From JP3SpinoFan


14 minutes ago, JP3SpinoFan said:

make sure these unwanted pieces of malware are detected and removed by MBAM in the next update?

Those 2 are ancient and can't run on any current OS that has Malwarebytes installed.

https://en.wikipedia.org/wiki/BonziBuddy

https://en.wikipedia.org/wiki/ILOVEYOU

Edited by Porthos

  • Root Admin

The Love Bug virus was from 2000, which was 23 years ago. We do not cover malware or viruses that are no longer in the wild. This has not been a real threat for well over 20 years.

The original BonziBuddy was from 2004 - again, something we do not cover if it's not actively in the wild.

Thank you

 

 


@JP3SpinoFan


Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files via signatures. That means MBAM will not target: JS, JSE, PS1, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents via signatures, such as: PDF, DOC, DOCX, XLS, XLSX, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until v1.75, MBAM could not access files in archives, but v1.75 added that ability, so it can unarchive a Java JAR (which is a PKZip file) but it won't target the .CLASS files within. The same goes for CHM files (which is a PKZip file): it doesn't target the HTML files within. MBAM v1.75 and later specifically deal with ZIP, RAR, 7z, CAB and MSI archives, and with self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets PE binaries that start with the first two characters being MZ.
They can be EXE, COM, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to anything, such as TXT, JPG, CMD or BAT, and they will still be targeted as long as the binary starts with 'MZ'. This includes file names that use the Unicode Right-to-Left Override to obfuscate an executable file extension.


 
MBAM is not an anti-virus application. MBAM mainly targets non-viral malware. The exceptions are virus droppers (a malware file that drops a virus and starts a virus infection but is not itself infected with the virus) and worms (such as Internet worms and AutoRun worms).

MBAM is incapable of removing malicious code that has been prepended, appended or cavity-injected into a legitimate file. That means if a file-infecting virus infects a legitimate file, MBAM will be unable to remove the malicious code. An anti-virus application should be able to remove malicious code from an infected file and hopefully bring it back to its pre-infected state, which may or may not return the file to its original, non-infected checksum value.

A file-infecting virus will prepend, append or cavity-inject malicious code into a legitimate file. Once infected, that infected file can further the infection by infecting other legitimate files.

On the other hand, there are trojans that will prepend, append or cavity-inject malicious code into a legitimate file. However, that file cannot infect other files; the infection stops with that targeted file. These files are deemed either "trojanized" or "patched". Since MBAM cannot remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered file.

MBAM is not a historical anti-malware solution. That is, it targets zero-day and current malware. It applies signatures to new and emerging malware, and Malwarebytes culls its database of signatures for old malware. That's why Malwarebytes requests that sample submissions be no older than 3 months (albeit that is a fluid age and not a hard age). MBAM relies on heuristics and the anti-exploitation module for older malware.

 
NOTE: Malwarebytes' Anti-Exploit (MBAE) is designed to deal with many of the types of malware associated with scripts, documents and media files. MBAE protects the computer against exploitation attempts, whether they exploit software vulnerabilities or take advantage of an application in an unusual way, and it works at an "action level" and not a "file level." The Malwarebytes anti-exploitation module protects the applications that are commonly known to be associated with, and normally used to open, each file type. The Malwarebytes anti-exploitation module is a module within the paid-for version of MBAM.


Reference:  MBAE FAQ

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
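As an added illustration of the MZ-header and Right-to-Left Override points in the post above (example code written for this thread, not Malwarebytes' code; the function names are my own and the sample files are constructed in a temporary directory), this script classifies files by their first two bytes rather than their extension and shows what an RTLO-obfuscated name really is:

```python
import os
import tempfile

RTLO = "\u202e"  # Unicode Right-to-Left Override (U+202E)


def starts_with_mz(path):
    """True when the first two bytes are the 'MZ' DOS header that every PE
    binary (EXE, DLL, SYS, SCR, ...) begins with, whatever the extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def rtlo_obfuscated(name):
    """Return (displayed_name, real_extension) for a name carrying U+202E,
    else None. Text after the override renders reversed, so a name that is
    really *.exe can be shown to the user as if it ended in .jpg."""
    if RTLO not in name:
        return None
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1], os.path.splitext(name)[1].lower()


def scan_dir(directory):
    """Flag PE binaries (MZ magic) and RTLO names, ignoring the shown extension."""
    findings = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        reasons = []
        if starts_with_mz(entry.path):
            reasons.append("MZ header")
        obf = rtlo_obfuscated(entry.name)
        if obf:
            reasons.append("RTLO: displays as %r, real extension %s" % obf)
        if reasons:
            findings[entry.name] = reasons
    return findings


def demo():
    """Constructed samples: an 'MZ' stub renamed to .jpg, a harmless text
    file, and an RTLO-obfuscated name holding dummy (non-PE) bytes."""
    d = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # PE-looking, wrong ext
        "notes.txt": b"plain text, not a binary",
        "Image" + RTLO + "gpj.exe": b"not MZ",      # name-only trick
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return scan_dir(d)
```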

Thank you very much, but I have another question.

 

What techniques does Malwarebytes use to detect malware?

 

In my testing, Malwarebytes cannot detect Kekpop Ransomware. Just in case you don't know what it is, it is a ransomware that is made out of batch.

 

Can you please ensure that it does in the next update?

 

Thanks in advance,

 

JP3SpinoFan


2 hours ago, JP3SpinoFan said:

In my testing, Malwarebytes cannot detect Kekpop Ransomware. Just in case you don't know what it is, it is a ransomware that is made out of batch.

If it is not based upon a PE binary then it won't be "detected" via signatures, but if its actions are malicious then the anti-exploit and anti-ransomware modules will act upon its activities and mitigate its threats.

 


  • Root Admin
10 hours ago, JP3SpinoFan said:

Thank you very much, but I have another question.

 

What techniques does Malwarebytes use to detect malware?

 

In my testing, Malwarebytes cannot detect Kekpop Ransomware. Just in case you don't know what it is, it is a ransomware that is made out of batch.

 

Can you please ensure that it does in the next update?

 

Thanks in advance,

 

JP3SpinoFan

If you believe there is a valid, in-the-wild, working malware threat that we are not detecting, then please zip it up with a password and attach it to your next reply and we will review it.

 

Thank you

 


9 minutes ago, JP3SpinoFan said:

Ok, here is the ransomware that you asked for.

 

On 1/10/2023 at 9:33 AM, David H. Lipman said:

Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files via signatures. That means MBAM will not target: JS, JSE, PS1, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents via signatures, such as: PDF, DOC, DOCX, XLS, XLSX, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

That batch file would not be detected in a scan as already stated. It would have to be run on a computer with the paid version of Malwarebytes to be blocked.

Edited by Porthos

  • Root Admin

Where was the original source of this file?

This was last seen in the wild 8 months ago.

As we've said a few times now. We generally only keep definitions for programs that have been seen active in the wild in the last 3 months. After 3 months we may at our discretion remove certain detection rules.

https://www.virustotal.com/gui/file/89bd722b481dcfe487a56e7bd3d9867a6571720eee9ef47d82cf46274fe8867d?nocache=1

 


On 1/10/2023 at 12:00 AM, JP3SpinoFan said:

I am a Malwarebytes user

I would also suggest turning off the following setting to allow Windows Security to re-enable alongside Malwarebytes, if you are not using any other products except Malwarebytes, for added protection.



  • 2 weeks later...
Quote

We apologize, but we will not be adding corrupted files, archived/collections (old sample(s) 3 months+ since file creation) or file infectors. Secondly, we will not add key generators, hacking tools, joke applications, casino applications or game cheats unless they contain malicious trojan code.

 


Hello,

 

Sadly, from my testing, Malwarebytes did not detect Kekpop ransomware.

 

I ran it and MBAM on a vm and Kekpop encrypted all of my vm's files.

 

I am very sad, but hopefully in the future MBAM will be able to detect Kekpop.

 

From JP3SpinoFan
