
ADS content



Congratulations and thanks to the developers for this wonderful software tool.

I'm curious about the identification of the ADS threats.

Malwarebytes has found Rootkit.ADS attached to svchost.exe on my computer and identified it "svchost.exe:exe.exe".

Does the last part of the identifier /:exe.exe/ always refer to the same content?

Thank you,

Attila Kovacs


svchost.exe:exe.exe

We suggest you remove svchost.exe:exe.exe from your computer as soon as possible.

Svchost.exe:exe.exe is Trojan/Backdoor.

Malware: antivirus.exe

Removed: C:\WINDOWS\system32\svchost.exe:exe.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ihaupd32.exe

C:\Documents and Settings\Administrator\av_md.exe

C:\WINDOWS\system32\av_md.exe

This is a direct quote from one of the information sites we use for reference -

I think it is more related to the first section rather than specifically to the exe.exe ending -

Thank You -


Thank you for your quick answer. Sorry to tell you, I do not feel it answers my question. Not sure what it means "it is more related to the first section...".

Let me ask my question another way. Given a particular exe, one adds malware in an ADS stream to it, another malware creator uses the same binary of the exe but adds different malware to its ADS. Will Malwarebytes identify them as different? That is: does ":exe.exe" mean one specific piece /signature/ of malware?

Thank you,

Attila Kovacs


Sorry if I was a bit confusing in the answer -

A description of Svchost.exe in Windows

This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). ...

Svchost.exe is a normal function in your system - The added /:exe.exe/ means it has been hijacked by an intruder -

This is one way to find malware, as the item is not in its normal configuration, and will be noted as different from its usual process -

As to exactly how the process in Malwarebytes works to identify this, that is not known by me - It just knows the item has changed -

Any other details on the actual operations of the program can only be made by email to malwarebytes.org -

I am not an expert (or company employee) so the answers I give in this forum will be generally basic knowledge of the program -

Thank You -

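The post above says the added /:exe.exe/ marks a file that is "not in its normal configuration". Concretely, "svchost.exe:exe.exe" is an NTFS path: the host file svchost.exe plus an alternate data stream (ADS) named "exe.exe". The following is an added example, not code from this thread or from Malwarebytes, and it does not describe how Malwarebytes names its detections. It splits such an identifier into file and stream, lists the named streams on a file, and hashes each stream's bytes; run on two constructed files that carry different payloads in a stream with the same name "exe.exe", it shows that the stream name alone does not identify the content. The temp-directory paths and file names are assumptions; it needs Windows PowerShell 3 or later (or PowerShell 7) on an NTFS volume.

```powershell
# Added example (not from the forum thread or from Malwarebytes).
# Stream name vs. stream content for NTFS alternate data streams.

function Split-AdsIdentifier {
    # Splits "C:\path\file.exe:stream" (optionally ending in ":$DATA") into
    # the host file and the stream name. The colon after the drive letter sits
    # at index 1, so only a colon later in the string can be the separator.
    param([Parameter(Mandatory)][string]$Identifier)
    $id  = $Identifier -replace ':\$DATA$', ''
    $sep = $id.LastIndexOf(':')
    if ($sep -le 1) {
        return [pscustomobject]@{ File = $id; Stream = $null }
    }
    [pscustomobject]@{
        File   = $id.Substring(0, $sep)
        Stream = $id.Substring($sep + 1)
    }
}

function Get-StreamSha256 {
    # Reads one named stream as raw bytes and returns its SHA-256 hex digest.
    # Windows PowerShell 5.1 uses -Encoding Byte, PowerShell 7 uses -AsByteStream.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes))) -replace '-' }
    finally { $sha.Dispose() }
}

function Get-AdsReport {
    # Lists every named stream on a file with its size and content hash.
    # ':$DATA' is the unnamed primary stream (the ordinary file content) and
    # is skipped so only alternate streams are reported.
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $Path
                Stream = $_.Stream
                Length = $_.Length
                SHA256 = Get-StreamSha256 -Path $Path -Stream $_.Stream
            }
        }
}

# --- Demonstration on two constructed files (assumed location: %TEMP%\ads-demo) ---
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$a = Join-Path $dir 'host-a.exe'
$b = Join-Path $dir 'host-b.exe'

# Identical primary content in both host files ...
'identical host binary' | Set-Content -LiteralPath $a
'identical host binary' | Set-Content -LiteralPath $b
# ... but different payloads in a stream carrying the same name, "exe.exe".
'payload one' | Set-Content -LiteralPath $a -Stream 'exe.exe'
'payload two' | Set-Content -LiteralPath $b -Stream 'exe.exe'

# The identifier from the thread, parsed into file and stream name.
Split-AdsIdentifier 'C:\WINDOWS\system32\svchost.exe:exe.exe' | Format-List

# Both files report Stream = exe.exe, yet the SHA256 column differs:
# the stream name is the same, the content is not.
@($a, $b) | ForEach-Object { Get-AdsReport -Path $_ } | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

The same functions can be pointed at a real file (for example, `Get-AdsReport 'C:\WINDOWS\system32\svchost.exe'`) to see which alternate streams it carries; note that `Get-Item -Stream *` only works on NTFS and that an empty result means the file has no named streams. `Get-Content -Stream` is used instead of `[System.IO.File]::ReadAllBytes` because the .NET Framework behind Windows PowerShell rejects paths that contain a second colon.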

Just to add, if the malware is called, for example, malware.exe and it gets detected as Trojan/Backdoor, and I then rename the file to, say, freeware.exe, it will still be detected as Trojan/Backdoor when the file gets scanned.

Hope that helps....

Thanks for all the efforts. As I still haven't got the right answer, let me try to further clarify my question.

Given a binary, say xyz.exe, let's assume two malware creators add different ADS code to this binary. Now we have 2 identical binaries with different ADS streams. The question is: if Malwarebytes has knowledge about both ADS infections, will it identify them as different threats? To put it another way, when I read ":exe.exe" in connection with "Rootkit.ADS", does it refer to a specific threat or several sets could produce the same identifier?

I hope it is clear now what I would like to know.

Thank you,

Attila Kovacs

