hungrymind Posted June 29, 2010 ID:276391

Congratulations and thanks to the developers for this wonderful software tool. I'm curious about the identification of the ADS threats. Malwarebytes has found Rootkit.ADS attached to svchost.exe on my computer and identified it as "svchost.exe:exe.exe". Does the last part of the identifier, ":exe.exe", always refer to the same content?

Thank you,
Attila Kovacs
noknojon Posted June 29, 2010 ID:276432

svchost.exe:exe.exe
We suggest you remove svchost.exe:exe.exe from your computer as soon as possible.
Svchost.exe:exe.exe is Trojan/Backdoor.
Malware: antivirus.exe
Removed:
C:\WINDOWS\system32\svchost.exe:exe.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ihaupd32.exe
C:\Documents and Settings\Administrator\av_md.exe
C:\WINDOWS\system32\av_md.exe

This is a direct quote from one of the information sites we use for reference. I think it is more related to the first section rather than specifically to the exe.exe ending.

Thank You
hungrymind Posted June 29, 2010 Author ID:276447

Thank you for your quick answer. Sorry to tell you, I do not feel it answers my question. Not sure what it means "it is more related to the first section...".

Let me ask my question another way. Given a particular exe, one person adds malware in an ADS stream to it, and another malware creator uses the same binary of the exe but adds different malware to its ADS. Will Malwarebytes identify them as different? That is: does ":exe.exe" mean one specific piece (signature) of malware?

Thank you,
Attila Kovacs
noknojon Posted June 29, 2010 ID:276465

Sorry if I was a bit confusing in the answer.

A description of Svchost.exe in Windows: This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). ...

Svchost.exe is a normal function in your system. The added ":exe.exe" means it has been hijacked by an intruder. This is one way to find malware, as the item is not in its normal configuration, and will be noted as different from its usual process. As to exactly how the process in Malwarebytes works to identify this, that is not known by me; it just knows the item has changed. Any other details on the actual operations of the program can only be obtained by email to malwarebytes.org.

I am not an expert (or company employee), so the answers I give in this forum will generally be basic knowledge of the program.

Thank You
Firefox Posted June 29, 2010 ID:276495

Just to add: if the malware is called, for example, malware.exe and it gets detected as Trojan/Backdoor, and then I go and rename the file to, say, freeware.exe, when the file gets scanned it will still be detected as Trojan/Backdoor.

Hope that helps....
hungrymind Posted June 29, 2010 Author ID:276506

Thanks for all the efforts. As I still haven't got the right answer, let me try to further clarify my question.

Given a binary, say xyz.exe, let's assume two malware creators add different ADS code to this binary. Now we have two identical binaries with different ADS streams. The question is: if Malwarebytes has knowledge about both ADS infections, will it identify them as different threats? To put it another way, when I read ":exe.exe" in connection with "Rootkit.ADS", does it refer to a specific threat, or could several sets produce the same identifier?

I hope it is clear now what I would like to know.

Thank you,
Attila Kovacs
nosirrah Posted June 29, 2010 ID:276530

Without going into the tech here (for obvious reasons), there are both direct and generic defs at work here.
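The two points made in the thread, that detection follows the stream's content rather than its name (Firefox's rename example) and that both direct and generic definitions can produce the same "svchost.exe:exe.exe" identifier (nosirrah's reply), can be illustrated with a small toy model. The Python below is an added example written for this page; it is not Malwarebytes' code and does not describe how its definitions are actually built. The definition labels, the KNOWN_BAD payload, the WINDOWS_DIR scope of the generic rule and the sample stream records are all constructed for the illustration. The one piece that touches a real system is enumerate_streams(), which calls the Win32 FindFirstStreamW/FindNextStreamW API and therefore runs only on Windows against an NTFS volume; everything else is portable.

```python
"""Toy model of alternate-data-stream (ADS) detection with 'direct' (hash) and
'generic' (heuristic) definitions.  Added illustration only: NOT Malwarebytes'
engine or definition format.  Everything except enumerate_streams() is portable;
enumerate_streams() calls the real Win32 FindFirstStreamW API (Windows/NTFS only)."""
import hashlib
import sys
from dataclasses import dataclass

# Constructed stand-in for a known-bad executable (hypothetical, not real malware).
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample payload"

# Direct definitions: exact content match keyed by SHA-256 of the stream bytes.
# The label is hypothetical.
DIRECT_DEFS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan/Backdoor"}

WINDOWS_DIR = "c:\\windows\\"  # assumed scope of the generic rule (illustrative)


@dataclass(frozen=True)
class Stream:
    host: str    # path of the file carrying the stream
    name: str    # stream name as NTFS reports it: ':exe.exe:$DATA' or '::$DATA'
    data: bytes  # stream contents


def is_named_data_stream(name: str) -> bool:
    """True for ':foo:$DATA'; False for the unnamed main stream '::$DATA'."""
    parts = name.split(":")
    return len(parts) == 3 and parts[1] != "" and parts[2] == "$DATA"


def display_name(s: Stream) -> str:
    """Forum-style identifier such as 'svchost.exe:exe.exe'."""
    return s.host.replace("/", "\\").rsplit("\\", 1)[-1] + ":" + s.name.split(":")[1]


def classify(s: Stream):
    """Return (verdict, rule); verdict None means no detection."""
    if not is_named_data_stream(s.name):
        return None, "main stream, not inspected by this toy"
    # Direct definition: keyed on content, so renaming the stream changes nothing.
    digest = hashlib.sha256(s.data).hexdigest()
    if digest in DIRECT_DEFS:
        return DIRECT_DEFS[digest], "direct:sha256"
    # Generic definition (assumed heuristic): a PE image ('MZ' header) hidden in
    # a named stream of a file that lives under the Windows directory.
    in_windows = s.host.replace("/", "\\").lower().startswith(WINDOWS_DIR)
    if in_windows and s.data[:2] == b"MZ":
        return "Rootkit.ADS", "generic:pe-in-ads"
    return None, "no match"


def scan(streams):
    """Classify each stream; returns a list of (display_name, verdict, rule)."""
    return [(display_name(s),) + classify(s) for s in streams]


def enumerate_streams(path: str):
    """Yield a Stream for every $DATA stream of `path` (Windows/NTFS only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration requires Windows")
    import ctypes
    from ctypes import wintypes

    class FIND_STREAM_DATA(ctypes.Structure):  # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * 296)]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [ctypes.c_void_p]

    info = FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:     # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        while True:
            # 'file:stream:$DATA' is a valid Win32 path, so each stream opens directly.
            with open(path + info.cStreamName, "rb") as fh:
                yield Stream(path, info.cStreamName, fh.read())
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)


# Constructed sample records (not taken from any real machine).
SAMPLE_STREAMS = [
    Stream(r"C:\Windows\System32\svchost.exe", "::$DATA", b"MZ main image (constructed)"),
    Stream(r"C:\Windows\System32\svchost.exe", ":exe.exe:$DATA", KNOWN_BAD),
    Stream(r"C:\Windows\System32\svchost.exe", ":freeware.exe:$DATA", KNOWN_BAD),  # renamed, same bytes
    Stream(r"C:\Windows\System32\svchost.exe", ":exe.exe:$DATA", b"MZ" + b"some other unknown payload"),
    Stream(r"C:\Users\user\Downloads\setup.exe", ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
]

if __name__ == "__main__":
    targets = SAMPLE_STREAMS if len(sys.argv) < 2 else list(enumerate_streams(sys.argv[1]))
    for name, verdict, rule in scan(targets):
        print(f"{name:32} {verdict or 'clean':16} {rule}")
```

Run without arguments it scans the constructed records: the second and third entries carry identical bytes under different stream names and both hit the direct (hash) definition, while the fourth entry is reported under the very same "svchost.exe:exe.exe" identifier but only by the generic rule, which is the situation the original question asks about. The Zone.Identifier record shows the caveat that a named stream by itself is not evidence of compromise; Windows attaches that stream to every downloaded file. On Windows, passing a file path as the first argument enumerates and scans that file's real streams; note that it reads the main stream into memory too, so point it at individual files rather than large archives.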