ADS content

[hungrymind]

Congratulations and thanks to the developers for this wonderful software tool.

I'm curious about the identification of the ADS threats.

Malwarebytes has found Rootkit.ADS attached to svchost.exe on my computer and identified it "svchost.exe:exe.exe".

Does the last part of the identifier /:exe.exe/ always refers to the same content?

Thank you,

Attila Kovacs

[noknojon]

svchost.exe:exe.exe

We suggest you to remove svchost.exe:exe.exe from your computer as soon as possible.

Svchost.exe:exe.exe is Trojan/Backdoor.

Malware: antivirus.exe

Removed:C:\WINDOWS\system32\svchost.exe:exe.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ihaupd32.exe

C:\Documents and Settings\Administrator\av_md.exe

C:\WINDOWS\system32\av_md.exe

This is a direct quote from one of the information sites we use for reference -

I think it is more related to the first section rather than specifically to the exe.exe ending -

Thank You -

[hungrymind]

This is a direct quote from one of the information sites we use for reference -

I think it is more related to the first section rather than specifically to the exe.exe ending -

Thank You -

Thank you for your quick answer. Sorry to tell you, I do not feel it answers my question. Not sure what it means "it is more related to the first section...".

Let me ask my question another way. Given a particular exe, one adds malware in an ADS stream to it, another malware creator uses the same binary of the exe but adds different malware to its ADS. Will Malwarebytes identify them as different? That is: does ":exe.exe" mean one specific piece /signature/ of malware?

Thank you,

Attila Kovacs

[noknojon]

Sorry if I was a bit confusing in the answer -

A description of Svchost.exe in Windows

This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). ...

Svchost.exe is a normal function in your system - The added /:exe.exe/ means it has been hijacked by an intruder -

This is one way to find malware, as the item is not in its normal configeration, and will be noted as different from its usual process -

As to exactly how the process in Malwarebytes works to identify this is not known by me - It just knows the item has changed -

Any other details on the actual operations of the program can only be made by email to malwarebytes.org -

I am not an expert (or company employee) so the answers I give in this forum will be generally basic knowledge of the program -

Thank You -

[Firefox]

Just to add, if the malware is called for example malware.exe and it gets detected as Trojan/Backdoor, then I go and rename the file to say freeware.exe, when the file gets scanned it will still be detected as Trojan/Backdoor.

Hope that helps....

[hungrymind]

Just to add, if the malware is called for example malware.exe and it gets detected as Trojan/Backdoor, then I go and rename the file to say freeware.exe, when the file gets scanned it will still be detected as Trojan/Backdoor.

Hope that helps....

Thanks for all the efforts. As I still haven't got the right answer, let me try to further clarify my question.

Given a binary, say xyz.exe, let's assume two malware creators add different ADS code to this binary. Now we have 2 identical binaries with different ADS streams. The question is: if Malwarebytes has knowledge about both ADS infections, will it identify them as different threats? To put it another way, when I read ":exe.exe" in connection with "Rootkit.ADS", does it refer to a specific threat or several sets could produce the same identifier?

I hope it is clear now what I would like to know.

Thank you,

Attila Kovacs

[nosirrah]

Without going into the tech here (for obvious reasons) there are both direct and generic defs at work here.