a256886572008

Bypass Online Armor 6.0.0.1736


1. Virus Total:

https://www.virustotal.com/file/bb72ab3ac1dc5f358391a44b2a9be333d06304d205945f04a768e63c96cb6b5a/analysis/1359101967/


2. What can it do:

(1) The malware injects code to the explorer.exe.

(2) The explorer.exe executes a svchost.exe.

(3) The svchost.exe creates an autorun entry.


3. Tests:

[Three screenshots of the test results, not reproduced here.]

4. Result:

HIPS --> failed

Run Safer --> failed

Autoruns --> failed

5. Environment:

Windows XP Pro SP3 32bit

6. Product Version:

6.0.0.1736 Free

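As an added defensive example (not code from the reporter or from Emsisoft), the behaviour chain in section 2 expressed as detection logic over constructed, Sysmon-style process and registry events: a svchost.exe whose parent is anything other than services.exe is flagged, and a Run-key write by that process or one of its descendants is reported. Every event field, pid and path below is constructed for the example.

```python
"""Flag the chain described in the report: explorer.exe spawning svchost.exe,
and that svchost.exe writing an autorun entry. Added example; the event shape
is a constructed, simplified Sysmon-like record, not real telemetry."""
from collections import namedtuple

Event = namedtuple("Event", "kind pid ppid image target")

# On Windows XP, svchost.exe is launched by services.exe only (assumption for this example).
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
RUN_KEY_FRAGMENTS = ("\\currentversion\\run", "\\currentversion\\runonce")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chain(events):
    """Return findings (strings) for anomalous svchost.exe parents and autorun
    writes performed by those processes or their children."""
    image_by_pid = {}       # pid -> image path, to resolve a parent's name
    suspicious_pids = set()  # processes whose lineage starts at a flagged svchost
    findings = []
    for ev in events:
        if ev.kind == "process_create":
            image_by_pid[ev.pid] = ev.image
            parent = basename(image_by_pid.get(ev.ppid, "<unknown>"))
            child = basename(ev.image)
            if child == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
                suspicious_pids.add(ev.pid)
                findings.append(f"svchost.exe (pid {ev.pid}) spawned by {parent} (pid {ev.ppid})")
            elif ev.ppid in suspicious_pids:
                suspicious_pids.add(ev.pid)  # suspicion is inherited down the tree
        elif ev.kind == "registry_set":
            key = ev.target.lower()
            if ev.pid in suspicious_pids and any(f in key for f in RUN_KEY_FRAGMENTS):
                findings.append(f"autorun entry {ev.target} written by suspicious pid {ev.pid}")
    return findings


# Constructed sample telemetry modelled on the reported chain (pids and paths are made up).
SAMPLE_EVENTS = [
    Event("process_create", 1000, 900, r"C:\WINDOWS\system32\services.exe", None),
    Event("process_create", 1100, 1000, r"C:\WINDOWS\system32\svchost.exe", None),  # benign svchost
    Event("process_create", 1200, 800, r"C:\WINDOWS\explorer.exe", None),
    Event("process_create", 1300, 1200, r"C:\WINDOWS\system32\svchost.exe", None),  # spawned by explorer
    Event("process_create", 1400, 1200, r"C:\Program Files\App\setup.exe", None),   # ordinary user launch
    Event("registry_set", 1300, None, None, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("registry_set", 1400, None, None, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\App"),
]

if __name__ == "__main__":
    for finding in find_suspicious_chain(SAMPLE_EVENTS):
        print(finding)
```

The injection into explorer.exe itself is not visible in process-creation telemetry; the anomalous parent of svchost.exe is the observable proxy, so the autorun write by setup.exe (a normal child of explorer.exe) is deliberately not reported.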

Hello a256886572008,

Thank you for your report. I looked into the sample and was able to figure out why the code injection wasn't detected properly. We will update Online Armor ASAP.


Wow. I'm impressed to see some malware really bypassing Online-Armor. After the fixed OA version is released could you elaborate on the reason why this slipped through OA's defenses? Because of some clever/yet unknown way or because of some wrong implementation/bug by OA?


Edit: Found some more info by myself: 1, 2. Looks like OA wasn't the only product which this baddie managed to bypass.
