A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14496  by EP_X0FF
 Sat Jul 07, 2012 1:34 am
madshus wrote:
rkhunter wrote:He-he, with simple technique...just hang debugger on processes (including Kaspersky, Dr.Web, Avast and others).
Why do you think the bad guys install a rootkit while AVs are killed anyway?
In a hopeless attempt to prevent manual removal.
 #14497  by DWS94
 Sat Jul 07, 2012 2:38 am
rkhunter wrote: He-he, with simple technique...just hang debugger on processes (including Kaspersky, Dr.Web, Avast and others).
First suspend the process, and then kill the AV with debugger permissions?
Doesn't Kaspersky's self-protection prevent it from being hung up?
Doesn't Kaspersky's HIPS module prompt? :?:
Thanks
 #14517  by EP_X0FF
 Sun Jul 08, 2012 3:16 pm
First suspend the process, and then kill the AV with debugger permissions?
Doesn't Kaspersky's self-protection prevent it from being hung up?
Doesn't Kaspersky's HIPS module prompt?
http://www.anti-malware-test.com/?q=taxonomy/term/16

Platinum Self-Protection Award

Kaspersky Internet Security 2011 (100%)
 #18863  by EP_X0FF
 Sun Apr 07, 2013 11:10 am
Not sure about the origin of this malware, but the mad skills level is the same. PWS OnlineGames equipped with a driver agent performing DLL injection and AV blacklisting.

Adds 80+ MB to the malware files as an overlay.
C:\ProcessFilter\Driver\objfre\i386\ProcessFilter.pdb
Dropper + two extracted drivers attached. For mad skills and lols see the driver entry.

+
PsTerminateSystemThread: 0x%08x PspTerminateThreadByPointer: 0x%08x PspTerminateThreadByPointer: 0x%08x Search_PspTerminateThreadByPointer Error
SHA256: 9a5fbbab260b5d75da342726b8a90de506a5bbcbc1326b5a383b4ee4c0e331f8
SHA1: 2951bd26017107670ae592e212fcd75c88b6ac15
MD5: 99f504f9e9010e0a32e609a08edfccc0

https://www.virustotal.com/en/file/9a5f ... /analysis/
Attachments
pass: infected
(223.76 KiB) Downloaded 36 times
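The driver's debug strings above (the two resolved addresses and the "Search_PspTerminateThreadByPointer Error" fallback) point to the usual trick for reaching an unexported kernel worker: take the exported thin wrapper (here PsTerminateSystemThread, which a driver can look up with MmGetSystemRoutineAddress) and follow the relative CALL it makes. The block below is an added example written for this page, not code from the attached driver or from ntoskrnl; it reconstructs that resolution step in portable C on a constructed byte stub. The stub bytes, the load address STUB_VA and the worker address WORKER_VA are all made up so the example runs stand-alone; the "Error" path shows why a pattern-walker that meets an instruction it does not know must give up rather than guess (which is what the driver's error string suggests it does).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal x86-32 instruction-length decoder for the few opcodes one expects in
 * a thin kernel wrapper. Returns the length, or 0 for anything it does not know;
 * the caller treats 0 as "search failed". */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    uint8_t op = p[0];
    switch (op) {
    case 0x50: case 0x51: case 0x52: case 0x53: case 0x55: case 0x56:
    case 0x57: case 0x5D: case 0xC3: case 0xCC:
        return 1;                                  /* push/pop reg, ret, int3 */
    case 0x6A: case 0x74: case 0x75: case 0xEB:
        return avail >= 2 ? 2 : 0;                 /* push imm8, jz/jnz/jmp rel8 */
    case 0xC2:
        return avail >= 3 ? 3 : 0;                 /* ret imm16 */
    case 0x68: case 0xE8: case 0xE9:
        return avail >= 5 ? 5 : 0;                 /* push imm32, call/jmp rel32 */
    case 0x64:                                     /* fs: segment prefix */
        return (avail >= 6 && p[1] == 0xA1) ? 6 : 0; /* mov eax, fs:[imm32] */
    case 0x89: case 0x8B: case 0xF6: case 0xFF: {  /* mov / test / push|call r/m */
        if (avail < 2) return 0;
        uint8_t mod = p[1] >> 6, rm = p[1] & 7;
        if (rm == 4 && mod != 3) return 0;         /* SIB forms: not handled */
        size_t len = 2;
        if (mod == 1) len += 1;                    /* disp8 */
        else if (mod == 2 || (mod == 0 && rm == 5)) len += 4; /* disp32 */
        if (op == 0xF6) len += 1;                  /* test r/m8, imm8 */
        return avail >= len ? len : 0;
    }
    default:
        return 0;
    }
}

/* Walk the wrapper instruction by instruction and return the target of the first
 * near relative CALL (E8 rel32). wrapper_va is the address the bytes were read
 * from; the target is relative to the instruction after the CALL. Returns 0 if
 * an unknown opcode or a RET is reached first. */
uint32_t find_first_call_target(const uint8_t *code, size_t len, uint32_t wrapper_va)
{
    size_t off = 0;
    while (off < len) {
        size_t n = insn_len(code + off, len - off);
        if (n == 0) return 0;                      /* unknown opcode: give up */
        if (code[off] == 0xE8) {
            const uint8_t *r = code + off + 1;     /* rel32, decoded little-endian */
            uint32_t rel = (uint32_t)r[0] | (uint32_t)r[1] << 8 |
                           (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24;
            return wrapper_va + (uint32_t)(off + 5) + rel;  /* mod 2^32 wrap is intended */
        }
        if (code[off] == 0xC3 || code[off] == 0xC2) return 0; /* returned before any call */
        off += n;
    }
    return 0;
}

/* Constructed stand-in for an x86 PsTerminateSystemThread prologue. These are NOT
 * real ntoskrnl bytes and the addresses are arbitrary; the shape (push args, call
 * unexported worker) is what the technique relies on. */
#define STUB_VA   0x8061A000u
#define WORKER_VA 0x805E9BC0u
static const uint8_t k_stub[] = {
    0x8B, 0xFF,                         /* mov  edi, edi   (hotpatch nop) */
    0x55,                               /* push ebp */
    0x8B, 0xEC,                         /* mov  ebp, esp */
    0x64, 0xA1, 0x24, 0x01, 0x00, 0x00, /* mov  eax, fs:[124h]  (current thread) */
    0xFF, 0x75, 0x08,                   /* push dword ptr [ebp+8]  ExitStatus */
    0x50,                               /* push eax                Thread */
    0xE8, 0xAC, 0xFB, 0xFC, 0xFF,       /* call WORKER_VA  (rel32 = -0x30454) */
    0x5D,                               /* pop  ebp */
    0xC2, 0x04, 0x00,                   /* ret  4 */
};
/* Same idea, but with a two-byte 0F-prefixed instruction the decoder does not
 * know before the call: the walk must fail rather than mis-resolve. */
static const uint8_t k_stub_unknown[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,
    0x0F, 0x1F, 0x00,                   /* nop dword ptr [eax]  (unknown to insn_len) */
    0xE8, 0xAC, 0xFB, 0xFC, 0xFF,
};

int main(void)
{
    /* Output format modelled on the driver's own debug strings. */
    uint32_t t = find_first_call_target(k_stub, sizeof k_stub, STUB_VA);
    if (t)
        printf("PsTerminateSystemThread: 0x%08x PspTerminateThreadByPointer: 0x%08x\n", STUB_VA, t);
    else
        printf("Search_PspTerminateThreadByPointer Error\n");
    return t ? 0 : 1;
}
```

In a kernel driver the same walk would run over the bytes at MmGetSystemRoutineAddress(L"PsTerminateSystemThread"); the decoder here is deliberately small and bails on anything unexpected, which is also why such hardcoded walkers break across OS builds where the wrapper's prologue changes.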