
app-level viruses and outpost



baza
05-11-2005, 01:58 PM
Hi. You know, there are some programs that don't allow their executable to be modified. For example, totalcmd.exe. So the virus will be immediately detected. But the virus can do the following: after running the infected executable, the virus can create its own instance, unload and HEAL this file; then run it again. Then it should wait until the file is free, and infect it to ensure population. This is easy for ring-* viruses.

But there is another problem. I mean 'outpost firewall', and, maybe, some other programs. Once it has a rule for the application, it remembers its checksum. If the checksum doesn't fit, outpost begins to cry that the program may be infected. If it happens once, the user usually just presses 'ALLOW', and that is all. But if the virus infects, heals, then infects again, outpost will cry at least 2 times when running the application. First when the app is started, then, after it is unloaded, healed and loaded again.

So how to make the virus invisible?
Is this a problem for virusmakers, or is it not a problem at all?
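
The per-application checksum check described in the post, as an added example that is not part of the original post and not Outpost's code: a generic baseline that also keeps launch history, so an executable whose hash leaves the approved value and later returns to it is still reported. The class, its method names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AppRuleMonitor:
    """Hypothetical checksum baseline with launch history (not Outpost's code)."""

    def __init__(self):
        self.baseline = {}                # path -> hash approved with the rule
        self.history = defaultdict(list)  # path -> hash seen at each launch

    def approve(self, path: str, data: bytes) -> None:
        # Only an explicit approval sets the baseline; a mismatch never does.
        self.baseline[path] = digest(data)
        self.history[path] = [self.baseline[path]]

    def check_launch(self, path: str, data: bytes) -> str:
        if path not in self.baseline:
            return "unknown"
        seen = self.history[path]
        previous, current = seen[-1], digest(data)
        seen.append(current)
        if current != self.baseline[path]:
            return "changed"    # differs from the approved image
        if previous != current:
            return "reverted"   # matches again after a mismatch: still alert
        return "ok"

    def transitions(self, path: str) -> int:
        # Number of observations whose hash differed from the previous one.
        seen = self.history[path]
        return sum(a != b for a, b in zip(seen, seen[1:]))


# Constructed sample bytes standing in for an executable image.
CLEAN = b"MZ constructed clean image"
MODIFIED = CLEAN + b" appended bytes"

if __name__ == "__main__":
    mon = AppRuleMonitor()
    mon.approve("totalcmd.exe", CLEAN)
    for image in (CLEAN, MODIFIED, CLEAN, MODIFIED):
        print(mon.check_launch("totalcmd.exe", image), mon.transitions("totalcmd.exe"))
```

Counting transitions per executable gives an alerting threshold that does not depend on the user's answer to any single prompt.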