Testing with Viruses - 2011

To test how well a non-privileged (standard user) account limits viruses and trojans, the malware samples listed below were downloaded to a local folder and each was double-clicked, with no real-time antivirus protection running.

In many cases the sample would not run at all. Sometimes a UAC prompt appeared requesting administrator access, which was denied.

In other cases, the malicious program ran with user privilege and created files on disk, usually in %homepath%\AppData\Local or %homepath%\AppData\Roaming, e.g. C:\Users\username\AppData\Local. In many cases an entry was also created in the registry under HKEY_USERS\userid\Software\Microsoft\Windows\CurrentVersion\Run (the subkey is the account's SID; the same key is reachable as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). Both the AppData folders and this Run key are writable by a standard user, so the malware could arrange to be started again whenever that user logged in, without ever obtaining administrator rights.

In some cases, the malware performed network activity, such as trying to contact a remote controller or update centre. One program sent itself by email to addresses found on the local disk. Many programs spawned subprocesses, and some deleted the original infected file. One spawned short-lived subprocesses that in turn spawned other processes, which made them impossible to kill by hand in Task Manager, since each process was replaced before the chain could be ended.

In all cases, the running malware was stopped by logging off from the infected account (Ctrl-Alt-Delete, then "Log off"): every process in the user's session is terminated at logoff. Note that this only ends the running processes; the dropped files and any Run key entry remain, so the malware would start again at the next logon unless those are removed first.
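As an added example (not part of the original 2011 notes), the PowerShell script below checks a standard-user account for the indicators described above and then attempts the cleanup the notes describe: it lists the per-user Run key, recently modified executables under AppData, listening and established sockets with their owning process image, and finally tries to stop every process running from AppData, repeating the sweep because a single Task Manager kill does not beat a respawning chain. It assumes Windows 7 or later with PowerShell 2.0+, an English-language netstat, and that the dropped images live under the user's AppData as they did for these samples; the one-hour window and the five-round retry limit are values chosen for this example.

```powershell
# Added example, not part of the original 2011 notes: triage checks for the
# indicators described above, run from the same standard-user account that
# ran the sample. Assumptions: Windows 7 or later with PowerShell 2.0+, an
# English-language netstat, and that the dropped images live under the user's
# AppData (as they did for the samples above). The one-hour window and the
# retry limit are values chosen for this example.

$Since = (Get-Date).AddHours(-1)   # assumed window for "recently dropped" files
$MaxKillRounds = 5                 # assumed retry limit for respawning chains
$DropDirs = @(@($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ })
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Per-user autostart. HKCU\...\Run is the same key as HKEY_USERS\<SID>\...\Run
#    and is writable without administrator rights, which is why an unprivileged
#    sample can still come back at the next logon.
function Get-UserRunEntries {
    if (-not (Test-Path $RunKey)) { return }
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Name = $name; Command = $key.GetValue($name) }
    }
}
# To remove a bad entry once identified:
#   Remove-ItemProperty -Path $RunKey -Name '<entry name>'

# 2. Files dropped under AppData\Local or AppData\Roaming. LastWriteTime can be
#    forged by the sample, so treat this as a lead, not proof.
function Get-RecentAppDataExecutables {
    Get-ChildItem -Path $DropDirs -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        Select-Object FullName, LastWriteTime, Length
}

# Snapshot of all processes keyed by PID. WMI gives ExecutablePath and
# ParentProcessId without the access errors Get-Process raises on .Path.
function Get-ProcessTable {
    $table = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object { $table[[int]$_.ProcessId] = $_ }
    return $table
}

# 3. Sockets. netstat -ano prints the owning PID, so a listener such as the
#    port-56586 backdoor above can be tied back to its image on disk.
function Get-SocketOwners {
    $procs = Get-ProcessTable
    netstat -ano | Select-String -Pattern 'LISTENING|ESTABLISHED|^\s*UDP' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'      # Proto Local Foreign [State] PID
        $owner = [int]$f[-1]
        $image = '?'
        if ($procs.ContainsKey($owner) -and $procs[$owner].ExecutablePath) {
            $image = $procs[$owner].ExecutablePath
        }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; OwnerPid = $owner; Image = $image
        }
    }
}

# 4. Processes whose image lives under AppData. Respawning chains defeat
#    Task Manager, so stop every match in one sweep and repeat; if any survive
#    after $MaxKillRounds, logging off is the fallback that ends everything
#    in the session.
function Get-AppDataProcesses {
    (Get-ProcessTable).Values | Where-Object {
        $image = $_.ExecutablePath
        $image -and ($DropDirs | Where-Object { $image.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    }
}
function Stop-AppDataProcesses {
    for ($round = 1; $round -le $MaxKillRounds; $round++) {
        $hits = @(Get-AppDataProcesses)
        if ($hits.Count -eq 0) { return $true }
        Write-Host ("Round {0}: stopping {1} process(es)" -f $round, $hits.Count)
        $hits | ForEach-Object {
            Write-Host ("  PID {0} (parent {1}) {2}" -f $_.ProcessId, $_.ParentProcessId, $_.ExecutablePath)
            Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
        }
        Start-Sleep -Milliseconds 200
    }
    return (@(Get-AppDataProcesses).Count -eq 0)
}

Write-Host "== Run entries for the current user =="
Get-UserRunEntries | Format-Table Name, Command -AutoSize
Write-Host "== Executables under AppData modified since $Since =="
Get-RecentAppDataExecutables | Format-Table -AutoSize
Write-Host "== Sockets and owning images =="
Get-SocketOwners | Format-Table Proto, Local, Foreign, OwnerPid, Image -AutoSize
if (-not (Stop-AppDataProcesses)) {
    Write-Host "Processes keep respawning; run 'logoff' to end every process in this session."
}
```

Run it from the infected standard-user account, not from an administrator account: the point of the experiment is that the indicators live entirely in the user's own hive and profile, so no elevation is needed to see or remove them. The three reporting steps run before the kill sweep so that the evidence (Run entry, dropped files, owning PIDs) is captured before the processes disappear; the parent PID printed during the sweep shows the respawning chain the notes describe. If the sweep still fails, logging off ends the processes, but the Run key entry and the files under AppData must be deleted separately or the sample returns at the next logon.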

Examples

Each line gives the sample name(s), followed by what was observed when it was run from the non-privileged account:

I-Worm/Stration.dropper/Email-Worm.Win32.Warezov.fh - does not run
Backdoor.Win32.Bredavi.ddt - runs Western_Union_details
Email-Worm.Win32.Bagle.fj
Worm.Mydoom.M/Email-Worm.Win32.Mydoom.m - creates transcript.txt, starts SMTP
Trojan.Dropper-7526/Trojan.Win32.Pakes.cyu - contains xjolie, fails
Trojan.Dropper-4027/Trojan-Downloader.Win32.Diehard.dk - contains eCard, tries to run IE, fails
Net-Worm.Win32.Mytob.bi - starts SMTP
I-Worm/Stration.FYN - wants administrator access
Trojan.Win32.FakeAv.ahgz - prevents taskmgr from running; spawns lsass.exe, which is blocked by Windows Firewall
5mw.exe - popup says security shield has been installed; connects to http://69.50.201.140
Trojan.Win32.Scar.dnib - connects to the internet
Backdoor.Win32.Gbot.ww - listens on port 56586
Trojan-Dropper.Win32.Pincher.hp - runs fake Russian login screen that prevents other activity
16.mw - runs, opens UDP port 64383, spawns multiple processes
Trojan-Banker.Win32.Banker.bgmm - deletes browsing history
Trojan-Downloader.Win32.Generic - wants to run privileged; deletes itself
Trojan-Banker.Win32.Banker.bghc - spawns zzzzheckrt
Trojan.Win32.FakeAV.agij - listens on a socket, spawns a subprocess, creates fake antivirus popups
155.mw - opens a connection to the internet
Trojan horse SHeur3.BOPG - spawns a subprocess, wants to run privileged
Trojan-Downloader.Win32.Small.blxo - spawns multiple respawning subprocesses