Testing with Viruses - 2011
To test the effectiveness of a non-privileged account in blocking viruses and trojans, some of these viruses were downloaded to a local folder and then double-clicked, with no real-time antivirus protection running.
In many cases, the virus would not run. Sometimes a UAC prompt appeared asking for administrator access, which was denied.
In other cases, the malicious program ran with user privilege and created files on disk, usually in %homepath%\AppData\Local or %homepath%\AppData\Roaming, e.g. C:\Users\username\AppData\Local.
In many cases, an entry was created in the registry under HKEY_USERS\userid\Software\Microsoft\Windows\CurrentVersion\Run. This would allow the malware to be started when the user logged in.
In some cases, the malware performed some network activity, such as trying to contact a remote controller or update centre. One program sent itself via email to addresses found on the local disk. Many programs spawned subprocesses, and some deleted the original infected file. One spawned short-lived subprocesses that in turn spawned other processes, making them impossible to kill manually in Task Manager.
In all cases, the malicious software was stopped by logging off from the infected account, using Ctrl-Alt-Delete then "log out".
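As an added illustration (not part of the original test notes), the following PowerShell lists the current user's Run and RunOnce entries and flags those whose executable lives under AppData\Local or AppData\Roaming, which is the persistence pattern the tests above observed for malware running without administrator rights. It assumes PowerShell 5.1 or later on Windows and is run inside the account under test; the function name is the author's own.

```powershell
# Added example, not from the original page: enumerate per-user autostart
# entries and flag those launched from the user's AppData folders.
# HKCU is the current user's slice of HKEY_USERS\<userid>.
function Get-SuspiciousUserRunEntries {
    [CmdletBinding()]
    param(
        [string[]]$RunKeys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )
    # Folders where the tests saw dropped files: %LOCALAPPDATA% and %APPDATA%
    $watched = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty adds alongside the real registry values
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Pull the executable out of the command line: a quoted path,
            # else the first token ending in .exe, else the first token
            if ($cmd -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
            else                                   { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $inAppData = $false
            foreach ($dir in $watched) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $inAppData = $true
                }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $exe
                # Some samples deleted themselves; a dangling entry is still worth seeing
                Exists     = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                InAppData  = $inAppData
            }
        }
    }
}

# Show only entries started from AppData; legitimate per-user installers
# (e.g. updaters) also live there, so the output is a review list, not a verdict
Get-SuspiciousUserRunEntries | Where-Object InAppData | Format-Table -AutoSize
```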
Examples
I-Worm/Stration.dropper/Email-Worm.Win32.Warezov.fh - does not run
Backdoor.Win32.Bredavi.ddt - runs Western_Union_details
Email-Worm.Win32.Bagle.fj
Worm.Mydoom.M/Email-Worm.Win32.Mydoom.m - creates transcript.txt, starts SMTP
Trojan.Dropper-7526/Trojan.Win32.Pakes.cyu - contains xjolie, fails
Trojan.Dropper-4027/Trojan-Downloader.Win32.Diehard.dk - contains eCard, tries to run IE, fails
Net-Worm.Win32.Mytob.bi - starts SMTP
I-Worm/Stration.FYN - wants administrator access
Trojan.Win32.FakeAv.ahgz - prevents taskmgr from running, spawns lsass.exe which is blocked by Windows firewall
Trojan.Win32.FakeAv.ahgz (5mw.exe) - popup says security shield has been installed, connects to http://69.50.201.140
Trojan.Win32.Scar.dnib - connects to the internet
Backdoor.Win32.Gbot.ww - listens on port 56586
Trojan-Dropper.Win32.Pincher.hp - runs fake Russian login screen that prevents other activity
16.mw - runs, opens UDP port 64383, spawns multiple processes
Trojan-Banker.Win32.Banker.bgmm - deletes browsing history
Trojan-Downloader.Win32.Generic - wants to run privileged, deletes itself
Trojan-Banker.Win32.Banker.bghc - spawns zzzzheckrt
Trojan.Win32.FakeAV.agij - listens on socket, spawns subprocess, creates fake antivirus popups
155.mw - opens connection to the internet
Trojan horse SHeur3.BOPG - spawns subprocess, wants to run privileged
Trojan-Downloader.Win32.Small.blxo - spawns multiple respawning subprocesses