Humpty Posted October 2, 2007 Share Posted October 2, 2007 AV Killer is currently the king of viruses in China. In the first half of this year, 3 Chinese anti-virus companies published this virus as their top-level virus alert. Most virus writers have the same dream: to disable anti-virus software so the virus can run itself on a computer without any limitation. Therefore, many virus authors try many different methods to disable anti-virus software. AV Killer is this kind of virus, and uses the IFEO method. What is IFEO? IFEO stands for "image file execution options". This technology can redirect execution of a file. For example, if you want to run AA.exe, the computer can be made to run BB.exe instead of AA.exe. This is done because IFEO has an item in the Windows registry as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AA.exe that tells it to run BB.exe instead. We have a sample of AV Killer, so we have reversed this sample, which let us see how it modifies our computer configuration. Article Link to comment Share on other sites More sharing options...
Moderators Andavari Posted October 2, 2007 Moderators Share Posted October 2, 2007 I just love what it has in that registry location you listed on my system next to CurrentBuild, it gave me a bit of a laugh: Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now