HAURI Security Column

Repair after reboot? -- 06/05/12
Written by HAURI Virus Lab

Malware used to occupy only its own process's memory, but recently it has begun to infect the memory of normal processes as well.


[Image 1] Usage of memory by malware

By leaving code resident in that memory, the malware continues to run and, under certain conditions, can restore the original malware even after its file has been deleted.
Injecting into the memory of a critical process such as Winlogon.exe makes the simplest way of clearing memory, killing the process, ineffective as a treatment.
To infect a normal process's memory, malware first calls OpenProcess() to obtain a handle to the target and then calls WriteProcessMemory() to copy its binary into a buffer inside that process.


[Image 2] Inserting malware binary

Some malware writes its binary directly into the normal process, while other samples use techniques such as shellcode to insert their code into numerous threads.


[Image 3] Inserting ShellCode

This injected code is started with the CreateRemoteThread() function; it then deletes the original files or hides itself in less conspicuous files.


[Image 4] Operating malware
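As an added detection example (not code from the HAURI column), the script below scans constructed Sysmon-style CreateRemoteThread records and flags remote threads created into critical processes such as Winlogon.exe by binaries running from untrusted paths. The record format, the field names, the trusted directories and every process name other than winlogon.exe are assumptions.

```python
"""Flag CreateRemoteThread events aimed at critical processes.
Added example, not code from the HAURI column; the key=value record format
is an assumption modelled on Sysmon Event ID 8, so adapt parse_record() as needed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# winlogon.exe is named in the column; the other names are added examples.
CRITICAL_TARGETS = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Directories a legitimate thread source is expected to run from (assumption).
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample log, one event per line (not real telemetry).
SAMPLE_LOG = """\
EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\winlogon.exe
EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\winlogon.exe
EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\explorer.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe
"""

@dataclass(frozen=True)
class Alert:
    severity: str  # "high" or "medium"
    source: str
    target: str

def parse_record(line: str) -> dict:
    """Split a line of Key=Value tokens (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(rec: dict) -> Optional[str]:
    """Rate one CreateRemoteThread record; None means no alert."""
    trusted = rec["SourceImage"].lower().startswith(TRUSTED_SOURCE_DIRS)
    critical = rec["TargetImage"].rsplit("\\", 1)[-1].lower() in CRITICAL_TARGETS
    if not trusted and critical:
        return "high"    # untrusted binary reaching into winlogon.exe etc.
    if not trusted:
        return "medium"  # untrusted binary injecting into any process
    return None          # system binary; expected behaviour, no alert

def detect_remote_threads(log: str) -> List[Alert]:
    alerts = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "8":
            continue  # only CreateRemoteThread events are relevant
        severity = classify(rec)
        if severity:
            alerts.append(Alert(severity, rec["SourceImage"], rec["TargetImage"]))
    return alerts
```

Running it over the sample gives one high alert (update.exe into winlogon.exe) and one medium alert (update.exe into explorer.exe); the csrss.exe event is treated as expected system behaviour.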

The weakness of this kind of malware is that clearing memory makes it inactive, and on an ordinary PC the normal way to clear memory is to reboot.
Antivirus software does try to clean memory directly, but doing so risks causing errors, so unless the risk is serious, rebooting is recommended.
This is why treatment is carried out after the reboot, but some users do not understand the purpose of the message and ignore it. Doing so can leave the malware running and monitoring the user's PC.
Copyright 2008 HAURI Inc. All rights reserved.