How to use Pacman startuplist

CastleCops -> Startup Programs

Author: LeVuHoang | Location: USA | Posted: Sun Jul 22, 2007 11:56 am | Post subject: How to use Pacman startuplist

Hello,
Thanks for your good startuplist database.
After I checked the list, I found a problem. There is an item in the data:

Code:

[MsnMsgr]
Number=6684
Confirmed=X
Filename=msnmsgr.exe
Description=Added by the <a href="http://www.sophos.com/virusinfo/analyses/w32annewfam.html" target="_blank">ANNEW-FAM</a> WORM! Note - this is not the valid MSN Messenger utility
Source=Paul Collins Startup list


I checked and saw that [MsnMsgr] and MsnMsgr.exe are used for Microsoft Live Messenger also.
So, how can one detect which is malware compared to the normal item?
Code:

[msnmsgr]
Number=6682
Confirmed=N
Filename=msnmsgr.exe
Description=MSN Messenger (now superseeded by <a href="http://get.live.com/messenger/overview" target="_blank">Windows Live Messenger</a>) utility. If you don't use MSN Messenger, this can be annoying. Available via Start -> Programs. Go to MS Messenger -> Tools -> Options -> Preferences and uncheck "Run this program when Windows starts"
Source=Paul Collins Startup list


Thank you

Author: mrsugg | Location: Somewhere, over the rainbow... | Posted: Sun Jul 22, 2007 2:30 pm

Hi LeVuHoang and welcome to CastleCops,
Check this out: http://www.file.net/process/msnmsgr.exe.html

Hope it helps.

Author: LeVuHoang | Location: USA | Posted: Sun Jul 22, 2007 7:53 pm

Hmm... but what happens if a virus writer puts MsnMsgr.exe outside \system32 and it has some fake company info?

Author: LeVuHoang | Location: USA | Posted: Sun Jul 22, 2007 7:59 pm

So, are all filenames in the list in \system32?
What happens if I write an anti-virus whose filename is Activeshield.exe and store it in the \system32 folder?
Code:

[Active shield]
Number=256
Confirmed=U
Filename=Activeshield.exe
Description=<a href="http://www.securitystronghold.com/" target=_blank>Active Shield</a> is "an heuristic screen that actively protects your computer from trojans, spyware, adware, trackware, dialers, keyloggers, and even some special kinds of viruses"
Source=Paul Collins Startup list

I think this list needs something new to avoid false positives?

Author: mrsugg | Location: Somewhere, over the rainbow... | Posted: Sun Jul 22, 2007 9:40 pm

If you ever have any questions about a file, then you can upload it to Virus Total and it will be scanned online by several scanning engines at once.

Just click on the "Browse" button (on the Virus Total page) and navigate to where the file is on your computer. Click on the file name to highlight it and then click "Open" and then "Send File". The file will be sent and then it will start scanning. It may take a few minutes.

This will not detect all forms of malware, but it is rather reliable.

Hope this helps.

Author: LeVuHoang | Location: USA | Posted: Sun Jul 22, 2007 10:32 pm

It's just that I would like to bring this database into my application, but I think it should be used for warning rather than for confirming that something is malware. Thanks mrsugg for your help.
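
The point made in this post, as an added example that is not from the thread or from the startup list's maintainers: a small Python parser for the list format quoted above that matches a startup filename against every entry carrying that name and returns an advisory verdict, so that a name shared by a worm entry and a legitimate-program entry (as with msnmsgr.exe) is reported as ambiguous rather than as confirmed malware. The sample data is constructed from the quoted entries, and the meaning assigned to the Confirmed letters (X, N, U) is an assumption, since the thread does not define them.

```python
# Constructed sample in the thread's startup-list format (anchors shortened, Number/Source dropped).
STARTUP_LIST = """\
[MsnMsgr]
Confirmed=X
Filename=msnmsgr.exe
Description=Added by the ANNEW-FAM WORM! Note - this is not the valid MSN Messenger utility

[msnmsgr]
Confirmed=N
Filename=msnmsgr.exe
Description=MSN Messenger (now superseded by Windows Live Messenger) utility.

[Active shield]
Confirmed=U
Filename=Activeshield.exe
Description=Active Shield is "an heuristic screen that actively protects your computer"
"""

def parse_startup_list(text):
    """Parse [Section] blocks of key=value lines, splitting on the first '='
    only: descriptions (e.g. target=_blank in the real list) contain '=' themselves."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = {"Section": line[1:-1]}
            entries.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return entries

# Assumed reading of Confirmed (the thread does not define it): X = known
# malware, N = known legitimate, U = unverified.
def assess(filename, entries):
    """Classify a startup filename against the list. Every verdict is advisory: a
    name match is a reason to inspect the file (path, publisher, hash), not proof."""
    # Windows filenames compare case-insensitively, so MsnMsgr.exe == msnmsgr.exe.
    matches = [e for e in entries if e.get("Filename", "").lower() == filename.lower()]
    flags = {m.get("Confirmed", "U") for m in matches}
    if not matches:
        verdict = "unlisted"
    elif "X" in flags and len(flags) > 1:
        verdict = "ambiguous"  # the same name is used by malware and a legitimate program
    elif flags == {"X"}:
        verdict = "malware-name-match"
    elif flags == {"N"}:
        verdict = "legitimate-name-match"
    else:
        verdict = "unverified"
    return verdict, matches
```

Calling `assess("MsnMsgr.exe", parse_startup_list(STARTUP_LIST))` returns `ambiguous` together with both msnmsgr entries, which is the warn-rather-than-confirm behaviour the post asks for.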

Author: mrsugg | Location: Somewhere, over the rainbow... | Posted: Mon Jul 23, 2007 1:10 am

You're very welcome.
