noeska
20-12-2009, 02:35 PM
Have a read here:
http://forum.sysinternals.com/forum_posts.asp?TID=21226
Sigh ...
I suppose new heuristics will produce false positives until worked on, but Avira, I've found, always generates a lot - but as long as they're catching, they have good scores, eh.
Originally posted by ntunldr
Smallest trojan :)
So-called "heuristics" check the import table, and if LdrLoadDll || LdrGetProcedureAddress is found then -> TR/Dropper.Generic found!
And another funny detection, DR/Delphi.Gen [dropper]:
program SmallestTrojan;

uses
  Windows;

{ DbgPrint and LdrUnloadDll are not in the Delphi RTL; import them from ntdll }
procedure DbgPrint(Format: PAnsiChar); cdecl; varargs; external 'ntdll.dll';
function LdrUnloadDll(DllHandle: THandle): Longint; stdcall; external 'ntdll.dll';

var
  dll: THandle;
  p1: Pointer;
begin
  dll := LoadLibraryW('wininet.dll');
  if dll <> 0 then
  begin
    { no such export exists in wininet.dll, so p1 is nil and nothing is printed }
    p1 := GetProcAddress(dll, 'InternetSilentTrojanDownloadW');
    if p1 <> nil then
      DbgPrint('RUSTOCK');
    LdrUnloadDll(dll);
  end;
end.
Lol
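The import-table rule ntunldr describes, reproduced as an added example so it can be run offline; this is not code from the thread, from Avira, or from the Delphi snippet above. It is a small PE32 import-table walker in Python, the crude rule on top of it (any import of LdrLoadDll or LdrGetProcedureAddress -> "TR/Dropper.Generic", with no further context), and a constructed builder that emits a minimal, non-executable PE32 whose only section is an import table, so the parser has something realistic to chew on. The builder, the sample import lists and the rule itself are my constructions for this example; only the PE structures (DOS header, COFF header, PE32 optional header, section table, import descriptors, hint/name entries) are the real on-disk format.

```python
import struct

# The crude rule from the quoted post: flag any PE whose import table names
# either of these two ntdll exports. Assumed rule, constructed for this example.
SUSPICIOUS_IMPORTS = {"LdrLoadDll", "LdrGetProcedureAddress"}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll: [imported names]} for a PE32 file (ordinals shown as '#n')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8 * 1)[0]  # data directory 1
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:           # all-zero descriptor terminates the table
            break
        dll = read_cstr(data, rva_to_offset(sections, name_rva)).lower()
        thunk = rva_to_offset(sections, oft or ft)
        names = []
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:  # import by ordinal
                names.append("#%d" % (entry & 0xFFFF))
            else:                   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(read_cstr(data, rva_to_offset(sections, entry) + 2))
            thunk += 4
        imports[dll] = names
        desc += 20
    return imports


def crude_dropper_heuristic(data):
    """The rule as described: any hit -> 'TR/Dropper.Generic', regardless of context."""
    hits = [n for names in parse_imports(data).values() for n in names
            if n in SUSPICIOUS_IMPORTS]
    return ("TR/Dropper.Generic", hits) if hits else (None, [])


def build_pe(imports):
    """Constructed sample: a minimal PE32 whose single section holds only an
    import table. Not runnable as a program; it exists to feed the parser."""
    SEC_RVA, SEC_OFF = 0x1000, 0x200
    n = len(imports)
    descs, tail = bytearray(), bytearray()

    def here():  # RVA that the next byte appended to `tail` will receive
        return SEC_RVA + (n + 1) * 20 + len(tail)

    for dll, names in imports.items():
        name_rvas = []
        for name in names:
            name_rvas.append(here())
            tail += b"\0\0" + name.encode("ascii") + b"\0"   # hint + name
            if len(tail) % 2:
                tail += b"\0"
        thunk_rva = here()
        for r in name_rvas:
            tail += struct.pack("<I", r)
        tail += b"\0\0\0\0"
        dll_rva = here()
        tail += dll.encode("ascii") + b"\0"
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva)
    descs += b"\0" * 20
    section = bytes(descs + tail)
    raw_size = (len(section) + 0x1FF) // 0x200 * 0x200

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, SEC_RVA, SEC_RVA)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, SEC_OFF, 0, 3, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for i in range(16):                                         # data directories
        opt += struct.pack("<II", SEC_RVA, len(descs)) if i == 1 else b"\0" * 8
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), SEC_RVA,
                          raw_size, SEC_OFF, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(SEC_OFF, b"\0")
    return headers + section.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # Constructed samples: the imports of the quoted Delphi snippet, and a
    # benign program that merely calls LdrLoadDll (the false-positive case).
    delphi_like = build_pe({"kernel32.dll": ["LoadLibraryW", "GetProcAddress"],
                            "ntdll.dll": ["DbgPrint", "LdrUnloadDll"]})
    uses_ldr = build_pe({"ntdll.dll": ["LdrLoadDll", "NtClose"]})
    print(crude_dropper_heuristic(delphi_like))  # (None, [])
    print(crude_dropper_heuristic(uses_ldr))     # ('TR/Dropper.Generic', ['LdrLoadDll'])
```

Running it shows the point of the complaint: the rule is purely lexical, so an image that imports LdrLoadDll for any reason is labelled a dropper, while the Delphi snippet above (LoadLibraryW, GetProcAddress, LdrUnloadDll, DbgPrint) does not match this particular rule at all and must be tripping a different one. Feeding a real binary is a matter of `crude_dropper_heuristic(open(path, "rb").read())`; the parser handles by-name and by-ordinal PE32 imports but deliberately stops at PE32 (no PE32+, no bound or delay-load tables).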