Piggyback remover?
Posted by Moonchild on March 15, 2008, 9:50 am
Hey folks,

I've been searching far and wide for something to remove a piggyback
from a program, but I'm having no luck. Does anyone here have something
I can use for it?

The problem is that AV software these days is all able to recognise
piggyback software like trojan droppers or downloaders, but, unlike the
way it used to be, NONE of the AV suites out there are able to remove
wrappers or loaders that drop this kind of stuff on your system. Usually
they are very simple programs just slapped onto the original program, to
run a spyware/dropper first and then the actual program. All the AV
suites do these days (very cheap IMHO) is just tell people to delete
the program. Well, there are plenty of cases where you can't do that.

I can't even find a simple binary splitter to extract the separate
executable files from the piggybacked program (I'm all talking Windows
PE executables here, by the way). If I had the time and wasn't so rusty
with my programming I would even consider writing one myself. It can't
be that hard.. search for .EXE headers in the file and save the separate
binaries to files...

But, before I invent the wheel twice, does anyone know if there is
software out there to remove this kind of thing from a program, or even
something to just split up .EXE files into the "real" program and the
malware?

--
Signed: Moonchild
(remove nospam. when replying!)

"When one door closes another door opens;
but we so often look so long and so regretfully upon the closed door,
that we do not see the ones which open for us."
, ,
|\---/|
/ , , |
__.-'| / \ /
__ ___.-' ._O|
.-' ' : _/
/ , . . |
: ; : : _/
| | .' __: /
| : /'----'| \ |
\ |\ | | /| |
'.'| / || \ |
| /|.' '.l \_
snd || || '-'
'-''-'

Posted by VanguardLH on March 15, 2008, 10:20 am
>
> I've been searching far and wide for something to remove a piggyback
> from a program, but I'm having no luck. Does anyone here have
> something
> I can use for it?
>
> The problem is, that AV software these days are all able to
> recognise
> piggyback software like trojan droppers or downloaders, but, unlike
> the
> way it used to be, NONE of the AV suites out there are able to
> remove
> wrappers or loaders that drop this kind of stuff on your system.
> Usually
> they are very simple programs just slapped onto the original
> program, ...

Exactly. So how does any program know exactly where the code for the
wrapper ends and the code for the original program begins without
knowing the exact copy of the original program's code? There are way
too many programs and versions of each to be tracking the exact
codebase for them all. What if the malware "slapped" itself after the
80-byte exe header instead of including its own? Is the code splitter
supposed to keep the exe header that is somehow magically discovered
after whatever byte length for the prepended malware code, or is the
exe header at the start of the file to be retained and the one after
the magically discovered byte length to be removed? Just because some
AV programs attempt to disinfect a file doesn't mean they guess how to
do it correctly. Don't expect anti-malware programs to always return
you to a usable state or the state prior to the infection. Sometimes the
amount of effort to thoroughly get rid of a pest is more than doing a
fresh install of the OS and applications.

Besides, once identified, you yourself could easily just replace the
entire file with an original copy from your backups. If you don't do
backups then you have deliberately deemed your files as trivial and
reproducible. You could also install the program in a VM and yank a
copy of the file from there rather than have to uninstall and
reinstall on your host OS.

> --
> Signed: Moonchild
> (remove nospam. when replying!)
>
> "When one door closes another door opens;
> but we so often look so long and so regretfully upon the closed
> door,
> that we do not see the ones which open for us."
> , ,
> |\---/|
> / , , |
> __.-'| / \ /
> __ ___.-' ._O|
> .-' ' : _/
> / , . . |
> : ; : : _/
> | | .' __: /
> | : /'----'| \ |
> \ |\ | | /| |
> '.'| / || \ |
> | /|.' '.l \_
> snd || || '-'
> '-''-'


Geez, you have no concept of Usenet netiquette. Signatures should be
4 lines, OR LESS, in length.
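Both sides of this exchange can be made concrete with a short carver: Moonchild's sketch above (find the .EXE headers in the file and save each binary separately) and VanguardLH's objection (once there is only one header, nothing tells a splitter where the wrapper stops). The script below is an added example and is not code from either poster. It validates each "MZ" hit by checking that its e_lfanew field points at a "PE\0\0" signature, sizes each image from its section table, and carves the pieces out. The PE fixtures it uses are constructed in-line (a 512-byte header block plus one section, not runnable programs), and the `stub` bytes are a stand-in for an injected loader; all three layouts it tries are assumptions about how a piggyback might be built, chosen to match the two posts.

```python
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_pe_headers(data):
    """Offsets of every plausible PE image in `data`.

    A candidate is an 'MZ' stub whose e_lfanew field (DOS header offset
    0x3C) points, inside the buffer, at a 'PE\\0\\0' signature.  Stray
    'MZ' byte pairs inside code or data fail that check and are skipped.
    """
    offsets = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (e_lfanew >= 4 and pe_off + 4 <= len(data)
                    and data[pe_off:pe_off + 4] == PE_SIG):
                offsets.append(pos)
        pos = data.find(MZ, pos + 1)
    return offsets


def image_size_on_disk(data, base):
    """On-disk length of the PE at `base`: the largest
    PointerToRawData + SizeOfRawData in its section table.  Bytes past
    that point are an overlay (or the next appended image)."""
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    coff = base + e_lfanew + 4                      # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                     # first section header
    end = sect - base                               # headers at minimum
    for i in range(num_sections):
        hdr = sect + 40 * i
        if hdr + 40 > len(data):
            break                                   # truncated table
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve(data):
    """Split `data` at each embedded PE header.  A piece runs from its MZ
    header to the end of its last raw section; anything between that and
    the next header (or end of file) is reported as overlay."""
    starts = find_pe_headers(data)
    pieces = []
    for i, start in enumerate(starts):
        next_start = starts[i + 1] if i + 1 < len(starts) else len(data)
        end = min(start + image_size_on_disk(data, start), next_start)
        pieces.append({"offset": start, "size": end - start,
                       "overlay": next_start - end, "data": data[start:end]})
    return pieces


def build_minimal_pe(payload, align=0x200):
    """Constructed fixture: a structurally valid PE32 (DOS header, PE
    signature, COFF header, zeroed optional header, one section) whose
    section holds `payload`.  Not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    raw_size = -(-len(payload) // align) * align            # round up
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       raw_size, align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + sect).ljust(align, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


def scenarios():
    """Three constructed layouts; `stub` stands in for injected loader code."""
    real = build_minimal_pe(b"REAL-PROGRAM")
    dropper = build_minimal_pe(b"DROPPER-CODE")
    stub = b"\x90" * 32
    return {
        # Two complete images back to back: carving recovers both intact.
        "appended": carve(dropper + real),
        # One header plus trailing bytes: reported as overlay, but nothing
        # here distinguishes malware from a legitimate installer payload.
        "overlay": carve(real + stub),
        # Code spliced in right after the DOS header: e_lfanew no longer
        # lands on 'PE\0\0', so the carver finds nothing at all.
        "spliced": carve(real[:0x40] + stub + real[0x40:]),
    }


if __name__ == "__main__":
    # Usage: python carve_pe.py suspect.exe  -> suspect.exe.N.bin per image
    blob = open(sys.argv[1], "rb").read()
    for n, p in enumerate(carve(blob)):
        out = "%s.%d.bin" % (sys.argv[1], n)
        with open(out, "wb") as fh:
            fh.write(p["data"])
        print("%s: offset %#x size %d overlay %d" % (out, p["offset"], p["size"], p["overlay"]))
```

The "appended" case is the only one where a generic splitter wins: both images carry their own headers and section tables, so each can be cut out whole. With a single header the tool can at most report how many bytes sit beyond the last section, which is exactly VanguardLH's point, since an overlay is also how self-extracting installers and many packers store their data. Even a clean carve gives no assurance that the recovered program is unmodified; comparing it against a known-good copy from backup or a fresh install is still the only real check.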

