Thread: link virus info needed

  1. #1

    link virus info needed

    Can anyone please explain how viruses are created with *.dll files? Also, how do we detect or fight back against such viruses (without using antivirus software)?

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    Do you mean like they use the functionality of some DLL file?
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am not sure what you mean. A virus could be disguised as a "harmless" .dll file, and could work in all sorts of ways depending on what the viral code actually was.

    Try http://www.Runtimeware.com

    There is a product called "Sentinel" that monitors .dll and other files for changes that might be malicious.

    Cheers

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    123
    That's a fairly broad question; please try and be a little more specific and I may be able to help.
    Speak your mind because those who matter don't mind and those who mind don't matter

  5. #5
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Why would you like to detect a DLL virus without using antivirus software, huh?

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    That one is easy:

    Why would you like to detect a DLL virus without using antivirus software, huh?
    Because they are too damn late.

    I am assuming that this is "traditional" AV scanning software like Norton & McAfee.

    Cheers

  7. #7
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Watcha mean they're late?

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    By "late" I mean the following:

    1. Traditional AV looks for patterns in code, or it looks for potential generic patterns (heuristics).
    2. It may also look for simple text identifiers like "dead cow" or whatever.

    What they will not detect are completely new malwares that do not have a match in their "signature", "pattern" or "dat" files. This is why they let stuff through.

    Compounding this is the speed at which they release updates, and the speed at which users apply these updates. A virus could have 10 days on the run, so to speak. That is far too long.

    I am sure that we all appreciate this "latency" problem?

    Cheers

  9. #9
    OK, a few points to raise:

    There are viruses that propagate themselves using .dll files. But there are some important things to note about these.
    They do NOT arrive on the target machine as a DLL file; they are dropped by something else.
    A DLL file containing virus code can be run very simply by adding an entry in HKLM/Software/Microsoft/Windows/CurrentVersion/Run
    with a value of (eg)

    rundll32 c:/Winnt/System32/hdueknat.dll, -boottime

    The important thing to notice here is that rundll32 is a valid Windows utility, but the DLL file that it is going to run has been dropped into a directory that most users won't look at, let alone know what should be in there. Also the DLL file has a very obscure name, in most cases completely random, which makes it hard to place as a file for a specific program.
    This can get even more complicated when the DLL file in question doesn't contain any viral code in the normal storage way, but has an additional 'alternate data stream' or ADS. This is referenced by using a ':' rather than a '/' when it comes to stating the file name.
    Adware and spyware use the technique of running DLL files at start-up a lot more than viruses do, however.

    There are a handful of viruses that work in this way:
    http://www.sophos.com/virusinfo/anal...coreflooc.html <dll file virus with ADS>
    http://www.sophos.com/virusinfo/anal...32dumarua.html <ADS virus>

    Nihil is absolutely right when he mentioned the subject of being 'late'. It is impossible for an AV company to be pre-emptive or proactive against viruses. They can in essence only be reactive about viruses. The one exception to this is heuristic scanning, which in all honesty, to begin with, looked like a good idea. But in practice this technique of scanning creates a lot of false positives, and even a number of false negatives.
    The best way to stay virus free is to implement a firewall, be it hardware or software, either on the gateway or on the host machine. Then keep up with all security patches, whether these are related to Windows systems, or Unix/Linux, or Mac, etc. Don't open attachments on emails that you are not expecting (it still makes me groan in anguish when a customer rings us and says they have this virus, and they blatantly opened an unsolicited file). The last line of defence should be your AV software. If it is kept up to date, then you have a better than good chance of stopping anything from actually getting into the core of the machine. But there will always be exceptions, as viruses change.
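An added example (not from the thread or any product it names) of the manual check the post above describes: given the values found under the Run key, flag entries that launch rundll32 against a DLL dropped into System32, that use an obscure name, or that reference an alternate data stream. The Run-key values and the DLL names other than hdueknat.dll are constructed for the example, so it runs offline on any platform.

```python
import re

# Constructed sample Run-key values (value name -> command line). The first
# is modelled on the thread's hdueknat.dll example; the rest are invented.
SAMPLE_RUN_VALUES = {
    "SoundMgr": r"rundll32 c:\Winnt\System32\hdueknat.dll, -boottime",
    "Streamed": r"rundll32 C:\Winnt\System32\hdueknat.dll:run.dll, -boottime",
    "Updater": r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
    "Sync": r"C:\Program Files\SyncApp\sync.exe /background",
}

# Short constructed allowlist of DLL stems an admin recognises; in practice
# the check is "do I know this file, its publisher and its hash?"
KNOWN_DLL_STEMS = {"shell32", "user32", "kernel32", "advpack"}

# "rundll32 <dll>[,<export>] [args]" with or without .exe, path or quotes.
RUNDLL_RE = re.compile(r'^\s*"?(?:.*[\\/])?rundll32(?:\.exe)?"?\s+(.+)$', re.I)


def rundll32_target(command):
    """Return the DLL path a rundll32 command loads, or None if not rundll32."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                      # quoted path with spaces
        return rest[1:rest.find('"', 1)]
    return rest.split(",")[0].strip()             # export name follows the comma


def has_ads(path):
    """True if a ':' appears after the drive letter, i.e. an alternate data stream."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def assess_run_value(command):
    """List the reasons this autostart entry deserves a look (empty = nothing flagged)."""
    target = rundll32_target(command)
    if target is None:
        return []
    findings = ["rundll32 autostart entry"]
    base = re.split(r"[\\/]", target)[-1]         # file name, either slash style
    stem = base.split(":")[0].rsplit(".", 1)[0].lower()
    if has_ads(target):
        findings.append("alternate data stream in DLL path")
    if re.search(r"[\\/]system32[\\/]", target, re.I):
        findings.append("DLL lives under System32")
    if stem not in KNOWN_DLL_STEMS:
        findings.append("unrecognised DLL name: verify publisher and hash")
    return findings


def scan_run_values(values):
    """Map each flagged value name to its findings; clean entries are omitted."""
    report = {}
    for name, cmd in values.items():
        findings = assess_run_value(cmd)
        if findings:
            report[name] = findings
    return report
```

On a real host the same functions can be fed the output of `reg query` for the Run key instead of the constructed dictionary.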
