virus prevention with mutexes

Karl Unge

Hi all,

Is there a possibility to shut out viruses by defining mutexes?
Current viruses are defining mutexes to be sure they run only once on a computer,
so if there is a mutex named like the one the virus uses, the virus does not
start again.
So if I create a mutex and name it like the one the virus names its own,
does that keep me from being infected by viruses like Korgo, Sasser, Mydoom, ...?

For example, to protect my computer from Sasser I open a mutex named
"Jobaka3".

If it is possible, can someone post how it works?

I tried it that way, but I think it didn't work:

------------------------------------------------------
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[])
{
    if (argc < 2) {
        _tprintf(_T("usage: mutex name [names]\n\n"));
        return 1;
    }

    for (int i = 1; i < argc; i++) {
        _tprintf(_T("%s"), argv[i]);   /* argv[i], not argv: the original printed the array pointer */

        /* Create the named mutex, or open it if it already exists. The handle is
           deliberately never closed: a named mutex only exists while some handle
           to it is open, so this process has to stay alive to keep the name taken. */
        HANDLE hMutex = CreateMutex(NULL, FALSE, argv[i]);
        /* Read GetLastError() immediately; the original called OpenMutex first,
           which overwrote the ERROR_ALREADY_EXISTS result before it was checked. */
        DWORD err = GetLastError();

        if (hMutex == NULL) {
            _tprintf(_T(" - CreateMutex failed, error %lu\n"), (unsigned long)err);
            continue;
        }
        if (err == ERROR_ALREADY_EXISTS) {
            _tprintf(_T(" - exists"));   /* someone else (perhaps the worm) already holds this name */
        }
        _tprintf(_T("\n"));
    }

    /* Block forever so the handles, and therefore the mutexes, stay open. */
    Sleep(INFINITE);
    return 0;
}
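The "vaccination" idea described in the post above, as an added example that is not code from the original thread: a PowerShell script (assuming a Windows host with .NET's System.Threading.Mutex, whose createdNew flag mirrors CreateMutex's ERROR_ALREADY_EXISTS) that first simulates the worm-side single-instance check, then pre-creates and holds the named mutexes the way a logon script would. "Jobaka3" is the Sasser mutex name quoted above; the other two names are hypothetical placeholders.

```powershell
# Added example, not from the original thread.
# Idea: a worm that calls CreateMutex and exits on ERROR_ALREADY_EXISTS
# can be kept from starting by creating its mutex first and holding it.

# Simulates the single-instance check such a worm performs.
# Returns $true if the simulated worm would run, $false if it would bail out.
function Test-WormWouldRun {
    param([string]$MutexName)
    $createdNew = $false
    # createdNew is $false when the name was already taken: the .NET
    # equivalent of CreateMutex + GetLastError() == ERROR_ALREADY_EXISTS.
    $m = New-Object System.Threading.Mutex($false, $MutexName, [ref]$createdNew)
    try {
        return $createdNew
    } finally {
        $m.Dispose()    # the simulated worm lets go of its handle again
    }
}

# Creates the given mutexes and returns them so the caller can keep them alive.
# A named mutex disappears as soon as its last handle is closed, so the
# returned objects must not be disposed for as long as the vaccine should hold.
function Start-MutexVaccine {
    param([string[]]$Names)
    $held = @{}
    foreach ($name in $Names) {
        $createdNew = $false
        $m = New-Object System.Threading.Mutex($false, $name, [ref]$createdNew)
        if ($createdNew) {
            Write-Host "$name - created and held"
        } else {
            # Either a second vaccine instance is running, or the worm already is.
            Write-Warning "$name - already exists; not created by this script"
        }
        $held[$name] = $m
    }
    return $held
}

# Constructed sample list: "Jobaka3" is the Sasser name quoted in the thread;
# the other two are hypothetical placeholders for your own list.
$vaccineNames = @('Jobaka3', 'ExampleWormMutex_A', 'ExampleWormMutex_B')

Write-Host ("Before vaccination, simulated worm would run: " + (Test-WormWouldRun 'Jobaka3'))
$held = Start-MutexVaccine -Names $vaccineNames
Write-Host ("After vaccination, simulated worm would run:  " + (Test-WormWouldRun 'Jobaka3'))

# Stay resident so the mutex handles stay open. Without this the script ends,
# the handles are closed and the names become free again.
while ($true) { Start-Sleep -Seconds 3600 }
```

Run it from the logon script as a background process (for example `powershell -WindowStyle Hidden -File vaccine.ps1`) so it keeps running for the whole session; a script that creates the mutexes and then returns holds nothing. Two caveats a practitioner should keep in mind: the trick only affects worms that use exactly this name and exactly this check, so a renamed variant walks straight past it; and on hosts with more than one session (terminal servers, and every Windows since Vista, where services run in session 0), an unprefixed name lands in that session's Local\ namespace, so a vaccine started in the user's session does not cover a worm started as a service unless both sides use the Global\ prefix.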
 
Karl said:
is there a possibility to shut out viruses by defining mutexes?

Oh, certainly, but is it worth the effort?

Such tricks may work only against a very small percentage of viruses.
 
Hi Art,

the last dangerous viruses like Sasser, Blaster, Korgo, MyDoom are
creating mutexes.

So I don't want to block all malware; I only want to block specific widely
distributing viruses and viruses that are in our corporate network when our
patching has not gone that far.

I'd like to open these mutexes with the logon script.
 
Hi Frederic,

the last dangerous ones (Korgo, MyDoom) create mutexes to be sure they run
only once on a computer. So I only want to block the fast-distributing ones like
these in our corporate network with the help of the logon script, if there is
a break-out.

Do you know other little dirty tricks to block viruses?
Why doesn't my program work?
 
Karl said:
Hi Art,

the last dangerous viruses like Sasser, Blaster, Korgo, MyDoom are
creating mutexes.

So I don't want to block all malware; I only want to block specific widely
distributing viruses and viruses that are in our corporate network when our
patching has not gone that far.

I'd like to open these mutexes with the logon script.

The Blaster and Sasser variants I looked at used exploits in DCOM and
LSASS. There is absolutely no reason for most companies to have those
ports exposed to the internet. Unfortunately one infected box nails the
internal network.

Moreover, a decent-sized company should be running an IDP or firewall
that drops buffer overflows. Microsoft will have decent overflow
protection soon enough. Even AIM beta has overflow protection now.
It's about time as VMS stopped this years ago.

The worm coders are poor at exploit development, so this will stop whole
classes of attack.

michael
 