Viruscope Generic detections

Anyone else think Viruscope should also cover that old but still active malware that hides behind dual extensions, whitespace sequences, underscore sequences, etc.?

Dual extension examples:
video.avi.exe
document.pdf.exe
naked_girl.jpg.exe

Dual extension with whitespace sequence examples:

video.avi                                                                                .exe
document.pdf                                                                                   .exe
naked_girl.jpg                                                                                  .exe

Dual extension with underscore sequence examples:
video.avi________________________________________.exe
document.pdf_____________________________________.exe
naked_girl.jpg____________________________________.exe

The thing is, despite the age of these tricks, Windows still seems to display these files in a way where it looks like there is no second extension after the first one (especially with the last two sets of examples). It would kinda make sense to detect these, since getting a false positive on these is virtually impossible, yet it could still prevent a lot of malware, because malware is still using these tricks.

I think that the heuristic engine should react with a “Heur.DualExtension” alert.

First, I think it has to be an actual executable for it to be detected as “Heur.DualExtension”. For example, I made a text file and just renamed it to “Test.txt.exe”, but that didn’t give anything. Then I took my “Test Viruscope.exe” program and renamed it to “Test Viruscope.txt.exe”, and then I got a “Heur.DualExtension” alert for it. BUT if I instead renamed it to “Test Viruscope.pdf_.exe”, then it was not detected, and it wasn’t detected if I exchanged the “_” for a normal space either. So from that it seems that it only detects it if there are two extensions directly after each other, like “.pdf.exe”, but not “.pdf .exe”.
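To make the two observations above concrete (the original post's padded variants, and the reply's finding that only a real executable with back-to-back extensions currently triggers the alert), here is an added example of what a "Heur.DualExtension" style check could look like. It is not Viruscope's code and not the author's code; the decoy and executable extension lists, the alert name, and the padding categories are assumptions for illustration. The check matches `<name>.<decoy><padding>.<exe>` where the padding is any run of spaces and/or underscores (including none), and it only alerts when the file content really is a PE image (MZ header whose e_lfanew points at the `PE\0\0` signature), so a renamed text file is not flagged. The PE header used as sample input is a constructed stub, not a real program.

```python
import re

# Constructed lists for this example (assumption): common "decoy" document/media
# extensions an attacker hides behind, and the executable extensions that
# actually run when double-clicked on Windows.
DECOY_EXTENSIONS = {"avi", "mp4", "mp3", "jpg", "jpeg", "png", "gif",
                    "pdf", "doc", "docx", "xls", "xlsx", "txt", "zip"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# <name>.<decoy><padding>.<executable> anchored at the end of the file name.
# The padding group absorbs the whitespace / underscore sequences from the
# thread; an empty padding group is the plain "video.avi.exe" case.
DUAL_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})([ _]*)\.([A-Za-z0-9]{1,4})$")

ALERT_NAME = "Heur.DualExtension"  # name proposed in the thread


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def padding_kind(padding: str) -> str:
    """Classify the filler between the two extensions (categories are an assumption)."""
    if padding == "":
        return "none"
    chars = set(padding)
    if chars == {" "}:
        return "whitespace"
    if chars == {"_"}:
        return "underscore"
    return "mixed"


def dual_extension_verdict(filename: str, data: bytes):
    """Return (alert_name, padding_kind) when the name is a dual-extension
    disguise AND the content is a real PE image; otherwise None."""
    m = DUAL_EXT_RE.search(filename)
    if not m:
        return None
    decoy, padding, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if real not in EXECUTABLE_EXTENSIONS or decoy not in DECOY_EXTENSIONS:
        return None
    # A renamed text file is not a PE, so no alert (matches the observation
    # in the thread that "Test.txt.exe" made from a text file did nothing).
    if not is_pe_image(data):
        return None
    return (ALERT_NAME, padding_kind(padding))


def fake_pe_header() -> bytes:
    """Constructed stand-in for an executable: a minimal MZ/PE header stub."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    pe = fake_pe_header()
    for name in ("video.avi.exe", "document.pdf          .exe",
                 "naked_girl.jpg______.exe", "Test Viruscope.pdf_.exe",
                 "report.pdf", "archive.tar.gz"):
        print(f"{name!r:40} -> {dual_extension_verdict(name, pe)}")
    print("Test.txt.exe (plain text) ->", dual_extension_verdict("Test.txt.exe", b"hello"))
```

The decoy list is what keeps false positives low: names like `archive.tar.gz` or `setup.v2.exe` have a second extension but no disguise, so they are ignored, while `document.pdf          .exe` and `naked_girl.jpg______.exe` are caught the same way as `video.avi.exe`.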

So yeah I agree with this.

Yes you’re right, it needs to be named like “a.pdf.exe” for example.

Yes, malware creators could easily take advantage of this by simply naming it “a.pdf .exe” instead…