Soaring Eagle 666 wrote:
Thanks for posting the source. Posts here take time to go through, and yours hadn't gone through yet when I asked.
Most people don't keep proper backups, so deleting the Documents folder can be a devastating loss. And how about ransomware, which you mentioned as a "real" virus? That simply involves encrypting instead of deleting. If you don't pay, then it's exactly the same as deletion! Regardless, the VB virus I mentioned writing is a full-fledged RAT that can evade every static antivirus I've tested. I actually wrote it with no malicious intent as an enhanced version of Remote Desktop. However, it could easily be packaged as a Trojan Horse to let me gain full control over the victim computer. Sometimes a real-time antivirus will catch the outgoing network connection, but a ransomware wouldn't even have that weakness.
My point is just that an online antivirus scan is only meaningful when it finds a virus.
I understand that and I apologize if I've jumped the gun on you.
The difference between simply deleting a file and encrypting it is that the file becomes unusable after the fact, and a smart programmer would learn how to circumvent the usual ways of recovering those files, for instance by deleting every System Restore point.
Viruses typically embed themselves within a computer's startup files through the registry, and a standard way of getting around that is to hit F8 as the computer starts up so you can go into Safe Mode. Now, since everything's been encrypted, that's out of the question because the machine becomes virtually unusable, even if the ransomware doesn't start up with the computer under those circumstances.
It's a smarter version of those old "Rogue Antivirus" programs, which were popular in the Windows XP era of computers.
Was your RAT a direct-connection RAT, where you must connect to the user's computer by typing in his LAN address (assuming you're testing using VMs) like old trojan horses in the 90s (NetBus, Sub7, etc.), or was it a reverse-connection RAT, like the ones that have become conventional today, where your computer acts as the server and each victim's computer becomes a client connecting to a DNS name that you set up? Or, as you said, something with no malicious intent like a TeamViewer clone?