Written by HAURI Virus Lab
Malware used to run only inside its own process, but recently it has started to infect the memory of normal processes as well.
[Image 1] Usage of memory by malware
By leaving code resident in memory, this malware keeps running and, under certain conditions, can restore the original malware even after its file has been deleted.
Injecting into the memory of a critical process such as Winlogon.exe makes the simplest way of clearing memory, killing the process, unusable: terminating Winlogon.exe takes the whole session down with it.
To infect a normal process, the malware first obtains a handle to the target with OpenProcess() and then uses WriteProcessMemory() to copy its binary into a buffer in the target's address space (the buffer is normally allocated beforehand with VirtualAllocEx()).
[Image 2] Inserting malware binary
Some malware copies its entire binary into the normal process, while other samples use various methods, such as ShellCode, to insert a small piece of code into one or more of the process's threads.
[Image 3] Inserting ShellCode
The injected code is then started with CreateRemoteThread(); once running inside the host process it deletes the malware's own files or hides them in less conspicuous locations.
[Image 4] Operating malware
The weakness of this kind of malware is that clearing memory deactivates it. On an ordinary PC, clearing memory means rebooting the computer.
Antivirus software can try to cure the infected memory in place, but doing so risks crashing the host process. Unless the infection poses a serious risk, rebooting is the recommended course.
There are good reasons why treatment has to continue after the reboot, but some users do not understand what the message means and ignore it. Doing so leaves the malware running and monitoring the PC.