Tools To Analyze A Virus?


pizzaguy

I hope this isn't breaking any rules...

Some of my school's computers were recently infected with a virus. It appears to have been a relatively mild thumb drive virus. The only noticeable effects are that it automatically copies a hidden folder with a single exe file in it to attached (thumb)drives, and it copies a new autorun.inf file in. The inf file shows that it copies that exe file somewhere into the AppData folder of windows (I think, I don't actually remember where specifically). But really, this is all beside the point.

I'm really just curious about what the virus is doing. So, can you recommend any applications to safely analyze the virus itself? Today I tried using a simple decrypter to look over its assembly structure. Although, admittedly, I don't know a thing about Assembly, so I was really just looking over text strings and deducing meaning through logic.

Can anyone recommend any more elegant methods to examine what it's doing? I'm just really curious. Any suggestions as to a way to make analysis safer as well? Today I was just doing it on the school computer since it was already infected. I figure if I do try to bring it home I'd use a virtualbox to look it over, but does anyone know of any better methods?

There is a sandbox you can run it in. Some website for malware analysis would run it and tell you what it tried to do.

http://www.sunbeltsoftware.com/Malware-Res...belt-CWSandbox/

http://mwanalysis.org/?site=1&page=submit

Thanks for these, they look like they'll be quite helpful!

Ahh yes. I had forgotten about 404. And thanks for the irongeek one, I hadn't yet familiarized myself with Process Monitor's controls. I guess I will have to bring the file home, because I had tried using Process Monitor, but I didn't have admin rights, so it wouldn't run. I ended up toying around with Process Explorer just to see if it could help at all.

I'd suggest, if you don't know what you are doing in reverse engineering, that the best thing to do would be to upload it to VirusTotal and see if it detects it as being a virus. If it does, then it will give you a name. Google that name.

Let people who know what they are doing do all the hard work then just read their research.
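A small offline triage script, added here as an example and not from any poster in this thread: it parses an autorun.inf of the kind the first post describes, keeps only the directives that actually launch something, and computes the SHA-256 of each referenced file, which is the value to look up on VirusTotal instead of uploading the sample. The autorun.inf contents, folder and file names below are constructed for the example.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

# Constructed autorun.inf of the kind the thread describes: it launches an exe
# from a hidden folder when the drive is attached (names are invented here).
SAMPLE_AUTORUN = """[AutoRun]
open=.hidden\\updater.exe
shellexecute=.hidden\\updater.exe
shell\\open\\command=.hidden\\updater.exe /silent
icon=.hidden\\updater.exe
"""
SAMPLE_EXE = b"MZ-not-a-real-executable-just-constructed-bytes"

# [autorun] directives that make Explorer launch something; icon/label do not.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return {directive: command} for each directive that runs code."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    # Section name is case-insensitive on Windows ([autorun] or [AutoRun]).
    sec = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return {} if sec is None else {k: v for k, v in cp[sec].items() if k in EXEC_KEYS}

def triage_drive(root):
    """Parse <root>/autorun.inf and SHA-256 each file it would launch.
    The hash is what you look up on VirusTotal instead of uploading the file."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    cmds = parse_autorun(inf.read_text(encoding="utf-8", errors="replace"))
    report = []
    for key, cmd in cmds.items():
        target = (cmd.split() or [""])[0].lstrip("\\/")  # first token = file; drop args
        full = root.joinpath(*target.split("\\"))        # Windows path -> host path
        digest = hashlib.sha256(full.read_bytes()).hexdigest() if full.is_file() else None
        report.append((key, target, digest))
    return report

def demo():
    # Build a throwaway "drive" from the constructed samples and triage it.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / ".hidden").mkdir()
        (Path(root) / ".hidden" / "updater.exe").write_bytes(SAMPLE_EXE)
        (Path(root) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        return triage_drive(root)
```

Run it against a mounted drive's root directory instead of `demo()` to see which file an infected stick would launch and what hash to search for.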

Let people who know what they are doing do all the hard work then just read their research.

I guess it's all part of learning, and getting someone else to do the dirty work for you is OK to an extent. But at some point, you have to do the dirty work yourself as well.

But I see where you are coming from; it takes a lot of time, practice and experience to understand how/what a virus is doing.

Edited by Infiltrator
If you want to learn reverse engineering, starting on a virus isn't the way; they are usually deliberately obfuscated and packed to deter people from reversing them.

If you want to get into malware analysis, there are loads of good sources on the net, but they will all say the same thing: start simple, then work up.

Well, I never said it would be easy to analyse malware; most malware is designed to protect itself and prevent analysts from reverse engineering it.

There are certainly tools that can help analyse the behavior of a virus, but disseminating the virus would be very difficult, even more so if you are not an experienced user.

Edited by Infiltrator