pizzaguy Posted October 21, 2010
I hope this isn't breaking any rules... Some of my school's computers were recently infected with a virus. It appears to have been a relatively mild thumb drive virus. The only noticeable effects are that it automatically copies a hidden folder with a single exe file in it to attached (thumb) drives, and it copies a new autorun.inf file in. The inf file shows that it copies that exe file somewhere into the AppData folder of Windows (I think, I don't actually remember where specifically). But really, this is all beside the point. I'm really just curious about what the virus is doing. So, can you recommend any applications to safely analyze the virus itself? Today I tried using a simple decrypter to look over its assembly structure. Although, admittedly, I don't know a thing about assembly, so I was really just looking over text strings and deducing meaning through logic. Can anyone recommend any more elegant methods to examine what it's doing? I'm just really curious. Any suggestions as to a way to make analysis safer as well? Today I was just doing it on the school computer since it was already infected. I figure if I do try to bring it home I'd use a VirtualBox VM to look it over, but does anyone know of any better methods?
Mr-Protocol Posted October 21, 2010
There is a sandbox you can run it in. Some websites for malware analysis would run it and tell you what it tried to do. http://www.sunbeltsoftware.com/Malware-Res...belt-CWSandbox/ http://mwanalysis.org/?site=1&page=submit
Edited October 21, 2010 by Mr-Protocol
Infiltrator Posted October 22, 2010
I would recommend watching these videos. http://www.hak5.org/episodes/episode-404 http://www.irongeek.com/i.php?page=videos/procmon1
pizzaguy Posted October 22, 2010 (Author)
Quoting Mr-Protocol: "There is a sandbox you can run it in. Some websites for malware analysis would run it and tell you what it tried to do. http://www.sunbeltsoftware.com/Malware-Res...belt-CWSandbox/ http://mwanalysis.org/?site=1&page=submit"
Thanks for these, they look like they'll be quite helpful!
Quoting Infiltrator: "I would recommend watching these videos. http://www.hak5.org/episodes/episode-404 http://www.irongeek.com/i.php?page=videos/procmon1"
Ahh yes. I had forgotten about 404. And thanks for the irongeek one, I hadn't yet familiarized myself with Process Monitor's controls. I guess I will have to bring the file home, because I had tried using Process Monitor, but I didn't have admin rights, so it wouldn't run. I ended up toying around with Process Explorer just to see if it could help at all.
digininja Posted October 22, 2010
I'd suggest, if you don't know what you are doing in reverse engineering, the best thing to do would be to upload it to VirusTotal and see if it detects it as being a virus. If it does, then it will give you a name. Google that name. Let people who know what they are doing do all the hard work, then just read their research.
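The first post describes the two artifacts such a worm leaves on a thumb drive (a new autorun.inf and a hidden folder with one exe), and digininja's suggestion is to identify the sample by having it scanned rather than reversing it. The script below is an added example, not code from anyone in this thread: it reads a volume's autorun.inf, pulls out every directive that would launch a program when the drive is opened, and hashes the referenced file so the hash can be looked up on VirusTotal or in vendor write-ups without ever executing the sample. The autorun.inf contents and the payload bytes are constructed for the demo; the function names and the `hidden\payload.exe` path are this example's own.

```python
import configparser
import hashlib
import os
import stat
import tempfile

# autorun.inf directives that run (or offer to run) a program when the
# volume is opened; these are the lines worth reading first on a suspect drive.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")

# Constructed sample of a worm-style autorun.inf (not from any real sample):
# every launch directive points at one executable inside a hidden folder.
SAMPLE_AUTORUN = """[autorun]
open=hidden\\payload.exe
shellexecute=hidden\\payload.exe
shell\\open\\Command=hidden\\payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed stand-in for the dropped executable: an MZ header plus filler.
PAYLOAD_BYTES = b"MZ" + b"\x00" * 62 + b"constructed-dummy-payload"


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent/garbled)."""
    # interpolation=None so values like %SystemRoot% are taken literally;
    # strict=False so duplicated keys (common in hand-made inf files) do not abort.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def launch_targets(directives):
    """Executables referenced by launch directives, arguments stripped, order kept."""
    targets = []
    for key in LAUNCH_KEYS:
        value = directives.get(key)
        if value:
            exe = value.strip().strip('"').split()[0]
            if exe not in targets:
                targets.append(exe)
    return targets


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    """Hidden attribute on Windows; dot-prefix elsewhere (best effort)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def triage_volume(root):
    """Describe each launch target named in root/autorun.inf. Nothing is executed."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", errors="replace") as f:
        directives = parse_autorun(f.read())
    findings = []
    for target in launch_targets(directives):
        # inf paths use backslashes relative to the volume root
        local = os.path.normpath(os.path.join(root, target.replace("\\", os.sep)))
        entry = {"target": target, "exists": os.path.isfile(local)}
        if entry["exists"]:
            entry["sha256"] = sha256_file(local)   # look this up instead of running the file
            entry["size"] = os.path.getsize(local)
            entry["hidden_dir"] = is_hidden(os.path.dirname(local))
        findings.append(entry)
    return findings


def demo():
    """Build a throwaway 'infected drive' from the constructed sample and triage it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hidden"))
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "hidden", "payload.exe"), "wb") as f:
            f.write(PAYLOAD_BYTES)
        return triage_volume(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `triage_volume()` at the mount point of a drive that has been attached with autorun disabled and the result gives you the exact file the inf would launch and its SHA-256; searching that hash on VirusTotal returns the vendor names digininja refers to, and the sample never has to leave the drive or run.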
Infiltrator Posted October 22, 2010
Quoting digininja: "Let people who know what they are doing do all the hard work, then just read their research."
I guess it's all part of learning, and getting someone else to do the dirty work for you is OK to an extent. But at some point, you've got to do the dirty work yourself as well. But I see where you are coming from; it takes a lot of time, practice and experience to understand how/what a virus is doing.
Edited October 22, 2010 by Infiltrator
digininja Posted October 22, 2010
If you want to learn reverse engineering, starting on a virus isn't the way; they are usually deliberately obfuscated and packed to deter people reversing them. If you want to get into malware analysis there are loads of good sources on the net, but they will all say the same thing: start simple, then work up.
Infiltrator Posted October 22, 2010
Well, I never said it would be easy to analyse malware; most malware is designed to protect itself and prevent analysts from reverse engineering it. There are certainly tools that can help analyse the behavior of a virus, but disseminating the virus would be very difficult, even more so if you are not an experienced user.
Edited October 22, 2010 by Infiltrator