Strange File

Networking/Security Forums -> Viruses // Worms

Author: itexltd    Posted: Sun Jan 13, 2008 7:21 am    Post subject: Strange File
    ----
I would like to inspect a trojan. I found an unusual exe file on my home computer. I have since formatted my home PC and reinstalled Windows, but I kept the .exe, and I would like to test the exe in VMware to see what exactly it does. What would you recommend for sniffing the traffic and seeing what it is all about?

Thank you!

Author: White Scorpion    Location: The Netherlands    Posted: Thu Jan 17, 2008 8:33 am
    ----
Why don't you upload it to virusscan.jotti.org or www.virustotal.com?
It should be much faster than analyzing the file yourself (and less risky).
Once you know what it is, you might find some information on the net on how to remove it.

Author: bj0rn    Location: Chicago, IL    Posted: Mon Jan 21, 2008 10:07 pm
    ----
Do some heavy amounts of research before messing around with malware samples. I agree with lepricaun; I recommend uploading it to SunBelt Sandbox [ http://research.sunbelt-software.com/Submit.aspx ]. It gives you a detailed log of what the file tries to do, so you don't have to go through the trouble.

However, if you are interested in some more advanced malware analysis, here are a few links to some advanced tools that will be helpful:

F.I.R.E - http://fire.dmzs.com/?section=tools
http://vladimir44.googlepages.com/home [decompilers like IDA, network monitoring with tools like SNORT, tools from sysinternals, and other things that will be handy]

Author: PhiBer    Location: Your MBR    Posted: Wed Jan 23, 2008 9:13 pm
    ----
You may also wish to take a look at a piece of software called InCtrl5. It basically allows you to specify an executable to launch and will track changes to the registry, system drives, ini files, and any text file changes.

Couple this with Wireshark, TCPView, and Process Monitor and you just may be able to better understand what the virus does.

Do note that oftentimes a trojan might not actually start trying to run commands from your PC, but will wait for commands from a central location. As such, network activity might be lacking from the get-go.

I also advise you to run malware within a virtual environment to prevent any system damage. Unfortunately though, some malware detects when it is being run within a virtual machine and will not activate to prevent analysis.
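The before/after comparison that InCtrl5 performs can be reproduced for the file system with a short script run inside the analysis VM. The following is an added example written for this thread, not a tool from any of the posters: it takes a snapshot of a directory tree (size plus SHA-256 per file), lets the sample run, takes a second snapshot, and reports what was added, removed or modified. The `demo()` function simulates the sample's changes with constructed files in a temporary directory; registry tracking is not covered, since that needs Windows-specific APIs.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file (relative to root) to (size, sha256) for later comparison."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            state[str(p.relative_to(root))] = (p.stat().st_size, file_digest(p))
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return sorted lists of added, removed and modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline, simulated sample activity, then the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline files; in real use this would be the VM's system drive.
        (root / "config.ini").write_text("[settings]\nlevel=1\n")
        (root / "notes.txt").write_text("untouched\n")
        (root / "keep.txt").write_text("stays the same\n")
        before = snapshot(root)

        # Simulated changes standing in for whatever the sample does when launched.
        (root / "dropped.bin").write_bytes(b"\x00" * 32)   # new file appears
        (root / "config.ini").write_text("[settings]\nlevel=2\n")  # existing file changed
        (root / "notes.txt").unlink()                       # file deleted

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would call `snapshot()` on the directories you care about (system root, profile, temp), launch the sample, wait, snapshot again and hand the diff to `diff_snapshots()`. Pair the file-system diff with the Wireshark/TCPView capture so that a dropped file and the connection it opens can be lined up on the same timeline.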
