
Thread: Not sure if this is a good idea or not...

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    8

    Not sure if this is a good idea or not...

    My AV picked up a .COM virus...I am wondering...I would like to convert it to text and/or code and view it as text and/or code. I thought I might simply change the extension from .COM to .TXT and open it with a text editor but the access is denied. I can copy it for example but I can not paste it. Read-only is not selected in its properties and notepad actually does open, though blank along with the access denied message. One: Is there a way I can accomplish this and, Two: Is it a good idea in the first place? I am just curious, really as to what it contains and it may or may not have some useful information in it. I have no intention of using it in viral form..it is simple enough to just code or copy code from one if that were my aim. If this is not a proper question or if it seems as if it may lead to some evil please let me know and I will not repeat it. Truly, it is now really more the principle of the matter...it *seems* as if I should be able to do this though I am unsure how.
    thanks.
    A sensible, moral, well-bred man will not affront me; and no other can.~~~~~~~~~Ne Humani Alianum Puto

  2. #2
    Senior Member
    Join Date
    Feb 2004
    Posts
    620
    One: Is there a way I can accomplish this
    Even if you could open it in notepad (I'm not sure why it would give you an access denied--maybe it's running?) all you would see is garbage cause the program's in its binary form. You could disassemble it but you would need very extensive knowledge in assembly to understand it. Other than that, I have no idea.

    Two: Is it a good idea in the first place?
    I don't see any harm in it, though there's probably not much point in doing it anyways.

    Just out of curiosity, what specific virus is it?

    Later

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    If access is denied it suggests one of two things to me.....

    1. Your antivirus is doing its job
    2. The damn thing is actually running

    Boot into safe mode if it is #2, and you should be able to get at it.

    You won't see anything that you will understand by viewing it in a text editor as you will be looking at a compiled executable that is probably packed and may well be encrypted as well.

    It is quite a lengthy and complex process to reconstruct the actual virus from its executable form. You need the right tools and to know what you are doing.

    Cheers

  4. #4
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    Ok thanks you guys, that helped. It wasn't running, I don't think, I had quarantined and moved it into virus chest before fiddling with it. I was also pretty sure it would be gibberish and no, I wouldn't know what I was doing....yet ;0) Thanks again for the (wow) really quick response....
    By the way...its name is: A0012962.txt.vir I changed the extension already from a .COM
    A sensible, moral, well-bred man will not affront me; and no other can.~~~~~~~~~Ne Humani Alianum Puto

  5. #5
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    A0012962.txt.vir I changed the extension already from a .COM
    The .vir extension indicates that it is a quarantined item. That way it won't get re-detected every time you run your AV.

    Some AVs will detect a virus with a text (.txt) extension, whilst others do not (AVG for example). This does NOT mean that the AV product is no good, it is just the way it works.

    Copying questionable executables into .txt files is a reasonable first shot at seeing if they are malicious...even though most of it may be undecipherable, there are frequently clues as to the origin and intent of the code.

    DO NOT open them in Word or Write. Use notepad or wordpad; the first two can launch executables...macros for example.

    Cheers
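
An added example (not part of any post in this thread): a read-only first look at a quarantined sample along the lines posts #3 and #5 describe, pulling out printable strings and checking for signs of packing without ever executing the file. The constructed `SAMPLE` bytes, the 5-character minimum and the function names are assumptions; it also extracts UTF-16 strings, which goes beyond what a plain text editor would show.

```python
import hashlib
import math
import re
import sys
from collections import Counter

MIN_LEN = 5  # shortest run reported as a string (assumed threshold)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs first, then UTF-16LE runs, in file order."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # for looking the sample up later
        "size": len(data),
        # A true DOS .COM is a flat image with no header; "MZ" means it is
        # really an EXE that was given a .COM (or .txt) name.
        "mz_header": data[:2] == b"MZ",
        "entropy": round(shannon_entropy(data), 2),
        "strings": extract_strings(data),
    }


# Constructed stand-in for a small .COM image; not taken from any real sample.
SAMPLE = (b"\xe9\x10\x00" + b"\x90" * 8 + b"Hello from a constructed sample$"
          + b"\xff\xff" + "C:\\TEMP\\OUT.LOG".encode("utf-16-le") + b"\xcd\x21")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # binary read only, nothing is run
            data = fh.read()
    else:
        data = SAMPLE
    for key, value in triage(data).items():
        print(key, "=", value)
```

Run it with the path of the renamed file as the only argument; with no argument it reports on the constructed sample.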

  6. #6
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    Right. Thanks again nihil. I changed the extension myself from .com to .txt. I was relatively sure that the AV (I use Avast!) would still detect the virus in text form but I thought that by changing the extension I might make the virus somehow unable to execute. Is this logical?
    A sensible, moral, well-bred man will not affront me; and no other can.~~~~~~~~~Ne Humani Alianum Puto

  7. #7
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes, in general a .txt is safe, but as I said you need to use a plain text editor like notepad, wordpad, vi to look at it.

    That is what I do with suspect files, a .txt file won't execute but if you opened an embedded macro? What I am saying is that you can generally open .txt and .com files (OK .scr, .reg and all the rest as well ) in a programmer's text editor.

    I have eTrust EZ Armor on this machine...it spots them in .txt form.

    You might look at your AV settings, it should be scanning ALL files, heuristic scan, and compressed (ZIP) files. AVG doesn't react to .txt files, because it considers them to be non-executable...if I rename a virus to .exe then it will light up and say "tilt"

    Hope that helps to explain?

  8. #8
    I know that you have had plenty of help on this thread, but I would recommend (if you really want to look at the file's contents) that you google spybot.. at their website you will find some freeware called fileanalyzer; download it and install it. Right-click on the file and you should see a menu that says analyze....

    just a thought

  9. #9
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    I really appreciate all the help. It was, I must say, more than expected. Outstanding.
    A sensible, moral, well-bred man will not affront me; and no other can.~~~~~~~~~Ne Humani Alianum Puto

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you want to analyze spyware, viruses, trojans or any other kind of malware IDA Pro is the way to go. You will have to understand a great deal of assembly and C/C++ before you're able to make sense of it though.

    http://www.datarescue.com/idabase/
    Oliver's Law:
    Experience is something you don't get until just after you need it.
