-
Virus analysis
Ok, a friend wanted help today when their Norton security suite went crazy and died. I asked about what had been done on the computer, and the guy had got a trojan that hadn't been picked up by his AV (thanks AVG, you saved my computer again :D). However, Google supplied no answers and Norton didn't notice it; AVG noticed it but couldn't give any info on it. I got the dude to HijackThis his computer and I noticed some suspicious registry entries; now we think he's rid of it. All this, however, made me want to learn more about virii and trojans. I would like to learn if there are ways to analyse what they do and how they do it. I'm OK as far as a test box goes, so I basically want to play about and see what I can find out about them. I mean, how do AV companies work out what's a virus and how do they write signatures? Basically I'm curious :D Thanks
-
http://www.symantec.com/region/reg_e...antivirus.html
I would use a disassembler to take it apart.
"Many newer viruses are designed using programming tricks that make them hard to disassemble (the process of interpreting the code into a form that is easier to analyze so that the virus can be combated)."
Source: http://www.pcguide.com/care/data/virus/index.htm
-
Here's a tut to give you a little better understanding of virii, and there are a few links at the bottom of the tut where you may find other stuff you are looking for.
http://www.antionline.com/showthread...hreadid=244114
-
First you'll need to learn the correct plural of "virus": it's "viruses", not "virii" ;)
Then, as DeadAddict noted, get yourself a disassembler, a link to the MSDN libraries (for API references), lots of coffee and lots of spare time :D
But it's fun, though. I always like to take new ones apart,
just to see what makes them "tick".
For disassembly I can definitely recommend getting IDA Pro.
See http://www.datarescue.com/idabase for more info.
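Editor's added example, not part of the original thread or of any of the posters' replies: the first post asks how AV companies write signatures, and the replies describe the manual side (disassemble the sample, look up the APIs it calls). What comes out of that work is typically one of two things, a hash of the whole sample or a byte pattern taken from code that stays constant across variants. The scanner below implements both. The `??` single-byte wildcard syntax is modelled on ClamAV-style hex signatures as an assumption about format, not a parser for any real engine's database. The EICAR string is the real, published anti-virus test string (so saving this file may make your own AV react, which is exactly what that string is for); every other sample and every signature name is constructed here for illustration.

```python
"""Minimal static signature scanner: whole-file SHA-256 signatures plus
byte-pattern signatures with '??' single-byte wildcards (ClamAV-like
format, assumed here; this is not a ClamAV database parser).
Added example, not from the original thread."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str    # "sha256" (hash of the whole file) or "hex" (byte pattern)
    value: str


def parse_hex_pattern(pattern: str) -> list[Optional[int]]:
    """'45 49 ?? 41' -> [0x45, 0x49, None, 0x41]; None is a wildcard byte."""
    out: list[Optional[int]] = []
    for tok in pattern.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(bytes.fromhex(tok)[0])   # raises on non-hex tokens
        else:
            raise ValueError(f"bad hex token {tok!r}")
    return out


def find_pattern(data: bytes, pattern: list[Optional[int]]) -> int:
    """Offset of the first occurrence of the wildcard pattern in data, or -1.
    Naive O(n*m) scan; real engines use multi-pattern algorithms (Aho-Corasick
    and friends), but the matching semantics are the same."""
    n, m = len(data), len(pattern)
    for i in range(n - m + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def make_hash_signature(name: str, sample: bytes) -> Signature:
    """A hash signature is simply derived from a captured sample."""
    return Signature(name, "sha256", hashlib.sha256(sample).hexdigest())


def scan(data: bytes, sigs: list[Signature]) -> dict[str, int]:
    """Return {signature name: match offset} for every signature that hits.
    Hash hits report offset 0 because they cover the whole file."""
    hits: dict[str, int] = {}
    digest = hashlib.sha256(data).hexdigest()
    for sig in sigs:
        if sig.kind == "sha256":
            if digest == sig.value.lower():
                hits[sig.name] = 0
        elif sig.kind == "hex":
            off = find_pattern(data, parse_hex_pattern(sig.value))
            if off >= 0:
                hits[sig.name] = off
        else:
            raise ValueError(f"unknown signature kind {sig.kind!r}")
    return hits


# The real, published EICAR anti-virus test string (68 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed samples (not real malware): the test string embedded in a
# fake header, a one-byte change inside the wildcard region, a one-byte
# change outside it, and an unrelated benign blob.
PADDED = b"MZ" + b"\x00" * 16 + EICAR + b"\x00" * 8
MUTATED_IN_WILDCARD = EICAR.replace(b"STANDARD", b"STANDARB")
MUTATED_OUTSIDE = EICAR.replace(b"ANTIVIRUS", b"ANTIVlRUS")
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"

# Constructed signature set: an exact hash of the sample, and a pattern for
# "EICAR-" + any 8 bytes + "-ANTIVIRUS" that an analyst might write after
# deciding the middle word varies between "variants".
SIGNATURES = [
    make_hash_signature("EICAR.sha256", EICAR),
    Signature("EICAR.pattern", "hex",
              "45 49 43 41 52 2d ?? ?? ?? ?? ?? ?? ?? ?? "
              "2d 41 4e 54 49 56 49 52 55 53"),
]


def main() -> None:
    for label, blob in [("eicar", EICAR), ("padded", PADDED),
                        ("mutated_in_wildcard", MUTATED_IN_WILDCARD),
                        ("mutated_outside", MUTATED_OUTSIDE),
                        ("benign", BENIGN)]:
        print(f"{label:22s} {scan(blob, SIGNATURES)}")


if __name__ == "__main__":
    main()
```

Two things the output makes visible. The hash signature only fires on the byte-identical sample: prepend a header or flip one byte and it is gone, which is why hash lists alone are useless against anything that repacks itself. The pattern signature survives padding and changes inside its wildcards, but a single byte changed in a fixed position defeats it too, so the quality of a signature depends entirely on the analyst having picked a region the author cannot easily vary without breaking the code, which is the part that needs the disassembler.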
-
Thanks for the feedback. Hmmm, viruses, eh? I read that it was virii, I'm sure. Oh well, I suppose it's another mice/mouses one :D
-
Any freeware disassemblers out there you're fond of?