
vrf Virus-Activity

Question asked by VRFuser on Feb 4, 2004
> I hope that each of you has a good AV-PGM!

Here's an example where your basic skeptical attitude makes all the dif. The
first time I got that was from the IETF mailing list & Norton hadn't updated
yet so it slipped by. Then I saw this attachment called Text.exe and
immediately thought "yeah, right!". Opening Text.exe with a dependency
checker showed imports from ws2_32.dll - so what's a supposed text file
display program doing importing from Windows Sockets? Del...

It's probably not completely safe to open a suspect .exe with Microsoft's
depends.exe (god I love that name!) because it uses LoadLibrary. The problem
with this is that if the executable is a .dll masquerading as an .exe - or
indeed if it's any executable that exports a DllMain function - and if
depends.exe tries to load the file as a library then DllMain will be
executed and you'll probably be infected. I don't know exactly what depends
tries, but there's no need for it to call LoadLibrary on the file under
examination.

A much safer way is to load the file with LoadLibraryEx with the
LOAD_LIBRARY_AS_DATAFILE flag set. This way, DllMain is not executed,
relocations are not fixed up and nothing in the file is actually executed.
From there, you can examine the file in any way you wish without fear of
infection.

Another method is to simply open the file (using CreateFile, or FromFile in
VEE) and use the PE header info to walk the Imports table chain.
ProcessView.vee uses this technique, though I never actually finished the
resource directory walking code. Unless the author is *very* clever (not
likely in today's world of skiddies), or produces a very large worm by
statically linking sockets code in, you'll always find clues as to just what
the code does by looking at what functions it imports from what dlls.

Of course, all this applies only ifn' you're curious and you can afford to
make mistakes. As always, the positively best way to deal with any nasty of
any kind is to simply delete it. After all you can't win if you don't play,
but out-of-the-box Windows makes it difficult to determine when you're
playing and when you're not. Always show all files, never let Windows hide
any file extensions, use common-sense judgment and you'll never have a
problem even without a virus scanner.
-SHAWN-
'Member the Byte Brother's ParaScan?
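An added example (not Shawn's ProcessView.vee or any VEE code from this list) of the second method: walking the import table straight from the file bytes, so nothing in the file is mapped, relocated or run. The sample image built by build_sample is constructed inline and is not a real program; on a real binary, pass the file's contents to list_imports and handle both PE32 and PE32+ images.

```python
import struct

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """{dll: [names]} from the on-disk import table; nothing is mapped or executed."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B              # PE32+ or PE32
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset via the section table, no loader involved
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x outside all sections" % rva)
    if not imp_rva:
        return {}
    fmt, step, ord_bit = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports, d = {}, off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", data, d))[3]:           # Name == 0 ends the list
        names, t = [], off(desc[0] or desc[4])                          # INT, else IAT
        while (val := struct.unpack_from(fmt, data, t)[0]):
            names.append("#%d" % (val & 0xFFFF) if val & ord_bit else _cstr(data, off(val) + 2))
            t += step
        imports[_cstr(data, off(desc[3]))] = names
        d += 20
    return imports

def build_sample():
    """Constructed PE32 stub (not a real program): one section at RVA == file offset 0x200."""
    img = bytearray(0x268)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                                # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x200, 40)                  # import data directory
    struct.pack_into("<8sIIII", img, 0x138, b".idata", 0x68, 0x200, 0x68, 0x200)
    struct.pack_into("<IIIII", img, 0x200, 0x250, 0, 0, 0x228, 0x25C)       # one descriptor, then null
    img[0x228:0x233] = b"ws2_32.dll\0"
    img[0x234:0x241] = b"\0\0WSAStartup\0"                                  # hint + name
    img[0x244:0x24E] = b"\0\0connect\0"
    struct.pack_into("<III", img, 0x250, 0x234, 0x244, 0)                   # INT
    struct.pack_into("<III", img, 0x25C, 0x234, 0x244, 0)                   # IAT
    return bytes(img)
```

A file that imports nothing from ws2_32.dll may still talk to the network if the sockets code was linked in statically, so an empty or innocuous import list is a clue, not a clearance.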

