Virus analyzing
AspiInLV
Blue Jay
Joined: 6 Jan 2010
Age: 50
Gender: Male
Posts: 88
Location: The Unemployment capitol of the US
I used my copy of Matt Pietrek's PE Dump program. I still haven't perfected it yet.
Dump of file C:\INST.EXE
File Header
Machine: 014C (I386)
Number of Sections: 0004
TimeDateStamp: 440F9934 -> Wed Mar 08 18:55:48 2006
PointerToSymbolTable: 00000000
NumberOfSymbols: 00000000
SizeOfOptionalHeader: 00E0
Characteristics: 818E
EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED
BYTES_REVERSED_LO
32BIT_MACHINE
BYTES_REVERSED_HI
Optional Header
Magic 010B
linker version 165.60
size of code 7EFE8
size of initialized data FEFC1
size of uninitialized data 434A
entrypoint RVA 1000
base of code 1000
section align 1000
file align 200
required OS version 0.06
image version 2905.32075
subsystem version 5.00
Win32 Version 0
size of image 1DE000
size of headers 400
checksum 0
Section Table
01 .text VirtSize: 0007F000 VirtAddr: 00001000
raw data offs: 00000400 raw data size: 0007E200
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 60000020
CODE EXECUTE READ ALIGN_DEFAULT(16)
02 .mdata VirtSize: 00001000 VirtAddr: 00080000
raw data offs: 0007E600 raw data size: 00000200
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 40000040
INITIALIZED_DATA READ ALIGN_DEFAULT(16)
03 .data VirtSize: 0007F000 VirtAddr: 00081000
raw data offs: 0007E800 raw data size: 0007F000
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: C0000040
INITIALIZED_DATA READ WRITE ALIGN_DEFAULT(16)
04 .resour VirtSize: 000DE000 VirtAddr: 00100000
raw data offs: 000FD800 raw data size: 00002E00
relocation offs: 00000000 relocations: 00000000
line # offs: 00000000 line #'s: 00000000
characteristics: 40000040
INITIALIZED_DATA READ ALIGN_DEFAULT(16)
Resources (RVA: 100000)
ResDir (0) Entries:02 (Named:00, ID:02) TimeDate:00000000
--------------------------------------------------------------
ResDir (ICON) Entries:02 (Named:00, ID:02) TimeDate:00000000
ResDir (1) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 000000A0
DataRVA: 00000 DataSize: 00000 CodePage: 0
ResDir (2) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 000000B0
DataRVA: 00000 DataSize: 00000 CodePage: 0
--------------------------------------------------------------
ResDir (GROUP_ICON) Entries:01 (Named:00, ID:01) TimeDate:00000000
ResDir (1F4) Entries:01 (Named:00, ID:01) TimeDate:00000000
ID: 00000409 DataEntryOffs: 000000C0
DataRVA: 00000 DataSize: 00000 CodePage: 0
Section Hex Dumps
section 01 (.text) size: 0007E200 file offs: 00000400
00000000: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 MZP.............
00000010: b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 ........@.......
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
00000040: ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 ........!..L.!..
00000050: 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e This program can
00000060: 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f not be run in DO
00000070: 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 S mode....$.....
00000080: 7d 54 71 98 39 35 1f cb 39 35 1f cb 39 35 1f cb }Tq.95..95..95..
00000090: 39 35 1e cb e7 34 1f cb 30 4d 8c cb 26 35 1f cb 95...4..0M..&5..
000000A0: 30 4d 8a cb 3f 35 1f cb 30 4d 8d cb 38 35 1f cb 0M..?5..0M..85..
000000B0: 30 4d 9c cb 2f 35 1f cb 30 4d 9b cb 13 35 1f cb 0M../5..0M...5..
000000C0: 30 4d 8b cb 38 35 1f cb 30 4d 8e cb 38 35 1f cb 0M..85..0M..85..
000000D0: 52 69 63 68 39 35 1f cb 00 00 00 00 00 00 00 00 Rich95..........
000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100: 50 45 00 00 4c 01 04 00 34 99 0f 44 00 00 00 00 PE..L...4..D....
00000110: 00 00 00 00 e0 00 8e 81 0b 01 a5 3c e8 ef 07 00 ...........<....
00000120: c1 ef 0f 00 4a 43 00 00 00 10 00 00 00 10 00 00 ....JC..........
00000130: 00 00 08 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
00000140: 00 00 06 00 59 0b 4b 7d 05 00 00 00 00 00 00 00 ....Y.K}........
00000150: 00 e0 1d 00 00 04 00 00 00 00 00 00 02 00 00 00 ................
00000160: 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 .....@..........
00000170: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000180: 00 00 08 00 d3 00 00 00 00 00 10 00 00 2e 00 00 ................
00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001C0: 00 fe 0f 00 18 00 00 00 00 00 00 00 00 00 00 00 ................
000001D0: 00 00 00 00 00 00 00 00 28 00 08 00 24 00 00 00 ........(...$...
000001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0: 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 .........text...
00000200: 00 f0 07 00 00 10 00 00 00 e2 07 00 00 04 00 00 ................
00000210: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
00000220: 2e 6d 64 61 74 61 00 11 00 10 00 00 00 00 08 00 .mdata..........
00000230: 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 ................
00000240: 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 b9 7e ....@[email protected]..~
00000250: 00 f0 07 00 00 10 08 00 00 f0 07 00 00 e8 07 00 ................
00000260: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 ............@...
00000270: 2e 72 65 73 6f 75 72 00 00 e0 0d 00 00 00 10 00 .resour.........
00000280: 00 2e 00 00 00 d8 0f 00 00 00 00 00 00 00 00 00 ................
00000290: 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
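The dump above was produced by the poster's own port of PEDUMP, and the hex dump visibly starts at file offset 0 (the MZ header) rather than at the .text raw offset 0x400, which is the sort of offset bookkeeping a dump tool has to get right. What follows is an added example, not Pietrek's code and not code from the post: a PE32 header walker that bounds-checks every offset before dereferencing it (the input is a suspected malware sample, so a hostile e_lfanew or NumberOfSections must fail the parse rather than read past the buffer) and then runs three quick checks over the section table that an analyst would otherwise do by eye. The sample image is constructed in the block from the header values in the dump above, laid out at the same file offsets, with no section bodies; a little-endian host is assumed.

```c
/* Added example (not Pietrek's PEDUMP, not code from the post): a PE32 header
 * walker with the bounds checks a dump tool needs for untrusted input, plus
 * three section-table checks. Sample image constructed below from the dump. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE   0x5A4D      /* "MZ" */
#define IMAGE_SCN_CNT_CODE    0x00000020
#define IMAGE_SCN_MEM_EXECUTE 0x20000000
#define MAX_SECTIONS          96          /* the Windows loader rejects more than this */

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } dos_hdr_t; /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
                 PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader,
                 Characteristics; } file_hdr_t;                                       /* 20 bytes */
typedef struct { uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
                 uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
                 AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase,
                 SectionAlignment, FileAlignment; } opt_hdr_head_t; /* first 40 of 0xE0 bytes */
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData,
                 PointerToRawData, PointerToRelocations, PointerToLinenumbers;
                 uint16_t NumberOfRelocations, NumberOfLinenumbers;
                 uint32_t Characteristics; } sec_hdr_t;                               /* 40 bytes */
#pragma pack(pop)

typedef struct {
    uint16_t nsections;
    uint32_t entry_rva, image_base;
    const sec_hdr_t *sections;   /* points into the caller's buffer */
} pe_info_t;

/* DOS header -> "PE\0\0" -> file header -> optional header -> section table.
 * Returns 0 on success or a negative code naming the check that failed. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out) {
    if (len < sizeof(dos_hdr_t)) return -1;
    const dos_hdr_t *dos = (const dos_hdr_t *)buf;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return -2;
    size_t nt = dos->e_lfanew;                       /* attacker-controlled offset */
    if (nt > len || len - nt < 4 + sizeof(file_hdr_t)) return -3;
    if (memcmp(buf + nt, "PE\0\0", 4) != 0) return -4;
    const file_hdr_t *fh = (const file_hdr_t *)(buf + nt + 4);
    size_t opt_off = nt + 4 + sizeof(file_hdr_t);
    if (fh->SizeOfOptionalHeader < sizeof(opt_hdr_head_t) ||
        len - opt_off < fh->SizeOfOptionalHeader) return -5;
    const opt_hdr_head_t *oh = (const opt_hdr_head_t *)(buf + opt_off);
    if (oh->Magic != 0x10B) return -6;               /* PE32 only; 0x20B is PE32+ (Win64) */
    size_t sec_off = opt_off + fh->SizeOfOptionalHeader;
    if (fh->NumberOfSections > MAX_SECTIONS ||
        (len - sec_off) / sizeof(sec_hdr_t) < fh->NumberOfSections) return -7;
    out->nsections = fh->NumberOfSections;
    out->entry_rva = oh->AddressOfEntryPoint;
    out->image_base = oh->ImageBase;
    out->sections = (const sec_hdr_t *)(buf + sec_off);
    return 0;
}

typedef struct {
    int entry_in_code;       /* entry point lies inside a CODE/EXECUTE section */
    int inflated_sections;   /* VirtualSize far larger than SizeOfRawData */
    uint64_t raw_end;        /* end of the last raw section; bytes past it are overlay */
} pe_findings_t;

void pe_assess(const pe_info_t *pe, pe_findings_t *f) {
    memset(f, 0, sizeof *f);
    for (uint16_t i = 0; i < pe->nsections; i++) {
        const sec_hdr_t *s = &pe->sections[i];
        /* subtract first: VirtualAddress + VirtualSize can wrap on a crafted header */
        if (pe->entry_rva >= s->VirtualAddress &&
            pe->entry_rva - s->VirtualAddress < s->VirtualSize &&
            (s->Characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)))
            f->entry_in_code = 1;
        /* A section mapping far more memory than it carries in the file is the
         * usual packer shape (the stub fills it at run time). The factor 8 is an
         * arbitrary threshold; a large .bss-style .data can trip it too. */
        if (s->VirtualSize / 8 > s->SizeOfRawData) f->inflated_sections++;
        uint64_t end = (uint64_t)s->PointerToRawData + s->SizeOfRawData;
        if (end > f->raw_end) f->raw_end = end;
    }
}

/* Constructed sample: header values from the INST.EXE dump above at the same
 * file offsets (PE signature at 0x100, section table at 0x1F8), no section bodies. */
size_t build_sample(uint8_t *buf, size_t cap) {
    dos_hdr_t dos = { IMAGE_DOS_SIGNATURE, {0}, 0x100 };
    file_hdr_t fh = { 0x14C, 4, 0x440F9934, 0, 0, 0xE0, 0x818E };
    opt_hdr_head_t oh = { 0x10B, 165, 60, 0x7EFE8, 0xFEFC1, 0x434A,
                          0x1000, 0x1000, 0x80000, 0x400000, 0x1000, 0x200 };
    sec_hdr_t secs[4] = {
        { ".text",   0x7F000, 0x001000, 0x7E200, 0x00400, 0, 0, 0, 0, 0x60000020 },
        { ".mdata",  0x01000, 0x080000, 0x00200, 0x7E600, 0, 0, 0, 0, 0x40000040 },
        { ".data",   0x7F000, 0x081000, 0x7F000, 0x7E800, 0, 0, 0, 0, 0xC0000040 },
        { ".resour", 0xDE000, 0x100000, 0x02E00, 0xFD800, 0, 0, 0, 0, 0x40000040 },
    };
    size_t need = 0x100 + 4 + sizeof fh + fh.SizeOfOptionalHeader + sizeof secs;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + 0x100, "PE\0\0", 4);
    memcpy(buf + 0x104, &fh, sizeof fh);
    memcpy(buf + 0x118, &oh, sizeof oh);   /* rest of the optional header stays zero */
    memcpy(buf + 0x1F8, secs, sizeof secs);
    return need;
}

int main(void) {
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf);
    pe_info_t pe; pe_findings_t f;
    int rc = pe_parse(buf, n, &pe);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    pe_assess(&pe, &f);
    for (uint16_t i = 0; i < pe.nsections; i++)
        printf("%-8.8s virt %08X raw %08X\n", pe.sections[i].Name,
               pe.sections[i].VirtualSize, pe.sections[i].SizeOfRawData);
    printf("entry in code: %d, inflated sections: %d, raw data ends at 0x%llX\n",
           f.entry_in_code, f.inflated_sections, (unsigned long long)f.raw_end);
    return 0;
}
```

On the constructed sample the only section the ratio check flags is .resour (0xDE000 virtual against 0x2E00 raw), the entry point at RVA 0x1000 lands in .text, and the raw data of the four sections runs contiguously to 0x100600; comparing that figure with the real file size is how you find an appended overlay. The Magic test is also where a dumper that "was not able to get win64 information" would branch: 0x20B means a PE32+ optional header with 64-bit ImageBase and different field offsets, which this parser deliberately refuses rather than misreads.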
I would like to do virus analyzing.
But I can't find any websites that have this dangerous content.
I want something where there are pop-ups and things saying that my PC is infected.
I will be doing it all in VMware Fusion 3.
On my Mac.
Thanks.
Just FYI, many modern viruses detect when they're inside a virtual machine, and shut down.
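The cheapest form of the VM check that reply refers to is a CPUID query: leaf 1 returns the "hypervisor present" bit in ECX bit 31, and leaf 0x40000000 returns a 12-byte vendor tag such as "VMwareVMware" or "KVMKVMKVM" spread over EBX, ECX and EDX. The following is an added example, not code from the thread or from any sample, showing what a sample typically executes; the decode step is separated from the live probe so it can be exercised on constructed register values without a hypervisor. The probe uses the GCC/clang `<cpuid.h>` helpers (`__get_cpuid` and the `__cpuid` macro), whose signatures differ from MSVC's `__cpuid` intrinsic, and reports "unavailable" on a non-x86 build.

```c
/* Added example (not from the thread): the CPUID hypervisor check malware
 * uses to decide whether it is running under a VM. GCC/clang <cpuid.h>. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Leaf 0x40000000 puts a 12-byte vendor tag in EBX:ECX:EDX (little-endian). */
void hv_vendor_decode(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Leaf 1, ECX bit 31: set when a hypervisor is present (or chooses to say so). */
int hv_present_from_ecx(uint32_t ecx) {
    return (int)((ecx >> 31) & 1u);
}

/* Live probe: 1 = hypervisor advertised (vendor filled in), 0 = not advertised,
 * -1 = CPUID not available on this build/host. */
int hv_probe(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    if (!hv_present_from_ecx(ecx)) return 0;
    /* __get_cpuid refuses leaves above the basic maximum, so call the raw macro */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_decode(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = hv_probe(vendor);
    if (r < 0)       printf("CPUID unavailable\n");
    else if (r == 0) printf("no hypervisor advertised\n");
    else             printf("hypervisor present, vendor \"%s\"\n", vendor);
    return 0;
}
```

Run inside Fusion the probe reports the VMware tag, which is exactly what a sample keys on before shutting down. Hiding the bit (VMware's `hypervisor.cpuid.v0 = "FALSE"` .vmx setting) defeats this one check but not the others a sample may combine with it, such as timing the CPUID instruction itself or looking for VMware device and driver names, so an analysis VM needs more than one knob turned.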
AspiInLV
How do I get to see the virus effects?
Do I just pull out a PC or put in another hard drive?
I want to do videos on the effects of viruses.
I have not seen any .mdata section in Visual C++ 6 binary code;
all the program's instructions are in the .text section.
The program I was using was not able to get Win64 information, and I quarantined and deleted the suspicious program.
Antivirus companies have many different means of analyzing viruses. First of all, they can afford to create internal VMs which are not available to the public and thus virus creators cannot detect them. Then, they run special tools that trace the potential results of a virus execution without actually executing it. Most importantly, they disassemble and analyze the virus code itself.
No offense, Madbones, but you sound like a person who's right in the middle between "know-nothing" and "know-all". This makes you more dangerous to yourself than either one of the extremes.
You're playing with fire.