PART V
Chapter 20: Collecting Malware and Initial Analysis
511

C:\>strings.exe z:\7e3b35c870d3bf23a395d72055bbba0f >foo.txt
C:\>more foo.txt
.text
.data
InternetGetConnectedState
wininet.dll
USERPROFILE
%s%s
c:\
Gremlin
Soft%sic%sf%sind%ss%sr%sVe%so%sun
ware\M
ww%sic%ss%s%so%c
KERNEL32.DLL
ADVAPI32.dll
GetSystemTime
SetFileAttributesA
GetFileAttributesA
DeleteFileA
CopyFileA
CreateMutexA
GetLastError
lstrlenA
Sleep
ReadFile
CreateFileA
RegOpenKeyExA
RegCloseKey
RegSetValueExA
wsprintfA
!"#&(+,-./0123456789=>?@ABCDPQ
As we can see in the preceding listing, the binary imports several Windows API calls for
directories, files, the registry, networking, and so on. We are starting to learn the basic
functions of the worm, such as those marked in boldface:
• Network activity
• File activity (searching, deleting, and writing)
• Registry activity
• System time check and wait (sleep) for some period
• Set a mutex, ensuring that only one copy of the worm runs at a time
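To make the same inference repeatable, here is an added Python example (not from the book) that runs a minimal strings pass over a constructed byte blob standing in for the sample and sorts the recovered API names into the behaviour categories listed above; the blob, the category table and the helper names are assumptions, not the chapter's tooling.

```python
from __future__ import annotations
import re

# Constructed stand-in for the worm binary: printable runs separated by
# non-printable bytes, using names that appear in the strings listing.
SAMPLE = (b"\x00\x01.text\x00\x00.data\x00\xff"
          b"InternetGetConnectedState\x00wininet.dll\x00USERPROFILE\x00"
          b"%s%s\x00c:\\\x00Gremlin\x00"
          b"Soft%sic%sf%sind%ss%sr%sVe%so%sun\x00ware\\M\x00"
          b"KERNEL32.DLL\x00ADVAPI32.dll\x00GetSystemTime\x00"
          b"SetFileAttributesA\x00DeleteFileA\x00CopyFileA\x00CreateMutexA\x00"
          b"Sleep\x00ReadFile\x00CreateFileA\x00RegOpenKeyExA\x00"
          b"RegSetValueExA\x00wsprintfA\x00\x02\x03")

# Behaviour categories the chapter draws from the listing (assumed mapping).
CATEGORIES = {
    "network":  {"InternetGetConnectedState", "wininet.dll"},
    "file":     {"CreateFileA", "ReadFile", "CopyFileA", "DeleteFileA",
                 "SetFileAttributesA", "GetFileAttributesA"},
    "registry": {"RegOpenKeyExA", "RegSetValueExA", "RegCloseKey", "ADVAPI32.dll"},
    "timing":   {"GetSystemTime", "Sleep"},
    "mutex":    {"CreateMutexA"},
}

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings: list[str]) -> dict[str, list[str]]:
    """Map extracted strings onto the behaviour categories that they hit."""
    found = set(strings)
    return {cat: sorted(found & names) for cat, names in CATEGORIES.items()
            if found & names}

def split_format_strings(strings: list[str]) -> list[str]:
    """wsprintfA-style templates with several %s holes: a sign that a path or
    key name is assembled at runtime and so never appears whole in a dump."""
    return [s for s in strings if s.count("%s") >= 3]

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for cat, names in classify(found).items():
        print(f"{cat:9} {', '.join(names)}")
    print("assembled at runtime:", split_format_strings(found))
```

The last function is the one worth keeping in a triage kit: an API list tells you what the binary can do, while fragmented format strings tell you it is trying to hide where it does it.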
Reverse Engineering
The ultimate form of static analysis is reverse engineering; we will save that subject for
the next chapter.
Live Analysis
We will now move into the live analysis phase.