

This weekend I received another “postcard” e-mail. It looked different than those seen around Christmas so I went to investigate what’s going on here. The main difference was that this was an HTML e-mail, without any attachments, but with a “hidden” link to malware (of course, by moving your mouse over the link shown by the HTML message, one was able to see where it really goes). The link was pointing to sk/.exe (the site is still up and happily serving malware).

After I downloaded the malware I did a couple of quick tests on my Linux machine, as always with new malware:

PostCard.exe: MS-DOS executable (EXE), OS/2 or MS Windows

So it was definitely a Windows executable. At this stage we typically want to know if the malware is packed or not, as that can delay the analysis. There are various ways of identifying packed malware – probably the best way to do this is by using PEiD ( ), a nice utility for identifying PE (Portable Executable) files. PEiD can do most of the job for us as it has a database of fingerprints for well known packers, and besides this it has a really nice feature of calculating the entropy of the analyzed file. This allows you to determine if a file is packed or not, without knowing the packer – files with high entropy are almost certainly packed or encrypted.

However, before starting PEiD, I usually go the easiest way and that’s to run the strings command on the file. If a file is packed, the strings command typically just shows us a couple of imported functions and the rest will be garbled. If the file is not packed we will be able to see all text strings in the file, provided that the author didn’t protect this differently. Running strings on this malware showed something interesting:

Oh! So the file is “packed”, but it is basically just a self extracting archive created with WinRAR. This can be unpacked with any RAR handling application, and I simply used unrar on Linux:

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal

So it’s a bunch of files packed with WinRAR. We can see an interesting thing here as well. The author used WinRAR’s possibility of specifying the setup script. This is typically used when you download an installation file that has been compressed with WinRAR as a self extracting archive (so you don’t have to have WinRAR on your machine to decompress this). Unrar nicely showed at the beginning what will happen if we execute this file:
