A virus is a malicious program (malware) that infects other, normal programs and files by injecting its own malicious code into them. Learn how the virus infects the files in its directory and replicates itself in the process, and how it self-replicates only when a user executes it, which sets it apart from a worm, which needs no user interaction to spread.
- [Instructor] Let's start analyzing this virus by first seeing it in action. I have here a folder filled with all sorts of files: text documents, DLLs, pictures, and log files. At the very bottom is our virus. If I double-click on this test executable, we can see the message saying, "Hello, this is a test program." I'll put it into the command prompt. If I click on this document, we can see the clear text plainly say, "This file will be infected." Same thing with document number two: this file will also be infected.
We have some Microsoft Office programs here as well. If I click on this picture, we can see the Windows logo. Now, if I run the virus at the bottom, it will infect every file in this directory. So, let's run it, and we can see it saying "Infecting hello world, infecting test." After it infects every file in this directory, let's exit out. Now, let's reopen the text documents, and we can now see that they are damaged. Let's reopen this one.
And let's reopen the picture as well. You can see that it can no longer be opened. Every file in this directory is now corrupted, damaged, and unusable. Now, let's pick up the test executable that previously output a message to the command prompt and put it in another directory filled with undamaged files. If I open up these documents, we can see that they're undamaged: "This file will be infected." Same thing with the picture; it shows the Windows logo again.
Now, after running this test file, we can see that the output has changed and it is now infecting the files in this directory as well. If we close out of that, we can see that this picture no longer opens. It is now damaged and corrupt. Now that we have seen the virus in action, let's start analyzing it by going to virustotal.com. This is a site that scans suspicious files that are uploaded. It computes the hash signature of the uploaded file and cross-checks it against the databases of every antivirus and anti-malware program in existence.
The databases for all the listed programs are constantly being updated. So even though these files might be able to evade most antivirus and anti-malware programs right now, this could change further down the road. So, let's upload it. As we can see, the virus can currently evade over 50 antiviruses, and it is only detected by 11 of them. The fact that some antiviruses detected this virus means it's popular enough to have gained its own antivirus database signature.
Furthermore, this means that professional hackers are using the very same virus we are going to analyze. This virus was uploaded in its original form; no crypters or packers were used to reduce detection. What this means is that if the virus were encrypted, the detection rate would be lower. So instead of 11 antiviruses detecting it, maybe only five would. Clicking on the File Details reveals more information about the file we uploaded. This is a very handy view when looking at a file you suspect.
It tells us this is a Win32 portable executable file. If I scroll down to the Imports section, I can see what DLLs were used. Functions that reside in these libraries are shown. If we expand a DLL like kernel32, we can see functions like GetCurrentProcess, FindFirstFile, and FindNextFile. We'll see some of these functions being called when we inspect the source code later on. From this initial list of functions, we can see that the virus is performing file-related operations.
This is something to note down.
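The damage shown in the demo, every document and picture in a folder overwritten, is exactly what a file-integrity baseline catches. The following is an added example written for this page, not code from the course or the analyzed sample: it hashes every file in a directory, then reports which files changed after a constructed overwrite of two of them (the file names and contents are made up for the demo).

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(directory):
    """Record the SHA-256 of every file under `directory`, keyed by relative path."""
    snapshot = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            snapshot[os.path.relpath(full, directory)] = sha256_of(full)
    return snapshot

def compare(before, directory):
    """Return (modified, added, removed) relative paths versus the baseline."""
    after = baseline(directory)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return modified, added, removed

def demo():
    """Constructed scenario: a clean folder, then two files overwritten as in the demo."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in {"doc1.txt": b"This file will be infected.",
                           "doc2.txt": b"This file will be infected.",
                           "logo.png": b"\x89PNG fake image bytes"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        before = baseline(d)
        # Simulate the corruption seen in the video: contents of two files replaced.
        for name in ("doc1.txt", "logo.png"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"OVERWRITTEN")
        return compare(before, d)

if __name__ == "__main__":
    print(demo())  # modified files: doc1.txt and logo.png
```

Store the baseline somewhere the monitored directory cannot write to, since a sample that overwrites every file it finds would otherwise overwrite the baseline too.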