[unisog] Decompiling virus binaries

Gary Flynn flynngn at jmu.edu
Tue Jul 22 12:43:52 GMT 2003


Martin Sapsed wrote:

> Jeff Bollinger wrote:
>
>> We received what we believed to be a recent/(new to us) virus
>> attachment, and short of running `strings` against the binary, what
>> other methods/tools have y'all used to determine the contents of a virus
>> binary?  I guess what I'm really asking is, do you know of any good
>> de-compilers (hopefully for x86 Linux, GCC 3) that would be useful in
>> this instance, or can I use an existing compiler to break the virus down
>> to its source code?
>
>
> Way too complicated for me - I just send it on to my Anti-Virus 
> company (currently Sophos) and ask them to check it out. With all the 
> encryption and stuff I'd doubt that strings would help much? 

Same here. I let the people that do it for a living go after it. :)

If I have spare time and am curious or if time is important, I might run
it on a system reserved for the purpose with tools to monitor file,
process, API calls, and network access. Strace could be used for Linux.
The Winternals tools for Windows.

gary