[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: New Virus?

To: focus-virus@xxxxxxxxxxxxxxxxxx, incidents@xxxxxxxxxxxxxxxxxx
Subject: RE: New Virus?
From: Harlan Carvey <keydet89@xxxxxxxxx>
Date: Mon, 15 Aug 2005 15:54:20 -0700 (PDT)
Cc: Ragnar Harper <ragnar@xxxxxxxxx>, Alex Arndt <aarndt@xxxxxxxxxx>
Delivered-to: mailing list incidents@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for incidents@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=JigiyQ4C7sSuGsjrrG3vGcZLaTDYXeKC2HTFACYx7nmZyb98vZ5fMxipWutEBW0Gi7TAPfgsCb8kD1hHY6+A6dV+f0HS+ByUVKC8Xa03edNecXREQSzarLyWyVGY2c4GOesISYWG/RKjzDjwL1tw2zEq9JIZj1J0/jmdtxPnDsM= ;
In-reply-to: <D1AF907CAC16294FB299EB5708363AB803AF3B@ht-srv1>
List-help: <mailto:incidents-help@securityfocus.com>
List-id: <incidents.list-id.securityfocus.com>
List-post: <mailto:incidents@securityfocus.com>
List-subscribe: <mailto:incidents-subscribe@securityfocus.com>
List-unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
Mailing-list: contact incidents-help@xxxxxxxxxxxxxxxxx; run by ezmlm

There are several things that folks can do prior to
submitting to the list(s), or to A/V companies...

1.  Post the file for others to view, or make it
available upon request.

2.  Perform some analysis of the file.  Strings.exe
from Sysinternals.com or BinText from FoundStone
obviate the need for a Linux box just to run strings. 
Try PEDump from http://www.wheaty.net/downloads.htm. 
Or Dependency Walker from dependencywalker.com.

3.  If the file is obfuscated or encrypted, try PeID
from http://peid.has.it/ to determine which method is
used (if possible).

Thanks,

Harlan


------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

References:
- RE: New Virus?
  - From: Ragnar Harper

Prev by Date: RE: New Virus?
Next by Date: DNS cache poisoning?
Previous by thread: RE: New Virus?
Next by thread: DNS cache poisoning?
Index(es):
- Date
- Thread