This step is very simple, we need an anti-virus scanner to identify what the heck is `that thing`.
You might already have installed an anti-virus for your system like Kaspersky Internet Security, Panda Antivirus, ClamAV, AVG, NOD-32....whatever :D
I also use online virus scanners to detect virus.
Here the list of online scanners:
- VirusTotal: http://www.virustotal.com/
- BitDefender Online Scanner: http://www.bitdefender.com/scanner/online/free.html
- Kaspersky Lab: http://www.kaspersky.com/virusscanner/
- TrendMicro - Housecall: http://housecall.trendmicro.com/
- F-Secure Online Virus Scanner: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/
- Panda Active Scan: http://www.pandasecurity.com/homeusers/solutions/activescan/
Let's start our journey!
First, we need a malware, I pick a Trojan, Trojan.Win32.VirtualRoot (or CodeRed).
Click here to download Trojan.Win32.VirtualRoot
Then, extract the file, don't double click on it or you're dead. Assuming that you are under virtual machine, ok? Don't do this on your main system.
Access VirusTotal homepage and upload the file (extracted one ...), here the result:
Interesting, huh? As you can see most of scanners identify it as VirtualRoor or CodeRed.
Also, there are something interesting below:
It let us know its MD5 and SHA1 hash, PE information, entry point address, library import/export (kernel32.dll, advapi32.dll) and all API called if it is activated (double-click :D).
Wow, they're valuable information for us in order to monitor and tracking events. Especially, it's very helpful for dissassemly.
Remember, whether you can identify the malware or not, we still need to test it in reality in order to confirm the malware. It's great to write an analysis about the one not being reported yet, isn't it?
Let's stop here!
Have fun!