- Prison Code Breaker Diary -

=> aka: Nhật Kí Code Tù


We need some monitoring tools loaded up before we start tracking the malware. In this case, I open ProcessXP, ProcMon and TCPView.

The malware I use for monitoring this time is Trojan.Win32.DesktopPuzzle.
Now, run the virus to see what happens next... (s.c.a.r.y... :D)

A dialog appears with a note that reads like a joke.
Don't click OK yet; switch to ProcessXP to check the process's info.

It looks like the author intentionally left his name there.
The PID is 1424 (it will be different on your system); next we switch to ProcMon to filter on it.
Press CTRL+L or use the menu Filter->Filter, choose PID, enter the malware's process ID, click Add, Apply, then OK, and you will get a result similar to this:

Ok! Now it's time to click the OK button of the "Joke Dialog".

This is the funny result after clicking it ...

Yea...it's frikkin' weird..

Now press Ctrl+Alt+Del to bring up Task Manager, kill the malware process, and everything goes back to normal.

Check again in ProcessXP: we can see that it has stopped and nothing else has spawned, which means nothing weird is running and the system is fine for now.

Looking at the event log in ProcMon, we can easily see that it doesn't do any harm to the system. It just creates several harmless files and accesses some DLLs to create a viewport of the desktop, which makes the desktop look like a puzzle.
Since this is just a simple malware sample, it's good practice to start with.
Simple, but it still requires a lot of skill; you may find a harder one later on.
You can find lots of malware out on the Internet and try it yourself.
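As an added example (not code from the original post), here is a small Python script that does the same PID filtering over a ProcMon CSV export (File -> Save... in CSV format) and buckets the events the way the post reads them: files created, DLLs loaded, registry writes, network. It goes one step beyond the post's sample by flagging autorun-key writes and network connections, the two things a harmless joke program has no reason to do; the CSV rows are constructed for this example, and only the column layout follows ProcMon's default export.

```python
import csv
import io

# Constructed sample of a ProcMon CSV export (File -> Save..., CSV).
# Column layout follows ProcMon's default export; the events themselves are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","explorer.exe","1200","RegQueryValue","HKCU\\Software\\Classes","SUCCESS","Type: REG_SZ"
"10:01:03.0000000","sample.exe","1424","Load Image","C:\\Windows\\System32\\user32.dll","SUCCESS","Image Base: 0x77d40000"
"10:01:03.1000000","sample.exe","1424","Load Image","C:\\Windows\\System32\\gdi32.dll","SUCCESS","Image Base: 0x77f10000"
"10:01:03.2000000","sample.exe","1424","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\tile1.bmp","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:01:03.3000000","sample.exe","1424","CreateFile","C:\\Windows\\Fonts\\arial.ttf","SUCCESS","Desired Access: Generic Read, OpenResult: Opened"
"10:01:03.4000000","sample.exe","1424","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample","SUCCESS","Type: REG_SZ, Data: C:\\sample.exe"
"10:01:03.5000000","sample.exe","1424","TCP Connect","lab-pc:49152 -> 203.0.113.5:80","SUCCESS","Length: 0"
"""

AUTORUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
REG_WRITE_OPS = ("RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey")

def summarize_procmon(csv_text, pid):
    """Keep only the events of one PID (what Filter -> PID does in the ProcMon GUI)
    and bucket them the way an analyst reads the event log."""
    s = {"files_created": [], "files_opened": [], "dlls_loaded": [],
         "registry_writes": [], "network": [], "event_count": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["PID"]) != pid:
            continue
        s["event_count"] += 1
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Load Image":                      # EXE/DLL mapped into the process
            s["dlls_loaded"].append(path)
        elif op == "CreateFile":                    # Detail says whether it was created or opened
            bucket = "files_created" if "OpenResult: Created" in detail else "files_opened"
            s[bucket].append(path)
        elif op in REG_WRITE_OPS:
            s["registry_writes"].append(path)
        elif op.startswith(("TCP", "UDP")):
            s["network"].append(path)
    return s

def triage(s):
    """Flag the two things a joke program should not be doing: persistence and networking."""
    findings = []
    if any(k in p for p in s["registry_writes"] for k in AUTORUN_KEYS):
        findings.append("writes an autorun registry value (persistence)")
    if s["network"]:
        findings.append("opens network connections")
    return findings or ["no persistence or network activity seen"]
```

Run `triage(summarize_procmon(SAMPLE_CSV, 1424))` on a real export of your own sample to get the same summary the post builds by hand in the GUI.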

The one that I use here is called "Joke Slider" - an unwanted program :))

Have fun!

1 comment

  1. Fire dragon  

    FD: use anti-rootkit tools like GMER, IceSword ... to detect malware on your computer!
