- Jan 9, 2013
I'll share my procedure for analysing malware. I'll use a VBS worm as an example.
1. Turn off the AntiVirus
2. Launch regshot with the following settings and click 1st shot | shot
3. Launch the worm
4. Click 2nd shot | shot
5. Click Compare. Comparison result opens in your default browser
6. Analyze (Open content of worm.zip to view contents)
Values Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpcgrhynko: "wscript.exe //B "C:\Documents and Settings\user\Application Data\kpcgrhynko..vbs""
Files Added:
C:\Documents and Settings\user\Start Menu\Programs\Startup\kpcgrhynko..vbs
E:\syslin.lnk
E:\.lnk
E:\kpcgrhynko..vbs
E:\WIN51IP.lnk
E:\winsetup.lnk
E:\menu.lnk
E:\ldlinux.lnk
E:\lupu-528.lnk
E:\lupu_528.lnk
E:\LOST.DIR.lnk
E:\.android_secure.lnk
E:\DCIM.lnk
E:\Android.lnk
E:\.estrongs.lnk
E:\TouchPalv5.lnk
E:\media.lnk
E:\Toolbox.lnk
E:\Mantano.lnk
E:\Digital Editions.lnk
E:\Pictures.lnk
E:\viber.lnk
E:\backups.lnk
E:\.myebook.lnk
E:\.adc2.lnk
E:\.cr3.lnk
E:\.adobe-digital-editions.lnk
E:\.mbazaar.lnk
E:\Documents.lnk
Removal
Since Task Manager is not disabled, launch it and terminate the wscript.exe process,
or run TASKKILL /F /IM WSCRIPT.EXE
Launch regedit and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value kpcgrhynko
Launch Explorer and delete the worm files:
C:\Documents and Settings\user\Start Menu\Programs\Startup\kpcgrhynko..vbs
C:\Documents and Settings\user\Application Data\kpcgrhynko..vbs
Delete all the shortcuts and the VBS worm on the external drive.
Lastly, run at the CMD prompt: ATTRIB <DRIVE:\*.*> -S -H /S /D to clear the hidden and system attributes from the drive's contents.
App(s) used in this tutorial:
regshot
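As an added example (not from the post, and not a Regshot feature), here is a small Python triage script that reads a comparison report in the layout shown above and flags the three indicators the analysis relies on: a Run value that launches wscript.exe with //B, a file dropped in the Startup folder, and .lnk/.vbs files placed in the root of a non-system drive. The sample report is constructed from the values on the page; the section-header and path patterns are assumptions about the report format.

```python
import re
from collections import defaultdict

# Constructed sample in the Regshot comparison layout seen above (not a real capture).
SAMPLE_REPORT = r"""
Values added: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpcgrhynko: "wscript.exe //B "C:\Documents and Settings\user\Application Data\kpcgrhynko..vbs""
HKLM\SOFTWARE\Example\LastRun: "2013-01-09"
Files added: 5
C:\Documents and Settings\user\Start Menu\Programs\Startup\kpcgrhynko..vbs
E:\kpcgrhynko..vbs
E:\Documents.lnk
E:\Pictures.lnk
C:\Program Files\Example\readme.txt
"""

SECTION_RE = re.compile(r"^(values|files) added", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Windows Script Host launched in batch mode (//B suppresses prompts and errors).
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b.*//B", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^([A-Z]):\\([^\\]+)$", re.IGNORECASE)

def parse_report(text):
    """Group report lines under their 'Values added' / 'Files added' headers."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            continue
        if current:
            sections[current].append(line)
    return sections

def find_indicators(text, system_drive="C"):
    """Return (tag, line) pairs for the persistence and drive-infection pattern."""
    hits = []
    sections = parse_report(text)
    for line in sections["values"]:
        if RUN_KEY_RE.search(line) and SCRIPT_HOST_RE.search(line):
            hits.append(("run_key_script_host", line))
    for path in sections["files"]:
        if STARTUP_RE.search(path):
            hits.append(("startup_folder_file", path))
            continue
        root = DRIVE_ROOT_RE.match(path)  # file directly in a drive root
        if root and root.group(1).upper() != system_drive.upper():
            ext = root.group(2).lower().rsplit(".", 1)[-1]
            if ext in ("lnk", "vbs"):
                hits.append(("removable_root_" + ext, path))
    return hits
```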