looking at a virus in ollydbg in Security

looking at a virus in ollydbg in Security http://www.dslreports.com/forum/r21377050 en Thu, 26 Nov 2009 17:19:24 EDT Thu, 26 Nov 2009 17:19:24 EDT Re: looking at a virus in ollydbg http://www.dslreports.com/forum/remark,21377627 cdavfrew : Ollydbg is good for looking at malware, but I prefer sandboxes. CWSandbox is great for determining whether something is malware, because it tells me what files, registry entries, and networking activity the file creates or changes. This way, you can see what the file did to your system.

If you could upload the file to www.uploadmalware.com, this will give it to antivirus labs to study, so that if it is malware, your current antivirus will detect it and remove it.

Best Regards :D]]> http://www.dslreports.com/forum/remark,21377627 Tue, 04 Nov 2008 22:08:23 EDT Re: looking at a virus in ollydbg http://www.dslreports.com/forum/remark,21377313 anon : Thanks, I did, almost half found something. :/

After more research, apparently when you load a .dll in ollydbg, the .dll start up code executes before the break point.

As I have no idea what exactly the start up code for the .dll does, I'm just going to assume it fully activated the virus, to err on the side of caution, and start looking through removal steps to see if I can find any hint of it. ]]> http://www.dslreports.com/forum/remark,21377313 Tue, 04 Nov 2008 21:25:09 EDT Re: looking at a virus in ollydbg http://www.dslreports.com/forum/remark,21377197 koma3504 : upload it the dll to »virusscan.jotti.org/ and »www.virustotal.com/ to see what they see.]]> http://www.dslreports.com/forum/remark,21377197 Tue, 04 Nov 2008 21:07:13 EDT looking at a virus in ollydbg http://www.dslreports.com/forum/remark,21377050 anon : I found a .dll that I think is a virus. I loaded it into ollydbg so I could try to look at referenced strings and api calls.

My understanding is that this is probably harmless unless I actually hit F9 to RUN, or step through the code so that something can execute.. That ollydbg simply analyzes the file, displays the disassembled code, then stops at the first instruction before any code has a chance to execute.

Is that correct?

Or have I accidentally gone and made sure the virus was able to execute now? :-(]]> http://www.dslreports.com/forum/remark,21377050 Tue, 04 Nov 2008 20:41:54 EDT