jubii
@rogers.com
| looking at a virus in ollydbg
I found a .dll that I think is a virus. I loaded it into ollydbg so I could try to look at referenced strings and api calls.
My understanding is that this is probably harmless unless I actually hit F9 to RUN, or step through the code so that something can execute.. That ollydbg simply analyzes the file, displays the disassembled code, then stops at the first instruction before any code has a chance to execute.
Is that correct?
Or have I accidentally gone and made sure the virus was able to execute now? :-( |
|
koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX | upload it the dll to »virusscan.jotti.org/ and »www.virustotal.com/ to see what they see. |
|
jubii
@rogers.com
| reply to jubii
Thanks, I did, almost half found something. :/
After more research, apparently when you load a .dll in ollydbg, the .dll start up code executes before the break point.
As I have no idea what exactly the start up code for the .dll does, I'm just going to assume it fully activated the virus, to err on the side of caution, and start looking through removal steps to see if I can find any hint of it. |
|
cdavfrew
join:2008-06-29
| reply to jubii
Ollydbg is good for looking at malware, but I prefer sandboxes. CWSandbox is great for determining whether something is malware, because it tells me what files, registry entries, and networking activity the file creates or changes. This way, you can see what the file did to your system.
If you could upload the file to www.uploadmalware.com, this will give it to antivirus labs to study, so that if it is malware, your current antivirus will detect it and remove it.
Best Regards  |
|
