Create a virus hunter to show you how to capture computer virus samples

1. Boot virus capture

Virus extraction in the boot area is simple. First, use Format A:/S to copy the boot system file to A floppy disk, and then copy some system execution files from the hard disk to the floppy disk. The specific steps are as follows: Enter the MS-DOS mode, Format A system disk, Format A:/s, for different systems, copy the following files to the same disk:

For the gdi.exernl286.exe1_progman.exe files under Windows 3.x: beibeibeiwindowssystem.

For the gdi.exe1_krnl386.exe1_progman.exe files under Windows 95/98/ME: beibeiwindowssystem.

For the gdi.exe1_krnl386.exe1_progman.exe files under Windows NT, Windows 2000: beibeiwindowssystem32.

If a disk crashes during formatting, follow these steps: Enter "damaged during infected format as boot disk" on the label of the disk ". Copy the files listed on different systems to different floppy disks in the same way.

2. File/Macro virus capture

If you suspect that the virus is a file type, copy the command.com file in the root directory of the C drive to a floppy disk and name it command to remove the extension.

If you suspect that the virus is a MS Word macro virus, copy the "normal. dot" file in the C: Program FilesMicrosoft OfficeTemplates directory and all the files in the C: Program FilesMicrosoft OfficeOfficeStartup directory to the floppy disk.

If you suspect that the virus is a Microsoft Excel macro virus, copy all files in the XLSTART directory to a floppy disk. XLSTART is located in multiple locations on the computer. You can use the Windows Search function to find all directories and copy all files in these directories to a floppy disk.

If you suspect that the virus is a PowerPoint macro virus, do the following: open an empty Power Point file, save it as a file, and select the Save type as "presentation design template ", then, set the extension. copy the pot file to a floppy disk.

Enter "contains infected files" on the label of the floppy disk and try to store as many files with viruses as possible. Make a floppy disk into an image file.

Iii. Trojans virus capture

Run the regedit.exe file to open the Registry Editor. Record the files involved in the following registration items.

Files involved in HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun.

Files involved in HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices.

Open the Win. ini file and record the files involved in the "load =" and "run =" lines in the file.

Determine the file names and their directories Based on the above information, and compress these files into a zip file.

4. introduce several virus tool software

ClrText.zip: when the virus you submit is a Word or Excel macro virus, this tool can clear the content of your infected file, but only keep the macro, this prevents leakage of confidential information.

SaveMBR.zip: this tool can read your infected hard disk MBR into a file, and then send the file to NAI for virus analysis.

RWFLOPY.zip: The RWFloppy software can restore or generate a floppy image file. It is used to generate an image file and send it by email when you do not want to send virus samples by mailing a floppy disk. Especially for boot zone viruses, because it is hidden in the 80 and 81 sectors of the floppy disk, the general software cannot read these two sectors.

Readt80.zip: To correctly detect the virus in the BOOT zone, we need a floppy disk containing the virus. FORMAT/s:

The reason for the need for a floppy disk is: viruses in the boot area usually hide themselves in areas not readable by common DOS software (for a m floppy disk, there are 80 sectors, from 0 to 79, the virus in the boot area hides the virus code in sectors 80 and 81)

If you use a general software to generate a floppy image file that does not contain 80 or 81 sectors, you cannot analyze the virus. This software is used to read the 80 and 81 sectors of the floppy disk containing the virus code and write them into a file.

SYSU.zip: this software is used to restore systems infected with various macro viruses.