How to capture computer virus samples

Source: Internet
Author: User

As is well known, computer viruses are unlike biological viruses: they do not occur naturally. They are programs written by people to exploit weaknesses in computer software and hardware. A virus lurks in a storage medium (or inside another program), is activated when some trigger condition is met, and infects other programs by inserting an exact or mutated copy of itself into them, disrupting computer resources as it spreads.

Anyone who has used computers for a long time will have noticed that viruses keep pace with the development of computers and are upgraded just as often. From early viruses that only damaged software to later ones that damaged hardware, computer viruses are both feared and hated, so early detection and removal are the main way to limit the damage they do. If an infection still occurs and files are lost or the system is damaged even though anti-virus software is installed with the latest virus definitions and the latest scan engine, you are almost certainly dealing with a new virus. In that case a sample of it should be extracted and sent to anti-virus analysts so that the definition database can be updated as quickly as possible. The methods for extracting a new virus sample are as follows:

1. Boot-sector virus capture

Extracting a boot-sector virus is simple. A boot-sector virus that is resident in memory writes itself into the boot sector of any floppy the infected machine formats, so a freshly formatted system floppy captures it. First use FORMAT A: /S to create a bootable floppy, then copy some system executables from the hard disk onto it. The specific steps: boot the infected machine into MS-DOS mode, run FORMAT A: /S to make a system disk, and then, depending on the Windows version, copy the following files onto the same disk:

For Windows 3.x: copy gdi.exe, krnl286.exe and progman.exe from the Windows\System directory.

For Windows 95/98/ME: copy gdi.exe, krnl386.exe and progman.exe from the Windows\System directory. (See Figure 1)


Figure 1

For Windows NT and Windows 2000: copy gdi.exe, krnl386.exe and progman.exe from the Windows\System32 directory.

Because the disk was formatted on the infected machine, write "boot disk formatted while infected" on its label.

If several systems are infected, prepare a separate floppy for each of them in the same way, with the files listed for that system.

2. File/Macro virus capture

If you suspect a file-infecting virus, copy command.com from the root directory of drive C: to a floppy disk and rename it to "command", dropping the extension so that it cannot be run by accident.

If you suspect a Microsoft Word macro virus, copy normal.dot from the C:\Program Files\Microsoft Office\Templates directory and all files in the C:\Program Files\Microsoft Office\Office\Startup directory to the floppy disk. (See Figure 2)



Figure 2

If you suspect a Microsoft Excel macro virus, copy all files in the XLSTART directory to a floppy disk. There can be several XLSTART directories on one computer; use the Windows Search function to find every directory named "XLSTART" and copy all the files in each of them to the floppy disk.

If you suspect a PowerPoint macro virus, do the following: open a blank PowerPoint file and save it with the file type "Presentation Design Template", which gives it the .pot extension; then copy that .pot file to a floppy disk.

Write "contains infected files" on the label of the floppy disk, and include as many infected files as you can.

Finally, turn the floppy disk into an image file (see the floppy imaging tools in section 4).
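Before shipping the templates it helps to know which of them actually carry macro code. The following is an added example in Python; it is not from the original article and is not one of the tools the article describes. Word, Excel and PowerPoint 97-2003 files are OLE2 compound files, and a VBA project always creates a stream named _VBA_PROJECT whose name is stored in the file's directory as UTF-16LE, so scanning the raw bytes for that name is a quick, dependency-free triage check (olevba from the oletools package is the thorough way to do this). The byte strings in the block are constructed stand-ins for real files, and the default Office install path is an assumption.

```python
"""Triage Office templates and startup files for an embedded VBA project.

Added example, not part of the original article. OLE2 compound files keep
their stream/storage names as UTF-16LE in the directory sectors, so the
presence of "_VBA_PROJECT" (created by Word, Excel and PowerPoint for any
VBA project) can be detected without an OLE parser. Samples are constructed.
"""
import hashlib
import os

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Word stores Macros\VBA\_VBA_PROJECT, Excel _VBA_PROJECT_CUR\VBA\_VBA_PROJECT;
# both contain this directory entry name.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def is_ole2(data):
    return data[:8] == OLE2_MAGIC


def has_vba_project(data):
    """True when the bytes look like an OLE2 file that contains a VBA project."""
    return is_ole2(data) and VBA_MARKER in data


def triage_bytes(name, data):
    """Classify one file's contents and record its hash for the submission notes."""
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "ole2": is_ole2(data), "vba": has_vba_project(data)}


def find_dirs_named(root, target):
    """Like the article's 'search the disk for XLSTART': every dir of that name under root."""
    return [os.path.join(d, n) for d, subdirs, _ in os.walk(root)
            for n in subdirs if n.lower() == target.lower()]


def triage_paths(paths):
    """Read and classify each file; a missing file is reported, not fatal."""
    results = []
    for p in paths:
        if not os.path.isfile(p):
            results.append({"name": p, "missing": True})
            continue
        with open(p, "rb") as f:
            results.append(triage_bytes(p, f.read()))
    return results


def default_locations(office_root=r"C:\Program Files\Microsoft Office", search_root="C:\\"):
    """The locations the article names. The Office install path is an assumption;
    walking search_root for XLSTART can take a while on a large disk."""
    paths = [os.path.join(office_root, "Templates", "normal.dot")]
    startup = os.path.join(office_root, "Office", "Startup")
    if os.path.isdir(startup):
        paths += [os.path.join(startup, f) for f in os.listdir(startup)]
    for d in find_dirs_named(search_root, "XLSTART"):
        paths += [os.path.join(d, f) for f in os.listdir(d)]
    return paths


# Constructed samples. A real file has a 512-byte header followed by sector
# data; the padding only mimics that layout.
SAMPLE_WITH_VBA = OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 100
SAMPLE_WITHOUT_VBA = OLE2_MAGIC + b"\x00" * 600
SAMPLE_TEXT = b"Just a text file, not a template"
```

Run triage_paths(default_locations()) on the infected machine and submit the entries whose "vba" flag is set; keep the sha256 values with the floppy so the analysts can confirm they received the same bytes.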

3. Trojan capture

Run regedit.exe to open the Registry Editor and note the files referenced by the following registry keys.

Files referenced under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. (See Figure 3)



Figure 3

Files referenced under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

Open the win.ini file and note the files referenced on its "load=" and "run=" lines.

From this information determine the file names and the directories they live in, then compress those files into a zip archive.
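To make the registry and win.ini step above mechanical, here is an added example in Python (mine, not part of the original article or of any vendor tool). It takes a regedit export of the Run and RunServices keys together with a win.ini, pulls the program path out of each value (handling quoted paths and trailing arguments), and zips the referenced files. The export text and win.ini in the block are constructed samples; the names unknown1.exe and unknown2.exe are hypothetical placeholders, and the directories used to resolve bare file names are whatever you pass in.

```python
"""Collect the files named by the Run, RunServices and win.ini autostart entries.

Added example, not part of the original article. It parses a regedit export
of the Run keys plus a win.ini, strips arguments from each command line and
zips the referenced files. Inputs below are constructed; "unknown1.exe" and
"unknown2.exe" are hypothetical placeholder names.
"""
import os
import re
import zipfile

# Constructed REGEDIT4 export. regedit /e dumps a whole subtree, so any key
# other than ...\Run and ...\RunServices is ignored by the parser.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Sample1"="\"C:\\WINDOWS\\SYSTEM\\unknown1.exe\" -h"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
'''
# Constructed win.ini.
SAMPLE_INI = r'''[windows]
load=C:\WINDOWS\SYSTEM\unknown2.exe
run=
'''

AUTOSTART_KEYS = ("\\run", "\\runservices")
EXE_EXTENSIONS = (".exe", ".com", ".bat", ".pif", ".scr", ".dll", ".vxd")
# "name"="data" or @="data"; .reg escapes backslash and quote with a backslash
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return [(key, value_name, data)] for string values under ...\\Run and ...\\RunServices."""
    entries, key, wanted = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            wanted = key.lower().endswith(AUTOSTART_KEYS)
            continue
        m = _VALUE_RE.match(line) if wanted else None
        if m:  # dword:/hex: values never match and are skipped; Run data is a string
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            entries.append((key, name, _unescape(m.group(3))))
    return entries

def command_to_path(cmd):
    """Strip arguments from a command line and return the program path."""
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: grow the path token by token until it ends in an executable
    # extension, so "C:\Program Files\Tool\tool.exe /s" keeps its space.
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_EXTENSIONS):
            return candidate
    return tokens[0]

def parse_win_ini(text):
    """Return the programs listed on the load= and run= lines of [windows]."""
    progs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        name, sep, value = line.partition("=")
        if section == "windows" and sep and name.strip().lower() in ("load", "run"):
            progs.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)  # space/comma list
    return progs

def collect_autostart_files(reg_text, ini_text):
    """Merge both sources into one path list, de-duplicated case-insensitively."""
    paths = [command_to_path(d) for _k, _n, d in parse_reg_export(reg_text)]
    paths += parse_win_ini(ini_text)
    seen, unique = set(), []
    for p in paths:
        if p and p.lower() not in seen:
            seen.add(p.lower())
            unique.append(p)
    return unique

def package_samples(paths, zip_path, search_dirs=()):
    """Zip each referenced file that exists (bare names are looked up in
    search_dirs, normally Windows and Windows\\System); return (packed, missing).
    Members get ".vir" appended so nothing in the archive keeps an executable extension."""
    packed, missing = [], []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            candidates = [p] + [os.path.join(d, p) for d in search_dirs]
            found = next((c for c in candidates if os.path.isfile(c)), None)
            if found is None:
                missing.append(p)
                continue
            zf.write(found, os.path.basename(found) + ".vir")
            packed.append(found)
    return packed, missing
```

On a real machine, produce the export with `regedit /e run.reg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion` and read C:\WINDOWS\win.ini; then call package_samples with search_dirs set to the Windows and Windows\System directories so that bare names such as mstask.exe resolve, and check the returned missing list before sending the archive.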

4. Some virus capture tools

ClrText.zip:

When the sample you are submitting is a Word or Excel macro virus, this tool removes the document content from the infected file and keeps only the macros, so that no confidential information leaks with the sample.

SaveMBR.zip:

This tool reads the master boot record (MBR) of the infected hard disk into a file, which can then be sent to NAI for virus analysis.

RWFLOPY.zip:

RWFloppy can create a floppy image file or restore one back onto a floppy. Use it to make an image file that you can send by e-mail when you do not want to mail the floppy itself. This matters especially for boot-sector viruses: some hide their code on tracks 80 and 81 of the floppy, and general-purpose software cannot read those two tracks.

Readt80.zip:

To analyze a boot-sector virus correctly we need a floppy that carries the virus, made with FORMAT A: /S as described in section 1.

A floppy is needed because boot-sector viruses usually hide in an area that ordinary DOS software cannot read: a standard 3.5-inch floppy has 80 tracks, numbered 0 to 79, and the virus keeps its code on tracks 80 and 81.

If the floppy image is made with general-purpose software, it will not contain tracks 80 and 81 and the virus cannot be analyzed. Readt80 reads tracks 80 and 81 of the floppy that contains the virus code and writes them to a file.
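To check what the boot floppy from section 1 or a SaveMBR dump actually contains, here is an added example in Python (mine, not the SaveMBR, RWFloppy or Readt80 tools, whose source is not on this page). It reads sector 0 from a raw device or an image file, saves it, decodes either the partition table and 0x55AA signature of an MBR or the BIOS Parameter Block of a floppy boot sector, hashes the boot code so that an infected dump can be compared with a clean one, and lists the byte offsets where two dumps differ. It cannot read tracks 80 and 81; that still needs a tool that drives the floppy controller directly. The sample sectors in the block are constructed.

```python
r"""Dump and inspect the first sector of a disk (SaveMBR-style).

Added example, not part of the original article and not the SaveMBR or
RWFloppy tools themselves. It reads sector 0 from a raw device (for example
\\.\PhysicalDrive0 or \\.\A: on Windows, /dev/sda on Linux) or from an image
file, saves it, decodes either an MBR partition table or a floppy BPB, and
hashes/diffs the boot code so an infected dump can be compared with a clean
one. The sample sectors at the bottom are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512


def read_first_sector(path):
    with open(path, "rb") as f:
        data = f.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("short read: %d bytes" % len(data))
    return data


def save_sector(data, out_path):
    with open(out_path, "wb") as f:
        f.write(data)


def parse_mbr(sector):
    """Decode the four 16-byte partition entries at offset 446 and the 0x55AA signature."""
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xAA",
            "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts}


def parse_dos_boot_sector(sector):
    """Decode the BIOS Parameter Block of a DOS/FAT boot sector (sector 0 of a floppy)."""
    bps, spc, reserved, fats, root_entries, total = struct.unpack("<HBHBHH", sector[11:21])
    media, spf, spt, heads = struct.unpack("<BHHH", sector[21:28])
    return {"jump_ok": sector[0] in (0xEB, 0xE9),  # boot code starts with a jump
            "oem": sector[3:11].decode("ascii", "replace"),
            "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "fats": fats, "root_entries": root_entries, "total_sectors": total,
            "media": media, "sectors_per_fat": spf, "sectors_per_track": spt,
            "heads": heads, "signature_ok": sector[510:512] == b"\x55\xAA"}


def diff_sectors(a, b):
    """Byte offsets at which two sector dumps differ (e.g. infected vs. clean)."""
    return [i for i in range(min(len(a), len(b))) if a[i] != b[i]]


def _sample_mbr():
    """Constructed MBR: stand-in boot code, one bootable FAT16 partition at LBA 63."""
    code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 441
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0C", 63, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


def _sample_floppy_boot():
    """Constructed 1.44 MB FAT12 boot sector with the standard BPB values."""
    bpb = struct.pack("<HBHBHHBHHHI", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0)
    head = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb
    return head + b"\x00" * (510 - len(head)) + b"\x55\xAA"


SAMPLE_MBR = _sample_mbr()
SAMPLE_FLOPPY_BOOT = _sample_floppy_boot()
```

A practical use: dump the boot sector of the infected floppy and of a floppy formatted on a clean machine with the same DOS version, then compare the two with diff_sectors. An infected boot sector keeps a valid BPB (otherwise the disk would not mount) but differs in the code region, and a missing 0x55AA signature means the dump is not a boot sector at all.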
