Principle: compare the MD5 value of every file on the system disk (and a text dump of the registry) taken before and after the virus runs; whatever differs is what the virus created, infected or removed.
Requirements:
Windows XP installation CD;
virus sample;
USB flash drive (U disk);
Ubuntu 7.10 LiveCD;
a few small programs to compute and compare MD5 values and to convert the exported registry into a diffable text format (parse.sh, parsewinreg and showlist below).
Procedure:
1. Wipe the disk completely and install Windows from scratch (restoring a Ghost image also works, but then make sure the other partitions are not already infected).
2. In the freshly installed Windows, export the whole registry with regedit and save the .reg file in the root directory of C:. Here it is named 1.reg.
3. Boot the Ubuntu LiveCD. At the boot menu press F2 and select Simplified Chinese before starting, so that Chinese file names are handled correctly.
4. Mount the system partition (C:):
mkdir /mnt/hdd1   (mount point for the C: partition)
mount -t ntfs -o iocharset=cp936 /dev/hdd1 /mnt/hdd1   (mount the C: partition at /mnt/hdd1; the device node and file system type depend on the machine, check with fdisk -l)
5. Mount the USB drive:
mkdir /mnt/usb   (mount point for the USB drive)
mount -t vfat /dev/sda1 /mnt/usb   (mount the USB drive at /mnt/usb; again the device node and file system type may differ)
6. Copy the exported registry to the USB drive and convert it:
Assume the USB drive already has a test directory containing the three programs parse.sh, parsewinreg and showlist.
cp /mnt/hdd1/1.reg /mnt/usb/test   (copy the exported registry into /mnt/usb/test)
cd /mnt/usb/test   (enter the test directory on the USB drive)
./parsewinreg 1.reg origreg   (convert the exported registry into diffable text, producing origreg)
7. Compute the MD5 value of every file on C::
rm /mnt/hdd1/pagefile.sys   (the page file is huge and only slows the hashing down, so delete it; note that the in-kernel ntfs driver mounts read-only, so this needs the partition mounted with -t ntfs-3g, otherwise have parse.sh skip the file instead)
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/origfile   (hash every file under /mnt/hdd1 and write the listing to origfile on the USB drive)
8. Reboot into Windows and run the virus sample, then export the registry again (here as 2.reg).
Note: copy the sample onto the disk first, then unplug the USB drive and the network cable, and only then execute it!
9. Boot the Ubuntu LiveCD again and repeat steps 3 to 7:
mkdir /mnt/hdd1
mount -t ntfs -o iocharset=cp936 /dev/hdd1 /mnt/hdd1
mkdir /mnt/usb
mount -t vfat /dev/sda1 /mnt/usb
cp /mnt/hdd1/2.reg /mnt/usb/test   (this assumes the second registry export was named 2.reg)
cd /mnt/usb/test
./parsewinreg 2.reg newreg
rm /mnt/hdd1/pagefile.sys
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/newfile
10. We now have the baseline (origreg, origfile) and the post-infection state (newreg, newfile).
11. Compare the file listings (from the directory holding them): diff -Nur origfile newfile > filediff
12. Compare the registry dumps: diff -Nur origreg newreg > regdiff
13. Read filediff and regdiff and draw conclusions.
Analysis tips:
In filediff, a line starting with + is a file that exists only after the infection (something the virus dropped), and a line starting with - is a file whose old MD5 has disappeared (it was changed or deleted). A file the virus infected therefore shows up as a pair for the same path: a - line with the old MD5 and a + line with the new one. If the same MD5 value appears on both a - line and a + line, the file was only moved, copied or reordered in the listing, and that pair can usually be ignored; lines with no sign in front are unchanged context. Strip out this noise and keep only the entries whose MD5 appears on a single + or a single - line, then look at the paths of what remains: those are the files the virus created or infected.
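The listing, conversion and filtering steps above depend on the parse.sh and parsewinreg programs, which the post does not include. The POSIX shell script below is an added example, not code from the original post, that does the same job with md5sum, awk, diff and sed: it hashes a directory tree into a sorted listing (excluding pagefile.sys instead of deleting it), flattens a regedit .reg export to one key/value line per entry so the two dumps can be diffed, and then applies the analysis tips mechanically, reporting dropped, infected and deleted files and setting aside a hash that merely moved from one path to another. The directory layout, file names and registry entries in the demo are constructed for the demonstration and do not describe any real sample; real .reg exports are UTF-16LE and must be converted to UTF-8 first, which the demo skips because its sample is already UTF-8.

```shell
#!/bin/sh
# Added example (not from the original post): a stand-in for the unpublished
# parse.sh / parsewinreg programs and for reading filediff / regdiff by hand.
# Every input used below is constructed here.

# hash_tree DIR: sorted "<md5>  <relative path>" listing of every regular
# file under DIR.  The page file is excluded rather than deleted.
hash_tree() {
    (cd "$1" && find . -type f ! -name pagefile.sys ! -name hiberfil.sys -print0 \
        | sort -z | xargs -0 md5sum)
}

# flatten_reg FILE: one "key<TAB>name=data" line per registry value, sorted,
# so key order in the export is irrelevant and identical data under two keys
# is not confused.  Long hex values that regedit wraps with a trailing
# backslash are joined.  Real exports are UTF-16LE: run
# `iconv -f UTF-16 -t UTF-8` on them first (sample below is already UTF-8).
flatten_reg() {
    tr -d '\r' < "$1" | awk '
        /^\[/      { key = $0; next }
        buf != ""  { sub(/^[ \t]+/, "") }
        /\\$/      { buf = buf substr($0, 1, length($0) - 1); next }
        buf != "" || /=/ { print key "\t" buf $0; buf = "" }
    ' | sort
}

# compare_listings OLD NEW: the "keep only a single + or a single -" rule.
#   ADDED    path only in NEW, hash unknown in OLD          (dropped file)
#   COPIED   path only in NEW, same hash already in OLD     (copy or rename)
#   MODIFIED same path, different hash                      (infected file)
#   REMOVED  path only in OLD, hash gone                    (deleted file)
#   MOVED    path only in OLD, same hash still under another path
compare_listings() {
    awk '
        # md5sum prints 32 hex digits, two spaces, then the path (which may
        # contain spaces), so the path is cut by offset rather than by field
        { h = substr($0, 1, 32); p = substr($0, 35) }
        FILENAME == ARGV[1] { old[p] = h; oldhash[h] = 1; next }
        { new[p] = h; newhash[h] = 1 }
        END {
            for (p in new) {
                if (!(p in old)) {
                    tag = (new[p] in oldhash) ? "COPIED " : "ADDED "
                    print tag p
                } else if (old[p] != new[p]) {
                    print "MODIFIED " p " " old[p] " -> " new[p]
                }
            }
            for (p in old) if (!(p in new)) {
                tag = (old[p] in newhash) ? "MOVED " : "REMOVED "
                print tag p
            }
        }
    ' "$1" "$2" | sort
}

# compare_reg OLD NEW: registry values that disappeared ("- ...") or
# appeared ("+ ...") between two flatten_reg dumps.
compare_reg() {
    diff "$1" "$2" | sed -n 's/^< /- /p; s/^> /+ /p'
}

# demo: a tiny constructed "C:" before and after a hypothetical sample has
# run.  File names and registry entries are invented for the demonstration.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/c/WINDOWS/system32" "$work/c/Program Files/App"
    printf calc    > "$work/c/WINDOWS/system32/calc.exe"
    printf notepad > "$work/c/WINDOWS/system32/notepad.exe"
    printf app     > "$work/c/Program Files/App/app.exe"
    printf tmp     > "$work/c/WINDOWS/old.tmp"
    printf huge    > "$work/c/pagefile.sys"
    cat > "$work/1.reg" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
EOF
    hash_tree "$work/c" > "$work/origfile"
    flatten_reg "$work/1.reg" > "$work/origreg"

    # the "infection": drop one file, overwrite one, copy one, delete one,
    # add a Run entry and a wrapped hex value
    printf dropped  > "$work/c/WINDOWS/system32/dropped.exe"
    printf infected > "$work/c/Program Files/App/app.exe"
    cp "$work/c/WINDOWS/system32/calc.exe" "$work/c/WINDOWS/calc.exe"
    rm "$work/c/WINDOWS/old.tmp"
    cat > "$work/2.reg" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dropped"="C:\\WINDOWS\\system32\\dropped.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"blob"=hex:00,01,02,\
  03,04,\
  05
EOF
    hash_tree "$work/c" > "$work/newfile"
    flatten_reg "$work/2.reg" > "$work/newreg"

    compare_listings "$work/origfile" "$work/newfile"
    compare_reg "$work/origreg" "$work/newreg"
    rm -rf "$work"
}

demo
```

Running the script prints four file verdicts (ADDED dropped.exe, COPIED calc.exe, MODIFIED app.exe with both hashes, REMOVED old.tmp) followed by the two new registry values; pagefile.sys never appears because it was excluded from the listing. On a real analysis, point hash_tree at the mounted partition (/mnt/hdd1 in the procedure above) and flatten_reg at the converted 1.reg and 2.reg, keeping all output on the USB drive as the post does.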