IcedOut3E
May 26 2005, 02:28 PM
What's up all.
I was wondering as to what steps everyone takes in analyzing a suspicious file.
I received a viral email with an exe attached and I want to find out more about it.
These were the tools I was thinking I needed:
1. A safe environment (vmware or such)
2. A hex editor
3. Possibly a decompiler
4. PEiD to detect what packer was used.
Can anyone else suggest any more tools that I might use in this process.
Thanks for your help.
Iced.
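Item 4 of the list above, identifying the packer, is what PEiD does by signature matching. As an added example (not from any poster in this thread and not PEiD's own logic), the Python below shows the heuristic side of that job: it parses the PE section table of an image, computes the Shannon entropy of each section's raw data and flags the patterns that packed executables commonly show (a section that is empty on disk but large in memory, a section name used by a known packer, raw data with near-random entropy). The 7.0 bits/byte threshold and the list of packer section names are assumptions chosen for illustration, and the two PE images it inspects are constructed in memory, so the script runs without any real sample.

```python
import math
import random
import struct

# Section names that well-known packers write; an illustrative assumption, not an exhaustive list.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data usually sits above this (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and describe each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        # first 24 bytes of a 40-byte IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable reasons the image looks packed; an empty list means no heuristic fired."""
    reasons = []
    for s in parse_sections(pe):
        if s["name"] in KNOWN_PACKER_SECTIONS:
            reasons.append(f"section {s['name']!r} is a known packer section name")
        if s["raw_size"] and s["entropy"] > HIGH_ENTROPY:
            reasons.append(f"section {s['name']!r} has high entropy ({s['entropy']:.2f} bits/byte)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {s['name']!r} is empty on disk but {s['virtual_size']:#x} bytes in memory")
    return reasons


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE32 image in memory; sections is a list of (name, raw_bytes, virtual_size)."""
    e_lfanew, opt_header_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_header_size, 0x102)
    header_end = e_lfanew + 4 + 20 + opt_header_size + 40 * len(sections)
    raw_base = (header_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, blobs = b"", b""
    for name, raw, vsize in sections:
        ptr = raw_base + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    image = dos + b"PE\0\0" + coff + b"\0" * opt_header_size + table
    return image + b"\0" * (raw_base - len(image)) + blobs


# Constructed samples: a UPX-style layout with a pseudo-random payload, and a plain image with low-entropy sections.
_rng = random.Random(1337)
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b"", 0x8000),
    (b"UPX1", bytes(_rng.randrange(256) for _ in range(4096)), 0x1000),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", bytes(range(32)) * 128, 0x1000),
    (b".data", b"Hello, world\0" * 100, 0x1000),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

To run it against a real file, pass `open(path, "rb").read()` to `packer_indicators`; the heuristics only read headers and section bytes, so nothing is executed. Entropy alone is not proof of packing (a resource section full of compressed images also scores high), which is why the check reports every reason separately instead of a single verdict.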
White Scorpion
May 26 2005, 03:19 PM
Filemon and Regmon from Sysinternals.. for the rest the most important tool is your brain... also a debugger like OllyDbg to step through the program could be extremely useful IMO.
FiNaLBeTa
May 26 2005, 03:40 PM
A very good tool is InCtrl (or In Control), released by PC Magazine some years ago; it compares registry and file system before and after: what files changed, were added or deleted, same for the registry. (Basically Filemon and Regmon in one.)
Also it's wise to start a sniffer... for the obvious reasons.
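The before/after comparison FiNaLBeTa describes is simple to build yourself, and doing so makes clear what such a tool can and cannot see. The Python below is an added example (not InCtrl's code and not from any poster): it snapshots every regular file under a directory as (size, SHA-256), diffs two snapshots into added, removed and modified sets, and runs that against a constructed scenario in a temporary directory where a simulated run drops one file, appends to a hosts file and deletes its scratch file. Only the file-system half is shown; the registry half would need a Windows-only API and is left out. The directory layout, file names and contents are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def _sha256(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root to (size, sha256); paths are relative and use '/' so reports are portable."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; a snapshot tool should never follow a link it did not create
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (os.path.getsize(full), _sha256(full))
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify the delta the way InCtrl reports it: added, removed and modified files."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, data: bytes, mode: str = "wb") -> None:
    """Helper for the constructed scenario: create parent directories and write (or append to) a file."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate what a run of the sample changes, diff the two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        # baseline (all names and contents are made up for the example)
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\r\n")
        _write(root, "Windows/System32/kernel32.dll", b"unchanged system file")
        _write(root, "Temp/setup.tmp", b"scratch data")
        before = snapshot(root)

        # simulated post-run state: one new file, one file appended to, one file deleted
        _write(root, "Windows/System32/dropped.dll", b"new file written during the run")
        _write(root, "Windows/System32/drivers/etc/hosts", b"0.0.0.0 update.example\r\n", "ab")
        os.remove(os.path.join(root, "Temp", "setup.tmp"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Hashing rather than comparing timestamps is deliberate: a program can reset a file's modification time after writing it, but it cannot make a changed file keep its old SHA-256. The obvious gap is the same one InCtrl has, and the reason the thread also recommends Filemon and a sniffer: a snapshot diff shows only what is different at the end, not files that were created and deleted during the run or anything that went out over the network.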
IcedOut3E
May 26 2005, 04:08 PM
Awesome stuff guys, thanks a lot.
This definitely puts me in the right direction. Good idea with the sniffer, I didn't even think of that one.
FiNaLBeTa
May 27 2005, 05:18 AM
It seems InCtrl5 is hard to find these days. Google no longer returns anything.
So I've uploaded it for you on this board, since I think it's useful for many.
http://www.governmentsecurity.org/forum/in...t=0#entry116546
belgther
May 27 2005, 05:51 AM
SoftICE can be used as well, if you run Win98 in your environment. Instead of a decompiler, a disassembler is better, because there's no decompiler that reconstructs all the source.
ozzy
May 27 2005, 06:15 AM
What do you say about this tool: Total Uninstall..
hxxp://www.softpedia.com/get/Tweak/Uninstallers/Total-Uninstall.shtml
ozzy
METAHUMAN
May 30 2005, 10:15 AM
IDA Pro.. I hear it is the best disassembler.. to date.
own3dripy
Jun 26 2005, 07:51 AM
This is the exact topic I was looking for.
Thanks for the tips. I'll analyze the .exe that I received today in an email.