096607aa89ea6f17e5a815a67b94bc245ecbf18a87705e1dec2f1d85f8350e32

Metadata

SHA256: 096607aa89ea6f17e5a815a67b94bc245ecbf18a87705e1dec2f1d85f8350e32
Difficulty: advanced
Platform: Windows
Tags: polymorphic virus self-modifying virut hooking packed
Likes: 1
Views: 2
Submitter: struppigel

Analysis

Goal

Unpack the virus body of Virut and find the file infection code, figure out:
* Which file extensions does it target for infection and what other conditions must be true, e.g., values in the PE headers?
* What is the infect marker?

Description

Virut is a polymorphic file infector that features API hashing, ntdll hooking and self-modifying code. For that reason it is an advanced sample. This is old malware, I recommend to use Windows XP for dynamic analysis.

Recommended Tools

ghidra python x64dbg

Solutions

Virut's File Infection, Part 3 Reference by struppigel
Virut's Ntdll Hooking and Process Infection, Part 2 Reference by struppigel
Virut, Unpacking a Polymorphic File Infector, Part I Reference by struppigel

Sample

Metadata

Analysis

Goal

Description

Recommended Tools

Solutions

Image

Video

Comments