Tools
HEX editors
One of the main tools for basic static analysis is the HEX editor. There are many of them, but first of all it is necessary to mention Hiew. This is the undisputed leader and bestseller. In addition to the direct functions of a HEX editor, it implements many additional features related to file analysis: a disassembler, a viewer of import and export sections, and an executable file header analyzer. The main drawback is that all this is not free (although it is very inexpensive - from 555 rubles).
HEX editor Hiew
If you don’t want to spend money, then you can pay attention, for example, to Hex Editor Neo (there is a free option) or to HxD Hex Editor.
Packer detectors
If you suspect that the file is packed, then using the packer detector you can try to determine which packer was used and try to unpack the file in question. For a long time, the PEiD program was the undisputed leader here, and in principle you can use it, but support has long been discontinued and no one is releasing new signatures for determining packer types. An alternative is Exeinfo PE.
Exeinfo PE
This program, in addition to detecting packers, has many other functions for analyzing Windows executable files, and in many cases you can get by with it alone.
Specialized utilities for examining Windows executable files
The CFF Explorer program from the Explorer Suite is a true Swiss army knife for PE file explorers. It allows you to obtain a huge amount of varied information about all components of the PE file structure and, among other things, can serve as a HEX editor.
CFF Explorer
So I highly recommend CFF Explorer, especially since the program is free.
Python module pefile
The pefile Python module lets you analyze PE files using nothing but the Python interpreter. With it, almost all operations of basic static analysis can be implemented by writing small scripts. The beauty of all this is that you can do research on PE files on Linux.
The module is present in PyPI, and you can install it via pip:
pip install pefile
Yara
Well, to complete the list, a very popular and sought-after tool that has become a kind of standard in the antivirus industry is the Yara project. The developers position it as a tool that helps malware researchers identify and classify malicious samples. A researcher can create descriptions for different types of malware in the form of so-called rules, using text or binary patterns.
What is Bytefence Anti-Malware
Bytefence Anti-Malware is software that fights viruses and removes them from your computer. This is a development from Malwarebytes Corporation. The utility works in manual mode. The user needs to launch it independently and specify the partitions to scan. Its paid version offers scheduled disk scanning, as well as a number of additional functions.
The antivirus uses heuristic scanning technologies. The actions of the antivirus are primarily aimed at identifying and neutralizing spyware, network worms, Trojan software and the like. Another feature is the recovery of system files damaged by viruses. In general, the program has a number of functions traditional for a modern antivirus.
Precautionary measures
To secure the system when conducting basic static analysis of suspicious files, you must:
- deny the read and execute permissions on the analyzed file (the “Security” tab in the “Properties” context menu);
- change the file extension from .exe to something else (or even remove the extension of the analyzed file altogether);
- do not try to open the file with word processors or browsers.
You can get by with these measures and not use a virtual environment, although for complete security you can install, for example, Virtual Box and carry out analysis in it (especially since, as a rule, you cannot do without a virtual environment during dynamic analysis).
Why is it harmful?
After penetrating the Windows system, the win32 malware gen infection does not manifest itself in any way, but still poses huge risks to the computer and the data stored on it. Often, such malicious programs act as a prerequisite for the penetration of more harmful and cunning viruses. Immediately after penetration, the infection communicates with the server and can easily carry out its pre-selected plan, providing an opportunity for other malware to also enter the system.
Ultimately, the user realizes that their computer is infected, but by then it is already quite difficult to do anything, since the viruses have completely infected the system and are beginning to destroy it. Moreover, not all antiviruses are able to detect these malicious programs and get rid of them.
Therefore, we always recommend additionally using special scanners; they are very effective and do not require installation.
File Type Determination
I think you know that the sign of a PE file in Windows is not only the extension .exe, .dll, .drv or .sys. It has other distinctive features as well. The first of them is a byte signature of the form MZ (or 0x4d, 0x5a in hexadecimal representation) at the very beginning of the file. The second is a signature consisting of the two bytes PE followed by two zero bytes (or 0x50, 0x45, 0x00, 0x00 in hexadecimal).
The offset of this signature relative to the beginning of the file is written in the so-called DOS header in the e_lfanew field, which is located at offset 0x3c from the beginning of the file.
Malicious threat penetration strategies
Trojans or malware can enter your computer in several ways. However, most of the time, users are deceived themselves. These cyber threats rarely attack by exploiting system vulnerabilities.
In most cases, malware infects a system when the user:
- opens an infected email attachment;
- downloads illegal or deceptive programs;
- installs fake updates;
- clicks on malicious advertisements or downloads any content from them.
Win32:Malware-gen contains various cyber threats, so penetration strategies may vary. Therefore, you should be careful and pay attention to internet security tips to avoid being attacked:
- install software and its updates only from official developer websites;
- do not use unknown file-sharing sites or P2P networks;
- do not click on aggressive or attractive pop-ups that offer to download software, warn about available updates, or provide other security warnings;
- get antivirus software that provides real-time protection;
- avoid visiting gaming, gambling or adult websites;
- check the sender information before opening an unknown attachment included in an email.
Security experts from semvirus.pt also remind you not to download illegal content, including programs, movies, music, books, etc. These entries usually contain malicious components, including Win32:Malware-gen.
WWW
- Description of the PE format on the Microsoft website
- "Exploring Portable Executable" (Codeby.net)
By and large, the presence of these two signatures in the file and a suitable extension indicates that this is a PE file, but if you wish, you can also look at the value of the Magic field of the Optional Header. This value is located at offset 0x18 relative to the start of the PE signature. The value of this field determines the bitness of the executable file:
- the value 0x010b indicates that the file is 32-bit (remember that numbers are stored in little-endian byte order, low byte first and then the high byte, so the number 0x010b appears in the file as the byte sequence 0x0b, 0x01);
- the value 0x020b indicates that the file is 64-bit.
There are several ways to view this. The first is using a HEX editor.
Signs of a PE file in the Hiew HEX editor
The second is using CFF Explorer or Exeinfo PE. They show the values of these signatures clearly.
The third way is to use the power of Python by running a script like this:
with open(<
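A complete version of such a check, written here as an added example (not the article's own listing), using only the standard library. It reads the MZ signature, follows e_lfanew from offset 0x3c to the PE signature, and reads the Optional Header Magic at +0x18; make_minimal_header builds a constructed header buffer for testing.

```python
import struct
import sys

MZ_SIGNATURE = b"MZ"          # 0x4d 0x5a at offset 0
PE_SIGNATURE = b"PE\x00\x00"  # 0x50 0x45 0x00 0x00 at e_lfanew
E_LFANEW_OFFSET = 0x3C        # DOS header field holding the offset of the PE signature
MAGIC_OFFSET = 0x18           # Optional Header Magic, relative to the PE signature
MAGIC_PE32, MAGIC_PE32PLUS = 0x010B, 0x020B


def classify_pe(data: bytes) -> str:
    """Return 'PE32', 'PE32+' or 'not PE' for the raw bytes of a file."""
    if data[:2] != MZ_SIGNATURE or len(data) < E_LFANEW_OFFSET + 4:
        return "not PE"
    # e_lfanew is a little-endian DWORD: '<I' reads the low byte first
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # an e_lfanew pointing past the end of the data is a malformed header
    if e_lfanew + MAGIC_OFFSET + 2 > len(data):
        return "not PE"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "not PE"
    (magic,) = struct.unpack_from("<H", data, e_lfanew + MAGIC_OFFSET)
    if magic == MAGIC_PE32:
        return "PE32"
    if magic == MAGIC_PE32PLUS:
        return "PE32+"
    return "not PE"  # unknown Magic (e.g. a ROM image): treat as not a PE


def classify_file(path: str) -> str:
    """Read a file and classify it; headers sit at the front, so the whole file is fine."""
    with open(path, "rb") as f:
        return classify_pe(f.read())


def make_minimal_header(magic: int) -> bytes:
    """Constructed sample: MZ stub, e_lfanew = 0x40, PE signature, COFF header, Magic."""
    buf = bytearray(0x40 + MAGIC_OFFSET + 2)
    buf[0:2] = MZ_SIGNATURE
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<H", buf, 0x40 + MAGIC_OFFSET, magic)
    return bytes(buf)


if __name__ == "__main__":
    print(classify_file(sys.argv[1]))
```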
You can also use this rule for Yara:
import "pe" // import the Yara module pe

rule is_pe_file
{
    strings:
        $MZ_signature = "MZ"
    condition:
        ($MZ_signature at 0) and (pe.is_32bit() or pe.is_64bit())
}
Description of the threat
Threat name: Win32.Malware.Gen
Executable file name: (random).exe
Type: Trojan
Platform: Win32 (Windows XP, Windows Vista, Windows Seven, Windows
Win32.Malware.Gen infection method
Win32.Malware.Gen copies its file(s) to your hard drive. A typical file name is (random).exe. It then creates a startup key in the registry with the name Win32.Malware.Gen and the value (random).exe. You can also find it in the list of processes under the name (random).exe or Win32.Malware.Gen.
Search in VirusTotal by hash
You can send to VirusTotal for checking not only the file itself, but also its hash (md5, sha1 or sha256). In this case, if the same file has already been analyzed, VirusTotal will show the results of that analysis, and the file itself is not exposed to VirusTotal.
I think you know very well how to find out the hash of a file. If nothing else is at hand, you can write a small script in Python:
import hashlib
with open(<
Result of a hash lookup on VirusTotal
Or we can use my recommendations from the article “Total verification. We use the VirusTotal API in our projects” and automate this process with a small Python script.
import sys
import requests

## we will use the 2nd version of the VirusTotal API
api_url = 'https://www.virustotal.com/vtapi/v2/file/report'
## do not forget about the access key to the VirusTotal functions
params = dict(apikey =<
As you can see, the script receives the hash value passed as a command-line argument, generates the necessary request to VirusTotal and displays the analysis results.
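The two scripts above (hashing the file, then querying the v2 file/report endpoint by hash) combined into one added example that is not the article's own code. It uses the standard library instead of requests so it runs with no extra dependencies; the API key is a placeholder read from the VT_API_KEY environment variable, and only the hash ever leaves the machine.

```python
import hashlib
import json
import os
import sys
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # v2 endpoint from the article
VT_API_KEY = os.environ.get("VT_API_KEY", "<your VirusTotal API key>")  # placeholder


def _digest(chunks) -> dict:
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hashes_of_bytes(data: bytes) -> dict:
    return _digest([data])


def file_hashes(path: str) -> dict:
    """Hash a file in 1 MiB chunks so large samples never have to fit in memory."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(1 << 20), b""))


def summarize_report(report: dict) -> dict:
    """Reduce a v2 file/report JSON body to the fields an analyst looks at first."""
    if report.get("response_code") != 1:  # 0 means the hash is unknown to VirusTotal
        return {"known": False, "message": report.get("verbose_msg", "")}
    detections = sorted(
        (engine, info.get("result"))
        for engine, info in report.get("scans", {}).items()
        if info.get("detected")
    )
    return {"known": True, "sha256": report.get("sha256"), "scan_date": report.get("scan_date"),
            "positives": report.get("positives", 0), "total": report.get("total", 0),
            "detections": detections}


def fetch_report(resource: str, api_key: str = VT_API_KEY) -> dict:
    """Look up an md5/sha1/sha256 on VirusTotal (needs network access and a real key)."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    with urllib.request.urlopen(f"{VT_REPORT_URL}?{query}", timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # accept either a hash or a path; a path is hashed locally and only the hash is sent
    arg = sys.argv[1]
    resource = file_hashes(arg)["sha256"] if os.path.isfile(arg) else arg
    print(json.dumps(summarize_report(fetch_report(resource)), indent=2))
```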
If VirusTotal returned analysis results, someone has already uploaded the file in question; you can upload it again to get more up-to-date results, and at that point the analysis could be considered complete. But if VirusTotal does not find the file in its database, then it makes sense to move on.
Continuation is available only to members
Option 1. Join the “Xakep.ru” community to read all materials on the site
What problems can it cause?
Let's look at how dangerous the win32 malware gen virus is and what it does to the system. Despite being invisible to users, it runs as a background process and is genuinely harmful. It is designed to give third parties access to the PC and the ability to steal personal data, including passwords, bank card and credit card details, etc. In addition, it can steal funds from any electronic wallets.
In addition to the above, there are more serious problems associated with the effects of this virus. They include:
- Computer problems.
- Registry changes.
- System failures.
- Antivirus malfunctions.
- Unstable Internet access.
- High risk of infection by other threats.
- Blocking some sites.
Yes, the presence of a generic malware virus in a system is absolutely harmless. However, even if there is no direct threat, at one point an infection can lead to a failure and the well-known “blue screen”. As a result, you will lose all existing data, information and files, and then it will be too late to do anything.