
CEH Lab Manual

Viruses and Worms

Module 07

Module 07 - Viruses and Worms

Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Scenario
A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a hugely devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload. An attacker can launch a DoS attack or install a backdoor and maybe even damage a local system or network systems. Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or able to bypass the network firewall.


Lab Objectives
The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:
- Create viruses using tools
- Create worms using worm generator tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry this out, you need:
- A computer running Windows Server 2012 as host machine
- Windows Server 2008, Windows 7 and Windows 8 running on virtual machine as guest machine
- A web browser with Internet access
- Administrative privileges to run tools

CEH Lab Manual Page 530

Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.


Lab Duration
Time: 30 Minutes

Overview of Viruses and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met. Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.

Lab Tasks
TASK 1: Overview
Recommended labs to assist you in creating Viruses and Worms:
- Creating a virus using the JPS Virus Maker tool
- Virus analysis using IDA Pro
- Virus Analysis using VirusTotal
- Scan for Viruses using Kaspersky Antivirus 2013
- Virus Analysis Using OllyDbg
- Creating a Worm Using the Internet Worm Maker Thing

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Creating a Virus Using the JPS Virus Maker Tool
JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.
Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior, whether they are detected by an antivirus and if they bypass the firewall.


Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry out the lab, you need:
- JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker


- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of Virus and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks
TASK 1: Make a Virus
1. Launch your Windows Server 2008 virtual machine.
2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.
3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker.
4. Double-click and launch the jps.exe file. The JPS (Virus Maker 3.0) window appears.

Note: Take a Snapshot of the virtual machine before launching the JPS Virus Maker tool.

Note: The option Auto Startup is always checked by default and starts the virus whenever the system boots.



FIGURE 1.1: JPS Virus Maker main window


5. JPS lists the Virus Options; check the options that you want to embed in a new virus file.

Note: This creation of a virus is only for knowledge purposes; don't misuse this tool.

Note: A list of names for the virus after install is shown in the Name after Install drop-down list.


FIGURE 1.2: JPS Virus Maker main window with options selected


6. Select one of the radio buttons to specify when the virus should start attacking the system after creation.
FIGURE 1.3: JPS Virus Maker main window with Restart selected

Note: A list of server names is present in the Server Name drop-down list. Select any server name.

7. Select the name of the service you want to make the virus behave like from the Name after Install drop-down list.

FIGURE 1.4: JPS Virus Maker main window with the Name after Install option

8. Select a server name for the virus from the Server Name drop-down list.


[Screenshot: the Server Name drop-down list offering Svchost.exe, Kernel32.exe, spoolsv.exe, ALG.EXE and svchost.exe]

Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.


FIGURE 1.5: JPS Virus Maker main window with Server Name option


9. Now, before clicking on Create Virus!, change the settings and virus options by clicking the settings icon.

FIGURE 1.6: JPS Virus Maker main window with Settings option


10. Here you see more options for the virus. Check the options and provide the related information in the respective text field.

TASK 2: Make a Worm


Note: You can select any icon from the change icon options. A new icon can be added apart from those on the list.


FIGURE 1.7: JPS Virus Maker Settings option


11. You can change the Windows XP password and the IE home page, close a custom window, disable a particular custom service, etc.
12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm checkbox and provide a Worm Name.


13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy after field.
14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.

Note: Make sure to check all the options and settings before clicking on Create Virus!


Features: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm (Auto Copy Server To Active Path With Custom Name & Time), Change Custom Icon For your created Virus (15 Icons).


FIGURE 1.8: JPS Virus Maker main window with Options


15. After completing your selection of options, click Create Virus!

FIGURE 1.9: JPS Virus Maker main window with Create Virus! button


16. A pop-up window with the message Server Created Successfully appears. Click OK.

FIGURE 1.10: JPS Virus Maker Server Created Successfully message


17. The newly created virus (server) is placed automatically in the same folder as jps.exe but with the name Svchost.exe.
18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!
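As an added defender's example (not part of the lab manual and not JPS Virus Maker code): the server created above is written out under a system-process name such as Svchost.exe, the Server Name list also offers Kernel32.exe, spoolsv.exe and ALG.EXE, and Auto Startup registers it to run at boot. The Python script below applies the matching triage check to constructed file-path and Run-key records, flagging any file that wears one of these names outside the directory where Windows keeps the genuine binary (assumed to be System32 on a stock install). The sample records and the directory allow-list are assumptions, not data collected in the lab.

```python
"""Masquerading-name triage check (added example, not lab-manual code).

The JPS server installs under a Windows system-process name with Auto
Startup on.  A first defensive check is whether a file carrying such a
name lives outside the directory holding the real binary, and whether an
autostart entry points at it.  All records below are constructed samples.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Names the lab's tool hands out, mapped to where the genuine binary lives.
# Assumption: a stock install; adjust for other layouts before real use.
SYSTEM_BINARIES: dict[str, set[str]] = {
    "svchost.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "alg.exe": {r"c:\windows\system32"},
    # kernel32 ships only as a DLL; an .exe of that name has no legitimate home.
    "kernel32.exe": set(),
}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _norm_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path, without trailing '\\'."""
    return ntpath.dirname(path).lower().rstrip("\\")


def check_path(path: str) -> Finding | None:
    """Return a Finding if `path` wears a system-binary name in the wrong place."""
    name = ntpath.basename(path).lower()
    allowed = SYSTEM_BINARIES.get(name)
    if allowed is None:
        return None  # not a name we watch
    if not allowed:
        return Finding(path, f"{name} is never a legitimate executable")
    if _norm_dir(path) not in allowed:
        return Finding(path, f"{name} outside {sorted(allowed)}")
    return None


def image_from_command(command: str) -> str:
    """Extract the image path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check_autostart(entries: dict[str, str]) -> list[Finding]:
    """Apply check_path to every value of a Run-key style name -> command map."""
    findings = []
    for value_name, command in entries.items():
        hit = check_path(image_from_command(command))
        if hit:
            findings.append(Finding(hit.path, f"autostart '{value_name}': {hit.reason}"))
    return findings


def triage(paths: list[str], autostart: dict[str, str]) -> list[Finding]:
    """Run both checks and return every finding."""
    findings = [hit for hit in map(check_path, paths) if hit]
    findings.extend(check_autostart(autostart))
    return findings


# Constructed sample data: what a directory walk and a Run-key dump might yield.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",                 # genuine
    r"C:\Users\Administrator\Desktop\JPS\Svchost.exe",  # dropped beside jps.exe
    r"C:\Windows\System32\spoolsv.exe",                 # genuine
    r"C:\Temp\Kernel32.exe",                            # no legitimate .exe of that name
    r"C:\Users\Administrator\Desktop\JPS\jps.exe",      # not a watched name
]
SAMPLE_RUN_KEY = {
    "Rundll32": r'"C:\Users\Administrator\Desktop\JPS\Svchost.exe"',
    "OneDrive": r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN_KEY):
        print(f"{finding.path}: {finding.reason}")
```

On the sample data the script reports the dropped Svchost.exe twice (once as a file, once via its Run-key entry) and the stray Kernel32.exe, and stays silent on the genuine System32 binaries.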

Lab Analysis
Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: JPS Virus Maker Tool

Information Collected/Objectives Achieved: To make the virus, the following options are used: Disable Yahoo, Disable Internet Explorer, Disable Norton Antivirus, Disable McAfee Antivirus, Disable Taskbar, Disable Security Restore, Disable Control Panel, Hide Windows Clock, Hide All Tasks in Taskmgr, Change Explorer Caption, Destroy Taskbar, Destroy Offlines (YIMessenger), Destroy Audio Services, Terminate Windows, Auto Startup

Questions
1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.
2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.


Internet Connection Required: Yes / No
Platform Supported: iLabs


Virus Analysis Using IDA Pro
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario
Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial of service attacks. Hacker mercenaries view Instant Messaging clients as their personal banks because of the ease by which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them in a dummy network (virtual machine), and check their behavior, whether they are detected by any antivirus programs or bypass the firewall of an organization.


Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment
To carry out the lab, you need:
- IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro
- A computer running Windows Server 2012 as host machine
- Windows Server 2008 running on virtual machine as guest machine
- Run this tool on Windows Server 2008
- You can also download the latest version of IDA Pro from the link http://www.hex-rays.com/products/ida/index.shtml


- Administrative privileges to run tools

Lab Duration
Time: 15 Minutes

Overview of Virus and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks
TASK 1: IDA Pro
1. Go to the Windows Server 2008 Virtual Machine.
2. Install IDA Pro, which is located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro.
3. Open IDA Pro, and click Run in the Open File - Security Warning dialog box.

Note: You have to agree to the License agreement before proceeding further on this tool.


FIGURE 2.1: IDA Pro About.
4. Click Next to continue the installation.



Note: Read the License Agreement carefully before accepting.



FIGURE 2.2: IDA Pro Setup
5. Select the I accept the agreement radio button for the IDA Pro license agreement.
6. Click Next.

Note: Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.


FIGURE 2.3: IDA Pro license.
7. Keep the destination location default, and click Next.


Note: Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit breakpoint settings.

FIGURE 2.4: IDA Pro destination folder


8. Check the Create a desktop icon check box, and click Next.

Note: Trace window. In this window, you can view some information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events, and write, read/write or execution tracing events.


FIGURE 3.5: Creating IDA Pro shortcut


9. The Ready to Install window appears; click Install.



Note: Add execution trace. This command adds an execution trace to the current address.


Note: Instruction tracing. This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.

FIGURE 2.6: IDA Pro install
10. Click Finish.

FIGURE 2.7: IDA Pro complete installation


11. The IDA License window appears. Click I Agree.



Note: The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C and C++ style comments and include files. If no file is found, IDA uses default values.


Note: IDC function CompileEx:

    // Compile an IDC script.
    // The input should not contain functions that are
    // currently executing otherwise the behavior of the replaced
    // functions is undefined.
    // input - if isfile != 0, then this is the name of file to compile
    //         otherwise it holds the text to compile
    // returns: 0 - ok, otherwise it returns an error message.
    string CompileEx(string input, long isfile);


FIGURE 2.8: IDA Pro License accept.
12. Click the New button in the Welcome window.

    // Convenience macro:
    #define Compile(file) CompileEx(file, 1)



FIGURE 2.9: IDA Pro Welcome window.
13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.



Note: Function tracing. This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.


Note: Add/Edit an enum (Action name: AddEnum, EditEnum). These commands allow you to define and to edit an enum type. You need to specify: the name of the enum, its serial number (1, 2, ...) and the representation of enum members.

FIGURE 2.10: IDA Pro file browse window.
14. The Load a new file window appears. Keep the default settings and click OK.

[Screenshot: Load file Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe as Portable executable for 80386 (PE) [pe.ldw]; Processor type: Intel 80x86 processors: metapc; DLL directory: C:\Windows]

FIGURE 2.11: Load a new file window.


15. I f any warning window prompts appear, click OK.


16. The Please confirm window appears; read the instructions carefully and click Yes.

Note: Select appropriate options as per your requirement.

IDA-View has now a new mode: proximity view. This mode allows you to browse the interrelations between functions and data items. When inside a function, press to toggle the proximity viewer and '+ ' to zoom back into a function. Do you want to switch to proximity view now?


FIGURE 2.12: Confirmation wizard.


17. The final window appears after analysis.

Note: %TMP or %TEMP: Specifies the directory where the temporary files will be created.


Note: Add read/write trace. This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger will add a trace event to the Trace window.


FIGURE 2.13: IDA Pro window after analysis.


18. Click View > Graphs > Flow Chart from the menu bar.


The View > Graphs submenu offers Flow chart (F12), Function calls, Xrefs to, Xrefs from and User xrefs chart; the status line describes the highlighted item as "Display flow chart of the current function".

Note: Create alignment directive (action name: MakeAlignment). This command allows you to create an alignment directive.

FIGURE 2.14: IDA Pro flow chart menu.


19. A Graph window appears with the flow chart; zoom in to view it clearly.
Note: Zoom in to have a better view of the details.

FIGURE 2.15: IDA Pro flow chart.


Note: Zoom in to have a better view of the details.

FIGURE 2.16: IDA Pro zoomed flow chart.

Zoomed in, the WinGraph32 window (Graph of _WinMain@16) shows the basic blocks of WinMain. The disassembly legible in the figure, with IDA's auto-generated names as displayed, is:

    cmp     byte_4100D4, 0
    jz      short loc_407420
    cmp     dword_4938F8, 0
    jz      short loc_407449
    push    offset byte_4100D4      ; lpFileName
    call    sub_405B0F
    test    eax, eax
    pop     ecx
    jnz     short loc_407457
    and     [ebp+var_8], 0
    and     [ebp+var_4], 0
    lea     eax, [ebp+ServiceStartTable]
    mov     [ebp+ServiceStartTable.lpServiceName], offset ServiceName
    push    eax                     ; lpServiceStartTable
    mov     [ebp+ServiceStartTable.lpServiceProc], offset loc_4073C3
    call    ds:StartServiceCtrlDispatcherA
    call    sub_4??2F2              ; function name partly illegible in the figure
    xor     eax, eax
    leave
    retn    10h

The call to StartServiceCtrlDispatcherA with a service table whose service procedure is loc_4073C3 shows that this sample runs itself as a Windows service; that is the persistence behaviour to note when answering the lab questions. The status bar reads "85.71% (-153,-240) 8 nodes, 28 edge segments, 0 crossings".

FIGURE 2.17: IDA Pro zoomed flow chart.


20. Click View > Graphs > Function Calls from the menu bar.


The Functions window lists the recovered functions and the View > Graphs submenu again offers Flow chart (F12), Function calls, Xrefs to, Xrefs from and User xrefs chart; the status line reads "Display graph of function calls".

Note: Empty input file: the input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.

FIGURE 2.18: IDA Pro Function calls menu.


21. A window showing the call flow appears; zoom in to have a better view.

FIGURE 2.19: IDA Pro call flow of face.exe.

FIGURE 2.20: IDA Pro call flow of face.exe, zoomed.


22. Click Windows > Hex View-A. The title bar shows the database path Z:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe, and the Windows menu lists, besides desktop management (Load/Save/Delete/Reset desktop, Reset hidden messages, Windows list, Next/Previous window, Close window, Focus command line), the views Functions window (Alt+1), IDA View-A (Alt+2), Hex View-A (Alt+3), Structures (Alt+4), Enums (Alt+5), Imports (Alt+6) and Exports (Alt+7).

FIGURE 2.21: IDA Pro Hex View-A menu.

23. The following is a window showing Hex View-A.


Hex View-A shows the raw bytes of face.exe, sixteen per row with an ASCII column, starting at 004073B2, the address of WinMain (the status bar reads "004073B2: WinMain(x,x,x,x)"); the IDA View-A, Structures, Enums, Imports and Exports tabs sit beside it.

FIGURE 2.22: IDA Pro Hex View-A result.

24. Click Windows > Structures.

FIGURE 2.23: IDA Pro Structures menu.

25. The following is a window showing Structures (to expand a structure, press Ctrl and +).


The Structures window lists the structure types IDA recovered from the binary. The entry legible in the figure is the compiler's exception-handling record, shown with IDA's offsets and cross-references to the start function:

    00000000 CPPEH_RECORD    struc ; (sizeof=0x18)   ; XREF: start ...
    00000000 old_esp         dd ?
    00000004 exc_ptr         dd ?
    00000008 registration    _EH3_EXCEPTION_REGISTRATION ?
    00000018 CPPEH_RECORD    ends

FIGURE 2.24: IDA Pro Structures result.

26. Click Windows > Enums.

FIGURE 2.25: IDA Pro Enums menu.

27. A window appears, showing the Enums result. The window opens with its built-in key reference:

    ; Ins/Del/Ctrl-E : create/delete/edit enumeration types
    ; N/Ctrl-N       : create/edit a symbolic constant
    ; U              : delete a symbolic constant
    ; ; or :         : set a comment for the current item
    ; For bit fields : prefixes display the bitmask

FIGURE 2.26: IDA Pro Enums result.

Lab Analysis


Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
IDA Pro         File name: face.exe
                Output: view function calls, Hex View-A, view structures, view enums


Questions
1. Analyze the flow chart and the function-call graph, and try to work out the possible damage the virus file can cause.
2. Try to analyze more virus files from the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
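A quicker route to question 1 than reading every node of the flow chart is to start from the import table: the APIs a sample imports, and the functions that call them, point straight at the blocks worth opening first (the WinMain in Figure 2.17 calls StartServiceCtrlDispatcherA, for example). The script below is an added example, not part of the lab manual and not IDA's own code. Its IDAPython calls (idaapi.enum_import_names, idautils.CodeRefsTo, idc.get_func_name) follow the IDA 7.x API and should be checked against your version; the SUSPICIOUS_APIS table, the sample import list and the caller mapping are this example's own constructed assumptions, so outside IDA it runs on that sample data instead of a real database.

```python
"""Import triage for a binary opened in IDA Pro.

Added example (not from the CEH lab manual, not IDA's code). Inside IDA it
walks the real import table; elsewhere it falls back to constructed sample
data so the classification logic can be exercised on its own."""

# Behaviour hint per API name (assumed table; extend it for your own cases).
SUSPICIOUS_APIS = {
    "StartServiceCtrlDispatcherA": "service persistence",
    "CreateServiceA": "service persistence",
    "RegSetValueExA": "registry persistence",
    "WriteFile": "file write",
    "CopyFileA": "self-copy",
    "InternetOpenA": "network",
    "socket": "network",
    "WriteProcessMemory": "process injection",
}


def classify_imports(imports):
    """imports: {module: [api, ...]} -> {api: behaviour} for APIs in the table."""
    hits = {}
    for names in imports.values():
        for name in names:
            if name in SUSPICIOUS_APIS:
                hits[name] = SUSPICIOUS_APIS[name]
    return hits


def summarize_callers(hits, callers):
    """Group flagged APIs by the function that calls them.

    callers: {api: [function_name, ...]} built from code xrefs to the import
    slot. Returns {function_name: sorted ['behaviour: api', ...]}, i.e. the
    functions to open first in the flow chart."""
    by_func = {}
    for api, behaviour in hits.items():
        for func in callers.get(api, []):
            by_func.setdefault(func, []).append(f"{behaviour}: {api}")
    return {func: sorted(items) for func, items in by_func.items()}


def collect_from_ida():
    """Walk the import table of the open database (IDA 7.x IDAPython only)."""
    import idaapi, idautils, idc  # only importable inside IDA
    imports, callers = {}, {}
    for i in range(idaapi.get_import_module_qty()):
        module = idaapi.get_import_module_name(i) or "?"
        imports[module] = []

        def on_import(ea, name, ordinal, _module=module):
            if name:
                imports[_module].append(name)
                # Each code xref to the IAT slot is an instruction such as
                # 'call ds:StartServiceCtrlDispatcherA' inside some function.
                for xref in idautils.CodeRefsTo(ea, 0):
                    callers.setdefault(name, []).append(idc.get_func_name(xref))
            return True  # keep enumerating

        idaapi.enum_import_names(i, on_import)
    return imports, callers


# Constructed sample data (not read from face.exe): what collect_from_ida()
# might return for a binary whose WinMain registers a service and whose
# helper function copies and writes files.
SAMPLE_IMPORTS = {
    "ADVAPI32.dll": ["StartServiceCtrlDispatcherA", "RegOpenKeyExA"],
    "KERNEL32.dll": ["CreateFileA", "WriteFile", "CopyFileA", "ExitProcess"],
}
SAMPLE_CALLERS = {
    "StartServiceCtrlDispatcherA": ["_WinMain@16"],
    "WriteFile": ["sub_405B0F"],
    "CopyFileA": ["sub_405B0F"],
}

if __name__ == "__main__":
    try:
        imports, callers = collect_from_ida()
    except ImportError:
        imports, callers = SAMPLE_IMPORTS, SAMPLE_CALLERS  # running outside IDA
    report = summarize_callers(classify_imports(imports), callers)
    for func, items in sorted(report.items()):
        print(func)
        for item in items:
            print("   ", item)
```

Run it from File > Script file inside IDA to get the real list for face.exe; run it as a plain Python script to see the shape of the output on the sample data. Name matching is case-sensitive and by exported name, so imports resolved by ordinal only are not classified.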

Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Lab 3: Virus Analysis Using VirusTotal
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario
In today's online environment it is important to know what risks lie ahead at each click. Every day millions of people go online to find information, to do business, to have a good time. There have been many warnings issued about theft of data: identity theft, phishing scams and pharming; most people have at least heard of denial-of-service attacks and "zombie" computers, and now one more type of online attack has emerged: holding data for ransom. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. In this lab we explain how to analyze a virus using online virus analysis services.


Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs. In this lab, you will learn how to:
Analyze virus files over the Internet

Lab Environment
To carry out the lab, you need:
A computer running Windows Server 2012 as host machine
A web browser with Internet connection

Lab Duration
Time: 15 Minutes


Overview of Viruses and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks

TASK 1
1. Open a web browser in the Windows Server 2012 host machine.
2. Access the website http://www.virustotal.com.

The VirusTotal home page describes the service ("VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware"), offers a Choose File button with a maximum file size of 32 MB, and states: "By clicking 'Scan it!', you consent to our Terms of Service and allow VirusTotal to share this file with the security community." The page also offers to scan a URL or search the VirusTotal dataset instead.

Note: Because an uploaded sample is shared with the security community, search the dataset by the file's hash first if the file may contain confidential data or belongs to an engagement that must not become public.

FIGURE 3.1: VirusTotal Home Page
3. The VirusTotal website is used to analyze files online.
4. Click the Choose File button, and select the virus file located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\tini.exe.
5. Click Open.


Note: You can upload any infected file to analyze.

The File Upload dialog shows the Viruses folder of CEHv8 Module 07, which holds several sample folders, the archive netbus17.rar and the file tini.exe.

FIGURE 3.2: Select a file for virus analysis


6. Click Scan it!.
FIGURE 3.3: Click Scan it! to send the file for analysis


7. The selected file will be sent to the server for analysis.
8. If VirusTotal reports that the file has already been analysed, click Reanalyse.


VirusTotal responds: "File already analysed. This file was already analysed by VirusTotal on 2012-09-21 17:32:24. Detection ratio 40/43. You can take a look at the last analysis or analyse it again now."

FIGURE 3.4: Sending File
9. The file is placed in the analysis queue and scanned, as shown in the following figure. The queue page reports the file's position ("Your file is at position 4397 in the analysis queue"), its SHA256 and file name (tini.exe), and carries community comments and votes.

FIGURE 3.5: Scanned File
10. A detailed report w ill be displayed after analysis.
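To put the report to use outside the browser, the following added example (not part of the lab manual and not VirusTotal's own code) computes the three hashes the report header lists, builds the lookup URLs so a sample can be checked by hash before it is uploaded (uploading shares the file with the security community, as the Scan it! consent text states), and reduces a per-engine result table to the detection ratio shown in the figures. The API endpoint and the shape of the result table follow VirusTotal's v3 API (a request needs an x-apikey header); the counting convention, the sample result table and the sample bytes are constructed for this example and are not real VirusTotal output.

```python
"""Hash lookup and detection-ratio helpers for VirusTotal-style reports.

Added example (not from the CEH lab manual, not VirusTotal's code). The
SAMPLE_* values are constructed; the ratio convention is this example's own."""
import hashlib
import json

VT_GUI = "https://www.virustotal.com/gui/file/{}"
VT_API = "https://www.virustotal.com/api/v3/files/{}"  # needs an x-apikey header


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample bytes, as the report header lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_urls(sha256: str) -> dict:
    """Where to look the sample up by hash without uploading it."""
    return {"gui": VT_GUI.format(sha256), "api": VT_API.format(sha256)}


# Engines that could not scan the file are left out of the denominator
# (this example's convention; VirusTotal's own display may count differently).
NOT_SCANNED = {"type-unsupported", "timeout", "failure", "confirmed-timeout"}
DETECTED = {"malicious", "suspicious"}


def detection_ratio(results: dict) -> tuple:
    """results: {engine: {"category": ..., "result": ...}} -> (detections, scanned)."""
    detections = scanned = 0
    for verdict in results.values():
        category = verdict.get("category")
        if category in NOT_SCANNED:
            continue
        scanned += 1
        if category in DETECTED:
            detections += 1
    return detections, scanned


def detection_names(results: dict) -> dict:
    """Engine -> signature name for every engine that flagged the file."""
    return {
        engine: verdict["result"]
        for engine, verdict in results.items()
        if verdict.get("category") in DETECTED and verdict.get("result")
    }


# Constructed sample result table modelled on the v3 'last_analysis_results'
# shape; the signature names mirror the style of those shown for tini.exe.
SAMPLE_RESULTS = {
    "AntiVir":  {"category": "malicious", "result": "BDS/Tini.B"},
    "Avast":    {"category": "malicious", "result": "Win32:Tiny-XU [Trj]"},
    "ClamAV":   {"category": "undetected", "result": None},
    "ByteHero": {"category": "type-unsupported", "result": None},
}
SAMPLE_BYTES = b"MZ constructed stand-in for tini.exe, not the real file"

if __name__ == "__main__":
    hashes = file_hashes(SAMPLE_BYTES)
    print(json.dumps(hashes, indent=2))
    print(json.dumps(lookup_urls(hashes["sha256"]), indent=2))
    hits, scanned = detection_ratio(SAMPLE_RESULTS)
    print(f"Detection ratio {hits}/{scanned}:", detection_names(SAMPLE_RESULTS))
```

Feed `file_hashes()` the bytes of the real sample (read in binary mode) and open the GUI URL, or call the API URL with your key, before deciding whether an upload is necessary; if the hash is already known, the existing report answers the question without the file ever leaving your machine.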


The report header for tini.exe (page title "Antivirus scan for b7513ee75c68bdec96c814644717e413 at UTC") lists:
SHA256, SHA1 and MD5 (b7513ee75c68bdec96c814644717e413) of the file
File size: 3.0 KB (3072 bytes)
File name: tini.exe
File type: Win32 EXE
Detection ratio: 39/42
Analysis date: 2012-09-22 08:56:26 UTC

FIGURE 3.6: File queued for analysis


Below the header, the per-engine table lists each antivirus engine (Agnitum, AntiVir, Antiy-AVL, Avast, AVG, BitDefender, ByteHero, CAT-QuickHeal, ClamAV, Commtouch, Comodo, DrWeb, Emsisoft, eSafe and the rest of the 42), its result (detection names such as BDS/Tini.B, Backdoor.Win32.Tiny.B, Win32:Tiny-XU [Trj], BackDoor.Tiny.A and Backdoor.Tiny.B, so the sample is a backdoor) and the date of the signature update used (20120921 or 20120922).

FIGURE 3.7: Analyzing the file

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility    Information Collected/Objectives Achieved
VirusTotal      Scan report shows: SHA256, SHA1, MD5, file size, file name, file type, detection ratio, analysis date

Questions
1. Analyze more virus files from D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses with the demonstrated process.

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs


Lab 4: Scan for Viruses Using Kaspersky Antivirus 2013
Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

Lab Scenario
Today, many people rely on computers to do work and create or store useful information. Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for people using computers to protect their computers from data loss, misuse, and abuse. For example, it is crucial for businesses to keep the information they hold secure so that hackers cannot access it. Home users also need to take steps to make sure that their credit card numbers are secure when they participate in online transactions. A computer security risk is any action that could cause loss of information, software, data, processing incompatibilities, or damage to computer hardware. Once you start suspecting that there is spyware on your computer system, you must act at once. The best thing to do is to use spyware remover software. Spyware remover software is a kind of program that scans the computer's files and settings and eliminates the malicious programs that you do not want to keep on your operating system. In this lab, the Kaspersky Antivirus 2013 program detects the malicious programs and vulnerabilities in the system.


Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Lab Environment
To carry out the lab, you need:
- Kaspersky Antivirus 2013, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus
- You can also download the latest version of Kaspersky Antivirus 2013 from the link http://www.kaspersky.com/anti-virus
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- Run this tool in the Windows 7 virtual machine
- An active Internet connection

Lab Duration
Time: 15 Minutes

Overview of Virus and Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

Lab Tasks
TASK 1: Scan the System to Detect Virus
Note: Before running this lab, take a snapshot of your virtual machine.
1. Start the Windows 7 virtual machine.
2. Before scanning the disk, infect the disk with viruses.
3. Open the CEH-Tools folder and browse to the location Z:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses.
4. Double-click the tini.exe file.

FIGURE 4.1: Tini virus file

Note: Advanced anti-phishing technologies proactively detect fraudulent URLs and use real-time information from the cloud, to help ensure you're not tricked into disclosing your valuable data to phishing websites.

5. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\netbus17.
6. Double-click the Patch.exe file.


7. Open the CEH-Tools folder and browse to the location Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!.
8. Double-click the face.exe file.

Note: Kaspersky protects against all viruses by combining cloud-based functionality and powerful security technologies that run on your PC.

FIGURE 4.3: Face virus file


9. Note that these tools will not reflect any changes.

10. Go to the location D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Anti-Virus Tools\Kaspersky Anti-Virus.

Note: Kaspersky Anti-Virus 2013 works behind the scenes, defending you and your PC against viruses, spyware, Trojans, rootkits and other threats.

11. Install the Kaspersky Antivirus 2013 software in Windows 7.
12. While installing, it will ask for activation; click Activate Trial Version and then click Next.
13. The main window of Kaspersky Antivirus 2013 appears, as shown in the following figure.


FIGURE 4.4: Kaspersky main window
14. Select the Scan icon.

Note: Kaspersky Antivirus 2013 is fully compatible with Microsoft's latest operating system.

FIGURE 4.5: Kaspersky Scan window
15. Select Full Scan to scan the computer (Windows 7 Virtual Machine).


FIGURE 4.6: Kaspersky: starting a full scan (the Scan window offers Full Scan, Critical Areas Scan and Vulnerability Scan)


16. It will display the Full Scan window. Click Scan now.
Note: Kaspersky Anti-Virus 2013 is optimised so that it does not have a significant impact on network activity, the installation of programs, the launch of web browsers or the launch of programs.

FIGURE 4.7: Scanning process (the databases are out of date, so Kaspersky offers "Scan after the update (recommended)" or "Scan now")
17. Kaspersky Antivirus 2013 scans the computer. (It will take some time, so be patient.)


Note: Even if your PC and the applications running on it haven't been updated with the latest fixes, Kaspersky Anti-Virus 2013 can prevent exploitation of vulnerabilities by: controlling the launch of executable files from applications with vulnerabilities; analysing the behaviour of executable files for any similarities with malicious programs; restricting the actions allowed by applications with vulnerabilities.

FIGURE 4.8: Scanning process (Full Scan in progress)
18. The Virus Scan window appears; it will ask you to perform a special disinfection procedure.
19. Click Yes, disinfect with reboot (recommended).
Note: The main interface window is optimised to help boost performance and ease of use for many popular user scenarios, including launching scans and fixing problems.

FIGURE 4.9: Detecting the malware (the Virus Scan dialog reports active malware, Trojan program Backdoor.Win32.Netbus.170 at c:\Windows\patch.exe, and offers "Yes, disinfect with reboot (recommended)" or "Do not run")


20. The Advanced Disinfection scan will start; it will scan the complete system (this may take some time).
FIGURE 4.10: Advanced Disinfection scanning
21. The cleaned viruses will appear, as shown in the following figure.
FIGURE 4.11: Cleaned infected files (the detailed report lists the detected, backed up and deleted Backdoor.Win32 objects, including tini.exe, patch.exe, NetBus.exe and KeyHook.dll)

Lab Analysis


Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Kaspersky Antivirus 2013
Information Collected/Objectives Achieved: Result: List of detected vulnerabilities in the system

Questions
1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs


Lab

Virus Analysis Using OllyDbg
OllyDbg is a debugger that emphasises binary code analysis, which is useful when source code is not available. It traces registers, recognises procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.

Lab Scenario
There are literally thousands of malicious logic programs, and new ones come out all the time, so it is important to keep up to date with the new ones that come out. Many websites keep track of this. There is no known method for providing 100% protection for any computer or computer network from computer viruses, worms, and Trojan horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. In this lab, OllyDbg is used to analyze a virus's registers, procedures, API calls, tables, libraries, constants, and strings.


Lab Objectives
The objective of this lab is to make students learn and understand analysis of viruses.

Lab Environment
To carry out the lab, you need:
- The OllyDbg tool, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Debugging Tool\OllyDbg
- A computer running Windows Server 2012 as host machine
- You can also download the latest version of OllyDbg from the link http://www.ollydbg.de/
- Run this tool on Windows Server 2012
- Administrative privileges to run tools


Lab Duration
Time: 10 Minutes

Overview of OllyDbg
The debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls." When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().

Lab Tasks
TASK 1: Debug a Virus
1. Launch the OllyDbg tool. Installation is not required for OllyDbg. Double-click and launch the ollydbg.exe file.


2. The OllyDbg window appears.


FIGURE 5.1: OllyDbg main window


3. Go to File from the menu bar and click Open...
4. Browse to D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Viruses\Virus Total\tini.exe.
5. Click Open.


Note: Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16- and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T).

FIGURE 5.2: Select tini.exe from Virus Total


6. The output of CPU - main thread, module tini is shown in the following figure.
Note: OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities.

FIGURE 5.3: CPU utilization of tini.exe (the CPU window shows the entry point of the main module at 00401000 and the disassembly calling WSOCK32 exports by ordinal, #115, #23 and #2, together with the registers, stack and memory dump panes)


7. Click View from the menu bar, and then click Log (Alt+L).


Note: Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF strings.

FIGURE 5.4: Select log information

8. The output of the log data of tini.exe is shown in the following figure.
Note: Breakpoints. OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify the number of passes and set conditions for pause.

FIGURE 5.5: Output of log data information of tini.exe (the log records the new process, the main thread, and each loaded module, for example WSOCK32.dll, KERNEL32.DLL, RPCRT4.dll and NSI.dll)

9. Click View from the menu bar, and click Executable modules (Alt+E).
10. The output of Executable modules is shown in the following figure.


Note: Watches. A watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, Boolean and algebraical operations of any complexity.

FIGURE 5.6: Output of executable modules of tini.exe (base address, size, entry point, file version and path of each module, including WSOCK32, bcryptPrimitives, CRYPTBASE, SspiCli, KERNEL32, RPCRT4, NSI, sechost, WS2_32, msvcrt, KERNELBASE and ntdll)

11. Click View from the menu bar, and then click Memory Map (Alt+M).
12. The output of Memory Map is shown in the following figure.


Note: OllyDbg supports four different decoding modes: MASM, Ideal, HLA and AT&T.

FIGURE 5.7: Output of Memory map of tini.exe (address, size, owner, section, contents, type and access of each region, including the tini .text, .rdata and .data sections)

12. Click View from the menu bar, and then click Threads (Alt+T).
13. The output of Threads is shown in the following figure.



FIGURE 5.8: Output of threads
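The CPU listing in Figure 5.3 shows the entry routine of tini.exe calling WSOCK32 exports by ordinal (#115, #23 and #2) after a series of PUSHes. As an added example (not code from the lab manual or from OllyDbg), the following Python script parses OllyDbg-style listing lines, resolves those ordinals to their Winsock names, rebuilds the stdcall argument lists from the preceding PUSH instructions, and reads the port written into the sockaddr_in that is handed to bind(); the sample listing is constructed (addresses and opcode bytes are illustrative), and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format of OllyDbg's CPU window, modelled on
# the tini.exe listing in Figure 5.3. Addresses and opcode bytes are
# illustrative, not a byte-exact copy of the figure.
SAMPLE_LISTING = """\
00401000  68 14304000             PUSH OFFSET tini.00403014
00401005  68 01010000             PUSH 101
0040100A  E8 B7020000             CALL <JMP.&WSOCK32.#115>
0040100F  6A 06                   PUSH 6
00401011  6A 01                   PUSH 1
00401013  6A 02                   PUSH 2
00401015  E8 D0020000             CALL <JMP.&WSOCK32.#23>
0040101A  A3 02314000             MOV DWORD PTR DS:[403102],EAX
0040101F  66:C705 06314000 0200   MOV WORD PTR DS:[403106],2
00401028  C705 0A314000 00000000  MOV DWORD PTR DS:[40310A],0
00401032  66:C705 08314000 1E61   MOV WORD PTR DS:[403108],611E
0040103B  6A 10                   PUSH 10
0040103D  68 06304000             PUSH OFFSET tini.00403106
00401042  FF35 02314000           PUSH DWORD PTR DS:[403102]
00401048  E8 85020000             CALL <JMP.&WSOCK32.#2>
"""

# Winsock export ordinals shared by wsock32.dll and ws2_32.dll (subset).
WINSOCK_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 13: "listen",
    16: "recv", 19: "send", 23: "socket", 115: "WSAStartup", 116: "WSACleanup",
}
WINSOCK_DLLS = {"WSOCK32", "WS2_32"}

CALL_RE = re.compile(r"CALL <JMP\.&(\w+)\.#(\d+)>")
PUSH_RE = re.compile(r"PUSH (?:OFFSET \S+|DWORD PTR \S+|([0-9A-F]+))$")
MOV_WORD_RE = re.compile(r"MOV WORD PTR DS:\[([0-9A-F]+)\],([0-9A-F]+)$")

Instr = Tuple[str, str]  # (address, instruction text)


def parse_listing(text: str) -> List[Instr]:
    """Split listing lines (address, opcode bytes, instruction) into (address, instruction)."""
    instrs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(fields) != 3:
            raise ValueError(f"unexpected listing line: {line!r}")
        instrs.append((fields[0], fields[2]))
    return instrs


def recover_api_calls(instrs: List[Instr]) -> List[Dict]:
    """Resolve ordinal CALLs to Winsock names and rebuild their stdcall argument lists.

    Arguments are pushed right-to-left, so the PUSHes collected since the previous
    CALL are reversed to read left-to-right. OllyDbg prints immediates in hex;
    pointer pushes keep their operand text.
    """
    calls, pending = [], []
    for addr, instr in instrs:
        m = CALL_RE.match(instr)
        if m:
            dll, ordinal = m.group(1).upper(), int(m.group(2))
            if dll in WINSOCK_DLLS:
                name = WINSOCK_ORDINALS.get(ordinal, f"#{ordinal}")
            else:
                name = f"{dll}.#{ordinal}"
            calls.append({"addr": addr, "api": name, "args": list(reversed(pending))})
            pending = []
            continue
        m = PUSH_RE.match(instr)
        if m:
            pending.append(int(m.group(1), 16) if m.group(1) else instr[len("PUSH "):])
    return calls


def recover_bind_port(instrs: List[Instr], calls: List[Dict]) -> Optional[int]:
    """Read the sin_port field of the sockaddr_in passed to bind().

    The word is written with a little-endian MOV, but sin_port is stored in
    network byte order, so the two bytes are swapped to get the host-order port.
    """
    for call in calls:
        if call["api"] != "bind" or len(call["args"]) != 3:
            continue
        m = re.search(r"OFFSET \w+\.([0-9A-F]+)", str(call["args"][1]))
        if not m:
            continue
        port_addr = int(m.group(1), 16) + 2  # sin_family is 2 bytes; sin_port follows
        for _addr, instr in instrs:
            w = MOV_WORD_RE.match(instr)
            if w and int(w.group(1), 16) == port_addr:
                value = int(w.group(2), 16)
                return ((value & 0xFF) << 8) | (value >> 8)
    return None


def triage(text: str) -> Dict:
    """Summarise what the listing tells a reviewer: resolved APIs, arguments, bound port."""
    instrs = parse_listing(text)
    calls = recover_api_calls(instrs)
    apis = [c["api"] for c in calls]
    return {
        "apis": apis,
        "calls": calls,
        "bind_port": recover_bind_port(instrs, calls),
        "sets_up_listener": {"socket", "bind"} <= set(apis),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for call in summary["calls"]:
        print(call["addr"], call["api"], call["args"])
    print("bind port:", summary["bind_port"])
```

For the sample, the calls resolve to WSAStartup(0x101, &wsadata), socket(2, 1, 6), i.e. AF_INET/SOCK_STREAM/IPPROTO_TCP, and bind(sock, &sockaddr, 16) with the port word 611E reading as 7777, which is the kind of listener set-up a reviewer should look for when a sample imports Winsock by ordinal.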

Lab Analysis
Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OllyDbg
Information Collected/Objectives Achieved: Result: CPU - main thread, Log data, Executable modules, Memory map, Threads


Questions
1. Using the final report, analyze the processes affected by the virus files.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs


Creating a Worm Using Internet Worm Maker Thing
Internet Worm Maker Thing is a tool to create worms. It also has a feature to convert a virus into a worm.

Lab Scenario
In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We must build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks. Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior: whether they are detected by an antivirus and whether they bypass the firewall.


Lab Objectives
The objective of this lab is to make students learn and understand how to make viruses and worms.

Lab Environment
To carry out the lab, you need:
- Internet Worm Maker Thing, located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Worms Maker\Internet Worm Maker Thing\Generator.exe


- A computer running Windows Server 2012 as host machine
- Run this tool on Windows Server 2012
- Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of Virus and Worms
A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Lab Tasks
TASK 1: Make a Worm
1. Launch the Internet Worm Maker Thing tool. Installation is not required for Internet Worm Maker Thing. Double-click and launch the Generator.exe file.
2. The Internet Worm Maker Thing window appears.

Note: Take a snapshot of the virtual machine before launching the Internet Worm Maker Thing tool.

FIGURE 6.1: Internet Worm Maker Thing main window

The option Auto Startup is always checked by default and starts the virus whenever the system boots.

3. Enter a Worm Name, Author, Version, Message, and Output Path for the created worm.
4. Check the Compile to EXE support check box.
5. In Startup, select English Startup.


FIGURE 6.2: Select the options for creating worm

A list of names for the virus after install is shown in the Name after Install drop-down list.

6. Select the Activate Payloads on Date radio button, and for Chance of activating payloads, enter 5.
7. Check the Hide All Drives, Disable Task Manager, Disable Keyboard, Disable Mouse, and Message Box check boxes.
8. Enter Title and Message, select Icon as Information from the drop-down list, and check Change Reg Owner.
9. Check the Disable Regedit and Disable Explorer.exe check boxes.


FIGURE 6.3: Select the option for creating worm

10. Check the Change Homepage check box. In the URL field, enter http://www.powrgym.com.
11. Check the Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run Command, Disable Shutdown, Disable Logoff, Disable Windows Updates, No Search Command, Swap Mouse Buttons, and Open Webpage check boxes.
12. Check the Change IE Title Bar, Change Win Media Player Txt, Open Cd Drives, and Lock Workstation check boxes.

Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.


FIGURE 6.4: Select the option for creating worm

13. Check the Print Message, Disable System Restore, and Change NOD32 Text check boxes.
14. Enter a Title and Message in the respective fields.
15. Enter the URL as http://www.powrgym.com and the Sender Name as juggyboy.
16. Check the Mute Speakers, Delete a Folder, Change Wallpaper, and CPU Monster check boxes.
17. Select the Change Time check box and enter hour and min in the respective fields.

FIGURE 6.5: Select the option for creating worm

18. Check the Change Date check box, and enter the DD, MM, YY in the respective fields.
19. Check the Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, and Change Computer Name check boxes.
20. Check the Change Drive Icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites check boxes.


FIGURE 6.6: Select the option for creating worm

21. Check the Exploit Windows Admin Lockout Bug and Blue Screen of Death check boxes.
22. Check the Infect Bat Files check box from Infection Options.
23. Check the Hide Virus Files check box from Extras.
24. Click Generate Worm in Control Panel.


FIGURE 6.7: Select the option for creating worm


25. The worm is successfully created. The following window appears. Click OK.

Information!
Your new worm.vbs has been made!
OK

26. The created worm.vbs file is located at the C: drive.
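Once worm.vbs has run on the snapshot VM, a defender's way to see which of the options selected above actually took effect is to export the registry and audit it for the settings they change. The following is an added example, not code from the lab manual or the tool; the option-to-registry-value mapping is an assumption about the standard Windows policy locations such payloads modify, and the embedded .reg text is a constructed sample.

```python
"""Audit a Windows .reg export for tamper settings a worm built with this lab's options leaves behind."""
import re

# Assumed mapping (added example, not from the lab or the tool): the standard Windows policy
# values such payloads normally modify; the lab does not state which keys the tool writes.
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
INDICATORS = {
    (POL + r"\System", "DisableTaskMgr"): "Disable Task Manager",
    (POL + r"\System", "DisableRegistryTools"): "Disable Regedit",
    (POL + r"\Explorer", "NoRun"): "Disable Run command",
    (POL + r"\Explorer", "NoClose"): "Disable shutdown",
    (POL + r"\Explorer", "NoDrives"): "Hide all drives",
    (IE, "Start Page"): "Change Homepage",
    (r"HKEY_CURRENT_USER\Control Panel\Mouse", "SwapMouseButtons"): "Swap Mouse Buttons",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "Name"=data lines of a .reg file

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; dword -> int, strings unescaped."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):  # [HKEY_...] key header
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # hex(...) continuation lines and junk are ignored
        name, data = m.groups()
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data  # other types (hex, expand strings) kept verbatim
        keys[current][name] = value
    return keys

def audit(text):
    """Return (lab option, key, value name, value) for each indicator that is set.
    Policy DWORDs count only when non-zero; REG_SZ "0" (e.g. SwapMouseButtons) is off."""
    reg = {k.lower(): v for k, v in parse_reg(text).items()}  # key paths are case-insensitive
    findings = []
    for (key, name), option in INDICATORS.items():
        value = reg.get(key.lower(), {}).get(name)
        if value in (None, 0, "0"):
            continue
        findings.append((option, key, name, value))
    return findings

# Constructed sample export (not a real capture) with a few of the lab's options applied.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.powrgym.com"
"""
```

A real `reg export HKCU hkcu.reg` file is UTF-16; read it with `open(path, encoding="utf-16")` and pass the text to `audit()`.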

Lab Analysis
Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Internet Worm Maker Thing

Information Collected/Objectives Achieved: To make worms, the following options are used: Hide all drives, Disable Task Manager, Disable keyboard, Disable mouse, Message box, Disable Regedit, Disable Explorer.exe, Change Reg Owner, Change HomePage, Disable Windows security, Disable Norton security, Disable Run command, Disable shutdown


Questions
1. Examine whether the created worms are detected or blocked by any antivirus or antispyware programs.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
