
Zero Wine Malware Analysis Tool

Code

Programming Languages: Unix Shell, Python

License: GNU General Public License (GPL)

Repositories

svn co https://zerowine.svn.sourceforge.net/svnroot/zerowine zerowine


What's happening?

  • Followup: RE: Welcome to Open Discussion

    Hi, I can't find the sample anywhere. Can you send it to me privately (compress it with a password)?

    2009-01-29 18:57:11 UTC by joseanpiti

  • Followup: RE: Welcome to Open Discussion

    Yes, the ${md5}.exe, like 1ed50972cdba7bda1d4a4655977e1072.exe.

    2009-01-29 18:48:42 UTC by mboman

  • Followup: RE: Welcome to Open Discussion

    Hi mboman, sorry for the late response. What is the malware you're analyzing? What is the md5? And, of course, the operating system doesn't matter at all.

    2009-01-29 18:45:01 UTC by joseanpiti

  • Followup: RE: Welcome to Open Discussion

    Nice. Thanks for the great work. When I try to analyze some of my samples in the 0.02 QEMU image I don't get any sort of useful results at all. Not even PE information comes out right. I am running it under Windows, but as it is a virtual machine it shouldn't make any difference, right?

    2009-01-26 18:57:25 UTC by mboman

  • Followup: RE: Welcome to Open Discussion

    Hi @mboman, I'm adding new debug channel(s) for Wine by patching the source code of the DLLs (and fixing some "potential" security problems...) and the results are very good. For example, the following is an extract of one report created with the new ultra-alpha version of Zero Wine analyzing some Chinese malware: 0009:humanmalware:Running...

    2009-01-26 13:20:32 UTC by joseanpiti

  • Followup: RE: Welcome to Open Discussion

    To begin with we can just turn on WINEDEBUGLEVEL and grep for "interesting" system calls... Not as nice as commercial sandboxes, but hey: can't beat the price...

    2009-01-26 13:12:20 UTC by mboman
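The two posts above describe the same idea from both sides: raw Wine debug output (WINEDEBUG relay traces, plus the custom "tid:channel:message" lines of the patched DLLs) is grepped for "interesting" system calls and turned into a report. The following is an added example of that post-processing step, written for this page and not part of the Zero Wine project. It assumes the `tid:Call MODULE.func(args) ret=addr` shape of Wine's `+relay` channel and the `tid:channel:message` shape quoted in the thread; the trace lines, the API category table and the file/registry names in them are constructed for the example.

```python
"""Parse Wine debug output and flag security-relevant API calls.

Added example, not Zero Wine's own code. Line formats are assumptions:
WINEDEBUG=+relay "Call" lines ("tid:Call MOD.func(args) ret=addr") and
the custom "tid:channel:message" lines quoted in the discussion thread.
"""
import re
from collections import Counter

# Constructed sample trace for this example (not real captured output).
SAMPLE_TRACE = [
    '0009:Call KERNEL32.GetModuleHandleA(00000000) ret=00401020',
    '0009:Ret  KERNEL32.GetModuleHandleA() retval=00400000 ret=00401020',
    r'0009:Call KERNEL32.CreateFileA(0040a000 "C:\\windows\\system32\\drivers\\etc\\hosts",40000000,00000000,00000000,00000003,00000080,00000000) ret=00401080',
    r'0009:Call ADVAPI32.RegSetValueExA(00000084,0040a100 "Updater",00000000,00000001,0040a200 "C:\\evil.exe",0000000b) ret=004010c0',
    '0009:Call WS2_32.connect(00000088,0032fd40,00000010) ret=00401100',
    '0009:Call KERNEL32.WriteProcessMemory(000000a0,00400000,0032fe00,00000200,00000000) ret=00401140',
    '0009:humanmalware:Running...',
]

# API names an analyst wants highlighted, grouped by behaviour (extend as needed).
INTERESTING = {
    "file":     {"CreateFileA", "CreateFileW", "WriteFile", "DeleteFileA", "DeleteFileW", "CopyFileA", "CopyFileW"},
    "registry": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "network":  {"connect", "send", "recv", "InternetOpenUrlA", "InternetOpenUrlW", "URLDownloadToFileA"},
    "process":  {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx", "OpenProcess", "CreateProcessA", "CreateProcessW"},
}
CATEGORY_OF = {fn: cat for cat, fns in INTERESTING.items() for fn in fns}

RELAY_CALL = re.compile(
    r'^(?P<tid>[0-9a-f]{4}):Call (?P<mod>[A-Za-z0-9_]+)\.(?P<func>\w+)\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]+)$')
CHANNEL_LINE = re.compile(r'^(?P<tid>[0-9a-f]{4}):(?P<chan>[a-z][a-z0-9_]*):(?P<msg>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # C-style quoted string argument


def parse_line(line):
    """Return a dict for one trace line, or None for lines we ignore
    (e.g. relay 'Ret' lines and unrelated debug output)."""
    m = RELAY_CALL.match(line)
    if m:
        func = m.group("func")
        return {
            "kind": "call",
            "tid": m.group("tid"),
            "module": m.group("mod"),
            "func": func,
            # String arguments are the useful part of a report: paths,
            # registry value names, URLs. Undo the relay's "\\" escaping.
            "strings": [s.replace("\\\\", "\\") for s in QUOTED.findall(m.group("args"))],
            "category": CATEGORY_OF.get(func),
            "ret": m.group("ret"),
        }
    m = CHANNEL_LINE.match(line)
    if m:
        return {"kind": "channel", "tid": m.group("tid"),
                "channel": m.group("chan"), "message": m.group("msg")}
    return None


def build_report(lines):
    """Summarise a trace: interesting calls with their string arguments,
    custom-channel messages, and per-category counts."""
    calls, channel_msgs, counts = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "channel":
            channel_msgs.append(rec)
        elif rec["category"]:
            calls.append(rec)
            counts[rec["category"]] += 1
    return {"interesting": calls, "channel": channel_msgs, "counts": dict(counts)}


def format_report(report):
    """Render the summary in a sandbox-report style, one bullet per finding."""
    out = ["[ Interesting API calls ]"]
    for c in report["interesting"]:
        args = ", ".join(c["strings"]) or "-"
        out.append(f"* {c['category']:8} {c['module']}.{c['func']}({args})")
    out.append("[ Debug channel messages ]")
    for m in report["channel"]:
        out.append(f"* {m['channel']}: {m['message']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_TRACE)))
```

Feed it a real capture with `WINEDEBUG=+relay wine sample.exe 2> trace.log` and `build_report(open("trace.log"))`; the category table is where the analyst's judgement goes, and the string arguments are what make a report readable compared with raw relay output.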

  • Followup: RE: Welcome to Open Discussion

    I'm currently hacking the Wine source code to make greater reports so, yes, I'm working on this feature. I think that I will release a new version in about a month or so. At least I hope to do so.

    2009-01-26 13:09:22 UTC by joseanpiti

  • Followup: RE: Welcome to Open Discussion

    Such as below (borrowed from the Norman Sandbox Analyzer page):

    D:VIRUSMYTEST.EX_ : W32/Backdoor ====> Sandbox output:
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * Display message box (sample) : sample, te amo!.
    * Display message box (KERN32) : KERN32, te amo!.
    * File length: 58368 bytes.

    2009-01-26 12:11:07 UTC by lolcaek

  • Followup: RE: Welcome to Open Discussion

    Interesting tool, any way to make the results more clear? Current results are somewhat cryptic.

    2009-01-26 12:02:38 UTC by lolcaek

  • Followup: RE: Unable to extract zerowine.img - file corrupt

    Works perfectly! Little howto for Windows XP:
    * download qemu from http://homepage3.nifty.com/takeda-toshiya/qemu/index.html
    * extract the archive to your desktop (or wherever you'd like)
    * download zerowine (verify using the downloadable md5)
    * copy the .img file to the extracted qemu folder
    * create a batch file with the following:
    --cut below--
    REM Start qemu on windows.
    @ECHO...

    2009-01-26 12:00:32 UTC by lolcaek