how to analyze a worm (Conficker.B)?


Please help, I would like to learn how to analyze a worm, particularly Conficker.B (I got a sample here). What are the steps? What tools are needed? I'm new here and have no experience analyzing a worm before. Thanks in advance!

Usually I use this approach:
The first step, IMHO, is to know which in-memory exe packer is used, if any. The second step is to understand how to obtain a dump of the in-memory unpacked binary and save it as a PE file (under Windows) with a correct IAT (import address table) and OEP (original entry point). From this point you can choose how to study the rest.
Keep in mind that this first step is valid for exe and dll. For a rootkit you have to install a kernel debugger and work with at least two machines. In the case of Conficker.B you can use a VMware configured to avoid its anti-debugging and anti-VMware detection.
I have dissected Conficker.E. If you are interested, check my blog.
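As an added illustration of the first step in the answer above (this is not code from the answer's author or from any tool they mention): a small PE32 header walker that reports which section holds the entry point and the byte entropy of each section, two of the signals an analyst checks to decide whether a sample is packed before attempting a memory dump. The PE image it analyzes is constructed inline with a UPX-style layout; it is not Conficker or any real binary.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code sits around 5-6.5, compressed/encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_pe(image: bytes) -> dict:
    """Walk a PE32 image: find the entry point's section and score each section for packing."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    entry_rva, = struct.unpack_from("<I", image, pe + 24 + 16)  # AddressOfEntryPoint
    sections, entry_section = [], None
    for i in range(nsections):
        off = pe + 24 + opt_size + 40 * i                   # section table entry
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        name = name.rstrip(b"\0").decode(errors="replace")
        ent = round(shannon_entropy(image[rawptr:rawptr + rawsize]), 2)
        holds_ep = vaddr <= entry_rva < vaddr + max(vsize, rawsize)
        if holds_ep:
            entry_section = name
        sections.append({"name": name, "vsize": vsize, "raw_size": rawsize,
                         "entropy": ent, "holds_entry": holds_ep})
    # Packer signals: entry point inside a high-entropy section (stub + compressed payload),
    # or a section with no file bytes but a virtual size (the unpack destination, e.g. UPX0).
    ep_hot = any(s["holds_entry"] and s["entropy"] > 7.0 for s in sections)
    empty_dest = any(s["raw_size"] == 0 and s["vsize"] > 0 for s in sections)
    return {"entry_rva": entry_rva, "entry_section": entry_section,
            "sections": sections, "likely_packed": ep_hot or empty_dest}

def build_sample_pe() -> bytes:
    """Constructed PE32 image with a UPX-style layout (not Conficker or any real file)."""
    payload = bytes(range(256)) * 4                       # uniform bytes -> entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(payload), 0, 0, 0x2010, 0x2000, 0x1000)
    opt += b"\0" * (224 - len(opt))
    sec = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0x200, 0, 0, 0, 0, 0xE0000080)
    sec += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, len(payload), 0x200, 0, 0, 0, 0, 0xE0000040)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + payload      # raw section data starts at 0x200
```

Running `analyze_pe(build_sample_pe())` reports the entry point in UPX1 at entropy 8.0 and an empty UPX0 destination, so `likely_packed` is true; on a real sample the same output tells you which section to watch for the unpacked code before taking the dump.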