win_klez So for this entry I'm doing something slightly different. I am going to compare two files which I think are variants of the same malware and post the results.
Another interesting thing to look at is the function graph comparison:
As you can see there is almost no difference visible. I conclude that these are two variants of the same malware.
a/v: http://firstname.lastname@example.org

md5sum:
  7cd593c06be52b070817ed66f898425c  W32.Klez-G
  a8f90273ebb4168f5affc678aa90909a  W32.Klez.gen@MM

sha1sum:
  33aa5372dbab152537df1e7b8d858d230476a25f  W32.Klez-G
  332ea7ae7d07bb3e760598c76994d5f2e9e13af5  W32.Klez.gen@MM

info:
  Dec 19 19:24  W32.Klez-G
  Dec 19 19:24  W32.Klez.gen@MM

bdiffm:
  01 W32.Klez-G       0x0001752c 0xb7f4d000
  02 W32.Klez.gen@MM  0x00015c3a 0xb7f32000
  Comparing 2 files.
      |  01    02
  ----+------------
   01 | 100%   83%
   02 |       100%

packerscan:
  Scanning -> C:\malware\klez\W32.Klez.gen@MM.exe
  File Type : Exe, Size : 89146 (015C3Ah) Bytes
  -> File has 7210 (01C2Ah) bytes of appended data starting at offset 014010h
  [!] File appears to have no protection or is using an unknown protection
  - Scan Took : 0.938 Seconds

  Scanning -> C:\malware\klez\W32.Klez-G.exe
  File Type : Exe, Size : 95532 (01752Ch) Bytes
  -> File has 13596 (0351Ch) bytes of appended data starting at offset 014010h
  [!] File appears to have no protection or is using an unknown protection
  - Scan Took : 0.953 Seconds

bindiff:
  Unmatched functions:
  4030d4  6  9  7  sub_4030D4
  40317d  6  9  7  sub_40317D
  404138  3  2  3  sub_404138
  404180  3  2  3  sub_404180

So there are very few unmatched functions between these two files.
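The hash listing and the "appended data" check that packerscan reports above can be reproduced with the Python standard library. This is an added example, not code from the post or from any of the tools it uses; it walks the PE section table to find where the last section's raw data ends, and anything past that point is the overlay. The sample binary it builds is a constructed minimal PE32, not a Klez file.

```python
import hashlib
import struct

def file_hashes(data: bytes) -> tuple:
    """md5/sha1 hex digests, the same identifiers listed for the two samples."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def pe_overlay(data: bytes) -> tuple:
    """Return (offset, size) of the overlay: bytes appended after the last
    section's raw data, which packerscan reports as 'appended data'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size        # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData at +16 and PointerToRawData at +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or end > len(data):
        raise ValueError("section table is inconsistent with the file size")
    return end, len(data) - end

def build_sample_pe(body: bytes, appended: bytes) -> bytes:
    """Constructed minimal one-section PE32 (a stand-in, not a Klez sample)."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40   # first byte after the section table
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr) + b"\0" * 16
    return mz + b"PE\0\0" + coff + opt + sect + body + appended

if __name__ == "__main__":
    for name, blob in (("variant-a", build_sample_pe(b"\x90" * 100, b"KLEZ" * 10)),
                       ("variant-b", build_sample_pe(b"\x90" * 100, b"KLEZ" * 20))):
        md5, sha1 = file_hashes(blob)
        off, size = pe_overlay(blob)
        print(f"{name}: md5={md5} sha1={sha1} overlay={size} bytes at 0x{off:06x}")
```

Two variants that share a code base but differ only in what is appended will report the same overlay offset with different overlay sizes, which is exactly the pattern packerscan shows for the two Klez files (both at 014010h).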