Jun 23 2006 06:08PM
als hush com
I recently came across a suspicious binary (.SCR) file in a
compromised system. As I started to analyse it by running a
'strings' against it I noticed there was very little readable text
in it, but the first line caught my attention: PECompact2.
I did some research and it seems this indicates the binary is
somehow compressed/obfuscated by using some sort of PE compression
tool (probably http://www.bitsum.com/pec2.asp).
Now I would like to unpack the executable to carry on with the
analysis. From what I could understand this would only be possible
by running it in a test win32 system, probably using a disassembly
tool, since it only "unpacks" itself when being executed. Is that
correct? Would there be some other way of doing so, perhaps using
some sort of decompression tool? I was not able to find any so far.
Thanks for any help.
Copyright 2010, SecurityFocus