virus analysis Jan 15 2011 01:38AM
renzuwolf (renzuwolf gmail com)




I caught a virus named kido.ih, and I want to do some analysis, but when I set a breakpoint at CreateThread's third parameter (00877789) it does not stop at the thread function address and goes on in the main thread. Why does this happen?

00877B84  /74 1C            je short 00877BA2
00877B86  |8D45 F4          lea eax,dword ptr ss:[ebp-C]
00877B89  |50               push eax
00877B8A  |53               push ebx
00877B8B  |53               push ebx
00877B8C  |68 89778700      push 877789
00877B91  |53               push ebx
00877B92  |53               push ebx
00877B93  |FF15 F8108700    call dword ptr ds:[8710F8]        ; kernel32.CreateThread
00877B99  |50               push eax
00877B9A  |FF15 BC108700    call dword ptr ds:[8710BC]        ; kernel32.CloseHandle
00877BA0  |EB 14            jmp short 00877BB6
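In the listing above the six pushes before the call are CreateThread's arguments in reverse (stdcall) order, so push 877789 is lpStartAddress and the lea/push eax pair supplies lpThreadId. The script below is an added example, not code from the post: it parses the OllyDbg listing, recovers that argument mapping, and reports two things worth checking before blaming the debugger. First, the je at 00877B84 targets 00877BA2, past the call, so on that path no thread is ever created. Second, dwCreationFlags is pushed from ebx, whose value is not visible in the snippet, so CREATE_SUSPENDED (0x4) cannot be ruled out from these lines alone. The listing is embedded as a constructed sample, the register tracking is a simple heuristic, and the value of ebx is treated as unknown.

```python
import re

# The OllyDbg listing from the post, embedded here as a constructed sample input.
LISTING = """
00877B84 /74 1C je short 00877BA2
00877B86 |8D45 F4 lea eax,dword ptr ss:[ebp-C]
00877B89 |50 push eax
00877B8A |53 push ebx
00877B8B |53 push ebx
00877B8C |68 89778700 push 877789
00877B91 |53 push ebx
00877B92 |53 push ebx
00877B93 |FF15 F8108700 call dword ptr ds:[8710F8] ; kernel32.CreateThread
00877B99 |50 push eax
00877B9A |FF15 BC108700 call dword ptr ds:[8710BC] ; kernel32.CloseHandle
00877BA0 |EB 14 jmp short 00877BB6
"""

# CreateThread parameters in declaration order; stdcall pushes them right to left.
CREATETHREAD_PARAMS = ["lpThreadAttributes", "dwStackSize", "lpStartAddress",
                       "lpParameter", "dwCreationFlags", "lpThreadId"]
CREATE_SUSPENDED = 0x4

HEX_BYTES = re.compile(r"^(?:[0-9A-F]{2})+$")   # opcode bytes: uppercase hex groups
IMMEDIATE = re.compile(r"^[0-9A-Fa-f]+$")       # OllyDbg prints immediates as bare hex


def parse_listing(text):
    """Split OllyDbg lines into addr/mnemonic/operands/comment. Opcode bytes are
    uppercase hex and mnemonics lowercase, so the first non-hex token is the mnemonic."""
    insns = []
    for raw in text.strip().splitlines():
        line, _, comment = raw.partition(";")
        tokens = line.split()
        if not tokens:
            continue
        tokens[1] = tokens[1].lstrip("/|\\")  # OllyDbg's jump-arrow glyphs
        if not tokens[1]:
            del tokens[1]
        i = 1
        while i < len(tokens) and HEX_BYTES.match(tokens[i]):
            i += 1
        insns.append({"addr": int(tokens[0], 16), "mnemonic": tokens[i].lower(),
                      "operands": " ".join(tokens[i + 1:]), "comment": comment.strip()})
    return insns


def find_call(insns, api):
    """Index of the first call whose comment resolves to the named API."""
    for i, ins in enumerate(insns):
        if ins["mnemonic"] == "call" and ins["comment"].endswith("." + api):
            return i
    raise ValueError("no call to " + api)


def last_writer(insns, before, reg):
    """Last instruction before index `before` whose destination operand is `reg`."""
    for ins in reversed(insns[:before]):
        if ins["mnemonic"] in ("mov", "lea", "xor", "pop", "sub") and \
           ins["operands"].split(",")[0].strip() == reg:
            return ins
    return None


def decode_stdcall_args(insns, call_index, params):
    """Map the pushes before a stdcall call to parameter names: the push nearest the
    call is the first parameter. Immediates become ints; registers are resolved to
    their last visible writer or flagged when that writer is outside the listing."""
    args, i = {}, call_index - 1
    for name in params:
        while i >= 0 and insns[i]["mnemonic"] != "push":
            i -= 1
        if i < 0:
            raise ValueError("not enough pushes for " + name)
        op = insns[i]["operands"]
        if IMMEDIATE.match(op):
            args[name] = int(op, 16)
        else:
            w = last_writer(insns, i, op)
            args[name] = "%s <- %s %s" % (op, w["mnemonic"], w["operands"]) if w \
                else "%s (set outside this listing)" % op
        i -= 1
    return args


def branches_skipping(insns, call_index):
    """Conditional jumps before the call whose target lies past it: on those paths
    the call never runs, so a breakpoint on the thread start never fires."""
    call_addr = insns[call_index]["addr"]
    out = []
    for ins in insns[:call_index]:
        m = ins["mnemonic"]
        if m.startswith("j") and m != "jmp":
            target = int(ins["operands"].split()[-1], 16)
            if target > call_addr:
                out.append((ins["addr"], m, target))
    return out


def analyze_create_thread(text):
    insns = parse_listing(text)
    ci = find_call(insns, "CreateThread")
    args = decode_stdcall_args(insns, ci, CREATETHREAD_PARAMS)
    flags = args["dwCreationFlags"]
    # CREATE_SUSPENDED can only be ruled out when the flags are a visible immediate.
    suspended = not isinstance(flags, int) or bool(flags & CREATE_SUSPENDED)
    return {"args": args, "skipping_branches": branches_skipping(insns, ci),
            "may_be_suspended": suspended}


if __name__ == "__main__":
    result = analyze_create_thread(LISTING)
    for name, value in result["args"].items():
        print("%-20s %s" % (name, hex(value) if isinstance(value, int) else value))
    for addr, mn, target in result["skipping_branches"]:
        print("note: %s at %08X jumps to %08X, past the CreateThread call" % (mn, addr, target))
    if result["may_be_suspended"]:
        print("note: dwCreationFlags not a visible immediate; CREATE_SUSPENDED not ruled out")
```

Run it as a script to print the recovered arguments and the two notes. To settle the question for a real session, scroll up in the debugger to see what ebx holds before the pushes and whether the je at 00877B84 is actually taken, and confirm that the breakpoint at 00877789 is a software breakpoint in the same process rather than one set on a stale or remapped copy of the module.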


