Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Little Malware Gallery

  • Please log in to reply
No replies to this topic

#1 Veitch


  • Members
  • 31 posts
  • Gender:Not Telling
  • Local time:10:03 AM

Posted 14 July 2014 - 06:09 AM

I am not sure, if this is even something for this forum, but I wrote a tool that visualizes Portable Executable files.

Here are some interesting ones.


Some explanation about the pictures: 


These are actually two pictures per file, one left and one right. The right side shows the structure of the file, which is determined by my PE parser. General: It has headers and sections. Sections are the grey scaled tones and often start with a dot in their name. Sections may contain resources, debug-information, exported and imported functions, and executable code. The entry point marks the start of execution, it is displayed as one red square.

The left side are kind of "xrays". The left displays the entropy, which is how much information is in there. If you had everything filled with one and the same byte (= no information content), you would get a black area. If you had random numbers in that area, it would be white, because repetition is unlikely. That also means, encrypted and compressed content is very bright.

An example is in the first picture, which displays an infected host file. The virus hides itself by encrypting its body and copying itself into the last section of the file. The last section there is .gdata (see legend to find it).
You can also see that the overlay (= appended data) and the .data section have almost no information content as the area is black. The .text section contains the executable code, you also see the red squared entry point there. Code has a high entropy, but not as much as encrypted or compressed data.



Salty is an entry-point obscuring (EPO) polymorphic file infector. Here you see an infected file. The encrypted virus body is in the last section (here .gdata, entropy is high, thus a light area for .gdata on the left). Apart from that it overwrites the host file's code with obscuring instructions.


Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99

VirusTotal Analysis: https://www.virustotal.com/en/file/07ac76fd7886072c06c4d55a1a18b932a56f1a3057f1c6877628812d73b35c96/analysis/

W32.Simile, also known as W32.Etap

W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed and remote drives that are mapped at the time that the virus is executed. The virus contains no destructive payload, but infected files may display messages on certain dates.


Zeus Trojan (one of the many out there)

Zeus (also known as Zbot, Kneber, PRG, NTOS, Wsnpoem and Gorhax) is a crimeware kit designed to steal banking information and credentials through various means. The Zeus trojan is spread ma all over.inly through drive-by downloads and phishing schemes.




For comparison here are two pictures of non-malicious files that didn't apply any protection like encryption/compression:




BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users