Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Analyzing Suspicious Attachment

From: "Geoffrey Gowey" <gjgowey () gmail com>
Date: Thu, 17 Jan 2008 12:55:28 -0500
Invariably someone is going to mention VMware, but malware these days
are becoming vm aware.  You could try setting up another physical
machine on it's own network and then fire up regmon, filemon, and
wireshark to try to see what the program attempts to do when you run
it.

Geoff



On 1/17/08, Al Cooper <cooper () hmcnetworks com> wrote:

We had a user open a suspicious attachment.  The attachment did not open so
she sent it to two of her colleges.  One of her colleges was also unable to
open the file, but the third person did successfully open the file.  The
attachment did not match the original email and IT was eventually called, a
few hours later.  The three computer have been removed from the network.

I have the attachment.  It is a zip file.  Inside the zip file is one .scr
file.  The antivirus (Symantec) did not catch anything when the file was
opened.  The email is an HTML email and there are pictures that can be
downloaded.

Outside of the obvious policy and training issues, what is the best way to
determine what if any damage has been done to the network?  What tools do I
need to analysis the attachment to see what it is and how it works?

Thanks for your help,




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.





-- 
Kindest Regards,

Geoff
Previous By Date Next
Previous By Thread Next

Current thread: