<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>'help with 16-bit Malware analysis! FBI moneypak' Thread RSS Feed</title>
    <link>http://www.programmersheaven.com/</link>
    <description>Contains the latest posts from the thread 'help with 16-bit Malware analysis! FBI moneypak' posted on the 'General programming' forum at Programmer's Heaven.</description>
    <language>en</language>
    <copyright>Copyright 2013 Programmers Heaven</copyright>
    <pubDate>Wed, 19 Jun 2013 07:51:26 -0700</pubDate>
    <lastBuildDate>Wed, 19 Jun 2013 07:51:26 -0700</lastBuildDate>
    <generator>Argotic Syndication Framework 2007.3.0.1, http://www.codeplex.com/Argotic</generator>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <ttl>360</ttl>
    <image>
      <url>http://www.programmersheaven.com/images/ph.gif</url>
      <title>Programmers Heaven</title>
      <link>http://www.programmersheaven.com/</link>
      <width>88</width>
      <height>31</height>
    </image>
    <item>
      <title>help with 16-bit Malware analysis! FBI moneypak</title>
      <link>http://www.programmersheaven.com/mb/general/429695/429695/help-with-16-bit-malware-analysis-fbi-moneypak/</link>
      <description>Hello,&lt;br /&gt;
I am a student going for my BS in Network Engineering, and recently at my job I have been getting into malware analysis. Last week I managed to obtain a sample of the recent FBI moneypak virus that has been going around. It was in .exe format, so I figured it would be simple to run it through PEview to see what's up and then a debugger like OllyDbg to look under the hood.&lt;br /&gt;
&lt;br /&gt;
Unfortunately the .exe is a 16-bit DOS executable, I think. When I first opened it with PEview, it only displayed the message "This program cannot be run in DOS mode". So I thought that it must be a packed 32-bit app somehow. But then I tried to run it through OllyDbg, and after about 20 minutes I realized I was looking at NTVDM.exe and something called kernelba (I think it's actually kernelbase, but for some reason OllyDbg only showed kernelba), not the actual program.&lt;br /&gt;
&lt;br /&gt;
Then I tried a short dynamic analysis to see what ran, and sure enough NTVDM.exe ran. I didn't see anything else, so I wiped the computer and started over.&lt;br /&gt;
&lt;br /&gt;
So now I know I have a 16-bit DOS exe that I need to debug, and I am looking for a debugger program. I heard that the IDA trial won't let me debug 16-bit, and I have no clue what command I use to load this file into GRDB or even debug.exe.&lt;br /&gt;
&lt;br /&gt;
Do any of you guys know of a place that has GRDB or debug.exe tutorials? Or of a GUI 16-bit debugger?&lt;br /&gt;
&lt;br /&gt;
Thanks,&lt;br /&gt;
Imprive&lt;br /&gt;</description>
      <guid isPermaLink="true">http://www.programmersheaven.com/mb/general/429695/429695/help-with-16-bit-malware-analysis-fbi-moneypak/</guid>
      <pubDate>Wed, 03 Oct 2012 09:48:50 -0700</pubDate>
      <category>General programming</category>
    </item>
  </channel>
</rss>