▲ [HowTo] Scan files for keyloggers, trojans and other malware ▲
This is a small HowTo and collection of links / programs that can help you scan files for trojans and other malware. We have a lot of users here, and some of them try to distribute trojans and keyloggers. That is why it is very important to scan files and help the community and other members find these infected files and ban the users.
I'll show you some ways to scan those files.
#Content:
[-]Online Virus Scan
[-]Online Sandbox
[-]Own Sandbox
[-]End
[-]Online Virus Scan
The first step, before you execute an unsafe hack, is the virus scan.
Some useful websites are:
*hot*



The problem is that you can't be 100% sure that the file is clean. If the file is packed, or it's an unknown/self-coded trojan/keylogger, most scanners will have difficulty finding it.
The other problem is that the scanners also flag packed files. So if you pack your hack with Themida, UPX or other packers, online scanners may show it as a virus too. Those are false-positive results. Some DLL injectors are shown as suspicious files too.
Some examples for real trojans / keyloggers are scan results like these:
Quote:
BackDoor-AWQ.b!dk
Sober.F
Bagle.DR2
Some examples for false positives:
Quote:
Win32/MalPackedB.suspicious
W32/Packed_RLPack.O
Suspicious file
Trojan.Win32.Packer.RLPackV1.21 (v)
You see, it's not so easy to find out what's true. Some scanners show executables packed with a packer (RLPack) as Win32/Packed_RLPack or only as Suspicious file. But others say that's a trojan: Trojan.Win32.Packer.RLPackV1.21
The best way is to google the name. If you know that RLPack is only a packer and not a trojan, you can feel safer.
[-]Online Sandbox
The next step would be to analyze the file in a sandbox. There are a few online sandbox services like:
*hot*


*only flash/pdf/javascript*
Scanning files with a sandbox service is much safer. You submit your file, like with an online virus scanner. Then the file gets analyzed and you get the result. Some services give a text verdict like: File is malware/trojan or File is no malware/trojan.
But other scanners give you only the facts, such as what changes the file makes.
Keep in mind: a normal hack or patched bypass exe will never create files in your system folder or anything like that.
Here is a sample report for an infected file:

At the top you see a brief summary.
Autostart capabilities.
Creates files in the Windows system directory.
Performs File Modification and Destruction.
If you see this, you can be sure that's a trojan/keylogger/virus or whatever.
I know there is a lot of information, and most of you don't understand that information. But with time you will learn it.
[-]Own Sandbox
Another way is to create your own sandbox. The best way to do that is to install VMware and a virtual system.
Emulators:
Then you need some analysis tools. Here is a short list of very useful tools:
There are some debuggers, disassemblers, hex editors, network analyzers and other useful tools.
You should read the readme of these tools and learn to use them.
[-]End
I hope I could help you a little bit.
And one thing: it's very useful for other members if you post the scan results in the post. It's enough if one person does that. Then other people can take a look at the results and maybe see something that you didn't see, and can help to figure out whether it's malware or not. So if you don't understand the whole Anubis scan result, post it and other people can figure it out.
best regards
Adroxxx
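
The detection-name comparison from the Online Virus Scan section, as an added example that is not part of the original post: it sorts each scanner's detection name into "packer", "generic" or "family" so that a set of results like the RLPack ones is not mistaken for a confirmed trojan. The scanner names, the function names and the list of generic wording are assumptions; the detection names are the ones quoted in the post.

```python
# Added example: triage of scanner detection names (not from the original post).
# Packer names are taken from the post; the generic-wording list is an assumption.
PACKERS = ("rlpack", "themida", "upx")
GENERIC = ("suspicious", "packed", "packer", "heur", "generic")


def classify(label):
    """Say what one detection name actually claims: packer, generic or family."""
    low = label.lower()
    if any(p in low for p in PACKERS):
        return "packer"    # names the packer, even behind a "Trojan." prefix
    if any(g in low for g in GENERIC):
        return "generic"   # heuristic wording, no malware family named
    return "family"        # looks like a concrete family name: search for it


def triage(results):
    """results maps scanner name -> detection name, or None for no detection."""
    hits = {s: l for s, l in results.items() if l}
    kinds = {s: classify(l) for s, l in hits.items()}
    families = sorted(l for s, l in hits.items() if kinds[s] == "family")
    if not hits:
        verdict = "no detections: not proof the file is clean"
    elif families:
        verdict = "named family reported: treat as malicious"
    else:
        verdict = "only packer/heuristic names: inconclusive, use a sandbox"
    return {"verdict": verdict, "kinds": kinds, "families": families}


# Constructed scan results: scanner names are placeholders, the detection
# names are the ones quoted in the post.
PACKED_HACK = {
    "ScannerA": "Win32/MalPackedB.suspicious",
    "ScannerB": "W32/Packed_RLPack.O",
    "ScannerC": "Suspicious file",
    "ScannerD": "Trojan.Win32.Packer.RLPackV1.21 (v)",
    "ScannerE": None,
}
INFECTED = {
    "ScannerA": "BackDoor-AWQ.b!dk",
    "ScannerB": "Suspicious file",
    "ScannerC": None,
}

if __name__ == "__main__":
    for name, sample in (("packed hack", PACKED_HACK), ("infected", INFECTED)):
        report = triage(sample)
        print(name, "->", report["verdict"], report["families"])
```

An "inconclusive" verdict only means the names point at the packer and not at a malware family; a packed file can still be malicious, so the sandbox step still applies.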






