Sunday, December 13, 2009

How to tell if an unknown file is a legitimate or a malware file

This article is intended mainly for HJT helpers and trainees. Prior knowledge of, and experience with, the Windows OS is required. None of the steps below is 100% accurate on its own; you will need to work through several of the steps in this guide, in order, before you can reach a confident conclusion.



Step 1. There are four rules of thumb by which you can tell within seconds that an unknown file is a malware file:

1) The name of the file or folder is randomly generated or makes absolutely no sense. Files of this type typically return zero results in search engines.

Ex: c:\p0sdn8flqy.exe

2) The malware uses a name similar to that of a legitimate file (commonly a Windows file) in the same folder.

Ex: legitimate = c:\windows\system32\lsass.exe

malware = c:\windows\system32\lsasss.exe

3) The malware uses the exact name of a legitimate file, commonly a Windows file, but in a different folder.

Ex: legitimate = C:\windows\explorer.exe

malware = c:\windows\system32\explorer.exe

4) The malware uses a name of a kind that is commonly used only by malware, e.g. startup file names containing controversial words, the names of celebrities, non-alphanumeric characters, or whitespace. Judge the file name itself rather than the whole path: folder names such as Program Files legitimately contain spaces.

Ex: c:\windows\system32\crack.dll
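The four rules above can be turned into a quick first-pass check that a helper runs over a list of paths lifted from an HJT log. The script below is an added example for this article, not code from the original post or from HijackThis: the whitelist of Windows binaries, the list of suspicious words and the thresholds in the "random name" heuristic are constructed for illustration and would need to be much larger and better tuned in real use. As the article says, a path that trips none of the rules is not thereby proven legitimate.

```python
import math
import re

# Constructed lookup of well-known Windows binaries and the one folder each
# legitimately lives in. Illustrative only; a real helper would use a much
# larger list (and account for the SysWOW64 copies on 64-bit Windows).
KNOWN_WINDOWS_FILES = {
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed list of words that essentially only turn up in malware names.
SUSPICIOUS_WORDS = ("crack", "keygen", "warez")


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches lsass.exe vs lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Rule 1 heuristic: long, vowel-poor, high-entropy stems look generated.

    The thresholds are assumptions chosen for this example, not values from
    the article; real names such as rundll32 or winlogon fall below them.
    """
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    counts = {c: stem.count(c) for c in set(stem)}
    entropy = -sum(n / len(stem) * math.log2(n / len(stem)) for n in counts.values())
    return vowel_ratio < 0.2 and entropy >= 3.0


def classify(path):
    """Apply the four rules of thumb to one full path.

    Returns a list of (rule_number, reason) tuples. An empty list means no
    rule fired, which is not proof that the file is legitimate.
    """
    path = path.lower().replace("/", "\\")
    folder, _, name = path.rpartition("\\")
    stem = name.rpartition(".")[0] or name
    findings = []

    # Rule 1: randomly generated name.
    if looks_random(stem):
        findings.append((1, "name looks randomly generated"))

    # Rule 3: exact name of a known Windows file in the wrong folder.
    # Rule 2: one character away from a known Windows file in its own folder.
    for known, known_dir in KNOWN_WINDOWS_FILES.items():
        if name == known and folder != known_dir:
            findings.append((3, f"{known} normally lives in {known_dir}"))
        elif name != known and folder == known_dir and edit_distance(name, known) == 1:
            findings.append((2, f"one character away from {known} in the same folder"))

    # Rule 4: words used almost only by malware, or whitespace / odd characters
    # in the file name itself (folders such as "Program Files" legitimately
    # contain spaces, so only the name is checked).
    if any(word in stem for word in SUSPICIOUS_WORDS):
        findings.append((4, "contains a word used almost only by malware"))
    if re.search(r"[^a-z0-9._\-]", name):
        findings.append((4, "whitespace or non-alphanumeric characters in the name"))

    return findings


if __name__ == "__main__":
    # Constructed sample paths, including the article's own examples.
    for p in (r"c:\p0sdn8flqy.exe", r"c:\windows\system32\lsasss.exe",
              r"c:\windows\system32\explorer.exe", r"c:\windows\system32\crack.dll",
              r"c:\windows\system32\lsass.exe", r"c:\windows\explorer.exe"):
        print(p, "->", classify(p) or "no rule fired")
```

Rule 2 is implemented as an edit distance of exactly one against a known file in the same folder, which catches the added, dropped or swapped letter the article describes; rule 3 is the inverse lookup, a name that matches the whitelist but a folder that does not. The script deliberately reports every rule that fires rather than stopping at the first, since a name like "svchost .exe" in system32 trips both rule 2 and rule 4 and the helper wants to see both.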

Step 2.