Difference between pages "Malware" and "Windows SuperFetch Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(See Also)
 
(MEMO file)
 
Line 1: Line 1:
'''Malware''' is a short version of '''Malicious Software'''.
+
{{expand}}
  
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
+
== MEMO file ==
 +
Th MEMO file consists of:
 +
* file header
 +
* compressed blocks
  
== Virus ==
+
=== File header ===
A computer program that can automatically copy itself and infect a computer.
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
== Worm ==
+
=== Compressed blocks ===
A self-replicating computer program that can automatically infect computers on a network.
+
The file header is followed by compressed blocks:
 
+
{| class="wikitable"
== Trojan horse ==
+
|-
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
+
! Offset
 
+
! Size
== Spyware ==
+
! Value
A computer program that can automatically intercept or take partial control over the user's interaction.
+
! Description
 
+
|-
== Exploit Kit ==
+
| 0
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
+
| 4
 
+
|
=== Drive-by-download ===
+
| Compressed data size
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
+
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
  
 
== See Also ==
 
== See Also ==
* [[Malware analysis]]
+
* [[SuperFetch]]
  
 
== External Links ==
 
== External Links ==
* [http://en.wikipedia.org/wiki/Malware Wikipedia entry on malware]
+
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia drive-by-download]
+
* [http://www.viruslist.com/ Viruslist.com]
+
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
+
 
+
=== Exploit Kit ===
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
+
  
[[Category:Malware]]
+
[[Category:File Formats]]

Revision as of 13:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links