» Topic:  A different look at Bagle

» Added by:  sp3x

» Date:  24.9.2005

  "Okay, I hear a lot about these computer viruses but what do they actually look like?" - goes one of the most freqently asked questions we get. We have been working on some visualizations projects trying to answer that. We have mentioned our efforts in graphing malware earlier. The latest attempt is a 3D animation that visualizes the structure and execution of the W32/Bagle.AG@mm worm.

The boxes in the picture are functions of the worm. The one on the top is the 'main' where the execution starts. The first ring contains all the functions that 'main' calls. The second all the functions that the ones on the first ones call and so on. All connecting lines represent the calls from one function to the other. Red boxes belong to the virus code while the blue ones are API calls library code that do not belong to the malicious code.

For the curious minded, the animation was created using IDA Pro, IDAPython, Blender and some custom scripts.

The animations can be downloaded in the following formats:

http://www.f-secure.com/weblog/archives/f-secure_bagle-ag_visualization.wmv
http://www.f-secure.com/weblog/archives/f-secure_bagle-ag_visualization.mov

Source : f-secure.com