Peter Ferrie
Virus Bulletin, March 2007, pp.4-5
ISSN 0956-9979
One of the things that almost all anti-malware researchers have in common is a copy of Interactive DisAssembler (IDA). It is perhaps the best tool we have for disassembling files, since it is capable of so many important things: it displays the file more or less as it really appears in memory, applying relocations, and resolving imports. IDA can follow all of the code paths and note all of the data references, comment the API parameters, and even determine the stack parameters.
Since some people have custom requirements, IDA also supports a plug-in interface. Plug-ins can do many things and control many of IDA's actions - including directing it to infect files.
Enter the latest member of the ever-growing W32/Chiton family. The author of the virus calls this one 'W32/Hidan'.