Identifying malware with PEStudio


There are many technical tools which can help you identify and understand malware, and we used a few of these very recently while investigating Easy Disk Drive Repair.

You don’t have to master all of these to pick out potential threats, though. The compact and portable PeStudio can help you identify suspect programs in seconds.

We dragged and dropped EasyDiskDriveRepair.exe onto PeStudio and an initial analysis appeared in a tree to the left. This displayed a VirusTotal score of 2/57, meaning only two of the 57 antivirus engines had raised an alert over the program. If you’ve used VirusTotal before then you’ll know this isn’t uncommon -- false positives are likely when you combine so many engines -- but a low score is not a clean bill of health either: a brand-new file has simply not been seen by most vendors yet, so keep it in mind.

Clicking "Indicators" in the tree highlighted some possible concerns about the EasyDiskDriveRepair.exe file. These are generally very technical and you shouldn’t expect to understand all (or even most) of them, but there’s still useful information to consider.

We were told that EasyDiskDriveRepair.exe modifies the Registry, for instance; creates and modifies files; starts child processes (that is, launches other programs); and interacts with Windows services.

There’s nothing automatically dubious about any of these things, but just take a moment to think about whether your program really needs to carry them out. If a program is supposed to be portable, say, but PEStudio says it modifies the Registry, then you might wonder why.

Clicking "Strings" displays the readable text strings embedded in the executable. Malware can easily hide these (a packed or encrypted sample may show almost nothing readable at all, which is itself worth noting), and there will be plenty of binary junk listed as well, but PeStudio tries to help by highlighting “blacklisted” strings: API names, paths and commands that commonly turn up in malware.

The EasyDiskDriveRepair.exe strings table was particularly telling. Items included ShellExecute (a Windows API call that opens or launches something else), RegCreateKey/RegSetValueEx/RegDeleteValue (API calls that create Registry keys and set or delete the values stored in them), "\Software\Microsoft\Windows\CurrentVersion\Run" (one of the Registry keys Windows uses to launch programs at logon), Scripting.FileSystemObject (the COM object that VBScript and JScript use to read, write and delete files, a sign the program drives a script), sqlite3.exe (the SQLite command-line program for manipulating databases), "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f" (a console command that searches the current user’s Startup entries), and "> c:\windows\temp.txt" (redirecting a command’s output to a temporary file in the Windows folder).

PeStudio’s report includes many other sections with further details on your target file. These get progressively more technical, but may still be worth checking out. "Libraries" lists the DLLs the program references and "Imports" the functions it asks them for (blacklisted imports are flagged in the same way as strings, and they are harder to disguise than free text); "Resources" gives an idea what else a file might contain (typically icons); "Certificates" tells you whether the executable is signed, and by whom; while "Version" holds the file version details and other properties.

Put it all together, and PeStudio tells us that EasyDiskDriveRepair.exe could modify the Registry; launch other processes; create and modify files; drive scripts; work with Windows startup programs; and might want to make changes to a database.

None of this means much on its own, but in the context of a program which is brand new, on a freshly registered domain, with no supporting information whatsoever (no documentation, no forum, no social media accounts, no real reviews) then that should be enough to sound some very loud alarms.

Now go grab a copy of PeStudio for yourself. Try it out first on other trusted applications until you understand just how many false alarms there can be, then keep it handy: one day the program just might save you from a heap of trouble.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.