A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #9042  by EP_X0FF
 Sun Oct 09, 2011 2:34 am
Patient number one

Very dangerous and invincible malware, yes:
http://www.virustotal.com/file-scan/rep ... 1318083179

This is actually a small test written by me a few years ago, especially for paranoid Avira.

And this is the same file, recompiled:
http://www.virustotal.com/file-scan/rep ... 1318126219

The hash calculators failed; this perfectly reveals FakeAV, by the way.

And here is the actual source code of this "Trojan Downloader Codec Pack":
```pascal
{$E EXE}                 // output extension
{$IMAGEBASE $00400000}   // preferred load address
{$R-}                    // range checking off
{$Q-}                    // overflow checking off
{$IFDEF minimum}
program Heur;            // built as a program when the 'minimum' define is set
{$ENDIF}
unit Heur;
interface

uses
  Windows, WinNative;    // WinNative supplies the ntdll Ldr*/Rtl* declarations

implementation

var
  hModule1: DWORD;
  p1: pointer;
  st1: UNICODE_STRING;   // reused below as an ANSI_STRING: both have the same {Length, MaximumLength, Buffer} layout
  ns: NTSTATUS;
begin
  // Load kernel32 through the native loader instead of importing it
  RtlInitUnicodeString(@st1, kernel32);
  ns := LdrLoadDll(nil, nil, @st1, @hModule1);
  if (ns = STATUS_SUCCESS) then
  begin
    p1 := nil;
    // Resolve Beep by name; LdrGetProcedureAddress takes an ANSI_STRING
    RtlInitAnsiString(@st1, 'Beep');
    ns := LdrGetProcedureAddress(hModule1, @st1, 0, @p1);
    if (ns = STATUS_SUCCESS) then
      asm
        push 10      // dwDuration (ms), pushed first: stdcall arguments go right to left
        push 2000    // dwFreq (Hz)
        call p1      // Beep(2000, 10)
      end;
    LdrUnloadDll(hModule1);
  end;
end.
```
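The same test rebuilt in C, as an added example that is not the post's code (Fyyre later mentions an MSVC2010 build of the Beep app, but does not post its source). The ntdll loader calls are the real exports LdrLoadDll, LdrGetProcedureAddress and LdrUnloadDll, declared by hand because windows.h does not expose them; the NT_* struct names, the init_*_string helpers (portable re-implementations of what RtlInitUnicodeString/RtlInitAnsiString do) and ldr_beep are my names. Only the string helpers compile outside Windows.

```c
/* Added example, not the original post's code: load kernel32 through the ntdll
 * loader, resolve Beep by name, call it, unload. Ldr* prototypes are declared
 * by hand since windows.h lacks them. NT_* names and helpers are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16_t;   /* UTF-16 code unit, independent of the host's wchar_t width */

/* Both counted-string headers share the layout {Length, MaximumLength, Buffer}.
 * That is the only reason the Delphi version can hand a UNICODE_STRING to
 * RtlInitAnsiString. Length and MaximumLength are in BYTES, not characters. */
typedef struct { uint16_t Length; uint16_t MaximumLength; wchar16_t *Buffer; } NT_UNICODE_STRING;
typedef struct { uint16_t Length; uint16_t MaximumLength; char      *Buffer; } NT_ANSI_STRING;

/* Mirrors RtlInitAnsiString: Length excludes the terminator, MaximumLength includes it. */
static void init_ansi_string(NT_ANSI_STRING *s, const char *src)
{
    size_t n = strlen(src);
    s->Length = (uint16_t)n;
    s->MaximumLength = (uint16_t)(n + 1);
    s->Buffer = (char *)src;
}

/* Mirrors RtlInitUnicodeString: byte counts, so every code unit is 2 bytes. */
static void init_unicode_string(NT_UNICODE_STRING *s, const wchar16_t *src)
{
    size_t n = 0;
    while (src[n] != 0) n++;
    s->Length = (uint16_t)(n * sizeof(wchar16_t));
    s->MaximumLength = (uint16_t)((n + 1) * sizeof(wchar16_t));
    s->Buffer = (wchar16_t *)src;
}

/* "kernel32.dll" as UTF-16, built without relying on L"" literal width. */
static const wchar16_t KERNEL32_NAME[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 };

/* Accessors so the byte-length rule and the layout trick can be checked anywhere. */
static unsigned ansi_byte_length(const char *s)       { NT_ANSI_STRING a;    init_ansi_string(&a, s);    return a.Length; }
static unsigned unicode_byte_length(const wchar16_t *s) { NT_UNICODE_STRING u; init_unicode_string(&u, s); return u.Length; }
static int      same_header_layout(void)              { return sizeof(NT_UNICODE_STRING) == sizeof(NT_ANSI_STRING); }

#ifdef _WIN32
#include <windows.h>

typedef LONG (WINAPI *LdrLoadDll_t)(PWSTR, PULONG, NT_UNICODE_STRING *, PVOID *);
typedef LONG (WINAPI *LdrGetProcedureAddress_t)(PVOID, NT_ANSI_STRING *, ULONG, PVOID *);
typedef LONG (WINAPI *LdrUnloadDll_t)(PVOID);
typedef BOOL (WINAPI *Beep_t)(DWORD, DWORD);

/* Fetches the loader entry points from the already-mapped ntdll, then repeats the
 * Delphi program's steps. Returns 0 (STATUS_SUCCESS) or the failing NTSTATUS;
 * -1 if ntdll export lookup fails. */
static LONG ldr_beep(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    LdrLoadDll_t             pLdrLoadDll   = ntdll ? (LdrLoadDll_t)GetProcAddress(ntdll, "LdrLoadDll") : NULL;
    LdrGetProcedureAddress_t pLdrGetProc   = ntdll ? (LdrGetProcedureAddress_t)GetProcAddress(ntdll, "LdrGetProcedureAddress") : NULL;
    LdrUnloadDll_t           pLdrUnloadDll = ntdll ? (LdrUnloadDll_t)GetProcAddress(ntdll, "LdrUnloadDll") : NULL;
    NT_UNICODE_STRING dll_name;
    NT_ANSI_STRING proc_name;
    PVOID hKernel32 = NULL, pBeep = NULL;
    LONG status;

    if (!pLdrLoadDll || !pLdrGetProc || !pLdrUnloadDll)
        return -1;

    init_unicode_string(&dll_name, KERNEL32_NAME);
    status = pLdrLoadDll(NULL, NULL, &dll_name, &hKernel32);
    if (status != 0)
        return status;

    init_ansi_string(&proc_name, "Beep");
    status = pLdrGetProc(hKernel32, &proc_name, 0, &pBeep);
    if (status == 0)
        ((Beep_t)pBeep)(2000, 10);   /* Beep(dwFreq=2000, dwDuration=10): same as the asm push order */
    pLdrUnloadDll(hKernel32);
    return status;
}
#endif

int main(void)
{
#ifdef _WIN32
    LONG status = ldr_beep();
    printf("ldr_beep -> 0x%08lX\n", (unsigned long)status);
    return status == 0 ? 0 : 1;
#else
    printf("only the string helpers run here; the loader calls need Windows\n");
    return 0;
#endif
}
```

The program imports nothing from kernel32 at link time, which is what makes an otherwise empty executable look interesting to a heuristic engine; GetProcAddress on ntdll is used only to avoid linking against ntdll.lib, and swapping it for direct imports reproduces the Delphi profile more closely.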
 #9052  by EP_X0FF
 Sun Oct 09, 2011 12:09 pm
Patient number 2.

http://www.virustotal.com/file-scan/rep ... 1317971569

Innocent application packed by UPX.

The original detection came from Kaspersky, and 10+(!) FakeAVs copied its name (only the name). I especially like Joke/W32.ArchSMS.3404800; this strange number at the end is the file size for which the hash was calculated.

Kaspersky fixed this FP, but the copy-pasters of course did not. UPX -d and the FakeAV detections go nowhere (note: this is an old scan, before the Kaspersky FP fix).
http://www.virustotal.com/file-scan/rep ... 1317915671
 #9440  by cjbi
 Sat Oct 29, 2011 8:01 am
Patient name: ALYac (hxxp://global.alyac.com/)

In December 2008, ALYac anti-virus labeled itself (its update module) as spyware.

Notice(Google translated): hxxp://translate.google.com/translate?sl=ko&tl=en&u=alyac.altools.co.kr%2FCustomer%2FPublic%2FNoticeView.aspx%3Fid%3D50

ALYac, Avira...
Who's next?
Attachment: 2008-12-08_pm_11-03-13.jpg (ALYac false positive)
 #9446  by Meriadoc
 Sat Oct 29, 2011 11:03 am
Hello,

I always find AV self-detection kinda funny, lol.

CureIt detected its own log; CureIt log: probably SCRIPT.virus (16/10/2011).

oh nooo..! :mrgreen:
 #9544  by Fyyre
 Sat Nov 05, 2011 2:36 pm
I understand some AVs have serial-number blacklists of warez file packers (PECompact, WinLicense and VMProtect come to mind), as a result of communication between the file packer developers and AV companies... can anyone verify this?

P.S. EP: Beep app made with MSVC2010 http://www.virustotal.com/file-scan/rep ... 1320504237

-Fyyre