A forum for reverse engineering, OS internals and malware analysis 
 #10791  by EP_X0FF
 Wed Jan 04, 2012 3:02 pm
Actually nothing :) I thought writing "unpacked" for UPX was too much.
 #10794  by Flamef
 Wed Jan 04, 2012 5:08 pm
Was it indeed packed with UPX? How did you manage to unpack it? Why didn't upx decompress work for me?
 #10796  by EP_X0FF
 Wed Jan 04, 2012 5:30 pm
Flamef wrote:Was it indeed packed with UPX?
Yes
How did you manage to unpack it?
upx -d filename
Why upx decompress didn't work for me?
I have no idea; I saw similar behavior before and even found the reason, but I totally forgot it because it was many years ago.
Probably most other commands from cmd will fail as well. Try "tracert" and "ping"; do they work?
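Before running upx -d on a suspect binary it helps to confirm that the file actually carries the markers a stock UPX build leaves behind. The script below is an added example, not code from this thread or from the UPX project: it parses the PE section table, lists the section names (a stock UPX build writes UPX0/UPX1) and searches for the "UPX!" string that the UPX stub stores in its info header. The two sample PE headers are constructed in-line so the script runs offline; the bytes following "UPX!" in the constructed sample are padding, not the real UPX info structure. A negative result only says the stock markers are absent; it does not explain why upx -d failed for the poster above.

```python
"""Check a PE file for the markers of a UPX-packed binary before running
"upx -d".  Added example; the sample PE images below are constructed."""
import struct
import sys

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
# IMAGE_FILE_HEADER (20 bytes, follows "PE\0\0"): Machine, NumberOfSections,
# TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = struct.Struct("<HHIIIHH")
PE32_OPTIONAL_HEADER_SIZE = 0xE0


def section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER.size + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            break  # truncated section table; report what we have
        raw_name = SECTION_HEADER.unpack_from(data, off)[0]
        names.append(raw_name.rstrip(b"\0").decode("latin-1"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the two cheap signs of a stock UPX build."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.startswith("UPX")],
        "upx_magic": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_sample(names, with_magic: bool) -> bytes:
    """Constructed minimal PE header carrying the given section names
    (headers only, no section data; enough for the checks above)."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = COFF_HEADER.pack(0x14C, len(names), 0, 0, 0,
                            PE32_OPTIONAL_HEADER_SIZE, 0x102)
    opt = b"\0" * PE32_OPTIONAL_HEADER_SIZE
    sections = b"".join(
        SECTION_HEADER.pack(n.encode().ljust(8, b"\0"), 0x1000,
                            0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0xE0000080)
        for i, n in enumerate(names))
    # Constructed marker: only the "UPX!" string is meaningful here.
    tail = b"UPX!" + b"\0" * 12 if with_magic else b"\0" * 16
    return mz + b"PE\0\0" + coff + opt + sections + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        label = sys.argv[1]
    else:
        blob = build_sample(["UPX0", "UPX1", ".rsrc"], True)
        label = "<constructed sample>"
    print(label, upx_indicators(blob))
    if looks_upx_packed(blob):
        print("stock UPX markers present, try: upx -d", label)
    else:
        print("no stock UPX markers; upx -d is unlikely to accept this file")
```

Run it with a path to get the section list and a verdict; with no argument it inspects the constructed sample. Absence of UPX0/UPX1 only rules out an untouched stock packing, since section names are trivial to rename after packing.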
 #10804  by Flamef
 Wed Jan 04, 2012 10:24 pm
Well, thank you guys! Btw, since it's obviously so easy to unpack UPX, why are most viruses etc. packed with UPX? Only to reduce the file size? Nonsense, isn't it? :D
 #10805  by newgre
 Wed Jan 04, 2012 10:36 pm
Erm well, because
a) most malware is simply stupid
b) most malware writers don't give a shit
c) it doesn't really matter whether a malware sample is packed or not since the A/V industry is mostly still unable to deal with new malware

Pick any.
 #10812  by EP_X0FF
 Thu Jan 05, 2012 3:56 am
Flamef wrote:Well, thank you guys! Btw, since it's obviously so easy to unpack UPX, why are most viruses etc. packed with UPX? Only to reduce the file size? Nonsense, isn't it? :D
Usually they're packed to reduce the original stub size, or the dropper size after obfuscation (in both cases even multiple times). This ransomware is a simple exception. Probably the script-kiddies were unable to find/buy a FUD crypter at that time.
 #11686  by Aleksandra
 Sat Feb 18, 2012 2:35 pm
Flamef wrote:Was it indeed packed with UPX? How did you manage to unpack it? Why didn't upx decompress work for me?
No ideas.
root@slax:~/Desktop# upx -d Firefox_update.exe.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2008
UPX 3.03        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2008

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1109504 <-    145920   13.15%    win32/pe     Firefox_update.exe.exe

Unpacked 1 file.