Enough with the UPX packed virus false alarms -- ENOUGH


19 replies to this topic
dohboy
  • Guests
  • Last active:
  • Joined: --
Can I get a copy of this tool that checks a file against every known virus scanner?

Felt like doing this for fun:

File deadly_virus.exe received on 2010.01.08 22:02:11 (UTC)
Antivirus        Version        Last Update        Result
a-squared        4.5.0.48        2010.01.08        -
AhnLab-V3        5.0.0.2        2010.01.08        -
AntiVir        7.9.1.130        2010.01.08        -
Antiy-AVL        2.0.3.7        2010.01.08        Trojan/Win32.Vapsup.gen
Authentium        5.2.0.5        2010.01.08        -
Avast        4.8.1351.0        2010.01.08        -
AVG        8.5.0.430        2010.01.04        -
BitDefender        7.2        2010.01.08        -
CAT-QuickHeal        10.00        2010.01.08        -
ClamAV        0.94.1        2010.01.08        -
Comodo        3514        2010.01.08        -
DrWeb        5.0.1.12222        2010.01.08        -
eSafe        7.0.17.0        2010.01.07        -
eTrust-Vet        35.2.7226        2010.01.08        -
F-Prot        4.5.1.85        2010.01.08        -
F-Secure        9.0.15370.0        2010.01.08        -
Fortinet        4.0.14.0        2010.01.08        -
GData        19        2010.01.08        -
Ikarus        T3.1.1.80.0        2010.01.08        -
Jiangmin        13.0.900        2010.01.08        -
K7AntiVirus        7.10.942        2010.01.08        -
Kaspersky        7.0.0.125        2010.01.08        -
McAfee        5855        2010.01.08        -
McAfee+Artemis        5855        2010.01.08        -
McAfee-GW-Edition        6.8.5        2010.01.08        Heuristic.BehavesLike.Win32.Packed.C
Microsoft        1.5302        2010.01.08        -
NOD32        4755        2010.01.08        -
Norman        6.04.03        2010.01.08        -
nProtect        2009.1.8.0        2010.01.08        -
Panda        10.0.2.2        2010.01.08        -
PCTools        7.0.3.5        2010.01.08        -
Prevx        3.0        2010.01.08        -
Rising        22.29.04.04        2010.01.08        -
Sophos        4.49.0        2010.01.08        -
Sunbelt        3.2.1858.2        2010.01.08        -
Symantec        20091.2.0.41        2010.01.08        -
TheHacker        6.5.0.3.142        2010.01.08        -
TrendMicro        9.120.0.1004        2010.01.08        -
VBA32        3.12.12.1        2010.01.06        -
ViRobot        2010.1.8.2128        2010.01.08        -
VirusBuster        5.0.21.0        2010.01.08        -

Additional information
File size: 207261 bytes
MD5...: 1505065f6558b18d792793bfbbd1d48a
SHA1..: a017cfabc6782c3725713fcbab3c86067af17d5e
SHA256: 3ac19630b45c0949c36bfb311406898b808c5b0b41fb4ebdd05f8553092b8fc4
ssdeep: 6144:mCbitvA8lUcv6Jvr03OWAgCC7RSKDkoShu:mC+tvA8pv6e3OSCCFSKDkoSA
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x71ed0
timedatestamp.....: 0x49fde251 (Sun May 03 18:28:33 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name       viradd    virsiz   rawdsiz  ntrpy  md5
UPX0       0x1000   0x41000       0x0   0.00  d41d8cd98f00b204e9800998ecf8427e
UPX1      0x42000   0x31000   0x30c00   8.00  6cd9aa2547f27ae976665aae461e8c77
.rsrc     0x73000    0x2000    0x1800   4.79  5ae503e98038550ace366a5d500b6507
( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> comdlg32.dll: GetOpenFileNameA
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WINMM.dll: mixerOpen
> WSOCK32.dll: -
( 0 exports )
RDS...: NSRL Reference Data Set-
packers (Kaspersky): UPX
sigcheck:
publisher....: n/a
copyright....:
product......:
description..:
original name:
internal name:
file version.: 1, 0, 48, 03
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
        Win32 EXE Yoda's Crypter (34.3%)
        Win32 Executable Generic (11.0%)
        Win32 Dynamic Link Library (generic) (9.8%)
        Generic Win/DOS Executable (2.5%)
packers (F-Prot): UPX_LZMA
and here is the AHK file (compiled as deadly_virus.exe):
#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.
#singleInstance force
CoordMode, mouse, screen
#InstallKeybdHook
#InstallMouseHook

j::
msgbox, I AM A DEADLY VIRUS!, DETECT ME YOU CRAPPY ANTIVIRUS PROGRAMS, OR YOU FAIL!`n`n Click OK to feel my wrath!
click, 92, 412
send, P
Return

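An added example, not from this thread or the AutoHotkey project: the section-level traits behind the "Heuristic.BehavesLike.Win32.Packed.C" verdict above can be checked locally before submitting anything. This Python script (my code) parses the section table of a PE image, computes per-section entropy, and reports the indicators a packer heuristic keys on: UPX section names, a first section with no data on disk, and near-8-bit entropy. The PE images it scans are constructed inline to mirror the PEInfo layout shown above; they are not the real deadly_virus.exe.

```python
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes) -> list:
    # Walk DOS header -> PE signature -> COFF header -> section table, collecting the fields a packer heuristic looks at
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr = SECTION_HDR.unpack_from(pe, table + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "rawsize": rawsize, "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return sections

def packer_indicators(sections: list) -> list:
    # The traits a "BehavesLike.Win32.Packed"-style heuristic reacts to; [] means nothing suspicious
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"{s['name']}: empty on disk, {s['vsize']:#x} bytes reserved for unpacking")
        if s["rawsize"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f}, compressed or encrypted data")
    return hits

def build_pe(specs: list) -> bytes:
    # Constructed minimal PE (DOS stub, PE signature, COFF header without optional header, sections); demo input only
    table, blobs, ptr = b"", b"", 64 + 4 + 20 + 40 * len(specs)
    for name, vsize, raw in specs:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, 0x1000, len(raw),
                                  ptr if raw else 0, 0, 0, 0, 0, 0)
        blobs, ptr = blobs + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0) + table + blobs

# Constructed image mirroring the VirusTotal PEInfo above: empty UPX0, entropy-8 UPX1, plain .rsrc
PACKED = build_pe([("UPX0", 0x41000, b""), ("UPX1", 0x31000, bytes(range(256)) * 4),
                   (".rsrc", 0x2000, bytes(range(16)) * 32)])
```

Running `packer_indicators(parse_sections(PACKED))` lists four indicators for the constructed image, which is exactly the profile a UPX-compressed AutoHotkey script presents; the same call on an unpacked image with ordinary `.text`/`.rsrc` sections returns an empty list.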


dohboy
  • Guests
  • Last active:
  • Joined: --
Just a follow-up on my own post: www.virustotal.com is the answer. It accepts a web-based submission of a file (under 20MB in size) and gives you the results in real time, as seen above. Awesome. Thanks for inspiring me to look into this :)



tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: May 02 2019 09:16 PM
  • Joined: 21 Dec 2007
Very helpful, thanks.
Never lose.
WIN or LEARN.

ImBatman
  • Members
  • 1 posts
  • Last active: Jun 25 2010 09:02 PM
  • Joined: 25 Jun 2010
Hi,

I stumbled along this site, looking for details about compressed exes flagging false positives.

I'm not really one for litigation, but this happens a lot in the real world, and I can't believe that someone hasn't gone after the anti-virus companies for this.

It seems fairly obvious that it would stand up in any court - Company A producing product X, that directly negatively impacts the marketability of Company B's product Y due to false pretenses.

One of the comments is perhaps UPX should be avoided - why? The real problem is the anti-virus software. More pressure should be applied on them to make more responsible software.

garry
  • Spam Officer
  • 3219 posts
  • Last active: Sep 20 2018 02:47 PM
  • Joined: 19 Apr 2005

http://sarvamblog.bl...ows-system.html

Nearly 70% of Packed Windows System files are labeled as Malware


A few weeks back, I was playing around with some off the shelf packers.

I randomly selected a Windows system executable (dpnsvr.exe), packed it with Upack and then sent both the files to Virustotal (VT).

Obviously, no Anti Virus (AV) software showed labels for the unpacked system file (detection ratio was 0/46).

But to my surprise, when I submitted the packed system file, the detection ratio was 23/46! I thought, maybe if I give it some more time, the AVs will catch up and the detection rate would reduce.

But that didn't happen either.

I was only shocked to see that a more recent analysis seemed to increase the detection ratio to 32/46!!

............