AVs and packers

I guess you guys know Unlocker. In older versions of this program the author packed the exe with [x]MEW11 and UPack but now he had to release the program unpacked.

I know that it is not necessary to pack the program to distribute it, but the funny thing is AVs detecting files packed with MEW11 and UPack as virus.

For example, i packed notepad.exe with MEW11 and UPack and submitted to VirusTotal and here are the (FPs) results:

Code:

MEW11

Fortinet	2.27.0.0	05.18.2005	suspicious
Ikarus	2.32	05.18.2005	Backdoor.Win32.Wootbot.AM
Norman	5.70.10	05.16.2005	W32/MEWpacked.gen
Sybari	7.5.1314	05.18.2005	W32/MEWpacked.ge

Code:

UPack

Fortinet	2.27.0.0	05.18.2005	suspicious

McAfee reported files packed with UPack as virus since version 0.10. Guess they "finally" fixed after some months.

My question is why does this happen?

 

I don't know what the author of this program thinks but any program packed with MEW would be suspicious to me too. I'll take it as a big plus if such a file is reported by an antivirus.



tECHNODROME

 

Just because virus author compress their virus with MEW that doesn't mean that MEW can not be used to pack normal programs.

And i think it is not a very professional atitude to flag all files packed with MEW as virus instead of unpacking and analysing the unpacked file.

 

I bet there is a better way to compress your program by not using common malware compression methods.

NVC reports it as packed and not necessary infected. In cases like this, further investigation is recommended. Such a report is very valuable to user who cares about security.



tECHNODROME