Question about Themida Winlicense XBundler + Virus Rootkit W32.Baggle Infections

Discussion in 'NOD32 version 2 Forum' started by nervusvagus, Oct 21, 2008.

Thread Status:
Not open for further replies.
  1. nervusvagus

    nervusvagus Registered Member

    Oct 21, 2008
    Question about Themida Winlicense XBundler + Virus Rootkit W32.Bagle Infections


    Recently my system was infected with W32.Bagle and I'm still not sure if it's removed from my system.

    I have the following question about how exactly infections with Themida work:

    Do Themida powered infections, such as W32.Bagle keep installing themselves in other files with Themida's technology if I execute the infected file? Or does the first infected file stays as the master source and just corrupts other files.

    This assumes the following as true, as seen in the

    1. Themida infections in .exe 's cannot be detected- Quote from the forum post: "All of malware packed with Themida bypass AV engines, because of the compression and encryption Themida uses. "
    2. Antivirus and antirootkit software detects W32.Bagle only after it is deployed from the carrying agents software, ie. Eset cannot detect W32.Bagle inside the Firefox.exe however once I click Firefox.exe W32.Bagle is deployed and thus Eset can detect it however it might be too late

    (Note: It seems to me, and correct me if I'm wrong: not only does Temida corporation has a "it's not our fault" approach in this, but they are also trying to prevent Antivirus applications from flagging Themida packed files, which is basically the only way to detect Themida viruses! )

    So the question in effects serves as the following:
    If Eset cannot detect W32.Bagle in the initial .exe I downloaded.
    And if once deployed W32.Bagle infects itself into other undetectable .exe files, ie. Word.exe
    And these files are not detectable as themselves. And each time I run them they use Themida's technology to infect the W32.Bagle or whichever root kit into other EXE's ... This might mean that I'd rather remove / reinstall the operating system completely.
    Last edited: Oct 21, 2008
  2. Marcos

    Marcos Eset Staff Account

    Nov 22, 2002
    Re: Question about Themida Winlicense XBundler + Virus Rootkit W32.Bagle Infections

    Files packed with Themida and other suchlike protectors often misused by malware are detected as potentially unsafe applications based on certain criteria. As for Bagle, we add signature-based detection as soon as a new variant is spotted or reported to us so that it's treated like other malware.

    I don't understand what you mean. Bagle is usually delivered in an ordinary archive so there's no problem detecting it.

    They have developed a system to protect files against disassembling that is more often misused by malware than used by legit applications. IMHO, it'd help a lot if files protected with Themida were obliged to be digitally signed.
  3. nervusvagus

    nervusvagus Registered Member

    Oct 21, 2008
    Marcos all my assumptions revolve around the following statement in the linked discussion:
    "All of malware packed with Themida bypass AV engines, because of the compression and encryption Themida uses. "​

    What I understand from this is:
    If a malware is packed with Themida. No AV can detect it.

    there is another article from 2006, linked in the discussion and I'd like to know if this still holds true:
    "...Different AV vendors gave different results obviously, but the trend was clearly against AV detection of Themida protected malware...."​

    So assuming I have W32.Bagle in any of my legitimate program .exe's. This will not be detected. In other words AV removes all detectable traces of the virus but still "All of malware packed with Themida bypass AV engines, because of the compression and encryption Themida uses. " stands true, therefore I understand that most likely: it is still in my system waiting to be executed... and the initial question was that "what happens after it's executed" are other random executable packed with this malware using Themida or is it just the master file I downloaded.

    Because the loop seems to be complete with the following:
    1-[Download a file named DownloadedFile002.exe packed with themida and includes W32.Bagle]
    2-[Execute the DownloadedFile002.exe]
    3-[.exe lets W32.Bagle into the wild]
    4-[W32.Bagle does it's thing] and according to the questions answer: [infects DownloadedFile001.exe and other exe's using Themida Technology] .
    5-[ESET and Combofix detects the W32.Bagle out in the wild and removes it]
    6-[ESET and Combofix does not detect W32.Bagle packed inside DownloadedFile002.exe and does not detect W32.Bagle packed inside DownloadedFile001.exe]
    7-[back to #2 above]

    this is what I undestand.

    This is very important for me. As it can mean that the virus, though inactive is still in the system somewhere. And I'm willing to change OS and do a clean legit install of all my current applications by downloading them off the web...

    This is very important because malware writers ie. W32.Bagle seem to be targeting ESET directly, using Themida. ie. removing eset executables, making the program basically impossible to install. However I do not see Themida targeting malware writers directly. there is not a single mention of Malware on Themida website. (google malware)

    Some sarcastic thanks to Themida and W32.Bagle for giving me the worst computer experience of my life.

    Though irrelevant I'll list my case here:
    I have lost, 110,000 personal photos and videos (8 years worth) on my external drive (drive seems to be empty / inaccessible after scanning and removing Bagle with combofix.) Though I'll have to see if I can recover all, and I'm not sure how to recover a drive that was 80% full.
    I've lost my entire personal documents on this 1tb drive.
    My system has been infiltrated for days without me noticing.
    I had to purchase a $180 Windows Vista dvd
    I'll have to purchase another external drive if I will ultimately need to recover the first drive.
    I lost my computer for days and probably compromised all my passwords.
    Last edited: Oct 21, 2008
  4. Inspector Clouseau

    Inspector Clouseau AV Expert

    Apr 2, 2006
    Maidenhead, UK
    Bypasses AV means in first instance, not ALL THE TIME. That said: It's more difficult to protect a customer PRO-ACTIVE (via generic behavior analysis what a malware does or via generic signatures for a specific malware class)

    THAT DOES *NOT* mean that the AV is unable to detect such malware at all!
    In easiest case you just create a signature over the full file and it will be detected.

Thread Status:
Not open for further replies.