AVs and packers

Discussion in 'other anti-virus software' started by Weber, May 18, 2005.

Thread Status:
Not open for further replies.
  1. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    I guess you guys know Unlocker. In older versions of this program the author packed the exe with MEW11 and UPack, but now he had to release the program unpacked.
    I know that it is not necessary to pack the program to distribute it, but the funny thing is AVs detecting files packed with MEW11 and UPack as virus.

    For example, I packed notepad.exe with MEW11 and UPack and submitted them to VirusTotal, and here are the results (FPs):

    Code:
    MEW11
    
    Fortinet	2.27.0.0	05.18.2005	suspicious
    Ikarus	2.32	05.18.2005	Backdoor.Win32.Wootbot.AM
    Norman	5.70.10	05.16.2005	W32/MEWpacked.gen
    Sybari	7.5.1314	05.18.2005	W32/MEWpacked.ge
    
    Code:
    UPack
    
    Fortinet	2.27.0.0	05.18.2005	suspicious
    
    McAfee reported files packed with UPack as a virus since version 0.10. Guess they "finally" fixed it after some months.

    My question is why does this happen?
     
    Last edited by a moderator: May 18, 2005
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I don't know what the author of this program thinks but any program packed with MEW would be suspicious to me too. I'll take it as a big plus if such a file is reported by an antivirus.



    tECHNODROME
     
  3. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    Just because virus authors compress their viruses with MEW, that doesn't mean that MEW cannot be used to pack normal programs.

    And I think it is not a very professional attitude to flag all files packed with MEW as a virus instead of unpacking and analysing the unpacked file.
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I bet there is a better way to compress your program by not using common malware compression methods.

    NVC reports it as packed and not necessarily infected. In cases like this, further investigation is recommended. Such a report is very valuable to a user who cares about security.



    tECHNODROME
     
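Added example, not part of the thread: a toy version of the generic "packed" heuristic behind verdicts like W32/MEWpacked.gen. zlib stands in for MEW11/UPack, a constructed text-like byte string stands in for notepad.exe, and the 4-byte `STUB` marker and the 7.0 bits/byte threshold are assumptions. It shows why the wrapper alone earns "suspicious" and why unpacking before judging the contents, as both posters touch on, gives a different answer.

```python
import math
import random
import zlib

# Constructed stand-in for a benign program such as notepad.exe: bytes drawn
# from a small alphabet, so its entropy is low (about 4.8 bits per byte).
_rng = random.Random(2005)
BENIGN_PROGRAM = bytes(_rng.choices(b"abcdefghijklmnopqrstuvwxyz ", k=20000))

# Hypothetical marker for our simulated packer; a real packer (MEW, UPack)
# prepends a real decompression stub instead.
STUB = b"STUB"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pack(program: bytes) -> bytes:
    """Simulate a packer: the original image is compressed behind a small stub."""
    return STUB + zlib.compress(program, 9)


def packer_heuristic(image: bytes, threshold: float = 7.0) -> str:
    """Generic 'packed' heuristic: high entropy means compressed code.

    It says nothing about whether that code is malicious, which is why a packed
    notepad.exe trips it exactly like a packed bot does.
    """
    return "packed/suspicious" if shannon_entropy(image) >= threshold else "clean"


def unpack(image: bytes) -> bytes:
    """Undo the simulated packer so the real image can be examined."""
    if not image.startswith(STUB):
        raise ValueError("not a packed image")
    return zlib.decompress(image[len(STUB):])


def verdict_with_unpacking(image: bytes) -> str:
    """Unpack first, then judge the contents rather than the wrapper."""
    body = unpack(image) if image.startswith(STUB) else image
    return packer_heuristic(body)
```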