nod32 use PE-CRYPT.XORPE

Discussion in 'NOD32 version 2 Forum' started by ink, Aug 26, 2006.

Thread Status:
Not open for further replies.
  1. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Today I downloaded a malware that NOD said may be a variant of a downloader and added it to quarantine. I submitted the file from C:\Program Files\ESET\infected; this is the result:
    File: PYB3AYCA.NQF
    Packers detected: PE-CRYPT.XORPE
    Scanner results
    Dr.Web
    Found Trojan.DownLoader.10891

    Kaspersky Anti-Virus
    Found Packed.Win32.Tibs

    NOD32
    Found nothing

    If someone uses this packer, NOD32 can't detect it? I know it is normal not to detect the file added to the quarantine, but the scanner can't find it anymore.
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    It gets encrypted when it's quarantined, and why should NOD32 detect its own quarantined files, which are encrypted and not executable?
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    As a related question, does this also apply to independently XORed files?

    I mean, suppose I take a malware-infected file and encrypt it with this XORPE and place it in any random directory (except the folder where NOD is installed), will NOD32 still detect the malware in this XORPE encrypted file?
     
  4. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    I just found a way that NOD32 used itself to avoid detection. No matter where you put it, the scanner can't find it. I think only Dr.Web can find it correctly; it is a trojan downloader.
     
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    In its XORed state the quarantine item is not executable. NOD32 would detect it upon decryption. More importantly, if a malware were to try and decrypt the NOD32 XORed files, then it would be more important IMHO for this decrypting malware to be detected, since it is the real threat, not the benign quarantine item.

    Cheers :)
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If it is non-executable up to the time of decryption, then why do some AV scanners do automatic decryption of this type of file? I don't see the need, considering that the malware will be detected anyway on decryption. :doubt:
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Exactly :thumb:
    Although I have heard what I believe to be some valid arguments for it, it still just seems unnecessary to me.
    I wish that at least when they do detect it they would mention it as 'a (possible) NOD32 quarantine item' - but this has nothing to do with NOD32.

    Cheers :)
     
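Added example (Python; not from the thread and not ESET's code): a constructed PE-like blob is wrapped with a single-byte XOR that stands in for the quarantine encoding (the real .NQF layout is not described in this thread, so the wrapping is an assumption), a plain signature check shows the wrapped copy is neither executable nor matched, and a known-plaintext check on the 'MZ' header shows how a quarantine-aware scanner could unwrap it and report a "possible quarantine item", as the last posts discuss.

```python
# Constructed stand-in for a tiny PE file: 'MZ' signature, a DOS stub,
# e_lfanew pointing at offset 0x40, a 'PE\0\0' header and a fake marker
# string that our toy signature scanner looks for. Not a real binary.
MZ = b"MZ"
SAMPLE_PE = (MZ + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
             + b"EVIL_DOWNLOADER_MARKER" + b"\x00" * 16)

# Toy signature database (constructed names, not any vendor's).
SIGNATURES = {b"EVIL_DOWNLOADER_MARKER": "Constructed.Test.Downloader"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key for b in data)


def looks_executable(data: bytes) -> bool:
    """A PE loader requires the 'MZ' signature; a XORed copy lacks it."""
    return data.startswith(MZ)


def scan(data: bytes):
    """Plain on-disk signature match; returns the detection name or None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None


def recover_single_byte_key(data: bytes):
    """Known-plaintext check: every PE starts with 'MZ', so the key must
    turn the first two bytes into 'M' and 'Z'. Returns None if no single
    byte does that (then the file is not a XOR-wrapped PE of this kind)."""
    if len(data) < 2:
        return None
    key = data[0] ^ MZ[0]
    return key if data[1] ^ key == MZ[1] else None


def scan_quarantine_aware(data: bytes):
    """Scan as-is first; if that is clean, try to unwrap a XORed PE and
    scan the decoded bytes, labelling any hit as a possible quarantine item."""
    verdict = scan(data)
    if verdict:
        return verdict, "on-disk"
    key = recover_single_byte_key(data)
    if key is None:
        return None, "not recognised"
    verdict = scan(xor_bytes(data, key))
    if verdict:
        return verdict, "possible quarantine item (XOR key 0x%02x)" % key
    return None, "unwrapped, clean"
```

The key recovery only works because the wrapped bytes still start at the file's first byte; a real quarantine format with its own header would need that header parsed first.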