unpacking errors.

Discussion in 'NOD32 version 2 Forum' started by snowbound, May 25, 2004.

Thread Status:
Not open for further replies.
  1. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Folks. :)

    Lately when I scan with NOD32 I get 2 unpacking errors.

    One is,

    My Recieved Files\Installs\regseeker.zip>ZIP>DCSMUTEX.DLL>PECompact v1.68-unpack error

    and,

    Wormguard\wguninst.dll>PECompact v1.67-unpack error.

    I have had both these apps for a long time and never noticed this before when I scanned.

    I also have 4 other locked files, but that is self-explanatory so I don't concern myself with that.

    Are those unpacking errors anything to be concerned about?

    If so, how do I go about fixing it?

    Thanks.


    snowbound
     
  2. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Sounds like we now know what NOD32's Generic unpacking engine is!

    http://www.collakesoftware.com/

    No idea why you're getting the error though, but thanks for the tip-off on it, was wondering what unpacker they used. :)
     
  3. gpdev

    gpdev Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    12
    PECompact is not the NOD32 unpacking engine - PECompact is an exe packer.

    This message probably indicates that NOD32 identified that these files are packed with PECompact v1.68 but failed to unpack them.
    Maybe they were packed using a different/modified version of PECompact.

    Since both of these files (wguninst.dll & DCSMUTEX.DLL) are from DiamondCS - maybe Gavin or Wayne have something to tell us ;)
     
  4. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    PE-Pack licenses an unpacker too, which is why I suspected they used it based on those errors. But hey, who knows until NOD32 responds.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Collake Software doesn't license any kind of unpacker, as it goes against one of the main reasons for using PECompact. Anyway, I agree with gpdev: you should wait for Gavin's comment on this. Though I don't think they used any modified PECompact, as this is illegal. Probably the Eset guys updated the PECompact unpacker, which wasn't backward compatible.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Or maybe NOD sees it as PE unpacker but it is not, could be a DCS proprietary packer with similarities.

    We'll have to await DCS's response :)

    Just guessing - Pilli
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's a custom version of the packer; you should simply ignore the unpack error since you know these files are clean ;)

    Modifying the header AFTER a file has been patched is a common problem these days, so that unpackers don't work anymore. This is an area for the NOD32 team to keep an eye on; I'd guess up to 50% of malware I see these days has been header-patched (AVs detect them as PE_Patch).
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Thanks for that Gavin. :)

    I am not very knowledgeable when it comes to these kinds of things.

    Since you say it is nothing to worry about, that is what I will do. ;)


    snowbound
     