UPX unpack error

Discussion in 'ESET Smart Security' started by stackz, Mar 20, 2010.

Thread Status:
Not open for further replies.
  1. stackz

    stackz Registered Member

    I've noticed in my scan logs:

    *\RegScanner.exe » UPX v13_m2 - unpack error
    *\CCommand.exe » UPX v12_m2 - unpack error
    + more of the same

    I'm sure there was a time when ESS/EAV didn't report any unpack error for UPX packed files.
     
  2. agoretsky

    agoretsky Eset Staff Account

    Hello,

    Would you mind forwarding copies of the files in question to ESET's virus lab per ESET Knowledgebase Article #141, "How to submit virus or potential false positive samples to ESET's labs?"

    Use a descriptive Subject: such as "UPX files which cannot be unpacked by Archive Support Module xxxx" (where "xxxx" is the build in your copy of ESET Smart Security) and be sure to include a link to this message thread in the body of the message.

    Regards,

    Aryeh Goretsky
     
    Last edited: Mar 21, 2010
  3. stackz

    stackz Registered Member

    Hi agoretsky,

    No problem at all, I'll forward the files first thing tomorrow. :)

    edit: Sent
     
    Last edited: Mar 21, 2010
  4. no_idea

    no_idea Registered Member

    Sorry about jumping in: I found the new EAV/ESS 4.2.x versions interfere with manual upx decompression as well.

    upx reports an unpack error, unless I specify a different name for the extracted file via the upx -o{file} option. This was not necessary with the 4.0.x versions.
     
  5. Marcos

    Marcos Eset Staff Account

    I'm not getting any error with v. 4.2 when scanning the two files above nor when compressing an exe file via upx -o {file}. Could somebody please post the information about installed modules (Help -> About) here?
     
  6. stackz

    stackz Registered Member

    Marcos,

    I'm not sure whether you want my details or no_idea's, as our problems don't appear to be related.
    Code:
    xpsp3 x86 - Win 7 x64
    ESS 4.2.35.0
    
    Virus signature database: 4966 (20100322)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1266 (20100312)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1017 (20100204)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1012 (20100208)
    
     
  7. no_idea

    no_idea Registered Member

    Sorry for taking some time in answering - had to find the file in question.

    So, here's a recreation scenario:

    1. download ImgBurn 2.5.1.0 from this location: http://download.imgburn.com/SetupImgBurn_2.5.1.0.exe
    2. unpack SetupImgBurn_2.5.1.0.exe with 7zip
    3. note that downloading and unpacking take an inordinate amount of time
    4. change to the unpacked files folder and uncompress ImgBurn.exe with upx 3.04w
    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurn.exe
    upx: ImgBurn.exe: IOException: rename error: Permission denied
    
    Unpacked 1 file: 0 ok, 1 error.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
    Please note that the file ImgBurn.exe gets destroyed in this process!
    And - no, it's neither infected nor quarantined.

    Now, unpack ImgBurn.exe again using 7zip and unpack to a different file:
    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d -oImgBurnUnpacked.exe ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurnUnpacked.exe
    
    Unpacked 1 file.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
    My system is XP SP3 fully patched, and I stand corrected as the error occurs even with 4.0.x. This system still runs ESS 4.0.474 with these details:
    Code:
    Virus signature database: 4972 (20100324)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1267 (20100324)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1012 (20090526)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1009 (20090917)
    I think it is a conflict of upx wanting to rename a file while ESS is still examining it. I can pack / unpack other files - even a lot larger ones - without problems.
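
The workaround shown in the post above (decompress to a different name with `-o` so UPX never renames over the original), wrapped so the original is replaced only after UPX succeeds. This is an added example, not code from the thread or from UPX/ESET; `safe_unpack`, `replace_with_retry` and the `.unpacked.tmp`/`.packed.bak` suffixes are hypothetical names, and the retry assumes the rename fails because another process (for example an on-access scanner) still has the file open, which is the poster's hypothesis.

```python
import os
import shutil
import subprocess
import time


def replace_with_retry(src, dst, attempts=5, delay=0.5,
                       replace=os.replace, sleep=time.sleep):
    """Move src over dst; retry while another process still has dst open.

    Returns the number of attempts used. `replace` and `sleep` are
    injectable so the behaviour can be exercised without a real lock.
    """
    for attempt in range(1, attempts + 1):
        try:
            replace(src, dst)
            return attempt
        except PermissionError:
            if attempt == attempts:
                raise
            sleep(delay * attempt)  # linear back-off


def safe_unpack(packed, upx="upx", run=subprocess.run, **retry_opts):
    """Decompress `packed` via `upx -d -o<tmp>`; swap in the result only on success.

    Returns True if the file was unpacked and replaced, False if upx failed
    (in which case the original is left byte-for-byte intact).
    """
    tmp_out = packed + ".unpacked.tmp"   # hypothetical naming scheme
    backup = packed + ".packed.bak"
    if os.path.exists(tmp_out):
        os.remove(tmp_out)               # stale output from an earlier run
    result = run([upx, "-d", "-o" + tmp_out, packed])
    if result.returncode != 0 or not os.path.exists(tmp_out):
        if os.path.exists(tmp_out):
            os.remove(tmp_out)           # discard partial output
        return False
    shutil.copy2(packed, backup)         # keep the packed original recoverable
    replace_with_retry(tmp_out, packed, **retry_opts)
    return True
```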
     
  8. Cudni

    Cudni Global Moderator

  9. stackz

    stackz Registered Member

    I've traced the unpack error to hardware-based DEP. Disabling XD in the BIOS resolves the problem, but this workaround is totally unacceptable.

    Note: If the file is packed with UPX using LZMA, then there is no unpack error.

    System Manufacturer INTEL_
    System Model DG33FB__
    System Type x64-based PC
    Processor Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz, 2331 Mhz, 2 Core(s), 2 Logical Processor(s)
    BIOS Version/Date Intel Corp. DPP3510J.86A.0517.2009.0107.2203, 7/01/2009

    @no_idea - I can reproduce your UPX packing problem on my PC, DEP kicks in and the file disappears in a cloud of ESET/DEP smoke.
     
    Last edited: Mar 25, 2010
  10. stackz

    stackz Registered Member

    Thanks ESET for archive support module 1110, it seems to have rectified the errors. :)
     
  11. no_idea

    no_idea Registered Member

    Thank you for your work. Of course I have DEP enabled as well, but it never occurred to me to look in that corner.

    I simply dismissed the upx decompression error as an odd glitch until I saw your posting :)
    Haven't tried to unpack ImgBurn with the new archive module though - I didn't like ImgBurn that much in the first place (too much adware)

    ---------
    Addendum: yes it works! Archive support module 1110 ftw :)

    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d imgburn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     imgburn.exe
    
    Unpacked 1 file.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
     
    Last edited: Mar 26, 2010