[EP_X0FF]

Patient number one

very dangerous and invincible malware yes
http://www.virustotal.com/file-scan/rep ... 1318083179

this is actually small test written by me few years ago, especially for avira paranoid.

and this is the same file, recompiled
http://www.virustotal.com/file-scan/rep ... 1318126219

hash calculators failed, perfectly reveals fakeav by the way.

and here is actual source code of this "Trojan Downloader Codec Pack"

Code: Select all

{$E EXE}
{$IMAGEBASE $00400000}
{$R-}
{$Q-}
{$IFDEF minimum}
program Heur;
{$ENDIF}
unit Heur;
interface

uses
  Windows, WinNative;

implementation

var
  hModule1: DWORD;
  p1: pointer;
  st1: UNICODE_STRING;
  ns: NTSTATUS;
begin
  RtlInitUnicodeString(@st1, kernel32);
  ns := LdrLoadDll(nil, nil, @st1, @hModule1);
  if (ns = STATUS_SUCCESS) then
  begin
    p1 := nil;
    RtlInitAnsiString(@st1, 'Beep');
    ns := LdrGetProcedureAddress(hModule1, @st1, 0, @p1);
    if (ns = STATUS_SUCCESS) then
      asm
        push 10
        push 2000
        call p1
      end;
    LdrUnloadDll(hModule1);
  end;
end.

[Xylitol]

siri have already does similar test on the past with a simple program who do a ExitProcess
http://siri-urz.blogspot.com/2010/03/an ... nd-fp.html

[rkhunter]

Old Sp0Raw research about this theme http://sporaw.livejournal.com/79480.html.

[EP_X0FF]

Patient number 2.

http://www.virustotal.com/file-scan/rep ... 1317971569

Innocent application packed by UPX.

Original detection come from Kaspersky and 10+(!) FakeAV copied it name (only name). Especially I like Joke/W32.ArchSMS.3404800 - this strange number at the end is the filesize for which was calculated hash.

Kaspersky fixed this FP, but copy-pasters of course no. UPX -d and FakeAV detections goes to nowhere (note: this is old scan, before Kaspersky fp fix).
http://www.virustotal.com/file-scan/rep ... 1317915671

[nullptr]

scast.exe packed PECompact - 19/43 http://www.virustotal.com/file-scan/rep ... 1318171167

unpacked - 0/43 http://www.virustotal.com/file-scan/rep ... 1318171460 - magically the trojans vanished :o

[rndbit]

I guess this fits here perfectly http://www.theregister.co.uk/2011/10/26 ... _positive/

[cjbi]

Patient name ALYac(hxxp://global.alyac.com/)

In December 2008, ALYac anti-virus labels itself(update module) as spyware.

Notice(Google translated): hxxp://translate.google.com/translate?sl=ko&tl=en&u=alyac.altools.co.kr%2FCustomer%2FPublic%2FNoticeView.aspx%3Fid%3D50

ALYac, Avira...
Who's next?

[Xylitol]

Who's next?

Avira antivirus, detected itself as "TR/Spy.463227"
http://www.h-online.com/security/news/i ... 67055.html

[Meriadoc]

Hello,

I find av self detection always kinda funny, lol.

CureIt detected its own log, Cureit log : probably SCRIPT.virus. (16/10/2011)

oh nooo..! :mrgreen:

[Fyyre]

I understand some a/v has serial number blacklist of warez file packers (PECompact, WinLicense and VMProtect come to mind), as result of communication between developer of file packer and a/v companies... can anyone verify this ?

p.s. EP: beep app made w/ MSVC2010 http://www.virustotal.com/file-scan/rep ... 1320504237

-Fyyre