When I find a sample that PEiD recognizes as
Microsoft Visual Basic 5.0 / 6.0 or
Borland Delphi 6.0 - 7.0, after a quick look to check whether it is actually a kiddie crypter I just bin it. They're all based off the same loading code and usually other open source code.
If the average user tests one of these files in a
sandbox, and it comes up with absolutely nothing, they should be suspicous.
Most so called anti* tricks based on analyzing hardware components of system (driver/process names of VmWare/VPC/VBox) or searching for specific dll's (as in case of sandboxie).
Some just check things like the username, like CurrentUser to detect Norman
sandbox. :lol: