Step 1. Pack the file with the ASProtect packer.

Step 2. Create a password-protected WinRAR SFX archive containing the file from step 1.

Step 3. Create another WinRAR SFX archive containing the file from step 2, but this time include the password in the SFX execution script.

Most AV engines have trouble unpacking a password-protected archive when the password sits in another compression layer of the same file. A quick VirusTotal scan shows that this is indeed the case.
Password protected RAR SFX archive:

  Avast       Win32:FakeAV-CYX [Trj]
  DrWeb       Trojan.Fakealert.29018
  GData       Win32:FakeAV-CYX
  Kaspersky   Trojan-Dropper.RAR.Agent.a
  McAfee      Generic Dropper.ady
  Microsoft   Rogue:Win32/FakePAV
  VIPRE       Win32.Malware!Drop

Unpacked file:

  AntiVir     TR/Fraud.Gen
  Avast       Win32:FakeAV-CYL [Trj]
  AVG         Suspicion: unknown virus
  ClamAV      PUA.Packed.ASPack
  GData       Win32:FakeAV-CYL
  Kaspersky   HEUR:Trojan.Win32.Generic
  McAfee      FakeAlert-FCG!F72024F90A24
  Microsoft   Rogue:Win32/FakePAV
  NOD32       a variant of Win32/Adware.WintionalityChecker.AA
  Panda       Suspicious file
  Sophos      Mal/FakeAV-MJ
  VIPRE       WindowsShieldTool
Notice how some AV engines didn't even bother detecting the password-protected archive, and how the same AV engine detects the same malware under two different names. This usually means that the AV vendor couldn't automatically unpack the file and had to write two separate detections: one for the password-protected file and one for the unpacked file.
An advantage of this technique, from the attacker's point of view, is that when the file is hosted on hacked servers or passes through email gateways there is a greater chance that it remains undetected, since the file is never executed there and the underlying ASProtect-packed file is never revealed.
On a related note, here's a screenshot of a variant of the same malware, except this time with excerpts from Romeo and Juliet included in its WinRAR script. This is done to change the file hash and give AV detection automation a hard time. The process is most likely automated too, so the authors could be generating thousands of files containing the same malware, each with a different file hash, at the click of a button.
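Static triage for the layout described in steps 1 to 3 and in the two paragraphs above, written from the scanner's side. This is an added example and not code from the original post, from WinRAR or from VirusTotal. It assumes the RAR 4.x block format (marker "Rar!\x1a\x07\x00"), that the entries are "stored" (method 0x30) so a layer can be peeled without a RAR decompressor, and that WinRAR keeps the SFX script in the archive comment ("CMT" sub-block); the sample archive, the file names inside it and the stub bytes are constructed, not taken from real malware. It walks the block headers only, reports whether the password-protected entry sits below an unencrypted outer layer, and hashes each embedded entry instead of the whole file so that padding the SFX script with Romeo and Juliet does not change what is tracked.

```python
# Added example: static triage of a nested WinRAR SFX executable (RAR 4.x headers only).
# Not code from the original post. Assumptions: RAR 4.x block layout, stored (0x30)
# entries, SFX script kept in the "CMT" comment sub-block; all sample bytes are constructed.
import hashlib
import struct
import zlib

RAR4_SIG = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080   # archive-header flag: block headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file-header flag: entry data is encrypted
LHD_LARGE = 0x0100      # file-header flag: 64-bit size fields present
LONG_BLOCK = 0x8000     # block flag: 4-byte ADD_SIZE (data length) follows HEAD_SIZE
METHOD_STORE = 0x30
HEAD_MARK, HEAD_MAIN, HEAD_FILE, HEAD_SUB, HEAD_END = 0x72, 0x73, 0x74, 0x7A, 0x7B


def parse_rar4(data, start):
    """Walk the RAR 4.x block chain at `start` without decompressing anything."""
    info = {"headers_encrypted": False, "has_comment": False, "entries": [], "bad_crc": 0}
    pos = start
    while pos + 7 <= len(data):
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        header = data[pos:pos + head_size]
        if head_size < 7 or len(header) < head_size:
            break                                          # truncated or corrupt block
        add_size = 0
        if head_flags & LONG_BLOCK and head_size >= 11:
            add_size = struct.unpack_from("<I", header, 7)[0]
        # HEAD_CRC is the low 16 bits of CRC32 over the header after the CRC field
        if head_type != HEAD_MARK and (zlib.crc32(header[2:]) & 0xFFFF) != head_crc:
            info["bad_crc"] += 1
        if head_type == HEAD_MAIN:
            info["headers_encrypted"] = bool(head_flags & MHD_PASSWORD)
            if info["headers_encrypted"]:
                break                                      # nothing after this is readable
        elif head_type in (HEAD_FILE, HEAD_SUB) and head_size >= 32:
            method, name_size = header[25], struct.unpack_from("<H", header, 26)[0]
            name_off = 32
            if head_flags & LHD_LARGE:
                add_size += struct.unpack_from("<I", header, 32)[0] << 32
                name_off += 8
            name = header[name_off:name_off + name_size].decode("latin-1")
            if head_type == HEAD_SUB:
                info["has_comment"] |= (name == "CMT")     # WinRAR stores the SFX script here
            else:
                info["entries"].append({"name": name, "method": method,
                                        "encrypted": bool(head_flags & LHD_PASSWORD),
                                        "span": (pos + head_size, pos + head_size + add_size)})
        elif head_type == HEAD_END:
            break
        pos += head_size + add_size
    return info


def triage(data, depth=0, max_depth=3):
    """Human-readable findings for one layer, recursing into stored (unencrypted) entries."""
    findings, sig = [], data.find(RAR4_SIG)
    if sig < 0:
        return findings
    tag = f"layer {depth}"
    if data[:2] == b"MZ" and sig > 0:
        findings.append(f"{tag}: PE stub with embedded RAR archive at offset {sig} (SFX)")
    info = parse_rar4(data, sig)
    if info["headers_encrypted"]:
        return findings + [f"{tag}: archive headers are encrypted, file names unreadable"]
    if info["has_comment"]:
        findings.append(f"{tag}: archive comment present (SFX script lives here)")
    for entry in info["entries"]:
        if entry["encrypted"]:
            findings.append(f"{tag}: entry '{entry['name']}' is password protected")
        elif entry["method"] == METHOD_STORE and depth < max_depth:
            lo, hi = entry["span"]
            findings.extend(triage(data[lo:hi], depth + 1, max_depth))   # peel one layer
    return findings


def verdict(data):
    """Is the password-protected content hidden below an unencrypted outer layer?"""
    hits = [f for f in triage(data) if "password protected" in f or "headers are encrypted" in f]
    if hits and not any(f.startswith("layer 0") for f in hits):
        return "nested SFX: password-protected content hidden inside an unencrypted outer layer"
    return "password-protected archive" if hits else "no password-protected RAR content"


def entry_digests(data):
    """SHA-256 per embedded entry (keyed by name); unchanged when only the comment differs."""
    sig = data.find(RAR4_SIG)
    if sig < 0:
        return {}
    return {e["name"]: hashlib.sha256(data[e["span"][0]:e["span"][1]]).hexdigest()
            for e in parse_rar4(data, sig)["entries"]}


# --- constructed sample (stand-in for the double SFX; no real malware involved) ---
def _block(head_type, flags, body=b"", payload=b""):
    """One RAR 4.x block with a correct HEAD_CRC, followed by its optional data."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest + payload


def _entry(head_type, name, payload, flags=0):
    """Stored file/sub-block header (PACK, UNP, OS, CRC, TIME, VER, METHOD, NAMELEN, ATTR)."""
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, zlib.crc32(payload) & 0xFFFFFFFF,
                       0, 29, METHOD_STORE, len(name), 0x20) + name
    return _block(head_type, flags | LONG_BLOCK, body, payload)


def _archive(*blocks):
    return RAR4_SIG + _block(HEAD_MAIN, 0, b"\x00" * 6) + b"".join(blocks) + _block(HEAD_END, 0x4000)


def build_sample(comment=b"; SFX script placeholder (constructed)"):
    """Outer SFX (no password) -> inner SFX (password) -> placeholder for the packed file."""
    stub = b"MZ" + b"\x00" * 62                           # fake 64-byte PE stub, constructed
    packed = stub + b"<placeholder for the ASProtect-packed payload>"
    inner_sfx = stub + _archive(_entry(HEAD_FILE, b"payload.exe", packed, LHD_PASSWORD))
    return stub + _archive(_entry(HEAD_SUB, b"CMT", comment),
                           _entry(HEAD_FILE, b"inner.exe", inner_sfx))


if __name__ == "__main__":
    sample = build_sample()
    for line in triage(sample):
        print(line)
    print(verdict(sample))
    print(entry_digests(sample))
```

Real samples compress the comment and the entries, so a production scanner would hand each peeled layer to an actual RAR decoder rather than rely on stored entries; the header walk, the per-layer password flag and the per-entry hashing are the parts that carry over unchanged.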