
Thread: AVPX 3.30 by z0mbie

  1. #16
    When you unpack an .AVC file, a new folder will be created and all of the extracted info will be stored in it. Check out the <Stamms.txt> files; you will find all information about any virus inside them. Here is an example:

    File Virri-Signature Length (1) = 07
    File Virri-Signature Offset (1) = 2400
    File Virri-Signature (1),w = 0D75
    File Virri-Sub Type = 08
    File Virri-Signature (1),dw = E1AD9E75
    File Virri-Signature Length (2) = 80
    File Virri-Signature Offset (2) = 2400
    File Virri-Signature (2),dw = 8D3E05B2
    File Virri-Virri Finder stub in = 0002 -> \\Lib-File Virri Finding Stubs\Obj0002.obj
    File Virri-Name = 000012E9 -> Worm.Win32.Fujack.ap
    File Virri-Cure Parameter(0) = 05
    File Virri-Cure Parameter(1) = 9C9B
    File Virri-Cure Parameter(2) = 0000
    File Virri-Cure Parameter(3) = 0000
    File Virri-Cure Parameter(4) = 0000
    File Virri-Cure Parameter(5) = 0000


    Sometimes infection by a virus can't be verified by simple string scanning, and in such cases a special stub (Virri Finder stub) will be called. For cleaning viruses, AVP will pass 5 parameters to the curing routine; as I remember, the 1st parameter shows the method of treatment; the rest I have forgotten.

    regards
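    An added example, not from the thread and not part of AVPX: a small parser for the Stamms.txt record format shown in the post above. The field names come from the dump; the functions are mine, and treating every numeric value as hexadecimal is an assumption.

```python
import re

# Constructed sample: the Stamms.txt record quoted in the post above.
SAMPLE_RECORD = r"""
File Virri-Signature Length (1) = 07
File Virri-Signature Offset (1) = 2400
File Virri-Signature (1),w = 0D75
File Virri-Sub Type = 08
File Virri-Signature (1),dw = E1AD9E75
File Virri-Signature Length (2) = 80
File Virri-Signature Offset (2) = 2400
File Virri-Signature (2),dw = 8D3E05B2
File Virri-Virri Finder stub in = 0002 -> \\Lib-File Virri Finding Stubs\Obj0002.obj
File Virri-Name = 000012E9 -> Worm.Win32.Fujack.ap
File Virri-Cure Parameter(0) = 05
File Virri-Cure Parameter(1) = 9C9B
File Virri-Cure Parameter(2) = 0000
File Virri-Cure Parameter(3) = 0000
File Virri-Cure Parameter(4) = 0000
File Virri-Cure Parameter(5) = 0000
"""

# One dump line: "File Virri-" prefix, field name, hex value, optional "-> text".
LINE_RE = re.compile(r"^File Virri-(.+?) = ([0-9A-Fa-f]+)(?: -> (.*))?$")

def parse_record(text):
    """Field name -> int value (assumed hex, as the dump prints it); fields that
    carry a '-> text' suffix (stub path, malware name) map to (value, text)."""
    rec = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            val, extra = int(m.group(2), 16), m.group(3)
            rec[m.group(1)] = val if extra is None else (val, extra)
    return rec

def signatures(rec):
    """Numbered signature blocks (length, offset, word, dword); absent parts are None."""
    sigs, n = [], 1
    while f"Signature Length ({n})" in rec:
        sigs.append({"length": rec[f"Signature Length ({n})"],
                     "offset": rec[f"Signature Offset ({n})"],
                     "word": rec.get(f"Signature ({n}),w"),
                     "dword": rec.get(f"Signature ({n}),dw")})
        n += 1
    return sigs

def summary(rec):
    """Malware name, finder stub object path and the six cure parameters."""
    cure = [rec[f"Cure Parameter({i})"] for i in range(6)]
    return {"name": rec["Name"][1], "stub": rec["Virri Finder stub in"][1], "cure": cure}
```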

  2. #17
    z0mbie --> Master

  3. #18
    Last night I was browsing around my old tools, then just noticed that KAV detects my AvcUnpacker as not-a-virus:RiskTool.Win32.AVCUnPack.a

    http://www.virustotal.com/analisis/1bae709f36a4a4f0e8a373c32f839b7665235716ee1117983dba71803e155da6-1262150398

    poor stupid guys;
    Last edited by cEnginEEr; December 30th, 2009 at 00:31.

  4. #19
    Should take it as a compliment

  5. #20
    Quote Originally Posted by rendari
    Should take it as a compliment
    nope...misunderstood..

    My point was, every day before I start to work, I take time and search around the net to collect new malware (honeypots, XX sites, etc.); I'm surprised to see that some of those great AVers miss about 40% of them; well, instead of paying attention to real malware, something that everyone expects from ANTI-VIRUS software, they keep adding signatures for harmless tools; no wonder they have over 3.5 million records in their database;

  6. #21
    disavowed
    it's probably because their customers are submitting the "harmless tools" to them and they prioritize customer-submissions over other malware

  7. #22
    I say yes to that.

    Those who do not know will gladly click when their anti/mal scanner says something is bad and send it on to the database.

    I decided to try Comodo and it is quite intensive. It throws warnings at everything, good, bad or indifferent. While I understand what they are trying to accomplish, it is quite intimidating to someone who might not "know" what it is doing. So the bad part of that is people flag things that shouldn't be flagged.

    I wonder if it is even possible to build an anti/mal scanner that is correct more than 50% of the time.

    I think not, but it is a tough biz trying to detect what is bad and what is not.

    Woodmann
    Learn Or Die.

  8. #23
    I decided to try Comodo and it is quite intensive. It throws warnings at everything, good, bad or indifferent. While I understand what they are trying to accomplish, it is quite intimidating to someone who might not "know" what it is doing. So the bad part of that is people flag things that shouldn't be flagged.
    Eheh, Comodo is a really good Security Suite (and this is not because I work for Comodo); it presents an effective proactive defence and the rest is checked by the scanner; applications that are surely malware will be killed or cured.

    The problem is that we have to pay extreme attention when building a signature, because there is a high risk of False Positives; to reach at least 50% requires an extremely big work in malware analysis + signature writing; just consider that the smallest family has 5000+ variants, the big ones can reach 500000+

    From the rootkit point of view it also presents good features; usually it is the most complex to bypass, especially the firewall; Kaspersky presents fewer problems (from the attacker point of view) because if you know how to disable a specific component, the rootkit will survive without too many problems.
    NDIS based drivers will not have problems to firewalk K.

    Regards,
    Giuseppe 'Evilcry' Bonfa'

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  9. #24
    Quote Originally Posted by evilcry
    Kaspersky presents less problems (from the attacker point of view)
    That fact is known simply because the KAV engine has been well studied for many years by vx people; I personally can trap any action KAV does when scanning a file (sig load, unpack, emu, sig record match, etc.);

    Quote Originally Posted by evilcry
    From the rootkit point of view (comodo) presents also good features, usually is the most complex to bypass especially the firewall
    I believe 99% (if not all) of AV engines are vulnerable to some of those weaknesses, for example I have investigated NOD32 engine and I know it has some; about Comodo, well..I say time will show;


    PS: and by those words I mean no disrespect to comodo staff

  10. #25
    Yeah, I agree, and I also bypassed Comodo, but it is a bit harder compared to other products

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  11. #26

    AVP vx names extractor

    well, another AVP tool, maybe useful to VX collectors;
    This tool extracts all VX names in the AVP database; it can help a collector in many ways; if you're a collector then you would know how;

    Syntax: AVNE [-A -B -F -H -P] [path to avc files]

    -A extract all Archiver names known to AVP
    -B extract Boot & MBR VX names
    -F extract File Malware
    -H extract Heuristic names
    -P extract Packer\Protector names

    AVNE will read the AVC file names from <avp_x.set>; the result will be stored in <VirusList.txt> in the current path; the saved records are not sorted and there are some duplicates; use UltraEdit to sort it out and eliminate dups;

    EDIT: expect an update in the kav database with a newly discovered riskware
    Last edited by cEnginEEr; January 30th, 2010 at 05:23.

  12. #27
    to cEnginEEr:
    AVNE is a nice tool, very good work, thanks.
