
Saturday, February 23, 2008

YZPack 2.0 beta (c) UsAr


A packer for executables and DLLs,
using the compression libraries aPLib / LZMA

Age: ~1 year

Here is a finished gavno (Russian slang for 'crap') packer, which compresses a bit better than FSG v2.0:
yzpack.2b.aplib

Unlike this version, the older yzpack.v1.2.aplib and yzpack.v1.2.lzma did not handle DLLs.

For virus scanners that do not recognize it and cannot scan inside it, the packed file is listed under random virus names, chosen by the AV product.

I found it by searching the net, thanks to the Virus Lexicon from Ikarus, which shows that this scanner cannot handle files packed with YZPack and recognizes them as viruses:

Packer.YZPack.A - I guess .A stands for one of the compression libs used, maybe aPLib
Packer.YZPack.B - maybe .B if the LZMA compression library is used

Rem: Most AV scanners in the 2008 product line still cannot unpack many EXE packers that are 3-8 years old or older, nor look through several layers of executable compression to check the actual executable inside.
These AVs show all such packed files as viruses.

About the virus security forums out there I have no words; I just wonder whether they don't know anything, since they can't spend a single word in 1000-3500+ discussion posts on compression or on PE file construction. How can they say what is right and what is wrong, or advise anything? Of course the AV which shows the most viruses, false positive or not, gets the highest ranking.

In my opinion, a possible false positive by the AV scan engine, caused by missing examination/unpacking features for this or that file, should not tell the user it is virus name xyz, but should tell the truth: that the file cannot be properly inspected/identified. The user then chooses: quarantine, delete, permit access, skip at own risk, and maybe send the file to run in a sandbox.

More info about this packer and how to unpack it can be found here: http://google.com/search?q=YZPack

Download:

yzpack.v1.2.lzma.rar
yzpack.v1.2.aplib.rar
yzpack.2b.aplib.rar

Pack random files with it and test whether AV scanners can scan inside the packed files, or whether they report the packer under some arbitrary virus name. The latter means the AV engine cannot examine what is inside the packed file and, 'for security reasons', flags it as a virus.

The only homepage I found so quickly: http://usar.pp.ru/blog/?p=21

Unpacking without manual work is possible: http://ap0x.jezgra.net/RL!dePacker.rar can unpack it.

It makes antivirus scanners nervous. They terribly dislike seeing sections UPX0, UPX1, UPX2 and then finding out with surprise that it is not UPX. No offense, but another push for AV products to get their engines up to date and not fake scan results by showing false positives when they are unable to scan a file.
If it is not a false positive, please correct me after you have reversed it, sandboxed it and diagnosed it...
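As an added example (not from the original post, and not part of YZPack or of any AV product): a Python script that walks the PE headers, dumps the section table with per-section entropy, and flags the cheap packer tells discussed above: section names copied from UPX, a first section that is empty on disk but large in memory, a high-entropy section, and an entry point outside the first section. The sample PE it analyzes is constructed inline to mimic a UPX-style layout and is not a runnable program; the packer name list and the 7.0 bits/byte cutoff are assumptions, not anything the post specifies.

```python
import math
import random
import struct
from collections import Counter

# Section names that well-known packers write into the section table (assumed list).
# A hint only: the post's point is that YZPack reuses UPX's names, so a name match
# identifies neither the packer nor anything about what is packed inside.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2",   # UPX (and YZPack imitating it)
    ".aspack", ".adata",      # ASPack
    ".petite",                # Petite
    ".MPRESS1", ".MPRESS2",   # MPRESS
}
ENTROPY_THRESHOLD = 7.0       # bits/byte; plain x86 code sits well below this (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(pe: bytes):
    """MZ -> PE signature -> COFF -> optional header -> section table; returns (entry RVA, sections)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]            # AddressOfEntryPoint
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER is 40 bytes, right after the optional header
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr})
    return entry_rva, sections


def analyze(pe: bytes) -> dict:
    """Per-section entropy plus the cheap packer tells a scanner can check without unpacking."""
    entry_rva, sections = parse_pe_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        s["entropy"] = round(shannon_entropy(pe[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]), 3)
        if s["virtual_address"] <= entry_rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            entry_section = s["name"]
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{s['name']}: section name used by a known packer (name alone proves nothing)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} bytes in memory (unpack target)")
        if s["raw_size"] >= 0x200 and s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte, looks compressed or encrypted")
    if sections and entry_section not in (None, sections[0]["name"]):
        findings.append(f"entry point {entry_rva:#x} lies in {entry_section}, not in the first section (stub first)")
    return {"entry_rva": entry_rva, "entry_section": entry_section, "sections": sections, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed sample, not a real program: minimal PE32 with a UPX-style section layout."""
    rng = random.Random(2008)
    stub = bytes(rng.getrandbits(8) for _ in range(0x1000))             # stands in for packed data
    rsrc = (b"\0" * 0x180 + b"SAMPLE RESOURCE\0").ljust(0x200, b"\0")     # low-entropy filler
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew: PE header at 0x40
    opt = bytearray(0xE0)                                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11010)                             # AddressOfEntryPoint, inside UPX1
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)           # ImageBase, SectionAlign, FileAlign
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x010F)  # i386, 3 sections, EXE flags
    sec = struct.Struct("<8sIIIIIIHHI")  # name, vsize, va, rawsize, rawptr, relocs, linenos, counts, flags
    hdrs = sec.pack(b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    hdrs += sec.pack(b"UPX1", 0x1000, 0x11000, 0x1000, 0x200, 0, 0, 0, 0, 0xE0000040)
    hdrs += sec.pack(b".rsrc", 0x200, 0x12000, 0x200, 0x1200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0")  # pad to FileAlignment
    return bytes(headers) + stub + rsrc


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} vsize={s['virtual_size']:#08x} raw={s['raw_size']:#08x} entropy={s['entropy']:.2f}")
    for finding in report["findings"]:
        print("  -", finding)
```

Run against the constructed sample, every tell fires: UPX0 is empty on disk and 64 KiB in memory, UPX1 is near 8 bits/byte and holds the entry point. The same readout would come from a real UPX file, a YZPack file with copied names, or a benign self-extractor, which is exactly why a scanner that stops at this stage can honestly report only "packed, not inspected" rather than a virus name; to say more it has to run or emulate the stub and look at what comes out.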

I like packers that make files even smaller. I hate viruses, I hate trojans, I hate false positives and lazy, marketing-oriented AV products which tell more wrong than right and report packers as viruses. Get OllyDbg or any debugger and reverse it down to its substance, bit by bit, before putting whole packers as viruses into the database updates. This should be the daily job of every antivirus firm, but it isn't. Submit a suspicious file and they add it as a virus without testing it enough.

If you look at the top 10 viruses by BitDefender, 'Virus: Password-Protected' is in place 3, maybe because of missing examination: it is always the same zip password used by some popular 'all-in-one' creation tools.

Submission tracing for VirusTotal.com, VirScan.org and Jotti (virusscan.jotti.org), updated daily:
http://www.gossamer-threads.com/lists/clamav/virusdb/

Get those virus-creator bastards, but don't swap or mix them up with packers/compressors. Sort it out well and carefully!
