http://www.bitdefender.com/site/VirusInfo/http://news.bitdefender.com/site/browseCategory/1/Security-News.htmlFalse positive exe Packer Compressor XComp098, XComp097 (XComp & XPack) nfo:
XComp/XPack: A freeware PE32-imagefile packer/rebuilder
(c)2007 JoKo, Version 0.98 02/18/2007
http://www.soft-lab.de/joko/ExePack.htm
shown by:
| BitDefender | 7.2 | 2008.02.13 | Packer.XComp.A |
Here a test using uTorrent.exe packed with
Xcomp0.98 + a injected DLL using PECompact before:
http://www.virustotal.com/analisis/a98615218abef2d02a5f6507a24edda5A deep analysis to the real target which is negative
(no backdoor or any kind of a Virus), the dll failed by all AV's.
Since signature updates from today, 14. Feb. 2008 using
BitDefender Enterprise Solution for
Windows Server and standalone editions (German Versions).
a UPX variant Packer / unpack engine unrecognized or Bitdefender is unable to unpack and check the files, while Bitdefender skip deep scanning/checking inside Armadillo and Thermida packed files as well by embedded, injected dll's in PECompact scanning.
================================================================
Thermida - Armadillo Protectors:
Sample of background activities by a possible true positive activity by BitDefender Labs Romania does not well monitor packed/protected file automatically installed non pnp system drivers:
Commercial anti-cracking product from Oreans Technologies for Shareware applications...
Shareware protector like Thermida and Armadillo.
Oceans Thermida and Armadillo exe packer/protectors adds and run a system service as non plug and play device driver hidden and registry values with no modify, delete access with the admin account to the windows registry key entries.
Themida is the evolution of Xprotector. Oreans.sys the faulting driver. It is part of Xprotector, Thermida which is a software protection scheme used by some shareware programs.
I've downloaded Themida from
www.oreans.com and started to check.
Themida use the ring0 .sys (Oreans.sys) as the Xprotector do (xprotector.sys). Winlicense driver loaded in memory. No way to read from Process Memory.
Thermidia and Armadillo exe packer have the option to easy embedded a nag/splash screen with possibility to attach with certain tools in picture bmp or jpg files a virus/backdoor and other files to the file exe,dll,... by packing/protecting against code view.
Oreans.sys, xprotector.sys you will found under control Panel > Hardware > show hidden devices > non plug and play devices.
Run uninstall this "security" background services. After that its not done you need to edit the registry but the Keys are locked. Right click set access control to be able to delete
as admin the registry entries, see attachment how to get ripped from it.
Also applied for newer Armadillo
www.siliconrealms.comby Digital River, Inc
see wikipedia Digital RiverIt will run after the very first execution of an Thermidia, Armadillo, injected, packed exe or dll file with windows start up in the background as non-pnp driver service. The Driver Service and sys files are absorbed from the packed file and automatically installed as soon the protected file run the first time.
Service (registry key): XPROTECTOR and others used by Armadillo SoftwarePassport siliconrealms ( = Digital River ) and Oreans Technologies, Themida®, WinLicense®, Code Virtualizer®,...
Display name: XPROTECTOR
Image path: C:\WINDOWS\system32\drivers\Oreans.sys
*.sys file are not signed or show any version info.
Oreans driver loaded in memory by system start.
Access via Control Panel > System properties > hidden devices > non pnp > check the entries and click uninstall.
Image path: %windir%\system32\drivers\Oreans.sys
search in the windows registry for: XPROTECTOR
and Oreans.sys etc...
Windows registry: search for the entries and right click access control, change ownership to get permission to delete, remove, edit.
If it fails try under windows protect mode to remove that kind of driver.
It will install by self as soon you start a application witch is protected by these exe packer/protectors and you have to do the process all over again.
Check with PEiD or EXE Info PE which files are done with Armadillo and Thermida. Not to long ago, older Versions from Oreans.sys many issues been reported by overcloaked CPU's. If newer versions have been fixed are unknown. Best you can do is delete or unpack with Ollydbg files with this kind of protectors. Since a while uTorrent and Bittorrent as well eMule mods have been by some "Modder" protected with this Shareware protectors.
Oreans.sys v1.40
(one of the latest Versions) and some registry keys:
Orleans Thermida System Driver Service Non PnP Hidden device.zip 89,7 KB (91.856 bytes)
http://www.google.com/search?q=XPROTECTOR+Oreans+driverChanging the AV Solution back to Symantec Corporate Solutions, Kaspersky, Nod32 Enterprise for server will be the only way to avoid strong false positive and get better unpacking/scan engine for types like Armadillo, Thermida + save time by unsure application to unpack them manual. More configuration options settings as well *exclude* filtes etc... are in all of them.
BitDefender SupportUnsere Support-Mitarbeiter genießen ein exklusives Training, um Anfragen von Kunden schnell und zielorientiert zu beantworten oder auch nicht wenn sie überfragt sind weichen sie gerne aus.
http://www.softwin.ro/?pagina=stiri&&stire=118 -
http://www.softwin.ro/?pagina=istoricBitDefender
BitDefender™ este producătorul românesc lider tehnologic la nivel mondial în securitatea datelor. Compania oferă soluţii inovatoare care protejează eficient împotriva ameninţărilor informatice, setând noi standarde în domeniu pentru viteza de reacţie, instalare, utilizare şi actualizare uşoară. Prezent în peste 6000 de magazine de pe cele cinci continente, BitDefender este cel mai răspândit produs românesc în întreaga lume care protejează eficient împotriva ameninţărilor a peste 41 de milioane de utilizatori individuali şi corporate din mai mult de 180 de ţări. BitDefender are sucursale în SUA, Marea Britanie, Germania, Spania şi România. Mai multe informaţii puteţi găsi vizitând site-ul:
http://www.bitdefender.ro
