21 February 2008

Censored by AntiVirus Packer.FSG - FALSE POSITIVE

4 comments
FSG - F[ast] S[mall] G[ood]
Perfect compressor for small exes, e.g. 4k/64kb intros, asm appz etc. (upx sux)

features:
+ designed for asm executable files (kg, cracks, trojans :) - IN HOPE NO ONE PACK TROJANS WITH IT
+ small loader size (but if u know how to improve it, mail me)
+ imports handling
+ support for executables with export tables
+ TLS support (delphi, bcc exes)
+ overlays support (flash, director, shockwave etc.)
+ aPLib compression (LZMA is too big and NRV from z0mbie's site is soo sloow)
+ command line support, eg. "fsg.exe notepad.exe" (drag&drop also works)


changes v2.0
+ 100% recoded (pure win32asm)
+ 158 bytes of loader code, gee it's so cute :), can you make it smaller?
+ support for exports and overlays (flash and co.)
+ strip unused resources option (version info, delphi's resources)
+ configuration file (fsg.ini), read it for more info
+ it wasn't my intention, but you can pack executables from vb-shit too :)
+ fixed command line handling for Windows Server 2003
+ fixed Windows95 compatibility problems (command line support)
- 32x32 icon isn't removed anymore


changes v1.33
+ smaller loader code (again??), this time it's 197 bytes long (u cant stop us)


changes v1.32 (internal release)
+ smaller loader code (206 bytes)
+ ms-dos header optimization (PE header at 0Ch offset)
! shitty Web3000 claims that FSG is a trojan, don't use this cheap Web3000
crapware, anyway if you still think FSG is a trojan, reverse it and
tell me about your worries


changes v1.31
+ smaller loader code (thnx Jibz for aplip optimization tips), 239 bytes
+ compatibility with FASM exe files


changes v1.3
+ nice GUI
+ FSG saves its import strings in PE header, just like TLS table if detected
+ PE header moved 32 bytes up (40h), I don't give a fuck about the dos message
+ heavily tested under XP (yeah rite...)
+ detection of invalid PE files (signatures, packers flags at PE+F4h)
+ error handling (seh requested :P)
- polymorphic encryption (you didn't like it, am I rite?)


changes v1.2
+ now FSG loader is placed correctly in the PE header (always on 200h)
+ tested under XP (but still I won't pay 500$ for this shit :P)
- disabled compression of RT_FONTDIR & RT_FONT & RT_MANIFEST resources
- disabled compression of RT_VERSION resource (shit, now you can compress
all those little shitty VB appz)

bugs
- no .NET executables support (what can be worse than VB for .NET? :)
- no DLL support (who needs it anyway?)
- no TLS callbacks support
- no delay imports support
- and much more :)

FSG v1.33, FSG v1.2, FSG v2.0
Homepage: http://www.xtreeme.prv.pl/

Hit this link and see the stupidity of all the wannabe security forums, antivirus advisors and many more: http://www.google.com/search?num=100&hl=en&newwindow=1&safe=off&q=Packer.FSG
They have been discussing for years that, because some people have packed viruses with FSG, the exe packer itself is now a trojan virus. Please use an unlisted packer such as UPX, PECompact or whatever and pack your shitty trojans with that instead: those packers may have a slightly worse compression ratio, but they will never be listed as a trojan under the name of the compressor/packer, and the AV researchers will have a little more work to do to find the real virus inside the packed files, no matter which packer was used.

Used by many, including .../CORE. Not a typical keygen or scene packer: making intros and small files even smaller is always welcome.

The packer is detected as a trojan by most AVs.
I disassembled it down to its substance and sandboxed it: no trojan there. - FALSE POSITIVE - Even if the packed file contains no trojan, it will show as positive, because some AVs have listed the whole packer.

This applies, for the AVs that detect it as positive, to all files packed with this packer.

According to PEiD it was done with: FSG v1.33
I know PEiD isn't the best: it lacks signature updates and has no anti-cheat mechanism if someone sticks other signatures inside.
Testing with Exeinfo PE, which is well updated, shows some more:
Image is 32bit executable FSG v1.33 F[ast] S[mall] G[ood] - www.xtreeme.prv.pl

The advice there is to use VMUnpacker V1.2 by www.dswlab.com (why not V1.3?).
I use another one now.

The KAV engine in G Data detects a trojan. By the way, in the latest WinXP SP3 a system file, genuinely signed by MS, is detected as a virus, and restoring it from quarantine failed. The G Data firewall looks not bad, but the AV engine slows the system down, same as the latest Outpost Firewall. It is always good that there are archive sites on the net to get older versions.



Result for the original: http://www.virustotal.com/analisis/3e05a9dd741ca42f5001195652311a54
14/32 AVs have listed Packer FSG as a virus - false positive -
Unpacked: http://www.virustotal.com/analisis/3a1ba1a7606e681a11d5e6f32fb98202
Of these 8 detections, I'm sure I can get the false positive alert out of 6 if I clean the unpacked file of the remaining signs that it was packed with FSG before.

http://www.virustotal.com/analisis/72757bef29b2add1d564ee86ad450cd8
TheHacker 6.2.9.225 lost the virus W32/Behav-Heuristic-061
just by removing the word " FSG! " from the PE header with a hex editor.

Webwasher-Gateway 6.6.2 changed its verdict from Packer.Dumped to Win32.Malware.gen (suspicious) after removing the word " FSG! " with a hex editor.

Looks like signs of MEW were overlooked...
However, if I pack it again it comes to this:
http://www.virustotal.com/analisis/9646f7ae36603fa580408549bc12f7ae
From the original 14/32 down to 9/32, while Sophos shows another false positive from repacking, followed by Panda, eSafe, Sunbelt and Webwasher-Gateway = minus 5! It stays at 4/32.
I'm a little bit worried whether Avast is right with: Win32:Agent-QXQ

I didn't clean the unpacked file; F-Secure found signs that it was packed with FSG before and reported the unpacked/not cleaned file as before, same as Avast. Ikarus ????
Webwasher found the remaining signs that it was packed before as well. eSafe doesn't know anything, because for the unpacked file it shows a different virus than for the packed one, mutated from Trojan/Worm to don't-know = Suspicious File. ! Packer listed !?
About CAT-QuickHeal, just for a laugh: for most packed exe files, regardless of which packer was used (upx/Xcomp/pecompact), it very often shows: (Suspicious) - DNAScan

Norman, Sophos, FileAdvisor, AhnLab-V3, Prevx1 lost the virus (false positive alert) in the unpacked state, same as VirusBuster. Proof for me that those AVs have just listed the packer as a virus - no analysis or unpacking has been done.

MZ. PE L FSG!

VM Unpack

The whole thing again; better to test twice, now with VM Unpack V1.4 (we have the SDK).
Info:
FSG v1.33 (Eng) -> dulek/xt <===> Support
Unpacked successfully! (in less than a second)

The default DOS MZ header / DOS stub will always be missing from an FSG-packed file; instead there is written
MZ. PE L FSG!....
That means an antivirus will see that it was packed with FSG unless it is replaced.
See: http://win32assembly.online.fr/pe-tut1.html
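As an added example (not code from the original post or from the FSG author), here is a small Python check that reads a PE header the way the post describes an antivirus seeing it: it follows e_lfanew, reports whether the PE header has been pulled up into or right after the DOS header (so the usual DOS stub is gone, and at 0Ch the two headers even overlap) and searches the header region for the ASCII marker "FSG!". The two sample headers at the bottom are constructed for the demo and are not real FSG output; the position of the marker inside them (the TimeDateStamp slot) is an assumption.

```python
import struct
import sys

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
FSG_MARKER = b"FSG!"
DOS_HEADER_SIZE = 0x40          # stock IMAGE_DOS_HEADER; the DOS stub normally follows it
DEFAULT_HEADER_REGION = 0x200   # fallback search bound when SizeOfHeaders is unusable


def inspect_pe_header(data: bytes) -> dict:
    """Report packer traces in the header region of a PE image.

    no_dos_stub         - nothing fits between the DOS header and the PE header,
                          so the "This program cannot be run in DOS mode" stub is gone.
    overlapping_headers - e_lfanew points inside the 0x40-byte DOS header itself.
    fsg_marker_offset   - file offset of the ASCII string "FSG!" in the header
                          region, or None if absent.
    """
    report = {"valid_mz": False, "valid_pe": False, "e_lfanew": None,
              "no_dos_stub": False, "overlapping_headers": False,
              "fsg_marker_offset": None}
    if len(data) < DOS_HEADER_SIZE or data[:2] != MZ_MAGIC:
        return report
    report["valid_mz"] = True

    # e_lfanew always lives at 0x3C, even when the PE header starts before it:
    # with the PE header at 0x0C, offset 0x3C falls on the optional header's
    # BaseOfData field, which the Windows loader does not use, so they can overlap.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    report["e_lfanew"] = e_lfanew
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return report
    report["valid_pe"] = True
    report["no_dos_stub"] = e_lfanew <= DOS_HEADER_SIZE
    report["overlapping_headers"] = e_lfanew < DOS_HEADER_SIZE

    # Bound the marker search by SizeOfHeaders (signature 4 + file header 20 +
    # optional header offset 0x3C); fall back to 0x200 if it is unusable.
    size_of_headers_at = e_lfanew + 4 + 20 + 0x3C
    region = min(DEFAULT_HEADER_REGION, len(data))
    if size_of_headers_at + 4 <= len(data):
        declared = struct.unpack_from("<I", data, size_of_headers_at)[0]
        if declared > 0:
            region = min(declared, len(data))
    pos = data.find(FSG_MARKER, 0, region)
    report["fsg_marker_offset"] = pos if pos >= 0 else None
    return report


def constructed_fsg_style_header() -> bytes:
    """Constructed sample, NOT real FSG output: PE header at 0x0C (the layout the
    FSG changelog describes), "FSG!" in the TimeDateStamp slot (an assumption
    for the demo), no DOS stub, 0x200 bytes of headers."""
    buf = bytearray(DEFAULT_HEADER_REGION)
    buf[0:2] = MZ_MAGIC
    buf[0x0C:0x10] = PE_MAGIC
    struct.pack_into("<HH", buf, 0x10, 0x14C, 2)               # Machine = i386, 2 sections
    buf[0x14:0x18] = FSG_MARKER                                 # TimeDateStamp slot
    struct.pack_into("<H", buf, 0x24, 0x10B)                    # PE32 optional header magic
    struct.pack_into("<I", buf, 0x0C + 4 + 20 + 0x3C, DEFAULT_HEADER_REGION)  # SizeOfHeaders
    struct.pack_into("<I", buf, 0x3C, 0x0C)                     # e_lfanew -> 0x0C (overlaps BaseOfData)
    return bytes(buf)


def constructed_plain_header() -> bytes:
    """Constructed sample of an ordinary layout: DOS header, stub text at 0x40,
    PE header at 0x80, no packer marker."""
    buf = bytearray(DEFAULT_HEADER_REGION)
    buf[0:2] = MZ_MAGIC
    stub = b"This program cannot be run in DOS mode.\r\n$"
    buf[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = PE_MAGIC
    struct.pack_into("<HH", buf, 0x84, 0x14C, 3)
    struct.pack_into("<H", buf, 0x98, 0x10B)
    struct.pack_into("<I", buf, 0x80 + 4 + 20 + 0x3C, DEFAULT_HEADER_REGION)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Inspect a real file: only the header region is needed.
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], inspect_pe_header(fh.read(0x1000)))
    else:
        for name, blob in (("fsg-style", constructed_fsg_style_header()),
                           ("plain", constructed_plain_header())):
            print(name, inspect_pe_header(blob))
```

Run it with a file path to inspect a real executable, or without arguments to see the two constructed samples. A match on the marker or on the missing stub is a packer trace, not proof of anything malicious; that distinction is exactly what the post complains the listed scanners do not make.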

The unpacking engine VM Unpack, which was made for trojan research by a Chinese AV data security company, adds the word À.dswlab to the PE header.

Here the result of the analysis:
http://www.virustotal.com/analisis/e3c6628a12b66853f400750d31037977
Same as the first unpacking solution: 8/32
For me it confirms twice that, with the packed file at 14/32, 6 scanners lost the virus completely in the unpacked state > 6x proven false positive from the exe packer!!!

I would say these AVs can be put on the minus side of the result:
- Webwasher-Gateway
- TheHacker
- Sunbelt
- maybe F-Secure, because for most packed files, whatever packer was used, it shows the same signs
- eSafe
- CAT-QuickHeal, see F-Secure

= 2/32 scanners:
Avast reports Win32:Agent-QXQ and
Ikarus reports Trojan.Win32.Obfuscated.ex
Ikarus possibly gets its info from other scanners, as could be seen with Packer XComp, maybe from VirusTotal via a Google search on that site, or gets the files delivered; it is possibly oriented on other AVs but reports the given virus names differently. However, about Avast's Win32:Agent-QXQ I'm unsure.

Rebuilt, with MS-DOS header + stub added
http://www.virustotal.com/analisis/72757bef29b2add1d564ee86ad450cd8
Result: 7/32
Same as above: Webwasher-Gateway changed its verdict from the virus detection Packer.Dumped to Win32.Malware.gen (suspicious).
TheHacker lost the virus W32/Behav-Heuristic-061 and says clean just by adding a DOS MZ header / DOS stub MZ.EXE. Sunbelt, F-Secure, eSafe, CAT-QuickHeal + Webwasher-Gateway will possibly show nothing anymore if changes are made to the MS-DOS header + stub in the file.

Webwasher-Gateway seems to scan focused on the PEiD signature. This sample was packed before with ASPack+Scrambler; unpacking left remnants of ASPack strings. It's packed with XComp. Ikarus had shown the same scanned file a few days ago as Packer.XComp.A, but changed the virus name to match the application and now reports, because it's utorrent.exe packed: Worm.Win32.Downloader.fb (utorrent + XComp packed = downloader + uploader for Win32, but no worm inside). BitDefender cached it wrong once and doesn't correct their mistakes; they leave it as a virus: Packer.XComp.A - False Positive -. Hit Reanalyse, change proxy IPs, use anonymous proxies (test with ipid.shat.net/), and be sure your real IP is not written under 'HTTP Forwarded For:' by the submission.
Permalink: analisis/bdc253e8b7f1fa414dcfb152f7e6ef80

Anyhow, for Romania it's a new packer since 13 Feb 2008; Austria followed the old news. The checksum + MD5 of the packer have been the same for a year - no virus - false positive! - It's a shame.
-------------------------------------------------------------------------------------

Real viruses they don't want to find, such as the trojan:
%windir%/Media/csrss.exe + MSWINSCK.OCX (same filenames as the old backdoor, but a new MD5)
It starts from the registry,
"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe", and connects to a server. Found on a forum site; not sure from where, possibly Patch Making Tools ALL IN ONE Patchmkers.exe or any other of theirs (posted end Jan/Feb 08), because they are looking in the wrong places.
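A defender-side check for the persistence the post describes, added here as an example that is not part of the original post: it reads a registry export (.reg) as text, unescapes the Winlogon "Shell" value and lists every program in it other than explorer.exe. The export excerpt is constructed for the demo from the value quoted above (the Userinit line is filler); Winlogon accepts several programs in Shell separated by commas, and the post's sample uses a space, so both separators are handled, and quoted paths with spaces are kept whole.

```python
import re

EXPECTED_SHELL = "explorer.exe"

# Constructed .reg export excerpt for the demo, built from the Shell value the
# post quotes; backslashes and quotes are escaped the way regedit exports them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\Media\\csrss.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

_KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
_SHELL_LINE = re.compile(r'^"Shell"="(?P<raw>(?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)


def _unescape_reg_string(raw: str) -> str:
    """Undo regedit's escaping (doubled backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', raw)


def find_shell_values(reg_text: str) -> dict:
    """Map each Winlogon key in a .reg export to its Shell value (unescaped)."""
    found = {}
    current_key = None
    for line in reg_text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _SHELL_LINE.match(line)
        if m and current_key and current_key.lower().endswith(r"\winlogon"):
            found[current_key] = _unescape_reg_string(m.group("raw"))
    return found


def shell_entries(shell_value: str) -> list:
    """Split a Shell value into programs; quoted paths may contain spaces."""
    entries = []
    for quoted, bare in re.findall(r'"([^"]*)"|([^,\s"]+)', shell_value):
        entry = quoted or bare
        if entry:
            entries.append(entry)
    return entries


def suspicious_shell_entries(shell_value: str) -> list:
    """Everything in Shell that is not the stock explorer.exe."""
    return [e for e in shell_entries(shell_value)
            if e.strip().lower() != EXPECTED_SHELL]


if __name__ == "__main__":
    for key, value in find_shell_values(SAMPLE_REG_EXPORT).items():
        extras = suspicious_shell_entries(value)
        status = "SUSPICIOUS" if extras else "ok"
        print(f"{key}\n  Shell = {value!r}\n  {status}: {extras}")
```

On a live system the same functions can be fed the output of `reg export` for the Winlogon key; anything listed besides explorer.exe deserves a look, since a legitimate XP install has only explorer.exe there.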

=====================================================================================

After much testing:

- McAfee
- Microsoft
- Symantec
- NOD32v2 (limited; the program doesn't like unpackers)

have the best false positive record: no virus found if no virus has been packed into the files, or they can handle all packers and scan inside / unpack the files...

My own opinion is that the oldest AV companies from the early 90s / late 80s MS-DOS / Windows 3.x times, for example Symantec (=Norton) and McAfee, have the most experience. Kaspersky I remember from before 2000, when it was not yet available in English. The GUI language says nothing; I don't care about design, GUI or languages.

About BitDefender I have no words anymore, since I've seen that they get their false-positive packer details from VirusTotal.com, maybe by using Google search on VirusTotal's pages or by getting the files directly from submissions to that site: after some testing with the packer XComp they put the whole packer into their database as a positive virus. XComp has been analysed for a year already and has not changed in that time. There is no virus in XComp, neither in the packer nor in the packed output files made with it. BitDefender's auto-submission and the e-mail integrated into the AV program itself is in my eyes a trojan. New is that a pop-up window now forces the user to enter personal info, whether the product was obtained retail or not. I have isolated all online connections to and from BitDefender AV products because of the hidden random ISP servers. These server connection details are not visible with the Total Security Suite and Internet Security with the integrated firewall. It scares me, and I easily get paranoid about security, privacy and trust in some places on earth, especially when the product uninstallation leaves half of it on the hard disk and many registry entries after running uninstall, and not only on one computer.

If you have programmed a packer or protector and it is wrongly listed as a virus, please contact the AV firms as the author, by e-mail, fax or letter. Clear things up, if you really did develop a clean packer. Send it to them for re-testing and analysis, in the same original form in which you host it on your homepage. Otherwise it will be listed there forever. It is possible that the same packer was picked up injected with a virus and is listed in the virus database because of this. XComp was listed as a virus by mistake by an antivirus scanner. If you pack files with it and it still shows up as a virus, it should be resolved with coming AV signature updates.

Theoretically you can test another antivirus program every 30 days. There are so many that you can protect your system for free for a few years. After all, remember your experience with antivirus programs. You can also reinstall the OS every 6 months and do a total clean-up so that you can test it all over again, free as a trial version, before you buy any antivirus software that removes a lot of files from your hard disk through false positive detections and lets you think these are all real viruses. The more each antivirus can find, you will think, the better the antivirus is, because you don't know which files are false positives and which are real viruses.
Some AVs can also delete all the IPs and URLs you filtered in the Windows hosts file, if you used it to block unwanted websites, advertising, website counters and others by pointing them to 127.0.0.1.
That would mean that the people at http://www.hosts-file.net/?s=Download and http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=10 are wrong with their blacklists of bad hosts.


Sorry for bad English
programmerstools.org

20 February 2008

Windows XP Service Pack 3 Release Candidate Public Notes

4 comments
Picture not updated -:)
Release Notes for this Release Candidate of Windows XP Service Pack 3

These release notes address late-breaking issues and information about this release candidate of Service Pack 3 for Windows® XP. Unless otherwise specified, these notes apply to all editions of Windows XP SP3.

New functionality included in this service pack
Technical Area / Functionality or Feature / Details (one entry per block below, in that order)

Networking
Black hole router detection
Improves black hole router detection (detecting routers that are silently discarding packets). This detection is turned on by default.

Networking
Network Access Protection
Allows you to better protect network assets by enforcing compliance with system health requirements. For more information about Network Access Protection, see http://go.microsoft.com/fwlink/?LinkID=110597.

Security
Credentials security service provider
Allows forward compatibility with Windows Vista® and Windows Server® 2008, and enables applications to delegate user credentials from the client to the target server. This security service provider is available through the security service provider interface, and it is used by Remote Desktop Protocol 6.0.

Security
Descriptive security options control panel
Offers more descriptive text to explain the settings and prevent incorrect configuration of settings.

Security
Enhanced security for Administrator and Service policy entries
Presents Administrators and Service entries (in System Center Essentials) by default on new policy instances. Additionally, a user will not be able to remove the setting in the UI for the "Impersonate Client After Authentication" user right.

Security
Microsoft Kernel Mode Cryptographic Module
Implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation.

The Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard.

Setup
Windows Product Activation
Allows users to complete their software setup without having to provide a product key.



Previously available functionality
The following items included in this release candidate were previously available as separate downloads.
Technical Area / Functionality or Feature / Details (one entry per block below, in that order)

Imaging
Microsoft® Windows Imaging Component (WIC)
Provides an extensible framework for working with images and image metadata. For more information about the WIC, see http://go.microsoft.com/fwlink/?LinkID=110598.

Management
Microsoft Management Console (MMC) 3.0
Provides a framework that unifies and simplifies day-to-day system management tasks in Windows Server 2003 and Windows XP. For more information about the MMC 3.0 update, see http://go.microsoft.com/fwlink/?LinkID=110599.

MDAC
Microsoft Core XML Services (MSXML) 6.0
Provides improved reliability and security, conforms with the XML 1.0 and XML Schema 1.0 W3C recommendations, and is compatible with System.Xml 2.0.

Windows Installer
Microsoft Windows Installer 3.1 v2 (3.1.4000.2435)
Provides a minor update to Windows Installer 3.0 (which was released in September 2004). For more information about Microsoft Windows Installer 3.1 v2, see http://go.microsoft.com/fwlink/?LinkID=110600.

Networking
Background Intelligent Transfer Service (BITS) 2.5
Helps improve security. This is a required component for Microsoft System Center Configuration Manager 2007 and for Windows Live OneCare. For more information about the BITS update package, see http://go.microsoft.com/fwlink/?LinkID=110601.

Networking
Digital Identity Management Service
Makes it possible for users who log on to any computer running Windows Server 2003 Service Pack 1 or higher and that is a domain member to silently have all of their certificates and private keys available for applications and services.

Networking
IPsec Simple Policy Update for Windows Server 2003 and Windows XP
Helps simplify the creation and maintenance of IPsec filters, reducing the number of filters that are required for a server and domain isolation deployment. For more information about IPsec security filters, see http://go.microsoft.com/fwlink/?LinkID=69286.

Networking
Peer Name Resolution Protocol (PNRP) 2.1
Enables Windows XP Service Pack 3-based applications that use PNRP to communicate with Windows Vista programs that use PNRP. For more information about upgrading PNRP, see http://go.microsoft.com/fwlink/?LinkID=110602.

Networking
Wi-Fi Protected Access 2
Provides the same support for Wi-Fi Protected Access 2 (WPA2) as is provided in Windows Vista and Windows Server 2003 with SP2. For more information about the WPA2 update, see http://go.microsoft.com/fwlink/?LinkId=110604.


Custom installation
This issue affects Windows XP Home Edition N and Windows XP Professional N.
Creating an integrated installer ("slipstream") by combining the installation disk for this release candidate with Windows XP Home Edition N or Windows XP Professional N by using the /integrate or /s command options is not supported. NEW !!!

To perform an integrated installation of this release candidate for Windows XP Home Edition N or Windows XP Professional N, obtain the appropriate installation media directly from Microsoft.


Website: http://download.microsoft.com/download/c/d/8/cd8cc719-7d5a-40d3-a802-e4057aa8c631/relnotes.htm

News Source: www.cnbeta.com/articles/49519.htm

19 February 2008

Azureus 3.0.4.3 Beta 31

0 comments
AZUREUS VUZE 3.0.4.3 B31 CHANGELOG

FEATURE: Core | Added µTorrent PEX support [amc1]
FEATURE: Core | Azureus probes trackers for UDP-capabilities on first scrape/announce now and uses udp instead of http where available [The 8472]
FEATURE: Core | Added option to enforce IP bindings even when the specified interfaces are not available (useful when Azureus should not use certain network interfaces) [The 8472]
FEATURE: UI | Added option for "Open Containing Folder" menu action - which may integrate better with non-standard file browsers [amc1]
FEATURE: UI | Added option for "Show Torrent Menu" -- Users can now decide to see the Torrent menu in the menubar or not [knguyen]
FEATURE: UIv3 | New menu configuration for Vuze and Vuze Advanced UI's [knguyen]
FEATURE: UI | Fast Renaming (not moving) in the Files tab (click on name column) and Open Torrent (click on dest. name column) dialog [The 8472]
FEATURE: UI | Completed downloaders column [The 8472]

CHANGE: Core | Further memory footprint reductions; for additional tweaks see http://www.azureuswiki.com/index.php/Reduce_memory_usage [The 8472]
CHANGE: Core | Reimplemented LT extension protocol code [amc1]
CHANGE: Core | DND/Compact (aka Delete) priority now deletes all files that do not share pieces with normal/high priority files [The 8472]
CHANGE: Core | Queuing rules now don't start any further torrents if the global up/download speed limits are reached [The 8472]
- makes "don't count torrent ..." minimum speed rules more useful to dynamically regulate the queue lengths
- recovers faster from chain reactions in case of connection loss
CHANGE: Core | Made the crypto handshake a bit less predictable [The 8472]
CHANGE: Core | Added support for IPv6 compact announces (client) and udp-multiscrapes (client+server) [The 8472]
CHANGE: Plug | Added support for plugins which implement mainline DHT [amc1]

BUGFIX: Core | Request limiting/Priorities no longer pinch off LAN peers if separate LAN speeds are enabled [The 8472]
BUGFIX: UI | Shells no longer use the low-res frog icon, the normal main window icon is now used instead [amc1]
BUGFIX: UI | Limiting comments in General View to 5k characters under WinXP to avoid crashes due to faulty comctl32.dll [The 8472]
BUGFIX: UI | Setting speed parameters manually now disables autospeed [The 8472]


To use, rename the downloaded AzureusXxxx-Bxx.jar file to Azureus2.jar to replace your old jar in the Azureus program dir: ChangeTheAzureusTwoJarFile
Azureus v2 vs. v3 (Vuze) FAQ
Changelog
Commitlog
Snapshot RSS Feed
Beta Site: http://azureus.sourceforge.net/index_CVS.php


Download: Azureus3043-B31.jar - 19 Feb 2008 07:22:09 PM [10289948 bytes]
Azureus3043-B31.jar.torrent

18 February 2008

AMD X2 DualCore with Intel P4 Core -:)

0 comments
CPU 1

CPU 2 -> Name string



Advanced Micro Devices - Other Hardware - AMD Processor MS update Pentium 4 MSR KB99894-v5.zip

playing with MSRs: AMD -> Pentium4 read more...

17 February 2008

About Packer.XComp.A false positive as Virus listed in AntiVirus Databases

1 comments
Hello, it's me again, Packer.XComp.A. BitDefender gave me this name on 13 Feb 2008 and marked me as a virus; its friend Ikarus followed a few days later. I am one year old, my true name is XComp/XPack, I'm a freeware PE32 image-file packer/rebuilder; please analyze me again and pack random Files.exe

Im a FREEWARE EXE PACKER my Name is Xcomp I am 1 Year old and this is the story how BitDefender via VirusTotal called me to be a Virus with the name Packer.XComp.A on 13 Feb 2008.rar
If I am a virus, your name is Johann the butler and your analysis is wrong.
I'm here: soft-lab.de/JoKo/ExePack.htm
Don't touch me if you believe I am dangerous or want any outgoing or incoming network connections. I don't want anything online, because I'm made to make big files smaller. Maybe my heuristic score is a little high, but not more than UPX in versions > 1.9.
Someone did some terrible tests with me. Believe it or not, they unpacked some files made with PECompact using the option to inject/select a DLL, and files from some other packers (my memory requirements are not very high, so I forgot whether there were commercial packers among them). A PE explorer tool showed after unpacking: "Warning! Import section follows the Resource section." After that I compressed the unpacked files and ignored the warning "this file is already packed with PECompact, ... and others"; there were some remnants left inside by the unpacking. Later some wrong signatures with other packer names came up on my packed output files (it wasn't me) and finally they got submitted to VirusTotal. What followed you can figure out: the AV results went crazy, every different signature showing a different result.
At that time nobody knew or had read the news on VirusTotal's blog page that they possibly forward all files and results (experiments included). That was the end, as my signature as packer/compressor ended up in the list of viruses. I'm sorry for those tests, but that was not me as a packer alone.
I did my job of packing the files as the little tool XComp.
I was a subject for testing antivirus software, but they forgot to care about anonymity.

Maybe you can now imagine why I am in the virus database under the packer name Packer.XComp.A even though, as a packer/compressor freeware tool, I do not have or produce any kind of virus. I think I am in the wrong place there.

Anti-Trojan Elite v3.91

0 comments
Anti Trojan Elite (ATE) is a malware remover; it can detect and clean malware on disk or in memory.

Anti Trojan Elite provides a real-time malware firewall for the user: once a trojan or keylogger is about to be loaded, ATE can detect, block and then clean it in time. ATE can currently detect more than 35000 trojans, worms and keyloggers, and the number of malware samples ATE can clean is growing very quickly; we collect malware worldwide, and users can use our auto live update feature to gain the ability to clean these new malware samples in time.

Anti Trojan Elite also has some especially useful utilities. The network utility can be used to disconnect suspicious TCP connections; the process utility can be used to kill suspicious processes even if the process has system privilege, and it can even unload suspicious modules from all processes; the registry repair utility can be used to repair registry entries altered by malware; the registry monitor utility can be used to repair any change to important registry keys and values in real time.

Download Site
Share Link
