This virus has only one signature record in AVP's database, as following:

First signature's offset is 0x22C4
First signature's checksum is 0x5A55596D
Second ...
Second ...
(I just anaylze the first signature, so i do not give other informations.)

I inject a dll into AVP32.EXE's process, and modified the CheckSum function in the avpbase.dll, let the CheckSum jmp to MyCheckSum in the injected dll.

In MyCheckSum function, i check the function's return value, when the value equal 0x5A55596D, i call 'int 3' for jump to debugger.

Then i use AVP32.EXE scan the virus file named "Backdoor.Win32.CFour", and in debugger i found the details of it's scanning.

"0x5A55596D = CheckSum(_Header + 0x22C4, 7)"
To ChEmical EnginEE: it is not "CRC(_Page_C+Offset(1), Length(1)"

At this time, the AVP's _Header is the PE headr(50 45 00 00 ...), the contents of _Page_A and _Page_B is the codes of PE's entry point. And the _Page_C is unknown. The data used in Checksum here is in _Page_C.

The _Page_C's data requals the data in file from 0x79F0, in virtual address is 0x4079F0(base image is 0x400000).


Why it was 0x79F0? How does AVP load data to _Page_C?

(The virus file could be got from "http://vx.netlux.org/"

I'll check it.

Thanks to cEnginEEr!
/*
Today I found AVP has done 2360 times to change the buffer(_Header+_Page_X...) for find the CRC value of sigatures.

In avpbase.dll (which file size is 162,453 bytes), AVP push a buffer's address and a double word to call the function sub_10018D00.
The buffer's address is _Header(In the same process the value of the address is same). AVP change datas in the zone and let sub_10018D00 find if the object is a virus. If sub_10018D00 return 0, it means not found, else means found virus. sub_10018D00 is called in a circle.

My scan object is "Backdoor.Win32.CFour", and I let sub_10018D00 allways return zero, so AVP has changed the buffer 2360 times.

And I dump the buffer's datas between _Header to _Full_Name to my disk. If some significative thing was found in these files, I will share discover here.
*/

I found my point is wrong, After checking, only four is not the same in 2360 files.

good work Leo..

Just as helping point:

During initialization of AVP engine the extracted .obj files (from *.avc) will register themselves with different attribution for running; for example when you scanning a file, the routines for MBR scanning will never be called; but there is one exception, routines with zero attribute will be called regardless of Scan_Object(file, mbr, etc) and the most important routine(its my opinion) with such attribute is GDE(generic decryption engine) which is stored in krnexe.avc; GDE will try to decrypt the virri body (on _Page_C)by means of code emulation and after this AVP will call for string scan (this means that if you eliminate krnexe.avc, AVP will not able to detect any polymorphic virri); I think this can explain your previous question..

regards

Thanks!

I'll try to write a objloader for load the related obj files and check the case.

Best regards

Nice work guys.

And welcome to the board Leo, nice to see some actively participating representatives of the Chinese reversing elite on the board , feel free to bring some friends.

A short time ago i am busy in my work, so have no time on the reseach of AVP's engine.
These days i tried using gcc to build the virutalbox(a virtual machine with opensource edition) on my windows, and i am amazed that AVP's obj files was compiled by gcc and using some method we can see the C source file name of the obj file also.
Link method of gcc's ld and link.exe of MSVC are different. So we do not need to using a objloader to link them in memory, just use gcc!