AVPX 3.30 by z0mbie
LaptoniC
March 14th, 2007, 22:50
I don't know if you remember, but Z0mbie had coded a utility (AVPX 3.30) to unpack Kaspersky's .avc files. I had that utility before but I lost it. Since his site is closed, does anyone have that utility? Thanks very much.
MarcElBichon
March 15th, 2007, 07:37
Not sure if I can post z0mbie's tool here, but you can find them on Archive.org (http://web.archive.org/web/*/http://z0mbie.host.sk )
begemott
March 15th, 2007, 11:03
hm..z0mbie. Does anyone know what happened to her? Is she still alive?
mkfeldman
March 15th, 2007, 11:32
she?!!!!!!!!!!!!!!!
deroko
March 15th, 2007, 13:29
@Laptonic: you may check the 29a zine. I think I saw that in one of the ezines.
http://vx.netlux.org/29a/
LaptoniC
March 15th, 2007, 20:03
I checked archive.org before. Although I can find the pages, the zip file is missing. I have checked the 29a website and only avpx 1.01 is there.
Aimless
March 16th, 2007, 00:01
Laptonic?
Where have you been?
Nice to see old guys crawling out of the rock again. Back like the old time, eh?
Have Phun
LaptoniC
March 16th, 2007, 00:53
Thanks everyone. I have found the file thanks to one of the users of this board.
@Aimless: I lost track of RCE after asprotect 1.3x and armadillo. However, I read this board almost every day to learn new things from great masters. Regards.
arzon
April 24th, 2007, 12:22
I'm also interested in obtaining a copy of AVPX 3.30; it seems that the one floating on the net is the old version. Can someone please send me a copy?
reverser
April 25th, 2007, 06:11
Check links and attachments in these threads:
http://www.wasm.ru/forum/viewtopic.php?id=11448
http://www.cracklab.ru/f/?action=vthread&forum=1&topic=5648
arzon
April 25th, 2007, 15:24
Having problems registering at cracklab.ru, babelfish is intelligible, how did you register?
Edit: Never mind, got the english at the navbar. =)
cEnginEEr
April 28th, 2007, 00:24
A long time ago I was interested in virri stuff; here are two small utilities for unpacking AVP & NOD32 data files, which I had coded in those days..
arzon
May 4th, 2007, 02:41
Thanks for the files.
For NOD32, what format is the extracted pattern file in (modulennn.dat)?
cEnginEEr
May 5th, 2007, 23:51
4 arzon;
just like .AVC files, every nod32 data file has a few modules encrypted/packed inside. Every module comes with a header which contains some info about the module itself; when you unpack a nod32 data file, you will see these headers as ModuleHeaderxxx.dat files; the structure is as follows:
DataBlockStruc struc
ID dd ? ; NULL,UNPC,UNPR,STRS,SCNS,RELO
DataOffs dd ? ; data address
CRC dd ? ; check sum
DataSize dd ? ; compressed data size
RealSize dd ? ; real data size
unk1 dd ? ;
unk2 dd ? ;
Packed db ? ; is packed flag
kunk3 dd ? ;
DataBlockStruc ends
The first field (ID) says what type of data is stored in the corresponding module; here is the interpretation:
"STRS" -> module contains virus signatures & names.
"SCNS" -> executable code.
"RELO" -> relocation table for the executable code.
"NULL" -> guess what?
when the module ID is SCNS, then you can load it into IDA for disassembling. The executable header is stripped off, so IDA will load it as a binary file.
As a last point, if you have decided to dig into the heart of NOD32, then unpack <NOD32.000> and analyze its executable module in IDA; you will find the main scan_engine+code_emulation_engine+etc there.
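The header layout described above, as an added parsing example (not code from the original post or from the unpacker tool it attaches). It assumes the fields are little-endian and laid out without padding, as a MASM struc is (33 bytes), and that the ID is stored as its four ASCII bytes; the sample header bytes are constructed here.

```python
import struct
from collections import namedtuple

# Layout from the post: ID, DataOffs, CRC, DataSize, RealSize, unk1, unk2 (dwords),
# Packed (byte), unk3 (dword). Assumed little-endian and unpadded, as a MASM struc is.
HEADER_FMT = "<4sIIIIIIBI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 33 bytes
DataBlock = namedtuple("DataBlock", "id data_offs crc data_size real_size unk1 unk2 packed unk3")

# Meaning of the ID tag as given in the post; UNPC/UNPR appear only in its comment.
ID_MEANING = {
    b"STRS": "virus signatures and names",
    b"SCNS": "executable scan code, header stripped (load in IDA as binary)",
    b"RELO": "relocation table for the executable code",
    b"NULL": "empty module",
    b"UNPC": "not described in the post",
    b"UNPR": "not described in the post",
}

def build_header(id_tag, data_offs, crc, data_size, real_size, packed=False):
    """Serialise a header with the unknown fields zeroed (used for the constructed sample)."""
    return struct.pack(HEADER_FMT, id_tag, data_offs, crc, data_size, real_size, 0, 0, int(packed), 0)

def parse_header(buf):
    """Unpack one ModuleHeaderxxx.dat-style record from the start of buf."""
    if len(buf) < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} bytes, got {len(buf)}")
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    return DataBlock(*f[:7], bool(f[7]), f[8])

def check_header(hdr, file_size):
    """Checks to run before trusting a header: known tag, data window inside the
    container, and a Packed flag that agrees with the two size fields."""
    problems = []
    if hdr.id not in ID_MEANING:
        problems.append(f"unknown ID tag {hdr.id!r}")
    if hdr.data_offs + hdr.data_size > file_size:
        problems.append("data block runs past end of file")
    if not hdr.packed and hdr.data_size != hdr.real_size:
        problems.append("unpacked module but DataSize != RealSize")
    return problems

# Constructed sample: a packed STRS module, 0x1000 bytes compressed to 0x800, at offset 0x200.
SAMPLE = build_header(b"STRS", 0x200, 0xDEADBEEF, 0x800, 0x1000, packed=True)

if __name__ == "__main__":
    h = parse_header(SAMPLE)
    print(h.id.decode(), ID_MEANING[h.id], "packed" if h.packed else "raw", check_header(h, 0x2000))
```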
LaptoniC
May 6th, 2007, 10:48
For example, if I am interested in how KAV cleans one virus, what should the strategy be? I guess in the signature file there is also how-to-clean information.
cEnginEEr
May 7th, 2007, 00:09
when you unpack an .AVC file, a new folder will be created and all of the extracted info will be stored in it. Check out the <Stamms.txt> files; you will find all information about any virus inside them. Here is an example:
File Virri-Signature Length (1) = 07
File Virri-Signature Offset (1) = 2400
File Virri-Signature (1),w = 0D75
File Virri-Sub Type = 08
File Virri-Signature (1),dw = E1AD9E75
File Virri-Signature Length (2) = 80
File Virri-Signature Offset (2) = 2400
File Virri-Signature (2),dw = 8D3E05B2
File Virri-Virri Finder stub in = 0002 -> \\Lib-File Virri Finding Stubs\Obj0002.obj
File Virri-Name = 000012E9 -> Worm.Win32.Fujack.ap
File Virri-Cure Parameter(0) = 05
File Virri-Cure Parameter(1) = 9C9B
File Virri-Cure Parameter(2) = 0000
File Virri-Cure Parameter(3) = 0000
File Virri-Cure Parameter(4) = 0000
File Virri-Cure Parameter(5) = 0000
sometimes infection by a virus can't be verified by simple string scanning, and in such cases a special stub (Virri Finder stub) will be called. For cleaning viruses AVP will pass 5 parameters to the curing routine; as I remember, the 1st parameter shows the method of treatment; for the rest I have forgotten.
regards
nEINEI
July 9th, 2009, 02:36
z0mbie --> Master
cEnginEEr
December 30th, 2009, 00:28
Last night I was browsing around my old tools, then just noticed that KAV detects my AvcUnpacker as not-a-virus:RiskTool.Win32.AVCUnPack.a
http://www.virustotal.com/analisis/1bae709f36a4a4f0e8a373c32f839b7665235716ee1117983dba71803e155da6-1262150398
poor stupid guys;
rendari
January 3rd, 2010, 19:37
Should take it as a compliment
cEnginEEr
January 3rd, 2010, 23:15
Quote: [Originally Posted by rendari;84498] Should take it as a compliment
nope... misunderstood..
My point was, every day before I start to work, I take time and search around the net to collect new malware (honeypots, XX sites etc); I'm surprised to see that some of those great AVers miss about 40% of them. Well, instead of paying attention to real malware, something that everyone expects from an ANTI-VIRUS software, they keep adding signatures for harmless tools; no wonder they've got over 3.5 million records in their database;
disavowed
January 10th, 2010, 20:17
It's probably because their customers are submitting the "harmless tools" to them and they prioritize customer submissions over other malware.
Woodmann
January 10th, 2010, 21:06
I say yes to that.
Those who do not know will gladly click when their anti/mal scanner says something is bad and send it on to the database.
I decided to try Comodo and it is quite intensive. It throws warnings at everything, good, bad or indifferent. While I understand what they are trying to accomplish, it is quite intimidating to someone who might not "know" what it is doing. So the bad part of that is people flag things that shouldn't be flagged.
I wonder if it is even possible to build an anti/mal scanner that is correct more than 50% of the time.
I think not, but it is a tough biz trying to detect what is bad and what is not.
Woodmann
evilcry
January 16th, 2010, 01:54
Quote: [Originally Posted by Woodmann] I decided to try Comodo and it is quite intensive. It throws warnings at everything, good, bad or indifferent. While I understand what they are trying to accomplish, it is quite intimidating to someone who might not "know" what it is doing. So the bad part of that is people flag things that shouldn't be flagged.
Eheh, Comodo is a really good Security Suite (and this is not because I work for Comodo); it presents an effective proactive defence and the rest is checked by the scanner; applications that are surely malware will be killed or cured.
The problem is that we have to pay extreme attention when building a signature, because there is a high risk of False Positives; to reach at least 50% requires an extremely big work in malware analysis + signature writing; just consider that the smallest family has 5000+ variants, the big ones can reach 500000+.
From the rootkit point of view it also presents good features; usually it is the most complex to bypass, especially the firewall. Kaspersky presents fewer problems (from the attacker point of view) because if you know how to disable a specific component, the rootkit will survive without too many problems.
NDIS based drivers will not have problems to firewalk K.
Regards,
Giuseppe 'Evilcry' Bonfa'
cEnginEEr
January 18th, 2010, 06:23
Quote: [Originally Posted by evilcry;84747] Kaspersky presents less problems (from the attacker point of view)
That fact is known simply because the KAV engine has been well studied for many years by vx people; I personally can trap any action kav does when scanning a file (sig load, unpack, emu, sig record match etc);
Quote: [Originally Posted by evilcry;84747] From the rootkit point of view (comodo) presents also good features, usually is the most complex to bypass especially the firewall
I believe 99% (if not all) of AV engines are vulnerable to some of those weaknesses; for example, I have investigated the NOD32 engine and I know it has some; about Comodo, well.. I say time will show;
PS: and by those words I mean no disrespect to the comodo staff
evilcry
January 18th, 2010, 08:51
Yeah, I agree, and I've also bypassed Comodo, but it is a bit harder compared to other products.
cEnginEEr
January 30th, 2010, 05:20
well, another AVP tool, maybe useful to VX collectors;
This tool extracts all VX names in the AVP database; it can help a collector in many ways; if you're a collector then you would know how;
Syntax: AVNE [-A -B -F -H -P] [path to avc files]
-A extract all Archiver names known to AVP
-B extract Boot & MBR VX names
-F extract File Malware
-H extract Heuristic names
-P extract Packer\Protector names
AVNE will read the AVC file names from <avp_x.set>; the result will be stored in <VirusList.txt> in the current path. The saved records are not sorted and there are some duplicates; use UltraEdit to sort it out and eliminate dups;
EDIT: expect an update in the kav database with a newly discovered riskware
nEINEI
August 21st, 2010, 10:27
to cEnginEEr:
AVNE is a nice tool, very good work, thanks.