Re: unpacking UPX or PE-packed binaries
From: Gadi Evron (ge@linuxbox.org)
Date: Sat Apr 24 2004 - 09:34:55 CDT
Blue Boar wrote:
> Karma wrote:
>
>> Just interested in how AV R&D companies unpack worms with complex UPX
>> and PE
>> pack protocols.
>
>
> The modified UPX packing is a pretty small change usually. Compare one
> with a standard UPX header for the same version. There are a variety of
> unpackers out there.
[Hey BB, 'sup? :)]
Having taken a look at the samples, they are indeed agobots (look a bit
more like phatbots, but who can tell anymore?), but polymorphic ones
(polybots).
Also, they are packed using PE-Crypt.Wonk, which would explain why upx -d didn't work.
Gadi Evron.
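Blue Boar's point above, that a "modified UPX" usually differs from stock UPX only in small header details, is something an analyst can check mechanically. The following is an added example, not code from the thread: it parses the PE section table and flags the characteristic UPX layout (first section empty on disk but large in memory, second section holding the packed data and the entry point) even when the UPX0/UPX1 names have been edited away. The PE bytes it runs on are a constructed header-only sample, not a real executable.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, _rp, _r, _l, _nr, _nl, chars = struct.unpack_from(SECTION_FMT, pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "chars": chars})
        off += struct.calcsize(SECTION_FMT)
    return entry, sections

def upx_layout_check(pe: bytes) -> dict:
    """Flag the stock UPX section layout even if the section names were edited:
    section 0 is empty on disk but large in memory (unpack destination),
    section 1 holds the packed data and the entry point (decompressor stub)."""
    entry, secs = parse_pe(pe)
    names = [s["name"] for s in secs]
    layout = False
    if len(secs) >= 2:
        s0, s1 = secs[0], secs[1]
        layout = (s0["rawsize"] == 0 and s0["vsize"] > 0 and s1["rawsize"] > 0
                  and s1["va"] <= entry < s1["va"] + s1["vsize"])
    return {"names": names, "standard_names": names[:2] == ["UPX0", "UPX1"],
            "upx_like_layout": layout}

def build_sample(names, entry, first_rawsize=0) -> bytes:
    """Constructed toy PE header (not a runnable executable) used as test input."""
    specs = [(names[0], 0x20000, 0x1000, first_rawsize, 0x400, 0xE0000080),
             (names[1], 0x8000, 0x21000, 0x8000, 0x400 + first_rawsize, 0xE0000040)]
    dos = bytearray(64)
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 20, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry)  # 20-byte optional hdr, entry at +16
    hdrs = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in specs)
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs

if __name__ == "__main__":
    print(upx_layout_check(build_sample([".text", ".rdata"], 0x28000)))
```

A hit on `upx_like_layout` with `standard_names` false is the "renamed UPX" case; a sample that matches neither (like PE-Crypt-protected bots mentioned in this thread) needs a different unpacker regardless of what `upx -d` says.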