This could well be a silly question but…
does Avast give a warning when it scans a UPX file, or any packed file for that matter?
I’m sure I once downloaded a UPX packed file, scanned it with Avast and received a warning, but yesterday I downloaded the UPX packed Trojan simulator from www.misec.net/trojansimulator/ and nothing was shown.
BTW, neither Avast nor F-Prot detected it as suspicious, but StartupMonitor from www.mlin.net asked me to confirm if I wanted it to run at the next boot. I highly recommend this little proggy; you won't even know it's on your computer.
What type of warning?
If WinExec archive scanning is ON, you can see which layers were decrypted (e.g. …EXE[UPX][AsPack][UPX]…); some viruses or normal applications are encrypted in more envelopes.
At present, we’re not able to unpack all hacked/modified variants of UPX.
I've been using Avast (and loving it) since September '03 and my memory isn't what it should be, but I remember downloading a .zip file to my desktop and, as I always do, I right-clicked it, scanned it with 'Avast Quick Scanner', and the 'Final Statistics For Last Scan' box showed the name of the file followed by '[UPX]'.
As I say, this was a while ago, but I believe that is what happened. I took it as a warning, but perhaps it was given in a previous version of Avast simply for information. As both of you say packers are used for legitimate reasons, I guess I am worrying unnecessarily.
Hm, I downloaded the latest TrojanSimulator and I got this result:
C:\zz\Debug>ashcmd /t=a /a /_ c:\a
c:\a\Readme.txt OK
c:\a\TrojanSimulator.exe OK
c:\a\TSServ.exe[UPX] OK
c:\a\TSServ.exe OK
As you can see, TrojanSimulator.exe is not packed with UPX (it isn’t, really) but TSServ.exe is.
We know that WinExec compressors (mainly UPX/AsPack/…) are mostly used in trojans. We've improved the AsPack unpacker (for unknown versions, more robust generally) and it'll be available (sometime) in v4.2. I hope I find time to improve UPX as well.
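For readers wondering how a scanner can recognise the [UPX] layer that ashcmd reports for TSServ.exe above, here is an added example (not Avast's code and not from anyone in this thread) that parses a PE section table and flags the section names a stock UPX build leaves behind. The PE skeleton is constructed test data, and the name check is only a heuristic: the hacked or modified UPX variants the Avast developer mentions typically rename those sections, which is why a real unpacker has to work from the decompression stub rather than from names.

```python
import struct

# Section names written by an unmodified UPX build (heuristic only).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}

def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image, raising on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the
    # 24-byte signature+COFF header plus the optional header.
    (num_sections,) = struct.unpack_from("<H", data, pe_offset + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_offset + 20)
    table = pe_offset + 24 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]        # 40-byte entries
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a stock UPX name (renamed sections evade this)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))

def build_pe(section_names) -> bytes:
    """Constructed, non-runnable PE32 skeleton used only as sample input."""
    pe_offset = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_offset)
    opt_size = 0xE0                                            # PE32 optional header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + optional + sections

if __name__ == "__main__":
    for names in ([b"UPX0", b"UPX1", b".rsrc"], [b".text", b".data", b".rsrc"]):
        print(names, "->", "UPX-style sections" if looks_upx_packed(build_pe(names)) else "no UPX marker")
```

A scanner that stops at this check would report the [UPX] layer for TSServ.exe but say nothing about a variant with renamed sections, which matches the thread's distinction between a packing label and an actual detection.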