avast! engine lacks UPX support?

On this site ****************, there's a Dropper/Zlob trojan that comes with this file ********************

http://img215.imageshack.us/img215/2494/dropperzlob1eg4.png
:cry:

http://img219.imageshack.us/img219/6835/dropperzlob2my2.png
:cry:

As you can see, it's not the only one…

jamesvaul, don’t post links to known malware, please.

About 10 days after my last report, here is the antivirus status: :cry:

http://img232.imageshack.us/img232/2302/avastzlobat5.png

I've unpacked the UPX-packed exe file with 7-Zip and the avast! real-time scanner caught it. So does the avast! engine lack UPX support?

http://img230.imageshack.us/img230/9329/avastzlob2ry2.png

Shame :stuck_out_tongue:

7-Zip CANNOT unpack UPX. 7-Zip is an archiver, not an unpacker for runtime packers. Besides, that's not even UPX (well, it could be packed later); that's an NSIS installer package.

That's why the results on these pages aren't 100%, as they use special versions of the AVs, or Linux-based ones, which work differently than the Windows ones.

Why are the avast on-demand scanner and the avast real-time scanner not able to catch this trojan in this packed exe?

avast does have a UPX unpacker; avast probably has more unpacker support than many AVs, so why it didn't use the UPX unpacker on the VirusTotal site is strange. Why it would find it when you manually unpack it but not otherwise is very strange.

I have just created a UPX version of firefox.exe, down from 7023 KB to 3033 KB, and avast's ashquick.exe was able to scan it, as did the Standard Shield and the on-demand scan (no files shown as "can't scan"); see images. So I don't understand why it wasn't unpacked and scanned.

Try it yourself if you don't trust me: http:// intcodec . com/

http://i10.tinypic.com/4505qhf.png

This is not about UPX (which avast! does unpack). Zlob packages are, as far as I know, NSIS installers (possibly packed by UPX once more). avast! doesn't unpack NSIS right now, so it doesn't detect the content. 7-Zip has recently added support for some(?) NSIS archives, so that's where you unpacked it.

It also means, however, that the lack of detection (of the installer) probably isn't that critical, because the resident protection would detect (and stop) it during the installation.
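The UPX-versus-NSIS distinction made in the last two posts can be checked on a sample before deciding which unpacker (or which scanner) is relevant. The following is an added Python triage example, not avast!'s or 7-Zip's code: it walks the PE section table for UPX section names and the "UPX!" magic, and scans for the NSIS firstheader signature (0xDEADBEEF little-endian followed by "NullsoftInst"); the minimal PE it is tested against is constructed inline, and the markers are heuristics rather than a definitive identification.

```python
import struct

# Markers used by this triage heuristic (constructed example, not an AV engine's logic):
# UPX names sections UPX0/UPX1 and writes a "UPX!" l_info magic; an NSIS installer
# carries a "firstheader" in the overlay: siginfo 0xDEADBEEF (LE) then "NullsoftInst".
UPX_MAGIC = b"UPX!"
NSIS_FIRSTHEADER = b"\xef\xbe\xad\xdeNullsoftInst"


def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE section table and return the section names (empty if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(data: bytes) -> dict:
    """Report which wrapper(s) a sample shows, so the right unpacker can be chosen."""
    names = pe_section_names(data)
    upx = any(n.startswith("UPX") for n in names) or UPX_MAGIC in data
    nsis = NSIS_FIRSTHEADER in data           # NSIS payload is what an archiver can open
    if nsis and upx:
        verdict = "NSIS installer (stub UPX-packed)"
    elif nsis:
        verdict = "NSIS installer"
    elif upx:
        verdict = "UPX-packed PE"
    else:
        verdict = "no packer markers"
    return {"sections": names, "upx": upx, "nsis": nsis, "verdict": verdict}


def build_fake_pe(section_names: list[bytes], overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only, no code) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table + overlay
```

Run `classify(open(path, "rb").read())` on a real sample; a result of "NSIS installer" means the content sits in an installer payload, which is the case the last post says avast! does not unpack at scan time.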