Why the big ones do not flag smartkeylgke.ex-?

Hi forum friends,

According to many a scanner we deal with TR/Crypt.XPACK.Gen malware here…
See: http://urlquery.net/report.php?id=12591 (verdict = malicious)
Interesting scan results indeed: http://www.virustotal.com/url-scan/report.html?id=f20322aeb70968d43bc62e5cf7b21f4a-1324313108
and http://www.virustotal.com/file-scan/report.html?id=012e8991bbabb261d6f7f494b2e2184b5a346c211f9a5cc5282dd847c45dbd75-1324316713
Malware but - DrWeb, eTrust, FProt, Kaspersky, MS, Sophos, SAS - do not flag this executable.
See: http://camas.comodo.com/cgi-bin/submit?file=012e8991bbabb261d6f7f494b2e2184b5a346c211f9a5cc5282dd847c45dbd75
The non-flagged DrWeb URL scan goes like this:
-http://lg3gservice.home.pl/pub/smartkey/smartkeylgke.exe
Engine version: 5.0.2.3300
Total virus-finding records: 2947716
File size: 1.20 MB
File MD5: 4bc848434c23e4215c05b8060c21398b

-http://lg3gservice.home.pl/pub/smartkey/smartkeylgke.exe packed by EXECRYPTOR

-http://lg3gservice.home.pl/pub/smartkey/smartkeylgke.exe packed by PESTUB

=http://lg3gservice.home.pl/pub/smartkey/smartkeylgke.exe packed by FLY-CODE

=http://lg3gservice.home.pl/pub/smartkey/smartkeylgke.exe - Ok

Is it the packer being flagged: http://wepawet.iseclab.org/view.php?hash=f20322aeb70968d43bc62e5cf7b21f4a&t=1324317462&type=js
http://anubis.iseclab.org/?action=result&task_id=1a173a89197ad456421bec1a67a18a8d6

polonus

P.S. On the PEstub packer-

Main purpose of PEStub is to replace the current stub of Win32 console applications by stub DPMIST32.BIN. This stub is part of HX runtime and will, in conjunction with PE file loader DPMILD32 and its Win32 emulation dlls, enable this app to run in plain DOS provided that all Win32 functions used by the app are properly emulated.
(info link: ftp://colo-69-31-40-107.pilosoft.com/freedosfull/fdos/doc/hxrt/pestub.txt link txt author = Japheth)
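An added example (not from the posts above, nor from the HX runtime project) showing what a stub replacement such as PEStub's looks like from the defender's side: the bytes between the MZ header and the offset in e_lfanew are the DOS stub, and a stub that does not carry the standard linker message is one cheap indicator that the image was modified after linking. The two PE images are constructed inline; the "DPMIST32" text in the custom stub is a placeholder, not the real HX stub.

```python
import struct

# Standard Microsoft DOS stub message; most linkers emit it verbatim.
STANDARD_STUB_MSG = b"This program cannot be run in DOS mode."


def dos_stub_info(data: bytes) -> dict:
    """Parse the MZ header, locate e_lfanew, and describe the DOS stub.

    Returns {"pe_ok": bool, "stub_len": int, "standard": bool}.
    Raises ValueError on malformed input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew out of range")
    pe_ok = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    stub = data[0x40:e_lfanew]  # everything between the MZ header and the PE header
    return {"pe_ok": pe_ok, "stub_len": len(stub), "standard": STANDARD_STUB_MSG in stub}


def build_sample(stub: bytes) -> bytes:
    """Constructed minimal MZ+PE image wrapped around the given DOS stub (sample input)."""
    e_lfanew = 0x40 + len(stub)
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + stub + b"PE\0\0" + b"\0" * 20  # bare COFF header placeholder


# Constructed samples: a linker-style stub and a replaced (non-standard) stub.
STANDARD_SAMPLE = build_sample(
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + STANDARD_STUB_MSG + b"\r\r\n$")
CUSTOM_SAMPLE = build_sample(
    b"\xeb\xfe" + b"DPMIST32 loader placeholder (constructed)" + b"\0" * 64)


def classify(data: bytes) -> str:
    """Label an image by its DOS stub; a non-standard stub deserves a closer look."""
    info = dos_stub_info(data)
    if not info["pe_ok"]:
        return "not-pe"
    return "standard-stub" if info["standard"] else "nonstandard-stub"


if __name__ == "__main__":
    for name, blob in (("standard", STANDARD_SAMPLE), ("custom", CUSTOM_SAMPLE)):
        print(name, classify(blob), dos_stub_info(blob))
```

A non-standard stub alone is not a malware verdict; legitimate tools (DOS extenders, some installers) rewrite it too, which is exactly the FP pattern discussed in this thread.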

D

First seen: 2009-05-19 13:19:37
Last seen : 2011-12-19 17:45:13

sigcheck:
publisher…: grexor
copyright…:
product…:
description…:
original name:
internal name:
file version.: 0.1.23.0
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

Not detected by Malwarebytes… but they don't like files older than 3 months anyway

Norman sandbox

smartkeylgke.exe : Not detected by Sandbox (Signature: W32/Suspicious_Gen2)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\smartkeylgke.exe.
* Sandbox name: NO_MALWARE
* Signature name: W32/Suspicious_Gen2.TGNKL.
* Compressed: NO.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* **Locates window “(null) [class OLLYDBG]” on desktop.
* **Locates window “(null) [class WispWindowClass]” on desktop.
* File length: 1254986 bytes.
* MD5 hash: 4bc848434c23e4215c05b8060c21398b.
* SHA1 hash: b83093e3ee7c2c2ee699a28824f228688843e7f0.
* Packer detection: EXECryptor 2.2.4.

[ Changes to registry ]
* Accesses Registry key “HKCU\Software\Borland\Locales”.
* Accesses Registry key “HKLM\Software\Borland\Locales”.
* Accesses Registry key “HKCU\Software\Borland\Delphi\Locales”.

[ Process/window information ]
* Checks if privilege “SeDebugPrivilege” is available.
* Reads memory in process “explorer.exe”.

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=4bc848434c23e4215c05b8060c21398b

Norman lab says detection is good… no FP found

Hi Pondus,

Thanks, FP on packer protection used,

polonus