Good. Anyway, I would say, we use the bad signature of Win32.Crypto virus - as I said, I guess the signature (which may be weak) is taken from the end of polymorphic loop (and different in every new variant).