UPX detections always come FP-prone.
Checking the section names of the executable (UPX changes them to UPX0, UPX1, UPX2) is an unreliable method, because:
The sections of some (packed/encrypted) images are renamed to "standard"/"traditional" section names. The names of the sections are never "interpreted" by the Loader. The names of the sections are sometimes even missing (i.e. removed) by some tools.
Quote credits go to Stackoverflow's mox, and the second quote credits go to Stackoverflow's Willi Ballenthin →
Running additional packers or obfuscators may further modify the section names; however, by default, the UPX packer will change the section names as described above.
* So a valid detection always hangs in the balance, so to say. [* note by me, pol]
Malware uses more than one location as its loading point. I have not written out the full registry paths; whoever knows how to work with regedit will also know how to find the full path in the registry for the mentioned keys.
Under the 32bit Winlogon key, in the Userinit and Shell values, the malware uses the legit userinit.exe and Explorer.exe for loading the malicious C:\Windows\system32\[b]IExplorer.exe[/b] file.
Under the HKCU…\Run key the malware sets a tiwi value, and the loaded file is in the Windows directory as tiwi.exe.
Under the HKCU…\Run key the malware sets an MSMSGS value, and the loaded file is in the C:\Users\Magna\Local Settings\Application Data\WINDOWS directory as winlogon.exe.
Under the 32bit HKLM…\Run key it creates a Logon value pointing to the malicious C:\Users\Magna\Local Settings\Application Data\WINDOWS\[b]imoet.exe[/b] file to load.
Under the same key as above it creates a System Monitoring value pointing to the malicious C:\Users\Magna\Local Settings\Application Data\WINDOWS\[b]cute.exe[/b] file.
And in the AlternateShell value it creates the key for running C:\Windows\[b]tiwi.exe[/b]. This, I think, allows the malware to load in safe mode.
The malware sets the following policies (in the registry) on the system in order to protect itself from being detected:
disableregistrytools
DisableTaskMgr
NoDispSettingsPage
NoFolderOptions
NoTrayContextMenu
NoFind
NoSetFolders
NoRun
So it will start with this known worm, tiwi.exe aka W32.Rahiwi.A!
tiwi.exe is an executable file whose primary purpose is to start a parasite or launch some of its components. Once executed, the tiwi.exe file runs a process that is responsible for the parasite's payload. tiwi.exe is a significant part of a dangerous threat, but it can also work on its own. DO NOT execute it! The tiwi.exe file is installed and used by Rahiwi. You are highly advised to scan the system, delete the executable tiwi.exe and terminate all the processes it started.
In some cases the presence of tiwi.exe does not mean that your system is infected. The file may actually belong to some fully legitimate applications and therefore must stay intact. If you are in doubt, please scan the tiwi.exe file using your regular spyware remover or antivirus program.
Info from spyware2... but as stated here there is also a benign variant as part of clean applications: http://www.isthisfilesafe.com/sha1/A02D46D883B09F481B496E35B53C8415372C75E5_details.aspx
The malware tiwi.exe aka W32.Rahiwi.A is a worm. It infects all Windows systems and propagates by duplicating itself to the root of all drives in removable, local and network shares. The worm is a slow infector. It does low damage to the infected computer and is easy to remove using updated antivirus software. So we at least should have had protection against this slow infector :
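A defender-side triage script, added here and not part of the original post or of any tool it names, that checks a registry export for the load points and lockdown policies listed above. The stock Userinit/Shell/AlternateShell values, the .reg-style sample and the worm file-name hints are my assumptions, not something the post documents.

```python
import ntpath

# Assumed stock values of a clean install (compared case-insensitively; Userinit keeps its comma).
EXPECTED = {"userinit": r"c:\windows\system32\userinit.exe,",
            "shell": "explorer.exe", "alternateshell": "cmd.exe"}
# Lockdown policy value names from the post; non-zero means the tool/page is hidden from the user.
LOCKDOWN_POLICIES = {"disableregistrytools", "disabletaskmgr", "nodispsettingspage",
                     "nofolderoptions", "notraycontextmenu", "nofind", "nosetfolders", "norun"}
# File names the post attributes to the worm, used only as a hint for Run-key entries.
WORM_NAMES = {"tiwi.exe", "imoet.exe", "cute.exe", "iexplorer.exe"}

def parse_reg_export(text: str) -> list[tuple[str, str, str]]:
    """Parse a minimal .reg export ([key] headers, "name"=data lines) into (key, name, data)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            entries.append((key, name, data.strip('"').replace("\\\\", "\\")))
    return entries

def triage(entries: list[tuple[str, str, str]]) -> list[str]:
    """One finding per entry that deviates from the baseline or matches the post's indicators."""
    findings = []
    for key, name, data in entries:
        lkey, lname, ldata = key.lower(), name.lower(), data.lower()
        if lname in EXPECTED and ldata != EXPECTED[lname]:
            findings.append(f"{name} changed: {data}")
        elif lname in LOCKDOWN_POLICIES and ldata.startswith("dword:") and int(ldata[6:], 16):
            findings.append(f"lockdown policy enabled: {name}")
        elif lkey.endswith(r"\run") and ntpath.basename(ldata) in WORM_NAMES:
            findings.append(f"Run value '{name}' launches known worm file: {data}")
    return findings

# Constructed sample export mirroring the persistence points described in the post.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
"Shell"="Explorer.exe C:\\Windows\\system32\\IExplorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tiwi"="C:\\Windows\\tiwi.exe"
"Adobe Reader"="C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\Windows\\tiwi.exe"'''

def demo() -> list[str]:
    return triage(parse_reg_export(SAMPLE_REG))
```

Run `demo()` on the sample and it reports the two Winlogon changes, the tiwi Run value, the DisableTaskMgr policy and the AlternateShell change, while the Adobe Reader entry passes.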