Win32:Virtualizer [Cryp] question?

[sanctuary24]

Just wondered what the category Cryp stands for and what this type of virus does and where they generally hide?

ps Does anyone know if Avast team plans on creating a database of viruses and there types on there website so people can lookup the virus and get info on what it is capable of?

[RejZoR]

Maybe not entire database but info what each of these extensions mean (described on support.avast.com would be a good idea).
I know most of them but many users don't.

[igor]

Well, this particular one is kind of... an experiment.
Cryp = Cryptor - i.e. the detection is based on the cryptor/packer the file is scrambled with. It is meant for malware packers and some special stuff.

[sanctuary24]

so that means it targets the thing malware is encryped with?

(not that good with packer information)

[igor]

Yes.

[RejZoR]

Quiet large part of, for example AntiVir's HEUR detections is based on how is program protected, so going in similar direction is a smart thing imo (especially if it's done in a smart way).
HEUR/Crypted were quiet common and as far as i can tell it all depends on how many layers and what kind of cryptors/protectors/packers are used together. The more exotic combination, the higher chance of getting flagged. Regular programs are usually not using anything similar or in a very very rare cases.

[Vlk]

Well, the Antivir's Heur/Crypted thing is quite strange IMHO.
From what I tested, Antivir flags e.g. standard Windows notepad.exe repacked with AsProtect (and many other, quite "official" packers/protectors). No multiple packing, no underground packers... strange. I wonder how they deal with false positives, and do the packer/protector vendors say about that.

[avatar2005]

I wonder how they deal with false positives, and do the packer/protector vendors say about that.

Hi Vlk!
They (Avira, I mean), just keep updating their scanning engine on & on, that's why their update are quite large for me on a home dial-up (~ 5-7 MB everyday), I know what I'm saying coz Iwas an Antivir user befor switched to beloved Avast .
Take care

[RejZoR]

Well, the Antivir's Heur/Crypted thing is quite strange IMHO.
From what I tested, Antivir flags e.g. standard Windows notepad.exe repacked with AsProtect (and many other, quite "official" packers/protectors). No multiple packing, no underground packers... strange. I wonder how they deal with false positives, and do the packer/protector vendors say about that.

Really? I haven't gone checking this far but for example HEUR/Crypted.Layered (which is now replaced by HEUR/Crypted) was suppose to mean layered cryptor/packer usage (executable protected by Yoda's Crypter and later packed with lets say UPack).
I mean, this way you avoid quiet some false positives and simply force malware writers into using less packers and crypters which again means you have to do less work on unpacking part of the engine and focus on other more important detection subsystems.
Not that unpacking would be all that needed today (in terms of repacked malware). But you still have to unpack it for a proper detection either way...

[igor]

Not that unpacking would be all that needed today (in terms of repacked malware).

Well, that's actually questionable (if you mean it the way I understand).
I'd say it depends on the choice of signatures - and if chosen well, you can get surprising results.
Whenever I add a new (un)packer, quite a significant number of samples get detected, without adding any new signatures. For example, I updated the Morphine unpacker in the last avast! update - and the number of previously undetected samples decreased by something like 10.000. I'm not saying that it's completely different samples - it's probably only variants of one specific malware group (or just a few of them) that are sometimes packed with other (already supported) packers that we already did support... but still.

[RejZoR]

Thats true, but i think malware writers aren't repacking malware all that much as they used to when packers were barelly emerging and were actually (effectivelly) used to evade detection for some time. Though they still use packers to decrease file size and also make detection tougher to some degree.

[igor]

Could be. On the other hand, most malware is not written from scratch... but is just a small modification of previous variants on the source level, possible with the same (malware) libraries used... etc.

[sanctuary24]

So in simple terms what is changing in Avast regarding detection? (sorry to ask but some of the stuff I just read went over my head )