Author Topic: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]  (Read 10654 times)

0 Members and 1 Guest are viewing this topic.

_Rej_

  • Guest
Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« on: September 23, 2007, 10:16:27 AM »
Hi folks,

I've just completed a complete boot scan (4 hours  :o ) and discovered a virus on an old file that had been scanned previously (had this on my Pc for the last few years) and was wondering if it was a false positive..

here's the result from TotalVirus.com

File fr030-candytron-final-101.zip received on 09.23.2007 09:22:14 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.9.22.0   2007.09.21   -
AntiVir   7.6.0.15   2007.09.21   -
Authentium   4.93.8   2007.09.23   -
Avast   4.7.1043.0   2007.09.22   Win32:PeStaple-F
AVG   7.5.0.485   2007.09.22   -
BitDefender   7.2   2007.09.23   -
CAT-QuickHeal   9.00   2007.09.21   (Suspicious) - DNAScan
ClamAV   0.91.2   2007.09.23   -
DrWeb   4.33   2007.09.22   -
eSafe   7.0.15.0   2007.09.19   Suspicious Trojan/Worm
eTrust-Vet   31.2.5154   2007.09.21   -
Ewido   4.0   2007.09.20   -
FileAdvisor   1   2007.09.23   -
Fortinet   3.11.0.0   2007.09.23   -
F-Prot   4.3.2.48   2007.09.23   -
F-Secure   6.70.13030.0   2007.09.21   -
Ikarus   T3.1.1.12   2007.09.23   Virus.Win32.PeStaple.F
Kaspersky   4.0.2.24   2007.09.23   -
McAfee   5125   2007.09.21   -
Microsoft   1.2803   2007.09.23   -
NOD32v2   2545   2007.09.23   -
Norman   5.80.02   2007.09.21   -
Panda   9.0.0.4   2007.09.23   -
Prevx1   V2   2007.09.23   -
Rising   19.41.61.00   2007.09.23   -
Sophos   4.21.0   2007.09.23   -
Sunbelt   2.2.907.0   2007.09.22   -
Symantec   10   2007.09.23   -
TheHacker   6.2.5.066   2007.09.22   -
VBA32   3.12.2.4   2007.09.23   -
VirusBuster   4.3.26:9   2007.09.22   -
Webwasher-Gateway   6.0.1   2007.09.21   Win32.Malware.gen!84 (suspicious)
Additional information
File size: 65652 bytes
MD5: b5a5af99fcc982c066a67e7cd4a4a71f
SHA1: dc82a1c23bb7e5ffea2dc304831606ec56186de1

-------

Also, I've recently downloaded this other file that registers as Win32:Virtualizer [Cryp] (no clue what that means.. searched a few places without results)

Results of VirusTotal.com

File ar.dll received on 09.23.2007 09:09:25 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.9.22.0   2007.09.21   -
AntiVir   7.6.0.15   2007.09.21   -
Authentium   4.93.8   2007.09.23   -
Avast   4.7.1043.0   2007.09.22   Win32:Virtualizer
AVG   7.5.0.485   2007.09.22   -
BitDefender   7.2   2007.09.23   -
CAT-QuickHeal   9.00   2007.09.21   -
ClamAV   0.91.2   2007.09.23   -
DrWeb   4.33   2007.09.22   -
eSafe   7.0.15.0   2007.09.19   -
eTrust-Vet   31.2.5154   2007.09.21   -
Ewido   4.0   2007.09.20   -
FileAdvisor   1   2007.09.23   -
Fortinet   3.11.0.0   2007.09.23   -
F-Prot   4.3.2.48   2007.09.23   -
F-Secure   6.70.13030.0   2007.09.21   -
Ikarus   T3.1.1.12   2007.09.23   Trojan-PWS.Win32.Small.br
Kaspersky   4.0.2.24   2007.09.23   -
McAfee   5125   2007.09.21   -
Microsoft   1.2803   2007.09.23   -
NOD32v2   2545   2007.09.23   -
Norman   5.80.02   2007.09.21   W32/Suspicious_U.gen
Panda   9.0.0.4   2007.09.23   Suspicious file
Prevx1   V2   2007.09.23   -
Rising   19.41.61.00   2007.09.23   -
Sophos   4.21.0   2007.09.23   Mal/Packer
Sunbelt   2.2.907.0   2007.09.22   VIPRE.Suspicious
Symantec   10   2007.09.23   -
TheHacker   6.2.5.066   2007.09.22   W32/Behav-Heuristic-060
VBA32   3.12.2.4   2007.09.23   -
VirusBuster   4.3.26:9   2007.09.22   Packed/Upack
Webwasher-Gateway   6.0.1   2007.09.21   Win32.Malware.gen#Upack (suspicious)
Additional information
File size: 42797 bytes
MD5: 8316436d9f6443ae8a8080ec6939f5cf
SHA1: ba49b123b6df43ec8dd267abda229611980cf7ca
packers: Upack
packers: UPACK, BINARYRES
packers: UPack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


Note that jotty.org reports that only Avast detects something.. and that Dot9 says it's safe.  Still, I'd love to know that this is.  Is it just because it's packed with UPACK or is something else detected that I should be aware of?

Thx in advance...

P.S. where can I get infos on PeStaple and Virtualizer?  Actually, is there a good database of virus definition out there that could help me?  Searched a few but none returned anything about those 2 viruses/malwares.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #1 on: September 23, 2007, 10:25:25 AM »
A google search turns up PeStaple as a trojan dropper. But that does not mean you are infected. Perhaps reading a few links from the search will give you more to go on. Such as what files, registry key, etc to look for. What was the path and file name deected?

A search for Virtualizer  gives music and encryption related hits.

_Rej_

  • Guest
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #2 on: September 23, 2007, 06:37:15 PM »
Thx for the reply oldman,

I must have been half asleep (4am when I typed previous message) but I could have sworn that PeStaple returned just a few links in google, then I read your message and decided to retry... now I get more than 10 pages of results  ??? -- again, might be my typing ;/

Anyways, the fr030-candytron-final-101.zip file can be found anywhere on my drive..  It was first detected in old backups I had of demos I sent to a friend in Feb 2005 -- have to guess here based on other demos I sent back by checking the 'Sent Items.dbx' with Outlook Express.  I cannot confirm the date since I cannot restore the infected file with AVast from the chest.

So... the detection was within backups of the Sent Items folder of Outlook Express, which is why this one bugs me a bit.. I always scan the stuff I send to friends, but nothing was detected back then -- I wasn't using AVast though... I think I used to use AVG back then.

I then extracted the file from the chest to a temporary folder with the same result.  I can't even unzip the file without AVast alerting me :)

I do not believe that I'm infected but if I am, the location of the 2 infections are...

J:\OtherDrive_Backups\Name\Outlook Express\Sent Items.dbx\fr030-candytron-final-101.zip#22197248
and
Y:\Name\Outlook Express\Sent Items.dbx\fr030-candytron-final-101.zip#22197248

Note that both of those locations are backups of Emails I received (and sent) and are NOT in use right now.. I deleted my sent items from my current Email setup a few months back since I had backups.  Now the infected file is in the AV chest.  I sent a copy of both files to Alwil.

Note2:  I've done a complete scan of my PC with AVG Anti-Spyware *and* SuperAntiSpyware... Nothing was found by those 2 -- I know they're not AV software, but hey, doesn't hurt to try them too :D
« Last Edit: September 23, 2007, 06:56:10 PM by _Rej_ »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #3 on: September 23, 2007, 07:02:48 PM »
Avg and superantispyware while not avs, are good for looking for trojans. Sending the file to avast is good. This may well be a false positive.

_Rej_

  • Guest
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #4 on: September 26, 2007, 05:04:48 PM »
Still trying to find out if I can use ar.dll (Win32:Virtualizer [Cryp]) or keep it in the chest.

 Is there a way to have Avast confirm if it's infected or not?  I already sent them the Email via the chest but if I need to do something else, let me know.

oh, and still haven't found any infos on what Win32:Virtualizer [Cryp] is.  Can anyone at Alwil elaborate (or point me to where I can get the info on it?)

Regards...

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #5 on: September 26, 2007, 11:47:28 PM »
Win32:Virtualizer [Cryp] is a generic detection for the files packed with some PE packer/protector and simultaneously running in virtual machine.. this technique is (ab)used by virii authors to obfuscate the file and to disallow the unpacking/analysis/detection... no legal application should use this trick, but if you're sure that your dll is clean, you can add it to exclusions... anyway - when the file is packed with Upack (flagged by some AV's as malware packer) and is also running in VM, then is something strange there..

_Rej_

  • Guest
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #6 on: September 28, 2007, 12:59:33 PM »
Thanks tons for the information.

That's what I needed to know.  I wasn't aware that files/exe/dlls packed with UPack ran in VM mode as well.  I'm glad Avast detected it then.  It'll stay in the chest :)

Regards...

_Rej_
« Last Edit: September 28, 2007, 09:14:17 PM by _Rej_ »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #7 on: September 29, 2007, 08:03:04 PM »
I'm glad Avast detected it then.
I want to congratulate the virus analysts...
The big companies do not detect it (yet) 8)
The best things in life are free.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #8 on: September 30, 2007, 08:13:58 PM »
Upack has no VM... the VM is a layer under Upack in this case...

Dracula

  • Guest
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #9 on: December 09, 2007, 08:27:05 AM »
_Rej_ did you said ar.dll?That file is used in Gothic 2,and I played that game long time ago,I don't know what antivirus program I had,but all was ok.Now when I saw your question I tried to scan that file with avast and latest updates,and it tells me that file is infected with Win32:Virtualizer.So I think file its ok,because when I played Gothic 2 nothing happened to my system,ar.dll didn't do anything.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virtualizer [Cryp] and Win32:PeStaple [Drp]
« Reply #10 on: December 09, 2007, 12:06:52 PM »
the file is probably clean, but as i described above, the authors of it used a very strange technique to protect it..