Skip navigation.

Q about packer signatures

I'm trying to understand the packer signatures I've seen on some of the malware samples on this site. For example, one of them had:

	NeoLite v2.00 [418,1673]
	FSG v2.0 -> bart/xt [652,2609]
	Microsoft Visual C++ v7.1 EXE [164,657]
	PE Pack v1.0 [450,1801]
	Ste@lth PE 1.01 -> BGCorp [757,3036]

I assume the executable was packed multiple times using the packers listed -- is that correct? If so, does the top-to-bottom ordering on this list correspond to going from the outermost-packer to the innermost-packer, or vice versa? Finally, what do the numbers "[418,1673]", "[652,2609]", etc., mean?


If the executable matches

If the executable matches multiple signatures it will report multiple packers. The numbers represent the rule number from our database. If it would be useful I could post the signatures we use, they are in the PEiD format.


Hi dannyquist, i would

Hi dannyquist,

i would really appreciate if you could post the signatures that you use as i'm trying to compile a huge list of PEiD signatures.


thank you

Thanks a lot for clarifying. I had misunderstood those to mean that the sample used multiple layers of packing, sort of like an onion (which I suppose it may, but that's not what the multiple packers mentioned under "Packer Signature" refers to).