Q about packer signatures
I'm trying to understand the packer signatures I've seen on some of the malware samples on this site. For example, one of them had:
NeoLite v2.00 [418,1673]
FSG v2.0 -> bart/xt [652,2609]
Microsoft Visual C++ v7.1 EXE [164,657]
PE Pack v1.0 [450,1801]
Ste@lth PE 1.01 -> BGCorp [757,3036]
I assume the executable was packed multiple times using the packers listed -- is that correct? If so, does the top-to-bottom ordering on this list correspond to going from the outermost-packer to the innermost-packer, or vice versa? Finally, what do the numbers "[418,1673]", "[652,2609]", etc., mean?
TIA,
-solar
Hi dannyquist, i would
Hi dannyquist,
I would really appreciate it if you could post the signatures that you use, as I'm trying to compile a huge list of PEiD signatures.
Thanks
thank you
Thanks a lot for clarifying. I had misunderstood those to mean that the sample used multiple layers of packing, sort of like an onion (which I suppose it may, but that's not what the multiple packers mentioned under "Packer Signature" refers to).
-solar

If the executable matches
If the executable matches multiple signatures, it will report multiple packers. The numbers represent the rule number from our database. If it would be useful, I could post the signatures we use; they are in the PEiD format.
Danny
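As an added illustration of Danny's answer (example code written for this page, not the site's scanner or PEiD itself): a minimal parser for PEiD-format userdb entries and a matcher that reports every rule hitting a file, keyed by the rule's position in the database. The signature database and the sample bytes below are constructed; the site's real rule numbers and signatures are not reproduced.

```python
import re
# Constructed PEiD-style userdb (not the site's rules): [Name], hex signature with ?? wildcards, ep_only.
SIGNATURE_DB = """
[UPX-like stub (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE
ep_only = true
[Generic pushad prologue (constructed)]
signature = 60 BE
ep_only = true
[Compiler marker string (constructed)]
signature = 4D 53 56 43
ep_only = false
"""
def parse_peid_db(text):
    """Parse userdb text; each rule's number is its 1-based position in the file."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            cur = {"rule": len(rules) + 1, "name": m.group(1), "pattern": [], "ep_only": True}
            rules.append(cur)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":  # "??" becomes None, a wildcard byte
            cur["pattern"] = [None if t == "??" else int(t, 16) for t in value.split()]
        elif key == "ep_only":
            cur["ep_only"] = value.lower() == "true"
    return rules

def _matches_at(data, pattern, offset):
    if offset + len(pattern) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(pattern))

def scan(data, entry_point, rules):
    """Return (rule, name) for every matching rule; several hits per file are normal."""
    hits = []
    for r in rules:
        # ep_only rules are tried only at the entry point, the rest at every offset
        offsets = [entry_point] if r["ep_only"] else range(len(data))
        if any(_matches_at(data, r["pattern"], o) for o in offsets):
            hits.append((r["rule"], r["name"]))
    return hits
# Constructed sample: 16 bytes of padding, a pushad / mov esi stub at entry point
# 16, then an ASCII "MSVC" marker further into the file.
SAMPLE = bytes(16) + bytes.fromhex("60BE001040008DBE") + b"padding" + b"MSVC"
ENTRY_POINT = 16
```

Running `scan(SAMPLE, ENTRY_POINT, parse_peid_db(SIGNATURE_DB))` reports all three rules for this one file, which is the "multiple packers" situation in the question: overlapping signatures, not layered packing.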