BOClean found a Trojan?

Today I downloaded this demo; here are screenshots from the game:

from this site:
http://www.scene.org/file.php?file=%2Fparties%2F2008%2Fassembly08%2Fin64%2Fpanic_room_by_fairlight.zip&fileinfo

So I unzipped it and double-clicked on it. At that moment BOClean stopped it and told me that it is a Trojan.
OK, I can't really believe it, because I think this is not a Trojan, so maybe you can test it?

Greetz
Robby

Hi Robby :)

Scanning the flt_panic_room.exe file on www.virustotal.com gives the following result:

File flt_panic_room.exe received on 2008.08.04 02:42:39 (CET) Result: 9/36 (25%)

Antivirus          Version          Last updated  Result
AhnLab-V3          2008.7.29.1      2008.08.02    -
AntiVir            7.8.1.15         2008.08.04    PCK/Krunchy
Authentium         5.1.0.4          2008.08.03    -
Avast              4.8.1195.0       2008.08.03    -
AVG                8.0.0.156        2008.08.03    -
BitDefender        7.2              2008.08.04    Packer.Krunchy.B
CAT-QuickHeal      9.50             2008.08.02    (Suspicious) - DNAScan
ClamAV             0.93.1           2008.08.04    -
DrWeb              4.44.0.09170     2008.08.04    -
eSafe              7.0.17.0         2008.08.03    -
eTrust-Vet         31.6.6002        2008.08.02    -
Ewido              4.0              2008.08.03    -
F-Prot             4.4.4.56         2008.08.03    -
F-Secure           7.60.13501.0     2008.08.03    Suspicious:W32/Malware!Gemini
Fortinet           3.14.0.0         2008.08.03    -
GData              2.0.7306.1023    2008.08.03    -
Ikarus             T3.1.1.34.0      2008.08.04    -
K7AntiVirus        7.10.402         2008.08.02    -
Kaspersky          7.0.0.125        2008.08.04    Trojan.Win32.Pakes.jzc
McAfee             5352             2008.08.01    -
Microsoft          1.3807           2008.08.04    -
NOD32v2            3323             2008.08.04    -
Norman             5.80.02          2008.08.01    -
Panda              9.0.0.4          2008.08.03    Suspicious file
PCTools            4.4.2.0          2008.08.03    Packed/FRBR
Prevx1             V2               2008.08.04    -
Rising             20.55.62.00      2008.08.03    -
Sophos             4.31.0           2008.08.03    -
Sunbelt            3.1.1537.1       2008.08.01    -
Symantec           10               2008.08.03    -
TheHacker          6.2.96.392       2008.08.02    -
TrendMicro         8.700.0.1004     2008.08.01    -
VBA32              3.12.8.2         2008.08.02    -
ViRobot            2008.8.1.1321    2008.08.01    -
VirusBuster        4.5.11.0         2008.08.03    Packed/FRBR
Webwasher-Gateway  6.6.2            2008.07.21    Packer.Krunchy

Additional information

File size: 65536 bytes
MD5: 886a35011ae214d157e561b0425db663
SHA1: 533d98146f8d3d7beac4b80f91d7060f33b56fb7
SHA256: e44cfb040f51af3f1d08abdb69f8165e40662d301967bf9e5f98865e5e12914d
SHA512: f8dd5371c3c8d5cf635013ca2eba66e28b9d2d7a19580395a32027c6eb5dd0a4bf10cd7730a5679da642eaee09ca2eaf4084854608b947beef73301a91384bff
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x3dfacb
timedatestamp: 0x48942608 (Sat Aug 02 09:16:56 2008)
machinetype: 0x14c (I386)

( 1 sections )
name      viradd  virsiz    rawdsiz  ntrpy  md5
kkrunchy  0x1000  0xe54723  0xf000   8.00   b2aac97863504d8355b1f927af7b119e

( 1 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress

( 0 exports )

It seems that this packer is used for malware in 99% of cases, so that should be the reason why BOClean flags it (too). But I am no expert, so let's wait and see what Kevin has to say about it :)

Greetz, Red.
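The PEInfo block in Red's post shows the three things a generic packer heuristic keys on: a single section that is 0xf000 bytes on disk but 0xe54723 bytes in memory (the stub decompresses in place), a byte entropy of 8.00, and an import table cut down to LoadLibraryA and GetProcAddress so the stub can resolve everything else at runtime. The script below is an added example, not code from this thread and not BOClean's or VirusTotal's detection logic; it walks a PE32 header with the standard library only and reports those signals. Because the real flt_panic_room.exe is not reproduced here, build_packed_like_pe() constructs a synthetic one-section "kkrunchy" image (a uniform byte mix stands in for compressed data, and the offsets and section sizes are made up for the example) so the checks can run offline. A clean 64k demo packed with kkrunchy trips every one of these, which is exactly why a packer signature is not evidence of malicious behaviour.

```python
"""Packer heuristics for a PE32 file: one section that grows many times its raw
size in memory, near-maximal byte entropy, the entry point inside that section,
and an import table holding only LoadLibraryA/GetProcAddress."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte mix.
    Compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def read_cstr(image: bytes, off: int) -> str:
    return image[off:image.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 header walk: entry point RVA, import directory RVA, sections."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                               # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    import_rva = struct.unpack_from("<I", image, opt + 104)[0]  # data directory[1]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"entry": entry, "import_rva": import_rva, "sections": sections}


def rva_to_offset(rva: int, sections: list) -> int:
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def list_imports(image: bytes, info: dict) -> dict:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array: {dll: [function names]} (by-name only)."""
    out, secs = {}, info["sections"]
    if not info["import_rva"]:
        return out
    off = rva_to_offset(info["import_rva"], secs)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", image, off)
        if name_rva == 0:                                       # null descriptor ends the array
            break
        names, thunk = [], rva_to_offset(ilt or iat, secs)
        while (ent := struct.unpack_from("<I", image, thunk)[0]):
            if not ent & 0x80000000:                            # not an import by ordinal
                names.append(read_cstr(image, rva_to_offset(ent, secs) + 2))  # skip 2-byte hint
            thunk += 4
        out[read_cstr(image, rva_to_offset(name_rva, secs))] = names
        off += 20
    return out


def packer_indicators(image: bytes) -> list:
    """Human-readable reasons this file looks packed; empty list means none fired."""
    info = parse_pe(image)
    hits = []
    if len(info["sections"]) == 1:
        hits.append("single section")
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            hits.append(f"high-entropy section {s['name']} ({s['entropy']:.2f} bits/byte)")
            if s["vaddr"] <= info["entry"] < s["vaddr"] + s["vsize"]:
                hits.append("entry point inside high-entropy section (unpacking stub)")
        if s["rawsize"] and s["vsize"] > 4 * s["rawsize"]:
            hits.append(f"{s['name']} expands in memory ({s['rawsize']:#x} raw -> {s['vsize']:#x} virtual)")
    names = {n for fns in list_imports(image, info).values() for n in fns}
    if names and names <= {"LoadLibraryA", "GetProcAddress"}:
        hits.append("imports reduced to LoadLibraryA/GetProcAddress (rest resolved at runtime)")
    return hits


def build_packed_like_pe() -> bytes:
    """Constructed stand-in for a kkrunchy-packed binary (NOT flt_panic_room.exe):
    one 'kkrunchy' section, 0x1000 bytes on disk and 0x100000 in memory, an import
    table naming only KERNEL32.DLL!LoadLibraryA/GetProcAddress, the entry point inside
    the section, and a uniform byte mix standing in for compressed data."""
    sec_rva, hdr_size = 0x1000, 0x200
    dll, fn1, fn2 = b"KERNEL32.DLL\0", b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"
    name_off = 64                       # section layout: descriptor @0, null descriptor @20,
    fn1_off = name_off + len(dll)       # ILT @40, IAT @52, strings from @64
    fn2_off = fn1_off + len(fn1)
    desc = struct.pack("<IIIII", sec_rva + 40, 0, 0, sec_rva + name_off, sec_rva + 52)
    thunks = struct.pack("<III", sec_rva + fn1_off, sec_rva + fn2_off, 0)
    body = desc + b"\0" * 20 + thunks + thunks + dll + fn1 + fn2
    body += bytes(range(256)) * ((0x1000 - len(body)) // 256)
    body = body.ljust(0x1000, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x48942608, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, sec_rva + 0x100)                 # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, hdr_size)    # ImageBase, alignments
    struct.pack_into("<II", opt, 56, sec_rva + 0x100000, hdr_size)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, 40)                   # import directory RVA/size
    sec = struct.pack("<8sIIIIIIHHI", b"kkrunchy", 0x100000, sec_rva, len(body),
                      hdr_size, 0, 0, 0, 0, 0xE0000060)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    sample = build_packed_like_pe()
    print(list_imports(sample, parse_pe(sample)))
    for reason in packer_indicators(sample):
        print(" -", reason)
```

Run it against a real file with `packer_indicators(open(path, "rb").read())`; all five reasons fire on the constructed image, and they are the same reasons a signature like Packer.Krunchy or Packed/FRBR is really reporting. The entropy threshold (7.0) and the 4x expansion ratio are ordinary rule-of-thumb values chosen for the example, not figures from any scanner on the page.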

Hiya … well … not QUITE an FP … back when we added that one a few years ago, we deliberately targeted that packer since it was poorly written, did cause some machine crashes and was targeted by its author at trojan authors. But it turned out to be SUCH a lousy packer, about the only people who ever used it were those "demo creators" who were trying to cheat by using this packer to get their demo back under 64k in size (which was an important aspect - that 64k maximum size) … but since this packer is so unsophisticated and anything packed in it wouldn't fool BOClean anyway, I'll have our lab guys yank that one. It did turn up being used by one major trojan over the years - a version of PAKES which didn't work anyway. :)