
Yoda's Crypter = malware ?


Virus Guy
Mar 7, 2009, 11:06:17 AM

I'm looking for a utility to convert m4a's into something else (like
mp3).

I found something called "Free M4a to MP3 Converter"

-----------------------------------
Free M4a to MP3 Converter 6.0
===================================
Copyright (c) 2003-2008 ManiacTools

m4a-to-mp3-converter.exe
-----------------------------------

I can't unpack it with winzip or winrar. VirusTotal finds no threat,
and identifies the file type as:

TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)

So I install it, but I don't run it. I look at the installed files.
Two executables and a few .DLL's. I have Virustotal scan the
executable:

(m4a_converter.exe)

eSafe IDs it as "suspicious file". All others say nothing.

File type is listed as:

TrID..: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)

So this file is still a compressed file, and it's using UPX and Yoda's
Crypter to boot. Is this "normal" for an app file that's the result of
the install process for a legit app?

kurt wismer
Mar 7, 2009, 3:22:19 PM

Virus Guy wrote:
[snip]

> So this file is still a compressed file, and it's using UPX and Yoda's
> Crypter to boot. Is this "normal" for an app file that's the result of
> the install process for a legit app?

normal? no... that doesn't necessarily make it malicious, but it does
raise some red flags...

the use of a cryptor generally indicates one of 2 things - a malware
author is trying to hide the contents of his executable, or someone
paranoid about intellectual property is trying to hide the contents of
his executable...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Virus Guy
Mar 7, 2009, 7:52:25 PM

kurt wismer wrote:

> > m4a-to-mp3-converter.exe

> the use of a cryptor generally indicates one of 2 things -
> a malware author is trying to hide the contents of his
> executable, or someone paranoid about intellectual property
> is trying to hide the contents of his executable...

Didn't VT once operate a sandbox - wasn't it Norman sandbox?

Anyways, is there anywhere else I could submit this thing on-line just
for the hell of it besides VT?

Virus Guy
Mar 7, 2009, 7:55:37 PM

Virus Guy wrote:

> Didn't VT once operate a sandbox - wasn't it Norman sandbox?

I just had a look at norman and it seems they want to put you through a
lot of bullshit just to submit a sample for the sandbox...

David H. Lipman
Mar 7, 2009, 10:29:12 PM

From: "Virus Guy" <Vi...@Guy.com>

| m4a-to-mp3-converter.exe
| -----------------------------------

| (m4a_converter.exe)

Every file I have seen using Yoda is malicious.

For example...

The following is a password/data stealer...

Authentium 5.1.0.4 2009.03.05 W32/Heuristic-210!Eldorado
CAT-QuickHeal 10.00 2009.03.05 Win32.Packed.Krap.c.4
ClamAV 0.94.1 2009.03.05 Worm.Mytob.Crypt.Gen
DrWeb 4.44.0.09170 2009.03.05 Tool.PassView.155
eSafe 7.0.17.0 2009.03.05 Win32.PackedYoda.A
F-Prot 4.4.4.56 2009.03.05 W32/Heuristic-210!Eldorado
F-Secure 8.0.14470.0 2009.03.05 W32/Packed_Yoda.A
Fortinet 3.117.0.0 2009.03.05 PossibleThreat
McAfee+Artemis 5544 2009.03.05 Generic!Artemis
NOD32 3911 2009.03.05 a variant of Win32/Injector.JE
Norman 6.00.06 2009.03.05 W32/Packed_Yoda.A
Panda 10.0.0.10 2009.03.05 Suspicious file
PCTools 4.4.2.0 2009.03.05 Packed/Yoda
SecureWeb-Gateway 6.7.6 2009.03.05 Trojan.LooksLike.Backdoor.Hupigon
Sophos 4.39.0 2009.03.05 Sus/UnkPacker
Sunbelt 3.2.1858.2 2009.03.05 Trojan.Win32.Packed.gen (v)
TheHacker 6.3.2.7.272 2009.03.05 W32/Behav-Heuristic-073
TrendMicro 8.700.0.1004 2009.03.05 Cryp_Yodac
VirusBuster 4.5.11.0 2009.03.05 Packed/Yoda

FTP Connection:
92.241.190.201:21


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Virus Guy
Mar 7, 2009, 10:51:39 PM

"David H. Lipman" wrote:

> | (m4a_converter.exe)

>
> | File type is listed as:
>
> | TrID..: File type identification
> | UPX compressed Win32 Executable (38.5%)
> | Win32 EXE Yoda's Crypter (33.4%)
> | Win32 Executable Generic (10.7%)
> | Win32 Dynamic Link Library (generic) (9.5%)
> | Win16/32 Executable Delphi generic (2.6%)

> Every file I have seen using Yoda is malicious.
>
> For example...
> eSafe 7.0.17.0 2009.03.05 Win32.PackedYoda.A
> F-Secure 8.0.14470.0 2009.03.05 W32/Packed_Yoda.A
> Norman 6.00.06 2009.03.05 W32/Packed_Yoda.A

So even when I submitted that file, and VT lists it as using Yoda, no
AV's seem to detect that?

> FTP Connection:
> 92.241.190.201:21

UN/PW ?

Dustin Cook
Mar 7, 2009, 10:59:51 PM

Virus Guy <Vi...@Guy.com> wrote in news:49B316C9...@Guy.com:

http://virusscan.jotti.org/
http://scanner.virus.org/
http://www.virscan.org/

Interested in online sandboxing it? check this out:

http://anubis.iseclab.org/


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

Dustin Cook
Mar 7, 2009, 11:05:41 PM

Virus Guy <Vi...@Guy.com> wrote in news:49B29B79...@Guy.com:

> I'm looking for a utility to convert m4a's into something else (like
> mp3).

m4a... apple ipod?

> I can't unpack it with winzip or winrar. VirusTotal finds no threat,
> and identifies the file type as:

They won't unpack nullsoft installers.... Of course, this isn't a
nullsoft installer either.


> So I install it, but I don't run it. I look at the installed files.
> Two executables and a few .DLL's. I have Virustotal scan the
> executable:
>
> (m4a_converter.exe)
>
> eSafe id's it as "suspicious file". All others say nothing.
>
> File type is listed as:
>
> TrID..: File type identification
> UPX compressed Win32 Executable (38.5%)
> Win32 EXE Yoda's Crypter (33.4%)
> Win32 Executable Generic (10.7%)
> Win32 Dynamic Link Library (generic) (9.5%)
> Win16/32 Executable Delphi generic (2.6%)
>
> So this file is still a compressed file, and it's using UPX and Yoda's
> Crypter to boot. Is this "normal" for an app file that's the result of
> the install process for a legit app?

The UPX and yoda cryptor didn't take effect during installation. It was
prepackaged that way from author. I use UPX myself, as do many others,
but at the same time, there's an equal amount of authors who hate packers;
whether they are well known or not.

That being said, I've never seen a legit app using the yoda cryptor.
Everything that's come across my desk using it has been malicious. i.e.: a
trojan.dropper or trojan.downloader.

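Dustin's point that the packer was applied by the author before distribution, and the TrID output quoted from the first post, both come down to what the PE headers of the installed executable reveal. The following is an added example, written for this page and not code from anyone in the thread: a stdlib-only Python script that walks a PE section table and reports the packer indicators a defender checks before trusting a clean scan result: section names known to be written by UPX, sections that reserve virtual space but carry no raw data (where an unpacker writes the original image), and sections whose byte entropy is near 8 bits (compressed or encrypted payload). No Yoda's Crypter signature is claimed here, since its exact header markers are not on the page; the TrID identification stays the source for that. The `build_synthetic_pe` helper and the `samples()` layouts are constructed for offline testing and are not taken from the converter discussed in the thread.

```python
import math
import random
import struct

# Section names UPX writes into the PE header (well known). No Yoda's Crypter
# signature is listed: its exact section markers are not vouched for here, so
# the TrID identification quoted in the thread stays the source for that.
KNOWN_PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX"}

HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table using struct only (no third-party PE library)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, then relocation/linenumber fields
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def assess_packing(pe: bytes) -> dict:
    """Collect packer indicators; 'packed_hint' is True if any indicator fired."""
    indicators = []
    sections = parse_sections(pe)
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            indicators.append(f"{s['name']}: section name used by "
                              f"{KNOWN_PACKER_SECTIONS[s['name']]}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            indicators.append(f"{s['name']}: no raw data but {s['virtual_size']} "
                              "bytes virtual (room reserved for an unpacked image)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            indicators.append(f"{s['name']}: entropy {s['entropy']} "
                              "(compressed or encrypted payload)")
    return {"packed_hint": bool(indicators), "indicators": indicators,
            "sections": sections}


def build_synthetic_pe(sections) -> bytes:
    """Constructed minimal PE for testing: MZ stub, PE signature, COFF header with
    no optional header, section table, then raw section data. Not a loadable image."""
    n = len(sections)
    headers_len = 64 + 4 + 20 + 40 * n
    out = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))  # e_lfanew = 64
    out += b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    body = bytearray()
    for name, data, vsize in sections:
        raw_ptr = headers_len + len(body)
        out += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                           vsize, 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(out + body)


def samples() -> dict:
    """Constructed inputs: a plain code+data layout and a UPX-style layout whose
    second section holds a random (high-entropy) payload. Assumed, not real files."""
    rng = random.Random(2009)
    plain = build_synthetic_pe([
        (".text", b"\x90" * 2000 + b"\xc3", 2001),
        (".data", b"hello, world\0" * 100, 1300),
    ])
    packed = build_synthetic_pe([
        ("UPX0", b"", 0x8000),
        ("UPX1", bytes(rng.getrandbits(8) for _ in range(4096)), 4096),
    ])
    return {"plain": plain, "packed": packed}


if __name__ == "__main__":
    for label, image in samples().items():
        result = assess_packing(image)
        print(label, "packed_hint =", result["packed_hint"])
        for line in result["indicators"]:
            print("  -", line)
```

Running it prints no indicators for the plain layout and four for the UPX-style one (two from the section names, one for the empty UPX0 section, one for the high-entropy UPX1 payload). Point `assess_packing` at the bytes of a real executable and the same checks apply; a hit is a reason to look closer, as kurt says, not proof of malice on its own.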
David H. Lipman
Mar 8, 2009, 9:46:30 AM

From: "Virus Guy" <Vi...@Guy.com>

| "David H. Lipman" wrote:

>> | (m4a_converter.exe)

>> FTP Connection:
>> 92.241.190.201:21

| UN/PW ?

I'm not posting account and password in public.
