Archive for March, 2007

Something new, something old…

Friday, March 16th, 2007

and something obese? A while back I received a sample of a file-infecting virus. AV detection is quite scarce, with Symantec detecting it as W32.kakavex, PrevX detecting it as Covert.Sys.Exec and a few others detecting it as W32.Expiro. Kakavex is quite obese compared to its brethren like Virut; it adds about 110kb to the host file’s size!


On antidebug code detection

Thursday, March 15th, 2007

Sometimes when you run into an unknown piece of malware it’s useful to try to gather as much intel as possible before you start to analyze it. Since there’s a plethora of various methods in use out there, something needs to be automated.


Unpacking Exe32Pack

Sunday, March 11th, 2007

Exe32Pack is a relatively unused packer in the malware world, but I stumble onto samples occasionally. I wrote an unpacker for it a few months back and decided that I might as well give some instructions on how to do it manually.

