Size: variable (usually from 20K to 700K)
Aliases: VirTool:Win32/Vanti, Win32/NSAnti, Trojan.Nsanti.Packed, Malware-Cryptor.Win32.NSAnti
Removal: Please let BitDefender disinfect your files.
Analyzed by: Andrei DAMIAN-FEKETE, virus researcher
Files detected as Packer.Malware.NSAnti.X are programs that have been packed/protected with NSAnti, a protection system (packer/protector) designed by malware authors to bypass anti-virus protection and to hide malware contents.
It is not easily recognized: its encrypted data is stored in 3 sections with random names.
It is able to pack/protect multiple files.
For example, an NSAnti-packed file can contain, besides the main executable, other executable files that are loaded into the address space of the main unpacked file on the fly: they are never written to the file system, and they are loaded not through the usual documented APIs but by manually mapping the sections, resolving relocations and fixing up imports.
The imports the packer itself needs are resolved in a non-standard way: it locates the kernel32 module in memory and looks up exports by comparing export names against precomputed hashes.
The packer's code is position independent (relocatable) and (usually) encrypted.
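A defender-side check for the layout described above (encrypted data in several sections with random names), added here as an example that is not part of the BitDefender entry: a small Python script that walks a PE section table without third-party modules and flags sections whose names are not the conventional linker names and whose content has near-maximal entropy, the usual footprint of encrypted or compressed data. The parser, the thresholds and the constructed sample image are this example's own assumptions; the sample bytes are invented and are not an NSAnti file.

```python
import math
import random
import struct

# Constructed for this example: section names and contents are invented so the
# checks below have something to run on. This is not an NSAnti sample, and the
# image is not a loadable executable, only a byte layout the parser understands.

SECTION_HEADER_SIZE = 40          # IMAGE_SECTION_HEADER is always 40 bytes
ENTROPY_THRESHOLD = 7.0           # bits/byte; encrypted or compressed data sits near 8.0
KNOWN_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc",
                       ".idata", ".edata", ".bss", ".tls", ".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Follow DOS header -> PE signature -> COFF header -> section table and
    return a list of (name, raw_bytes). Raises ValueError on a malformed image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", image, hdr + 16)
        if ptr_to_raw + size_of_raw > len(image):
            raise ValueError(f"section {name!r} points outside the file")
        sections.append((name, image[ptr_to_raw:ptr_to_raw + size_of_raw]))
    return sections


def triage(image: bytes):
    """Per-section report: a section is flagged when its name is not one a
    compiler or linker normally emits AND its content looks encrypted."""
    report = []
    for name, raw in parse_sections(image):
        ent = shannon_entropy(raw)
        report.append({
            "name": name,
            "size": len(raw),
            "entropy": round(ent, 2),
            "flagged": name not in KNOWN_SECTION_NAMES and ent >= ENTROPY_THRESHOLD,
        })
    return report


def looks_packed(image: bytes, min_flagged: int = 3) -> bool:
    """Verdict heuristic (assumed here): three or more random-looking,
    high-entropy sections, matching the layout described above."""
    return sum(r["flagged"] for r in triage(image)) >= min_flagged


def build_sample_image(sections):
    """Assemble a minimal PE-shaped byte string from (name, content) pairs.
    No optional header is emitted (SizeOfOptionalHeader = 0), which is enough
    for the section walk above but would never load under Windows."""
    headers_len = 0x40 + 4 + 20 + SECTION_HEADER_SIZE * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, body, raw_ptr = bytearray(), bytearray(), headers_len
    for name, content in sections:
        table += name.encode("latin-1").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        table += struct.pack("<IIII", len(content), 0, len(content), raw_ptr)
        table += b"\0" * 16                            # relocs/linenumbers/characteristics
        body += content
        raw_ptr += len(content)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


_rng = random.Random(20090101)                          # fixed seed keeps the sample reproducible
_crypted = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE_SECTIONS = [                                     # constructed sample layout
    (".text", b"\x90" * 300 + b"\xc3"),                # tiny stub: low entropy
    (".data", b"NSAnti sample, constructed\0" * 16),   # plain strings: moderate entropy
    ("qzkt", _crypted(1024)),                          # three random-name sections with
    ("vxp0", _crypted(1024)),                          # high-entropy payloads, as in the
    ("nn2a", _crypted(1024)),                          # layout described above
]

if __name__ == "__main__":
    sample = build_sample_image(SAMPLE_SECTIONS)
    for row in triage(sample):
        print(f"{row['name']:<8} {row['size']:>6} bytes  entropy={row['entropy']:.2f}  flagged={row['flagged']}")
    print("looks packed:", looks_packed(sample))
```

Entropy near 8 bits/byte also appears in legitimate compressed resources and in other packers, so the verdict is a triage hint that prioritizes a file for unpacking and closer analysis, not a detection on its own.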
Methods used to avoid detection:
It has the ability to detect virtual machines and crash under them.
It generates a lot of exceptions (anti-debugging trick).
It has polymorphic code.
Its code is morphed by inserting garbage instructions, very long (and useless) loops that make it very slow, and/or by constructing the required data in multiple steps via add/sub/xor operations; it also inserts garbage calls to empty functions.
The polymorphic code has been changed very frequently in order to avoid detection of the packed/protected file(s) by anti-virus products. Its sole purpose is to defeat emulation and detection: the anti-debugging tricks cannot really stop manual debugging/tracing of the packer, so they are evidently present only to hinder emulation and analysis by anti-virus products.
It has never been used for legitimate purposes.