Packer.Malware.NSAnti.X (VirTool:Win32/Vanti, Win32/NSAnti, Trojan.Nsanti.Packed, Malware-Cryptor.Win32.NSAnti)
SYMPTOMS: Not applicable.

TECHNICAL DESCRIPTION: Files detected as Packer.Malware.NSAnti.X are programs that have been packed/protected with NSAnti, a protection system (packer/protector) written by malware authors to bypass anti-virus protection and to hide the malware payload.

Characteristics:
It is not easily recognized. The encrypted data is kept in 3 sections with random names.
It is able to pack/protect multiple files. For example, a NSAnti-packed file can contain, besides the main executable, other executable files that are loaded into the address space of the main (unpacked) file on the fly: they are never written to the file system, and they are not loaded through the usual/documented API, but manually, by mapping the sections, resolving relocations and fixing imports.
The imports the packer itself needs are resolved in a non-standard way: it locates the kernel32 module in memory and searches its export names by a precomputed hash, so the API names never appear in the packed file.
The packer's code is position-independent (relocatable) and usually encrypted.

Methods used to avoid detection:
It is able to detect virtual machines and crashes under them.
It generates a lot of exceptions (anti-debugging trick).
It has polymorphic code. The code is morphed by inserting garbage instructions, very long (and useless) loops that make it very slow, constructing the required data in multiple steps via add/sub/xor operations, and inserting garbage calls to empty functions.
The polymorphic code has been changed very frequently in order to avoid detection of the packed/protected file(s) by anti-virus products. Its sole purpose is to defeat emulation/detection: the anti-debugging tricks cannot really stop manual debugging/tracing of the packer, so they are present only to stop emulation/analysis by anti-virus engines.

It has never been used for legitimate purposes.
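The hash-based export lookup described above is the part of the packer most worth understanding, because it is also what lets an analyst recover the API names from the stub. The following is an added example, not code from this page or from NSAnti: it walks a module's export directory and returns the function whose name hashes to a wanted constant, the way a position-independent loader does instead of calling GetProcAddress. The ROR13 hash is an assumption (the page does not document the packer's actual hash); the module image is a constructed in-memory stand-in for kernel32 with three exports, so the program builds and runs on any host. The last function shows the reverse direction an analyst uses: hashing a candidate API list to identify constants pulled out of the stub.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field order of IMAGE_EXPORT_DIRECTORY (winnt.h), declared locally so the
   example builds without the Windows SDK. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA -> uint32_t[NumberOfFunctions] */
    uint32_t AddressOfNames;        /* RVA -> uint32_t[NumberOfNames], each the RVA of an ASCIIZ name */
    uint32_t AddressOfNameOrdinals; /* RVA -> uint16_t[NumberOfNames] */
} export_dir_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ROR13 name hash, the form most position-independent loaders use.
   ASSUMPTION: NSAnti's real hash is not documented on the page; this stands in for it. */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s;
    }
    return h;
}

/* Walk the export name table of a mapped module and return the RVA of the
   export whose name hashes to `want`, or 0. The caller holds only the hash,
   never the name string, and never calls GetProcAddress. */
uint32_t resolve_export_rva(const uint8_t *base, uint32_t export_dir_rva, uint32_t want)
{
    export_dir_t ed;
    memcpy(&ed, base + export_dir_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva = rd32(base + ed.AddressOfNames + 4 * i);
        if (ror13_hash((const char *)(base + name_rva)) != want)
            continue;
        uint16_t ord = rd16(base + ed.AddressOfNameOrdinals + 2 * i); /* name i -> function index */
        return rd32(base + ed.AddressOfFunctions + 4 * ord);
    }
    return 0;
}

/* Constructed stand-in for a mapped kernel32: an export directory with three
   names, with function RVAs deliberately out of name order so the ordinal
   indirection is exercised. Returns the export directory RVA. */
#define FAKE_IMAGE_SIZE 0x800
uint32_t build_fake_module(uint8_t *img)
{
    static const char *names[] = { "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };
    static const uint32_t func_rvas[] = { 0x1300, 0x1100, 0x1200 }; /* VirtualAlloc, GetProcAddress, LoadLibraryA */
    static const uint16_t ords[] = { 1, 2, 0 };                      /* name i -> index into func_rvas */
    const uint32_t ed_rva = 0x100, funcs_rva = 0x200, names_rva = 0x300, ords_rva = 0x340, str_rva = 0x400;
    memset(img, 0, FAKE_IMAGE_SIZE);

    export_dir_t ed = {0};
    ed.NumberOfFunctions = 3;
    ed.NumberOfNames = 3;
    ed.AddressOfFunctions = funcs_rva;
    ed.AddressOfNames = names_rva;
    ed.AddressOfNameOrdinals = ords_rva;
    memcpy(img + ed_rva, &ed, sizeof ed);

    uint32_t cursor = str_rva;
    for (int i = 0; i < 3; i++) {
        wr32(img + funcs_rva + 4 * i, func_rvas[i]);
        wr16(img + ords_rva + 2 * i, ords[i]);
        wr32(img + names_rva + 4 * i, cursor);
        strcpy((char *)img + cursor, names[i]);
        cursor += (uint32_t)strlen(names[i]) + 1;
    }
    return ed_rva;
}

/* Packer side: resolve an API from its hash alone against the fake module. */
uint32_t demo_resolve(uint32_t api_hash)
{
    uint8_t img[FAKE_IMAGE_SIZE];
    uint32_t ed_rva = build_fake_module(img);
    return resolve_export_rva(img, ed_rva, api_hash);
}

/* Analyst side: identify a hash constant taken from the stub by hashing a
   candidate list of API names (a small constructed list here). */
const char *name_for_hash(uint32_t h)
{
    static const char *candidates[] = { "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                                        "VirtualProtect", "ExitProcess", "IsDebuggerPresent" };
    for (size_t i = 0; i < sizeof candidates / sizeof *candidates; i++)
        if (ror13_hash(candidates[i]) == h)
            return candidates[i];
    return NULL;
}

int main(void)
{
    uint32_t h = ror13_hash("LoadLibraryA");
    printf("hash(LoadLibraryA) = 0x%08X -> RVA 0x%X, name %s\n",
           h, demo_resolve(h), name_for_hash(h));
    return 0;
}
```

On a real system the packer first has to find the kernel32 base itself (the page only says it searches memory for the module; walking the PEB loader list is the usual way), after which the lookup is exactly the walk shown. For triage, the practical check is the reverse one: hash the exports of kernel32 with the candidate hash functions and search the unpacked stub for those 32-bit constants; a hit list of LoadLibraryA/GetProcAddress/VirtualAlloc-type hashes is a strong sign of a manual loader regardless of how the surrounding code has been morphed.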
Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Andrei DAMIAN-FEKETE, virus researcher