Sophos

Download Windows 7 security - A great leap forward or business as usual?

Software for educational purposes! You kidding me??

Today I came across a dodgy piece of software which called itself Cryptic v2.3. This piece of malware claims to be an EXE encryptor with the main idea being it will run an encryption routine over your binary file to prevent reverse engineering. It does everything but encrypt!


When I ran Cryptic on a clean executable, it produced an encrypted file whose execution was broken. And this was not a one-off case: every executable I tried to encrypt was broken. Finding this suspicious? Good :)


Out of curiosity I clicked on the “About” button and read a most amusing disclaimer:
“This software is for educational purposes only. No responsibility is held or accepted for misuse.”
I have to tell everyone out there using this “EXE Crypter” for educational purposes: don’t say the author didn’t warn you about playing foul!

We detect this malware as Troj/Crypdrop-A, and two of the major dropped components were proactively detected as Mal/Emogen-Z. Troj/Crypdrop-A is a backdoor Trojan which drops more malware and attempts to contact a remote server while pretending to be an “EXE Crypter”. It is also a rather nasty bugger, with process monitoring to re-spawn itself if you manually kill the program.

