This is for Mr.Rattlz's Cracked Script Vessel Release.
File Scan.
File: ScriptVessel.zip
Status:
POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 f7c228717c06c8c5195cab5c10fad94d
Packers detected: PE_PATCH.UPX, UPX, ASPROTECT
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Crypto
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found Possibly a new variant of W32/Internet-Trojan-patched-based!Maximus
F-Secure Anti-Virus: Found nothing
Fortinet: Found PossibleThreat!019139
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
Virus Information
Win32.Crypto
This text was written with the help of Adrian Marinescu, GeCAD Software.
This is a very dangerous memory resident parasitic polymorphic Win32 virus about 20K in length. It infects KERNEL32.DLL and PE EXE files: it writes its code to the end of the file and modifies necessary fields in the PE header to gain control when an infected file is run. The virus also adds its "droppers" to archives of different types (ACE, RAR, ZIP, CAB, ARJ) and to some types of self-extracting packages (SFX ACE and RAR files).
The virus uses a polymorphic engine while infecting PE EXE files and archives only, and leaves the virus image non-encrypted in the KERNEL32.DLL file.
The virus uses anti-debugging tricks, disables anti-virus on-access scanners (Avast, AVP, AVG and Amon), deletes anti-virus data files (AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, AVGQT.DAT), patches the LGUARD.VPS file (anti-virus database?), and avoids infection of many anti-virus programs: TB, F-, AW, AV, NAV, PAV, RAV, NVC, FPR, DSS, IBM, INOC, ANTI, SCN, VSAF, VSWP, PANDA, DRWEB, FSAV, SPIDER, ADINF, SONIQUE, SQSTART.
One of the most important virus features is the fact that it encrypts/decrypts "on-the-fly" Windows libraries (DLL files) when they are loaded - upon loading a library, the virus decrypts it, and upon unloading, the virus encrypts the file body. To encrypt DLL files, the virus uses strong cryptographic algorithms (provided by the Crypt API included in Windows). As a result, once infected, the system keeps working only if the virus code is present in memory and performs this encryption/decryption. If the system is disinfected, the DLL libraries stay encrypted, and the system cannot load them. The first virus to use such technology was the Onehalf multipartite virus that was "well known" in the second half of the 1990s.
The virus is incompatible with several Win32 versions, such as the Win95 and Win98 standard editions. Under these conditions, the virus does not install itself into the system (does not infect KERNEL32.DLL) and/or does not infect PE EXE files.
Possible Keylogger in countrymakeinUS.dll
A scan from [link removed] shows a possible keylogger in countrymakeinUS.dll.
However, I don't believe there is any risk with this, as it is probably the feature used to get item and monster names from Conquer.
Final Report
So far I have had no problems with this software, and the 'Viruses' don't seem to be much of a problem. My theory is that Win32:Crypto is used to encrypt countrymakeinUS.dll to protect the program from being cracked. (Needs verification.)
All in all, it's up to you to decide what you wish to do if you acquire this program.
Any more information will be amended beyond this point with the date and time. If you have any information to add, PM me.
Quote:
The "viruses" are part of ASProtect, used for anti-debugging (says in Crypto desc.)