Script Vessel Final Analysis
Discussion on Script Vessel Final Analysis within the CO2 Bots & Macros forum part of the Conquer Online 2 category.
01/07/2007, 18:34
|
#1
|
elite*gold: 0
Join Date: Jun 2005
Posts: 291
Received Thanks: 160
|
This is for Mr.Rattlz Cracked Script Vessel Release.
File Scan.
File: ScriptVessel.zip
Status:
POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 f7c228717c06c8c5195cab5c10fad94d
Packers detected: PE_PATCH.UPX, UPX, ASPROTECT
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Crypto
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found Possibly a new variant of W32/Internet-Trojan-patched-based!Maximus
F-Secure Anti-Virus: Found nothing
Fortinet: Found PossibleThreat!019139
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
Virus Information
Win32.Crypto
This text was written with the help of Adrian Marinescu, GeCAD Software.
This is a very dangerous memory resident parasitic polymorphic Win32 virus about 20K in length. It infects KERNEL32.DLL and PE EXE files: it writes its code to the end of the file and modifies necessary fields in the PE header to gain control when an infected file is run. The virus also adds its "droppers" to archives of different types (ACE, RAR, ZIP, CAB, ARJ) and to some types of self-extracting packages (SFX ACE and RAR files).
The virus uses a polymorphic engine while infecting PE EXE files and archives only, and leaves the virus image non-encrypted in the KERNEL32.DLL file.
The virus uses anti-debugging tricks, disables anti-virus on-access scanners (Avast, AVP, AVG and Amon), deletes anti-virus data files (AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, AVGQT.DAT), patches the LGUARD.VPS file (anti-virus database?), and avoids infection of many anti-virus programs: TB, F-, AW, AV, NAV, PAV, RAV, NVC, FPR, DSS, IBM, INOC, ANTI, SCN, VSAF, VSWP, PANDA, DRWEB, FSAV, SPIDER, ADINF, SONIQUE, SQSTART.
One of the most important virus features is the fact that it encrypts/decrypts "on-the-fly" Windows libraries (DLL files) when they are loaded - upon loading a library, the virus decrypts it, and upon unloading, the virus encrypts the file body. To encrypt DLL files, the virus uses strong cryptographic algorithms (provided by Crypt API included in Windows). As a result, once infected, the system keeps working only in the case the virus code is present in the memory and realizes this encryption/decryption. In case the system is disinfected, the DLL libraries stay encrypted, and the system cannot load them. The first virus to use such technology was Onehalf multipartite virus that was "well known" in the second half of the 1990s.
The virus is incompatible with several Win32 versions, such as Win95 and Win98 standard editions. Under these conditions, the virus does not install itself into the system (does not infect KERNEL32.DLL) and/or does not infect PE EXE files.
Possible Keylogger in countrymakeinUS.dll
A scan from  shows a possible keylogger in countrymakeinUS.dll
However, I don't believe there is any risk with this as it is probably the feature used to get item and monster names from Conquer.
Final Report
So far I have had no problems with this software, And the 'Viruses' don't seem to be much of a problem. My theory is that Win32:Crypto is used to encrypt countrymakeinUS.dll to protect the program from being cracked. (Need verification).
All in all, it's up to you to decide what you wish to do if you acquire this program.
Any more information will be amended beyond this point with the date and time. If you have any information to add, PM me.
Quote:
|
The "viruses" are part of ASProtect, used for anti-debugging (says in Crypto desc.)
|
|
|
|
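Added example (not part of the original post or thread): the first post's scan lists UPX among the detected packers, and the quoted description says Win32.Crypto appends its code to the end of a file and changes PE header fields to gain control. This header-only triage shows both traits as they appear to a static check; `pe_triage` and `build_sample` are hypothetical names, the sample headers are constructed, and the results are heuristics, not a verdict on any file.

```python
import struct

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}            # section names written by UPX
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000    # IMAGE_SCN_MEM_* flags

def pe_triage(data: bytes) -> dict:
    """Header-only checks: packer section names and where the entry point lands."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (entry_rva,) = struct.unpack_from("<I", data, pe_off + 40)  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                              # section table offset
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr,
                         max(vsize, rsize), flags))
    ep = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    return {
        "upx_names": sorted(UPX_SECTIONS & {s[0] for s in sections}),
        "entry_section": ep[0] if ep else None,
        # An appending infector redirects the entry point into the final section.
        "entry_in_last_section": len(sections) > 1 and ep is sections[-1],
        "entry_writable_executable": bool(ep and ep[3] & MEM_WRITE and ep[3] & MEM_EXECUTE),
    }

def build_sample(sections, entry_rva):
    """Constructed input: PE32 headers only. sections = [(name, rva, size, flags)]."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), size, rva, size, 0, 0, 0, 0, 0, fl)
        for n, rva, size, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    packed = build_sample([("UPX0", 0x1000, 0x4000, 0xE0000080),
                           ("UPX1", 0x5000, 0x2000, 0xE0000040),
                           (".rsrc", 0x7000, 0x1000, 0xC0000040)], 0x6000)
    print(pe_triage(packed))
```

A packed file and an appended-code file can both trip the writable-and-executable entry check, which is one reason packed binaries draw heuristic detections; telling them apart takes unpacking or dynamic analysis in an isolated environment.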
01/07/2007, 18:40
|
#2
|
elite*gold: 0
Join Date: Jan 2006
Posts: 15
Received Thanks: 0
|
0___0 is this REAL? if it is then o wells i never got a copy of it
|
|
|
01/07/2007, 19:21
|
#3
|
elite*gold: 0
Join Date: Jan 2007
Posts: 30
Received Thanks: 0
|
wow, i guess it will be just a matter of time until ppl start losing items
|
|
|
01/07/2007, 20:18
|
#4
|
elite*gold: 0
Join Date: Jul 2005
Posts: 426
Received Thanks: 15
|
well guess what no one will lose items cuz i scanned the older SV before the patch it showed the same **** as now, and still no one lost their acc, so you nubs can stop worrying and trying to be smart <comment excludes lupurus and other programmers....the only ones who lost their acnts were Rtards who can't read or scan and got keyloggers from newb posters.
|
|
|
01/07/2007, 20:39
|
#5
|
elite*gold: 0
Join Date: Jul 2006
Posts: 36
Received Thanks: 0
|
Quote:
Originally posted by ftho@Jan 7 2007, 20:18
well guess what no one will lose items cuz i scanned the older SV before the patch it showed the same **** as now, and still no one lost their acc, so you nubs can stop worrying and trying to be smart <comment excludes lupurus and other programmers....the only ones who lost their acnts were Rtards who can't read or scan and got keyloggers from newb posters.
|
Lol, you can tell them 2,000,000,000,000,000,000 ****** times, and yet they still will cry about it ^^
|
|
|
01/07/2007, 21:02
|
#6
|
elite*gold: 0
Join Date: Dec 2006
Posts: 181
Received Thanks: 21
|
why don't u trust dm and rattlz???? why would dm corrupt her own forums???, if u can't trust dm and mr.rattlz, then u shouldn't be on this forum........ i trust them and i'll keep using sv, and if u can't trust them??? then who can u trust?................ that's all i got to say
|
|
|
01/07/2007, 21:13
|
#7
|
elite*gold: 0
Join Date: Jul 2006
Posts: 25
Received Thanks: 0
|
Can I see the file?
|
|
|
01/07/2007, 21:24
|
#8
|
elite*gold: 0
Join Date: Dec 2006
Posts: 181
Received Thanks: 21
|
why would u want to see the file just so u could download it?
|
|
|
01/07/2007, 21:25
|
#9
|
elite*gold: 0
Join Date: Jan 2006
Posts: 189
Received Thanks: 6
|
Quote:
Originally posted by GreenPencil@Jan 7 2007, 21:02
why don't u trust dm and rattlz???? why would dm corrupt her own forums???, if u can't trust dm and mr.rattlz, then u shouldn't be on this forum........ i trust them and i'll keep using sv, and if u can't trust them??? then who can u trust?................ that's all i got to say
|
Agree with u, they won't be hacking accs. I'll keep on using sv too. And these people who don't trust admins i think will never get cracked version
|
|
|
01/07/2007, 21:25
|
#10
|
elite*gold: 20
Join Date: Apr 2006
Posts: 1,341
Received Thanks: 886
|
Quote:
Originally posted by lupurus@Jan 7 2007, 18:34
So far I have had no problems with this software, And the 'Viruses' don't seem to be much of a problem. My theory is that Win32:Crypto is used to encrypt countrymakeinUS.dll to protect the program from being cracked. (Need verification).
|
The "viruses" are part of ASProtect, used for anti-debugging (says in Crypto desc.).
|
|
|
01/07/2007, 21:28
|
#11
|
elite*gold: 0
Join Date: Jun 2005
Posts: 291
Received Thanks: 160
|
Quote:
Originally posted by GreenPencil@Jan 7 2007, 21:02
why don't u trust dm and rattlz???? why would dm corrupt her own forums???, if u can't trust dm and mr.rattlz, then u shouldn't be on this forum........ i trust them and i'll keep using sv, and if u can't trust them??? then who can u trust?................ that's all i got to say
|
Maybe you haven't perfected the skill of reading. So I will do it for you.
1. The program has viruses.
I told which viruses.
2. People want to know why there are viruses.
I told them why.
3. People want to know if the viruses are harmful.
I showed them that they aren't.
So where in my post about backing up rattlz and dm2000 did I call them untrustworthy?
Perhaps if you read the full post you would have seen the part where I wrote what the 'viruses' do and how they don't affect you.
And to make sure this doesn't happen again
|
|
|
01/07/2007, 21:29
|
#12
|
elite*gold: 0
Join Date: Jun 2005
Posts: 291
Received Thanks: 160
|
Quote:
Originally posted by andyd123@Jan 7 2007, 21:25
Quote:
Originally posted by lupurus@Jan 7 2007, 18:34
So far I have had no problems with this software, And the 'Viruses' don't seem to be much of a problem. My theory is that Win32:Crypto is used to encrypt countrymakeinUS.dll to protect the program from being cracked. (Need verification).
|
The "viruses" are part of ASProtect, used for anti-debugging (says in Crypto desc.).
|
Thanks +k to you
|
|
|
01/07/2007, 21:30
|
#13
|
elite*gold: 0
Join Date: Apr 2006
Posts: 317
Received Thanks: 10
|
Lol why would they **** over the senior members of EPVP, this is fake.
|
|
|
01/07/2007, 21:32
|
#14
|
elite*gold: 0
Join Date: Jun 2005
Posts: 291
Received Thanks: 160
|
How is it fake? When scanned the file is shown as infected. I've proved that it is safe. How is that 'fake'?
|
|
|
01/07/2007, 21:37
|
#15
|
elite*gold: 0
Join Date: May 2005
Posts: 476
Received Thanks: 1
|
The version I have (not rattlz's crack) comes up clean (both files). I very highly doubt that rattlz would try to pull anything though...being lvl 3, I don't think he would throw all that away for something as monotonous as CO..
|
|
|