Kkrunchy

jorkka · June 2008

Fantastic packer, no doubt.

However, if using kkrunchy packer Avira and Bitdefender stops it. NOD32/Kaspersky ignores.

My friend made a tic-tac-toe game, made an installer for it. Cant install. Because Bitdefender cant says its "kkrunchy.pack.A" or somethin like that.

Many, many programs got quarantined because BitDefender thinks that this is a "generic trojan"

So why Kaspersky, NOD32, Sophos, Mcafee and Symanted does not caught this?

rootkit · June 2008

Thank you for your post !

The guys from the LAB will take a look

gsl · August 2008

Here is some more information to help in the process of fp identification:

(I have the same issues. BitDefender keeps deleting huge parts of my collection of demos, most of which are probably packed with kkrunchy.)

Articles about demos and intros and why they are packed with exe packers:

http://en.wikipedia.org/wiki/Demo_(computer_programming)

http://en.wikipedia.org/wiki/64k_intro

The official download site of kkrunchy with more information on it: http://www.farbrausch.de/~fg/kkrunchy/

A list of demos, which are, most probably wrongly, identified as a thread by BitDefender:

http://scene.org/file.php?file=%2Fparties%...ip&fileinfo

http://www.scene.org/file.php?file=%2Fpart...ip&fileinfo

http://www.farbrausch.de/~fg/demos/fr-055_828_final.zip

http://atebit.org/downloads/pimpmyspectrum.zip

http://www.rgba.org/prods/rgba_paradise.zip

...as well as most of the demos here: http://conspiracy.hu/releases.php

I find it very questionable, to say the least, to automatically treat files as dangerous, just because they're packed by an executable packer. I tend to pack and/or encrypt the programs I release myself in order to make them a little bit harder to reverse engineer and I'd rather not have those files deleted from my computer or the computers of those who use them only for that reason. The decision whether a file is dangerous or not should only be made based on what they do after they unpack themselves.

csalgau · September 2008

Here is some more information to help in the process of fp identification:

(I have the same issues. BitDefender keeps deleting huge parts of my collection of demos, most of which are probably packed with kkrunchy.)

Articles about demos and intros and why they are packed with exe packers:

http://en.wikipedia.org/wiki/Demo_(computer_programming)

http://en.wikipedia.org/wiki/64k_intro

The official download site of kkrunchy with more information on it: http://www.farbrausch.de/~fg/kkrunchy/

A list of demos, which are, most probably wrongly, identified as a thread by BitDefender:

http://scene.org/file.php?file=%2Fparties%...ip&fileinfo

http://www.scene.org/file.php?file=%2Fpart...ip&fileinfo

http://www.farbrausch.de/~fg/demos/fr-055_828_final.zip

http://atebit.org/downloads/pimpmyspectrum.zip

http://www.rgba.org/prods/rgba_paradise.zip

...as well as most of the demos here: http://conspiracy.hu/releases.php

I find it very questionable, to say the least, to automatically treat files as dangerous, just because they're packed by an executable packer. I tend to pack and/or encrypt the programs I release myself in order to make them a little bit harder to reverse engineer and I'd rather not have those files deleted from my computer or the computers of those who use them only for that reason. The decision whether a file is dangerous or not should only be made based on what they do after they unpack themselves.

A large amount of malware was encountered over time using this packer and we chose to sign it. While detection for the packer will not be removed in the foreseeable future, we can exempt the intros themselves from detection. Please post any other false positives. Searching for these on my own takes time.

In a few hours the files you linked to should no longer be detected.