d-jamesinfo.com

[sowhat-x]

hxxp://www.d-jamesinfo.com/2007.rar

There are two executables in the archive:
one of them is a Hupigon variant (packed with PE-Armor),

The second one is actually a rar sfx archive,
which contains a .rm RealMedia file (malformed maybe?didn't checked it...),
and an actual .exe file,which is detected by some AV products as "Magania",
while others simply prefer flagging it from what I assume,
that is the packer that has been used..."Packed.Win32.NSAnti.r"...
I've seen again this naming convention for a few more samples...
seems to be some modded version of NsPack...

One more note regarding the domain itself...a bit of googling revealed,
it has been hosting different malware samples from time to time...
all other links I've digged though,weren't working at the moment...

EDIT:Lol,just found/got a copy of this NsAnti thingy...
he-he,it's an older version of NsPack actually...

[JohnC]

Is there anything interesting about the packer such as anti-debug tricks? Is it modified at all, or was it just a standard NsPack? Maybe some companies are having trouble unpacking it and that is why they are detecting it. I'm not sure.

Thanks for the domain it will be added soon.

[sowhat-x]

Maybe some companies are having trouble unpacking it and that is why they are detecting it.

To be honest,I've seen a few legitimate software,
(not really much,exceptions to the rule I'd say),
packed with later commercial versions of NSPack 3.xx...
but with this version/variant and the older 2xx series,well,I seriously doubt...
Maybe things are different over there in China,don't know,lol...
but for me,this is one of the few times,
that I will certainly won't blame AV companies for detecting it,he-he... 

...haven't had the time yet to check this NsAnti packer more thoroughly,
thereby I'm not sure yet if the executable itself is actually "clean":
the samples are always detected as "Packed.Win32.NsAnti.blah-blah...",
but VirusTotal reports all kinds of weird results regarding the packer himself,
so I couldn't figure out by the report a logical explanation...
It is also supposed to be a "cracked" version,
and this obviously raises the suspicions' bar a bit higher.
But exactly because I got really curious with VT's results,
I've checked hashes with every different NsAnti copy I've found on the net:
and they all matched...all sites,and also a couple of rce forums I checked,
they all host exactly the same release...

A really quick look reveals that an ep_true sig is not possible,
it's behavior is quite similar with the one that early 2.xx NsPack versions exhibit,
this doesn't happen with v3.xx and afterwards...
It should be equally difficult/easy to unpack it though,
as I noticed there's way too many repeative patterns/instructions...

...I have a somehow similar chinese thing here in my packers' archive,
not that much known to the (western world) public,called Anti007...
far more recent though than this NsAnti,a couple of different versions of it...
Hadn't bothered more than a few minutes with it,
but it had also given me the impression that it was NsPack-based...
maybe I was wrong on this,don't think so though,
I'll have to look at it also at some moment,now it makes me wonder...
NsPack seems to somehow have a whole "school" of variations/mods,
say like Morphine,or yoda's sources...what puzzles me though,
is that in contrast,at least from what I am aware,
NsPack's src wasn't ever released to the public...

[JohnC]

I don't recall ever coming across the source neither. Maybe it was released privately, perhaps the author sold it to a few people to make some extra money.