Some have speculated as to the exact cryptor or packer used in get_flash_update.exe (a false codec) found in a number of different spam campaigns, the latest using subject lines about the latest Batman movie starring Christian Bale. After running several PE signature scans against the executable, it doesn’t appear to be packed or protected with anything that is commercially available; rather, it appears to be using something else (possibly PCX graphics format).
Furthermore, all of the get_flash_update.exe binaries from different URLs share a common PE signature.
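
One way to check that several binaries share a signature, added here as an example (it is not code from this post or from any tool it mentions). It assumes "PE signature" means a PEiD-style byte pattern at the entry point; the function names and the sample bytes are constructed for illustration and are not taken from get_flash_update.exe.

```python
import struct

def entry_point_bytes(pe: bytes, n: int = 16) -> bytes:
    """Return the first n bytes found at the PE entry point."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE header")
    (nsects,) = struct.unpack_from("<H", pe, lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, lfanew + 20)
    (ep_rva,) = struct.unpack_from("<I", pe, lfanew + 24 + 16)
    table = lfanew + 24 + opt_size
    for i in range(nsects):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, table + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            off = rptr + (ep_rva - vaddr)  # RVA -> file offset
            return pe[off:off + n]
    raise ValueError("entry point is outside every section")

def common_signature(samples) -> str:
    """Keep bytes equal in every sample, wildcard (??) the rest."""
    eps = [entry_point_bytes(s) for s in samples]
    width = min(len(e) for e in eps)
    return " ".join(
        f"{eps[0][i]:02X}" if len({e[i] for e in eps}) == 1 else "??"
        for i in range(width))

def matches(signature: str, data: bytes) -> bool:
    """Match a 'AA ?? BB' style pattern against the start of data."""
    toks = signature.split()
    return len(data) >= len(toks) and all(
        t == "??" or int(t, 16) == b for t, b in zip(toks, data))

def make_sample(code: bytes) -> bytes:
    """Constructed minimal PE32 layout (not a real sample): one section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sect = b".text\0\0\0" + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + code.ljust(0x200, b"\x90")

# Constructed entry-point code; only the pushed 4-byte operand varies.
SAMPLES = [make_sample(bytes.fromhex("558BEC83EC1068" + v + "E8"))
           for v in ("00104000", "00304000", "00504100")]

if __name__ == "__main__":
    print(common_signature(SAMPLES))
```

The resulting pattern can be matched against further downloads with `matches()` to see whether they belong to the same family of builds.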


August 4, 2008 at 5:48 pm
Can you share or introduce “Signature Explorer II”? I searched with Google and found no results.
August 4, 2008 at 6:26 pm
Signature Explorer can be found at:
http://www.softpedia.com/get/Programming/SDK-DDK/CFF-Explorer.shtml