UPX packed PE/COFF executable detected (UPX_Packed_Executable)

About this signature or vulnerability

BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects PE/COFF executable files that have been packed using the UPX tool. While the presence of a UPX packed executable does not in itself represent an attack, it can be considered an anomaly. The UPX tool is commonly used to pack trojans and malware, while it is somewhat uncommon for the tool to be used to distribute legitimate commercial software. The file should be examined to determine if it constitutes malware.


False positives

BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: Legitimate software packed using UPX will trigger this signature.

Default risk level

Low

Sensors that have this signature

BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, RealSecure Network: XPU 24.2, RealSecure Server Sensor: XPU 24.2, Proventia Network MFS: XPU 1.41, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network IDS: XPU 24.2, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: XPU 24.2, RealSecure Desktop: eoa, RealSecure Desktop Protector 3.6: eoa, Proventia Network IPS: XPU 1.42, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Suspicious Activity

Vulnerability description

A PE/COFF executable file that has been packed using the UPX tool has been detected. The UPX tool is commonly used to pack Trojans and malicious programs. The presence of a UPX packed executable does not itself represent an attack; however, it is uncommon for the tool to be used to distribute legitimate commercial software. The file should be examined to determine if it is malicious.

How to remove this vulnerability

This check is for informational purposes only.

Examine the contents of the file to determine if it contains malicious programs.
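As an added illustration of the kind of check this signature and the triage step above describe (example code written for this page, not ISS code and not the signature's own matching logic, which is not published here), the script below parses the PE/COFF section table and flags the section names and header marker that UPX writes by default. These indicators are a common heuristic only: they also fire on legitimately UPX-packed software, exactly the false positive noted above.

```python
import struct

# Default section names and header marker written by UPX. Assumption: the ISS
# signature's exact matching logic is not on this page; this is a common heuristic.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"


def pe_section_names(data):
    """Return the section names of a PE/COFF image, or [] if it is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                      # COFF header follows "PE\0\0"
    if data[e_lfanew:coff] != b"PE\0\0" or coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table after optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:                     # truncated section table
            break
        names.append(raw.rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """Heuristic: UPX section names present, or the 'UPX!' marker in the header area."""
    if set(pe_section_names(data)) & UPX_SECTION_NAMES:
        return True
    return data[:2] == b"MZ" and UPX_MARKER in data[:4096]


def build_pe(section_names):
    """Construct a minimal, non-runnable PE image (constructed test input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table
```

A packer can rename its sections, so a clean result from this check does not clear a file; it only reproduces the anomaly this signature raises.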

References

UPX Web site
UPX: the Ultimate Packer for eXecutables - Homepage
http://upx.sourceforge.net/

ISS X-Force
UPX packed PE/COFF executable detected
http://www.iss.net/security_center/static/19041.php