[Guide] Make your trojans detectable by fewer AVs

[Rowro]

So here I have a basic fairly public keylogger. I ran it through virus total to emphasis that this is a detected keylogger.

Code:

 File Server.exe received on 10.19.2008 00:03:48 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 32/36 (88.89%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
    
Antivirus     Version     Last Update     Result
AhnLab-V3    2008.10.18.0    2008.10.18    Win-Trojan/Espy.164189
AntiVir    7.9.0.5    2008.10.17    TR/Crypt.CFI.Gen
Authentium    5.1.0.4    2008.10.18    W32/SysKeylog.B.gen!Eldorado
Avast    4.8.1248.0    2008.10.15    Win32:Iespy-W
AVG    8.0.0.161    2008.10.18    PSW.Generic6.EFS
BitDefender    7.2    2008.10.18    Trojan.Spy.IESpy.DM
CAT-QuickHeal    9.50    2008.10.18    Win32.Trojan-Spy.ESpy.w.3
ClamAV    0.93.1    2008.10.18    Trojan.Spy-32763
DrWeb    4.44.0.09170    2008.10.18    modification of BackDoor.Generic.1381
eSafe    7.0.17.0    2008.10.16    Suspicious File
eTrust-Vet    31.6.6154    2008.10.17    Win32/EgySpy.A
Ewido    4.0    2008.10.18    Logger.ESpy.w
F-Prot    4.4.4.56    2008.10.18    W32/SysKeylog.B.gen!Eldorado
F-Secure    8.0.14332.0    2008.10.18    Trojan-Spy.Win32.ESpy.w
Fortinet    3.113.0.0    2008.10.18    -
GData    19    2008.10.18    Trojan.Spy.IESpy.DM
Ikarus    T3.1.1.44.0    2008.10.18    Backdoor.Win32.Vatos.24
K7AntiVirus    7.10.498    2008.10.18    Trojan-Spy.Win32.ESpy.w
Kaspersky    7.0.0.125    2008.10.18    Trojan-Spy.Win32.ESpy.w
McAfee    5408    2008.10.17    Generic Keylogger.g
Microsoft    1.4005    2008.10.18    TrojanSpy:Win32/Espy.B
NOD32    3535    2008.10.18    probably unknown NewHeur_PE
Norman    5.80.02    2008.10.17    W32/Smalltroj.DWTG
Panda    9.0.0.4    2008.10.18    Suspicious file
PCTools    4.4.2.0    2008.10.18    -
Prevx1    V2    2008.10.19    Cloaked Malware
Rising    20.66.52.00    2008.10.18    Trojan.Spy.Win32.VB.agc
SecureWeb-Gateway    6.7.6    2008.10.18    Trojan.Crypt.CFI.Gen
Sophos    4.34.0    2008.10.18    Mal/Heuri-D
Sunbelt    3.1.1732.1    2008.10.18    -
Symantec    10    2008.10.18    Infostealer
TheHacker    6.3.1.0.119    2008.10.18    Trojan/Spy.ESpy.w
TrendMicro    8.700.0.1004    2008.10.17    TROJ_ESPY.BU
VBA32    3.12.8.7    2008.10.18    Trojan-Spy.Win32.ESpy.w
ViRobot    2008.10.18.1426    2008.10.18    Trojan.Win32.ESpy.34444
VirusBuster    4.5.11.0    2008.10.18    -

Just about everything detected it. Not what we want. If you follow this most virus scanners wont detect it. Some still will but at least it will slip by more of them.

First you need to go and download Themida:
Themida.v2.0.3.0.cracked.net.support.rar

Alright so now you have what we need to make your virus detectable by fewer AVs. Start up Themida. That should bring you to this screen:

Click the little folder icon next to Input Filename and find your virus. If you want to change the name uncheck "Same as input" and click the folder and save it as what you want. Now on to the settings.

This is what I put for Protection Options:


The rest I leave with the default options. After that just click protect and it will save your slightly less detectable file too wherever you chose. Heres my after scan:

Code:

AhnLab-V3    2008.10.18.0    2008.10.18    -
AntiVir    7.9.0.5    2008.10.17    TR/Crypt.CFI.Gen
Authentium    5.1.0.4    2008.10.18    -
Avast    4.8.1248.0    2008.10.15    -
AVG    8.0.0.161    2008.10.18    -
BitDefender    7.2    2008.10.18    -
CAT-QuickHeal    9.50    2008.10.18    (Suspicious) - DNAScan
ClamAV    0.93.1    2008.10.18    -
DrWeb    4.44.0.09170    2008.10.18    -
eSafe    7.0.17.0    2008.10.16    -
eTrust-Vet    31.6.6153    2008.10.17    -
Ewido    4.0    2008.10.18    -
F-Prot    4.4.4.56    2008.10.18    -
F-Secure    8.0.14332.0    2008.10.18    -
Fortinet    3.113.0.0    2008.10.18    -
GData    19    2008.10.18    -
Ikarus    T3.1.1.44.0    2008.10.18    Trojan.Crypt.FKM
K7AntiVirus    7.10.498    2008.10.18    -
Kaspersky    7.0.0.125    2008.10.18    -
McAfee    5408    2008.10.17    New Poly Win32
Microsoft    1.4005    2008.10.18    -
NOD32    3535    2008.10.18    -
Norman    5.80.02    2008.10.17    -
Panda    9.0.0.4    2008.10.18    -
PCTools    4.4.2.0    2008.10.18    -
Prevx1    V2    2008.10.18    -
Rising    20.66.52.00    2008.10.18    -
SecureWeb-Gateway    6.7.6    2008.10.18    Trojan.Crypt.CFI.Gen
Sophos    4.34.0    2008.10.18    -
Sunbelt    3.1.1732.1    2008.10.18    -
Symantec    10    2008.10.18    -
TheHacker    6.3.1.0.119    2008.10.18    -
TrendMicro    8.700.0.1004    2008.10.17    -
VBA32    3.12.8.7    2008.10.18    -
ViRobot    2008.10.18.1426    2008.10.18    -
VirusBuster    4.5.11.0    2008.10.18    -

Much better. It slips past way more AVs now.

Edit: I forgot to add, make sure you test your server after doing this because it can break some servers.

[runemaster]

hmmm nice ill have to try this, + rep

[VICKalle]

Don't post it to virustotal.com because they send it to all anti-virus to check it so it will get detected much faster.

[Rowro]

Don't post it to virustotal.com because they send it to all anti-virus to check it so it will get detected much faster.

This has been around for awhile. Themida is a legit program used by a lot of companys to try and curb pirating.