One of our users sent us a sample of rogue AV for analysis. He didn’t attach further informations and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of clean (freshly installed) Win XP was used to run it and this screen appeared:
Hello again, I’m gonna tell you a story about an emulator that becomes 5x faster during one day. In the beginning there was an disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day and the framework for our emulator was born. It was growing day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.