The Latest in IT Security

XPAJ out with EPO & complex encryption

22 Sep 2011

A new variant of W32.Xpaj is in the wild. It uses the Entry Point Obfuscation (EPO) technique to infect Windows executable files, and it is one of the most complex polymorphic infectors seen to date.

It overwrites a randomly chosen subroutine in the executable with its own code and redirects a few call instructions to point to the infected subroutine. The encrypted virus body is kept in a section other than the code (control) section. Since the probability that the virus code runs depends on whether that particular subroutine is executed, the virus overwrites more than one subroutine and redirects more than one call to the infected subroutines. The virus preserves the original contents of the subroutine, executes the viral code, restores the original contents and then executes the original subroutine.

It uses three levels of encryption to protect the patched code bytes.

The overwritten subroutine consists of decryption code built from stack operations. Unlike other viruses, it does not change the section characteristics; instead it uses the NtProtectVirtualMemory API to change the memory protection of the virus body to PAGE_EXECUTE_READWRITE so that the decryption routine can execute. The same code then decrypts the second-level decryptor.

Screenshot of the first-level decryptor

The second-level decryptor uses xor, rotate-with-carry and add instructions.

Screenshot of the second-level decryptor

The third-level decryptor uses an xor operation to recover the original subroutine code. The overwritten subroutine is located in the encrypted part and is executed from there. Since these functions are relocated, the virus adjusts the values of the resource and relocation directories so that the file still executes properly.
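As an added defender-side example (not from the original post or from Quick Heal), the Python below implements a static heuristic for the control transfer this infector relies on: a near relative call in the code section whose target resolves to a section that is not marked executable. The section layout and code bytes are constructed for the demo, and the assumption that the transfer is a direct E8 call (rather than an indirect one) is mine.

```python
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section characteristic flag


@dataclass
class Section:
    name: str
    rva: int             # section start, relative to the image base
    vsize: int           # virtual size
    characteristics: int

    def contains(self, rva):
        return self.rva <= rva < self.rva + self.vsize

    @property
    def executable(self):
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)


def find_calls_into_nonexec(code, code_rva, sections):
    """Sweep `code` (bytes of a code section that starts at `code_rva`) for
    E8 rel32 near calls whose target RVA lies outside every executable
    section. Returns a list of (call_rva, target_rva, section_name_or_None).
    The sweep is byte-by-byte, not a real disassembler, so an E8 byte
    inside an immediate can produce a false positive; treat hits as leads."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from('<i', code, i + 1)[0]
        target = code_rva + i + 5 + rel          # rel32 is relative to next insn
        sec = next((s for s in sections if s.contains(target)), None)
        if sec is None or not sec.executable:
            hits.append((code_rva + i, target, sec.name if sec else None))
    return hits


# Constructed sample: a normal in-section call, a nop, a call whose target
# lands in the non-executable .data section, and a ret.
SAMPLE_SECTIONS = [
    Section('.text', 0x1000, 0x1000, 0x60000020),   # code, execute|read
    Section('.data', 0x2000, 0x1000, 0xC0000040),   # data, read|write only
]
SAMPLE_CODE = bytes.fromhex('E80B000000' '90' 'E835100000' 'C3')


def demo():
    return find_calls_into_nonexec(SAMPLE_CODE, 0x1000, SAMPLE_SECTIONS)
```

On the constructed sample only the second call is reported, since its target 0x2040 falls in .data, which carries no execute flag; a real scan would feed each executable section's bytes and the full section table from the PE header.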

This infector combines EPO with multi-level encryption, which makes its detection and repair challenging.
Quick Heal detects and repairs this variant as W32.Xpaj.C.
