Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring (EPO) technique. But when it comes to viruses that use delayed loading and random code-block insertion, such as W32/Zmist (aka Mistfall), code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It uses well-known techniques to evade detection, but techniques that are seldom encountered in live virus analysis.
The new W32/Xpaj infects files with a random code-block integration technique. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks, each responsible for a different function, and places them at random locations throughout the code section of the infected file. This is similar to what W32/Zmist employs, but W32/Xpaj replaces existing code rather than inserting new code.
Its polymorphic decryptor consists of a number of code blocks linked by unconditional jumps. Once the infected file runs, the polymorphic decryptor gains control and performs several tasks:
1. Saving the original state of the infected application and preserving all the registers used by the virus;
2. Changing the protection flags of the memory where the virus body is located;
3. Decrypting the virus body;
4. Jumping to the decrypted virus body, and so on.
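The chain walk below is an added example and is not code from the original post or from the Xpaj sample. It shows the first thing a static scanner has to do with a decryptor laid out as scattered blocks linked by unconditional jumps: follow the links from a start offset and rebuild the linear byte stream before any signature or emulation work can begin. The section bytes, the block layout, the placeholder block bodies, and the tiny opcode decoder (only `jmp rel32`, `jmp rel8`, RET and a handful of single-byte push/pop instructions) are constructed assumptions for the illustration; they do not describe the real sample's code.

```python
"""Linearize a decryptor split into code blocks chained by unconditional jumps.

Constructed illustration: the section layout, the block bodies and the
tiny decoder are assumptions for this example, not Xpaj code.
"""
import struct

JMP_REL32 = 0xE9   # jmp rel32
JMP_REL8 = 0xEB    # jmp rel8
RET = 0xC3
# Single-byte x86 opcodes the toy decoder understands: push/pop reg,
# pushad/popad, nop, pushfd/popfd, ret.  Enough for the constructed blocks.
ONE_BYTE = set(range(0x50, 0x60)) | {0x60, 0x61, 0x90, 0x9C, 0x9D, RET}


def decode(section, off):
    """Return (length, jump_target_or_None, is_ret) for the instruction at off."""
    op = section[off]
    if op == JMP_REL32:
        rel = struct.unpack_from('<i', section, off + 1)[0]
        return 5, off + 5 + rel, False
    if op == JMP_REL8:
        rel = struct.unpack_from('<b', section, off + 1)[0]
        return 2, off + 2 + rel, False
    if op in ONE_BYTE:
        return 1, None, op == RET
    raise ValueError(f'unsupported opcode {op:#04x} at {off:#x}')


def follow_chain(section, start, max_blocks=64):
    """Walk from `start`, collecting each block's non-jump bytes in the order
    control flow reaches them.  Stops at RET, at a block already visited
    (a loop), at a jump leaving the section, or after max_blocks hops."""
    blocks, seen, off = [], set(), start
    while len(blocks) < max_blocks:
        if off in seen or not 0 <= off < len(section):
            break
        seen.add(off)
        body, pos = bytearray(), off
        while True:
            if pos >= len(section):
                raise ValueError(f'block at {off:#x} runs off the section')
            length, target, is_ret = decode(section, pos)
            if target is not None:
                break                      # block ends with an unconditional jump
            body += section[pos:pos + length]
            pos += length
            if is_ret:                     # final block: no further link
                blocks.append((off, bytes(body)))
                return blocks
        blocks.append((off, bytes(body)))
        off = target
    return blocks


def place_blocks(size, layout):
    """Write layout [(offset, body), ...] into a NOP-filled buffer, chaining
    each block to the next with jmp rel32 and ending the last with RET."""
    section = bytearray(b'\x90' * size)
    for i, (off, body) in enumerate(layout):
        section[off:off + len(body)] = body
        end = off + len(body)
        if i + 1 < len(layout):
            section[end] = JMP_REL32
            struct.pack_into('<i', section, end + 1, layout[i + 1][0] - (end + 5))
        else:
            section[end] = RET
    return bytes(section)


# Constructed layout: four blocks scattered through a 0x400-byte section,
# listed in execution order.  The bodies are placeholders for the stages
# described in the post (save state, ..., restore state), not real code.
LAYOUT = [
    (0x2F0, b'\x60\x9c'),   # pushad; pushfd   (save registers and flags)
    (0x040, b'\x51\x52'),   # push ecx; push edx
    (0x1A8, b'\x5a\x59'),   # pop edx; pop ecx
    (0x0C4, b'\x9d\x61'),   # popfd; popad, then RET written by place_blocks
]
SECTION = place_blocks(0x400, LAYOUT)


def linearized_decryptor(section=SECTION, start=0x2F0):
    """Block offsets in visit order and the jump-free byte stream they form."""
    chain = follow_chain(section, start)
    return [off for off, _ in chain], b''.join(body for _, body in chain)


if __name__ == '__main__':
    offsets, stream = linearized_decryptor()
    print('blocks:', [hex(o) for o in offsets])
    print('linear:', stream.hex())
```

The walk works only because every link is an unconditional jump, so the block order is fixed regardless of register state; conditional branches, computed jumps, or host instructions left between blocks (the code-replacement case) need a real disassembler and usually emulation, which is exactly why this layout is expensive for scanners.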
http://www.avertlabs.com/research/blog/ ... hic-enemy/