File Infector Takes Infection Up a Notch
1:17 am (UTC-7) | by Det Caraig (Technical Communications)
Trend Micro threat analysts were alerted to the discovery of a not-so-common file infector. Unlike usual file infectors that only do simple modifications to the files they infect, PE_XPAJ.A does complex modifications to hide its malicious code.
Though it shares some characteristics with other PE variants, it is considered more than the average file infector. For instance, security experts will have a harder time finding its malicious code by ensuring that affected files do not exhibit any obvious sign of infection.
The file infector infects .DLL, .EXE, .SCR, and .SYS files in the following folders:
* %Program Files%
It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file’s codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.
Read more: http://blog.trendmicro.com/file-infecto ... z0TGIxzH9v
http://blog.trendmicro.com/file-infecto ... p-a-notch/