A new variant of W32.Xpaj is in the wild. It uses the Entry Point Obfuscation (EPO) technique to infect Windows executable files and is one of the most complex polymorphic infectors seen to date.
It overwrites a randomly chosen subroutine in the executable with its own code and redirects a few call instructions to point to the infected subroutine. The encrypted virus body is kept in a section other than the code section. Since the probability of the virus code running depends on that particular subroutine being called, it overwrites more than one subroutine and redirects more than one call to the infected subroutines. The virus preserves the initial values of the subroutine, executes the viral code, restores the original values and then executes the original subroutine.
It uses three levels of encryption to protect the patched code bytes.
The overwritten subroutine consists of decryption code built around stack operations. Unlike many other viruses, it does not change the section characteristics; instead it calls the NtProtectVirtualMemory API to change the memory protection of the virus body to PAGE_EXECUTE_READWRITE so that the decryption routine can execute. The same code then decrypts the second-level decryptor.
Below is a screenshot of the first-level decryptor:
The second-level decryptor uses xor, rotate-with-carry and add instructions.
Screenshot of the second-level decryptor:
The third-level decryptor uses an xor operation to recover the original subroutine code. The overwritten subroutine is kept in the encrypted part and executed from there. Since these functions are relocated, the virus adjusts the values of the resource and relocation directories so that the file still executes properly.
This infector combines EPO with multi-level encryption, which makes detection and repair challenging.
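One static heuristic that follows from the description above (the virus body sits in a non-code section whose characteristics are left unchanged, and control only reaches it after NtProtectVirtualMemory is called at run time) is to flag call instructions in a code section whose target falls in a section without the EXECUTE characteristic. The Python below is an added example written for this post, not Quick Heal's detection logic; it assumes a direct near call to the target and runs on a constructed section table and code fragment rather than a real sample.

```python
import struct
from dataclasses import dataclass
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section characteristic flag

@dataclass
class Section:
    name: str
    rva: int             # relative virtual address where the section is mapped
    size: int            # virtual size
    characteristics: int

def section_for(sections, addr):
    """Return the section whose mapped range covers `addr`, or None."""
    return next((s for s in sections if s.rva <= addr < s.rva + s.size), None)
def suspicious_calls(code, code_rva, sections):
    """Linear scan of an executable section's bytes for E8 rel32 calls whose
    target lies in a section without IMAGE_SCN_MEM_EXECUTE. Returns a list of
    (call_rva, target_rva, target_section_name). A byte scan without a
    disassembler can misread 0xE8 inside data or immediates, so treat hits as
    leads to inspect, not verdicts."""
    hits, i = [], 0
    while i + 5 <= len(code):
        if code[i] != 0xE8:              # not a near relative call
            i += 1
            continue
        rel = struct.unpack_from('<i', code, i + 1)[0]
        target = code_rva + i + 5 + rel  # rel32 is relative to the next instruction
        dst = section_for(sections, target)
        if dst is not None and not dst.characteristics & IMAGE_SCN_MEM_EXECUTE:
            hits.append((code_rva + i, target, dst.name))
        i += 5                           # step over the operand bytes
    return hits

# Constructed sample (not from a real Xpaj file): a three-section layout and a
# hand-assembled fragment with one benign call and one call into .data.
SAMPLE_SECTIONS = [
    Section('.text', 0x1000, 0x1000, 0x60000020),  # CODE | EXECUTE | READ
    Section('.data', 0x2000, 0x1000, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
    Section('.rsrc', 0x3000, 0x1000, 0x40000040),  # INITIALIZED_DATA | READ
]
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                # push ebp; mov ebp, esp
    0xE8, 0x18, 0x00, 0x00, 0x00,    # call 0x1020: stays inside .text, benign
    0xE8, 0x33, 0x10, 0x00, 0x00,    # call 0x2040: lands in .data, flagged
    0xC3,                            # ret
])

for call_rva, target, name in suspicious_calls(SAMPLE_CODE, 0x1000, SAMPLE_SECTIONS):
    print(f'call at RVA {call_rva:#x} -> {target:#x} in non-executable section {name}')
```

On a real file the section table and code bytes would come from the PE headers; a hit is only a lead, since legitimate packers and self-modifying code can trigger the same pattern.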
Quick Heal detects and repairs this variant as W32.Xpaj.C.