W32/Xpaj: Know Your Polymorphic Enemy

Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring (EPO) technique. But when it comes to viruses that use delayed loading and random code-block insertion, such as W32/Zmist (a.k.a. Mistfall), code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It uses well-known evasion techniques that are otherwise seldom seen in live virus analysis.
The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but W32/Xpaj uses code replacement instead of code insertion.
Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:

Saving the original state of the infected application and preserving all the registers used by the virus
Changing the protection flags of the memory where the virus body is located
Decrypting the virus body
Jumping to the decrypted virus body, etc.

Each task may be located in a separate (continue reading...)
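The layout described above, a decryptor split into blocks scattered through the code section and chained by unconditional jumps, lends itself to a simple triage heuristic. The following is an added example, not code from the original post or from any vendor engine: it takes a raw byte buffer standing in for a PE code section, follows `jmp rel32` (opcode `E9`) chains from plausible block starts, and flags a section whose longest chain exceeds an assumed block threshold. The scan window, the threshold and the two sample "sections" are constructed for the example; a real tool would feed it the section from a PE parser and use a disassembler instead of a byte scan, since an `E9` byte inside an operand can mislead the scan.

```python
"""Added example: follow jmp-rel32 block chains through a code section."""
import struct
from typing import List, Optional

SCAN_WINDOW = 32      # bytes to look past a block start for its terminating jmp (assumption)
MIN_CHAIN_BLOCKS = 4  # chain length at which a section is flagged (assumed threshold)


def _next_jmp(code: bytes, start: int) -> Optional[int]:
    """Offset of the first 'E9 rel32' within SCAN_WINDOW of `start` whose target
    lies inside the section, or None. Byte-level scan, no disassembly."""
    end = min(len(code) - 5, start + SCAN_WINDOW)
    for i in range(start, end + 1):
        if code[i] == 0xE9:
            target = i + 5 + struct.unpack_from("<i", code, i + 1)[0]
            if 0 <= target < len(code):
                return i
    return None


def follow_block_chain(code: bytes, start: int, max_hops: int = 64) -> List[int]:
    """Walk blocks from `start`, assuming each block ends in an intra-section
    jmp rel32 to the next block. Returns block start offsets in execution
    order; stops at a block with no such jmp, on a loop, or after max_hops."""
    chain: List[int] = []
    off = start
    while off not in chain and len(chain) < max_hops:
        chain.append(off)
        j = _next_jmp(code, off)
        if j is None:
            break
        off = j + 5 + struct.unpack_from("<i", code, j + 1)[0]
    return chain


def longest_chain(code: bytes) -> List[int]:
    """Try offset 0 and every intra-section jmp target as a chain start and
    return the longest chain found (first one wins on ties)."""
    targets = set()
    for i in range(len(code) - 4):
        if code[i] == 0xE9:
            t = i + 5 + struct.unpack_from("<i", code, i + 1)[0]
            if 0 <= t < len(code):
                targets.add(t)
    best: List[int] = []
    for start in [0] + sorted(targets):
        chain = follow_block_chain(code, start)
        if len(chain) > len(best):
            best = chain
    return best


def is_suspicious(code: bytes) -> bool:
    """Flag a section whose longest jmp-linked block chain meets the threshold."""
    return len(longest_chain(code)) >= MIN_CHAIN_BLOCKS


def _jmp(frm: int, to: int) -> bytes:
    """Encode 'E9 rel32' at offset `frm` targeting offset `to`."""
    return b"\xE9" + struct.pack("<i", to - (frm + 5))


# Constructed sample: four blocks scattered over a 128-byte NOP-filled section,
# linked 0x00 -> 0x50 -> 0x20 -> 0x70, the last one ending in ret.
_s = bytearray(b"\x90" * 0x80)
_s[0x00:0x03] = b"\x60\x9C\x90"          # pushad, pushfd, nop  (save state)
_s[0x03:0x08] = _jmp(0x03, 0x50)
_s[0x50:0x54] = b"\x31\xC0\x90\x90"      # xor eax,eax, nop, nop
_s[0x54:0x59] = _jmp(0x54, 0x20)
_s[0x20:0x22] = b"\x31\xC0"              # xor eax,eax
_s[0x22:0x27] = _jmp(0x22, 0x70)
_s[0x70:0x74] = b"\x9D\x61\x90\xC3"      # popfd, popad, nop, ret (restore state)
SUSPICIOUS_SECTION = bytes(_s)

# Constructed benign sample: one short local jmp, then ret.
_b = bytearray(b"\x90" * 0x40)
_b[0x10:0x15] = _jmp(0x10, 0x18)
_b[0x18] = 0xC3
BENIGN_SECTION = bytes(_b)

if __name__ == "__main__":
    for name, sec in (("suspicious", SUSPICIOUS_SECTION), ("benign", BENIGN_SECTION)):
        chain = longest_chain(sec)
        print(name, [hex(o) for o in chain], "flagged" if is_suspicious(sec) else "clean")
```

The walker deliberately treats a loop or a block without an in-section `E9` as the end of a chain, so a section that jumps back into itself or into another section stops the walk instead of spinning; the threshold is the tunable part and should be calibrated against a clean corpus before use in triage.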


Copyright © 2012 The Security Blog. All rights reserved.