File Infector Takes Infection Up A Notch

[Peaches]

Oct7 2009

File Infector Takes Infection Up a Notch

by Det Caraig (Technical Communications)

Trend Micro threat analysts were alerted to the discovery of a not-so-common file infector. Unlike usual file infectors that only do simple modifications to the files they infect,

PE_XPAJ.A does complex modifications to hide its malicious code.

Though it shares some characteristics with other PE variants, it is considered more than the average file infector. For instance, security experts will have a harder time finding its malicious code by ensuring that affected files do not exhibit any obvious sign of infection.

The file infector infects .DLL, .EXE, .SCR, and .SYS files in the following folders:

• %Program Files%
  
• %Windows%
  

It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file's codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.

The file infector also connects to the following URLs to download encrypted files:

• http://{BLOCKED}huy.com/plugin/plugin.dat
  
• http://{BLOCKED}ios.com/stamm/stamm.dat
  

If that is not troublesome enough, it also copies and hides legitimate files in the %UserTemp% folder as {random HEX value}.tmp.

Trend Micro Smart Protection Network already protects product users from this file infector. Non-users, on the other hand, can use HouseCall to clean their infected systems.

Article at TrendLabs - http://blog.trendmicro.com/