13 October 2009

File Infector Takes Infection Up a Notch

Trend Micro threat analysts were alerted to the discovery of a not-so-common file infector virus. Unlike typical file infectors, which only make simple modifications to the files they infect, PE_XPAJ.A makes complex modifications to hide its malicious code.

Though it shares some characteristics with other PE variants, it is considered more than the average file infector. For instance, security experts will have a harder time finding its malicious code, because the infector ensures that affected files do not exhibit any obvious sign of infection.

The file infector infects .DLL, .EXE, .SCR, and .SYS files in the following folders:

  • %Program Files%
  • %Windows%

It uses a polymorphic, entry-point obscuring (EPO) cavity type of infection, which is capable of moving some of the host file's code to another location. The malware encrypts its signature in a different way every time it executes, as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows the application to work correctly for a while before taking action.
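As an added example (not from the TrendLabs post, and not XPAJ's own code), here is a defender-side heuristic in Python that parses the PE section table and flags the two traces a cavity/EPO-style infection tends to leave on disk: an entry point that falls outside an executable section, and non-zero bytes in the zero-filled slack between a section's VirtualSize and SizeOfRawData. The minimal parser and the constructed sample PE are assumptions of this example, not artefacts from the page.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(pe):
    """Return (entry_point_rva, section list) from the raw bytes of a 32-bit PE file."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)          # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        (flags,) = struct.unpack_from("<I", pe, off + 36)     # Characteristics
        sections.append(dict(name=name.rstrip(b"\0").decode("latin-1"), vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, flags=flags))
    return entry, sections

def cavity_findings(pe):
    """Flag signs of cavity/EPO tampering; returns a list of human-readable findings."""
    entry, sections = parse_pe(pe)
    findings = []
    ep_sec = next((s for s in sections if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        findings.append("entry point 0x%X lies outside every section" % entry)
    elif not ep_sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % ep_sec["name"])
    for s in sections:
        # Slack = file bytes past VirtualSize but inside SizeOfRawData. Linkers zero-fill
        # it, so non-zero bytes there are the classic sign of a cavity infection.
        slack = pe[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]
        used = len(slack) - slack.count(0)
        if used:
            findings.append("%s: %d non-zero bytes in %d-byte slack" % (s["name"], used, len(slack)))
    return findings

def build_sample_pe(infected):
    """Constructed, non-runnable minimal PE: one .text section, 0x100 of 0x200 raw bytes used."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + coff + opt + sec).ljust(0x200, b"\0")
    # "Infected" variant writes 16 bytes of code into the section's zero-filled slack.
    body = (b"\xC3" * 0x100 + (b"\xEB\xFE" * 8 if infected else b"")).ljust(0x200, b"\0")
    return hdr + body
```

Real binaries do sometimes carry non-zero padding (debug data, overlays), so treat a hit as a triage signal to compare against a known-good copy rather than as proof of infection.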

The file infector also connects to the following URLs to download encrypted files:

  • http://{BLOCKED}huy.com/plugin/plugin.dat
  • http://{BLOCKED}ios.com/stamm/stamm.dat

If that is not troublesome enough, it also copies and hides legitimate files in the %UserTemp% folder as {random HEX value}.tmp.

Trend Micro Smart Protection Network already protects product users from this file infector. Non-users, on the other hand, can use HouseCall to clean their infected systems.

Post from: TrendLabs | Malware Blog – by Trend Micro
