Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring (EPO) technique. But when it comes to viruses with delayed loading and random code-block insertion, such as W32/Zmist (aka Mistfall), code emulators are not the best approach to consider. We came across a new W32/Xpaj variant which has been actively spreading recently. It utilizes well-known techniques to evade detection that are otherwise seldom found in live virus analysis.
However, Xpaj-B has a major new feature in the form of multi-layer encryption. While Xpaj-A hid its strings and data with a rolling XOR key, Xpaj-B goes a few steps further: the whole of the virus body (including the already-encrypted data) has been put through another layer, its decryption is called by a virtual machine, and the bytecode for that VM is stored (encrypted again) after the virus body.
Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread "zombie" network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.
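To make the layering described above concrete, here is an added example of how an analyst's unpacker peels such a sample apart: an outer blob carrying the body plus a VM program stored (XOR-encrypted) after it, a VM whose bytecode drives the body decryption, and a rolling XOR layer underneath that hides the string table. This is illustrative code written for this thread, not the post author's code and not Xpaj's real format: the `XPJ!` marker, the header layout, the three VM opcodes, the `pack` builder and all keys and sample strings are constructed for the demo.

```python
"""Toy multi-layer unpacker (constructed example; not the real W32/Xpaj format)."""
import struct

MAGIC = b"XPJ!"                       # hypothetical marker for the demo blob
OP_END, OP_XOR, OP_ADD, OP_ROL = 0, 1, 2, 3   # hypothetical VM opcodes


def rol8(b, n):
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rolling_xor(data, key, step):
    """Layer 1: XOR with a key that advances by `step` after every byte (self-inverse)."""
    out, k = bytearray(), key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return bytes(out)


def parse_bytecode(bc):
    """Decode (opcode, operand) pairs up to OP_END; reject unknown or truncated programs."""
    ops, i = [], 0
    while True:
        if i >= len(bc):
            raise ValueError("bytecode missing OP_END")
        op = bc[i]
        if op == OP_END:
            return ops
        if op not in (OP_XOR, OP_ADD, OP_ROL) or i + 1 >= len(bc):
            raise ValueError(f"bad bytecode at offset {i}")
        ops.append((op, bc[i + 1]))
        i += 2


def vm_decrypt(ops, data):
    """Layer 2 decryptor: run the VM program, in order, over every body byte."""
    out = bytearray()
    for b in data:
        for op, arg in ops:
            if op == OP_XOR:
                b ^= arg
            elif op == OP_ADD:
                b = (b + arg) & 0xFF
            else:
                b = rol8(b, arg)
        out.append(b)
    return bytes(out)


def vm_encrypt(ops, data):
    """Inverse of vm_decrypt (inverse ops in reverse order); only used to build the sample."""
    out = bytearray()
    for b in data:
        for op, arg in reversed(ops):
            if op == OP_XOR:
                b ^= arg
            elif op == OP_ADD:
                b = (b - arg) & 0xFF
            else:
                b = ror8(b, arg)
        out.append(b)
    return bytes(out)


def pack(plaintext, rkey, rstep, bytecode, bc_key):
    """Build a sample: rolling XOR, then the VM cipher, then the XORed bytecode appended."""
    layer1 = bytes([rkey, rstep]) + rolling_xor(plaintext, rkey, rstep)
    body = vm_encrypt(parse_bytecode(bytecode), layer1)
    enc_bc = bytes(b ^ bc_key for b in bytecode)
    return MAGIC + struct.pack("<IB", len(body), bc_key) + body + enc_bc


def unpack(blob):
    """Peel the layers: header -> bytecode -> VM over body -> rolling XOR -> plaintext."""
    if blob[:4] != MAGIC:
        raise ValueError("not a sample blob")
    body_len, bc_key = struct.unpack_from("<IB", blob, 4)
    start = 4 + struct.calcsize("<IB")
    body = blob[start:start + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    ops = parse_bytecode(bytes(b ^ bc_key for b in blob[start + body_len:]))
    layer1 = vm_decrypt(ops, body)
    rkey, rstep = layer1[0], layer1[1]
    return rolling_xor(layer1[2:], rkey, rstep)


# Constructed sample input (not strings taken from any real sample).
SAMPLE_STRINGS = b"http://example.invalid/cmd\x00SOFTWARE\\Microsoft\\Windows\x00"
SAMPLE_BYTECODE = bytes([OP_XOR, 0x5A, OP_ADD, 0x13, OP_ROL, 3, OP_END])
SAMPLE_BLOB = pack(SAMPLE_STRINGS, 0x37, 0x0B, SAMPLE_BYTECODE, 0xC3)

if __name__ == "__main__":
    print(unpack(SAMPLE_BLOB))
```

The point of the structure is that a static string scan over the blob sees nothing useful: the strings are under two ciphers, and the second one is not a fixed routine but whatever program the appended bytecode encodes, so a detector has to either interpret that bytecode itself (as `unpack` does) or emulate far enough to watch the real decryptor run.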