Threat Research

ExPirO - An EPO File Infector

By Raul Alvarez | September 02, 2013

File infectors are malware that are capable of attaching themselves to executable files, e.g. "calc.exe" and "notepad.exe". When we run an infected file, we don't notice that "calc.exe" is infected, since it still shows the calculator running properly. But, behind the scenes, the malware is doing its malicious activities.

In this post, we will look into Expiro. It is not a new file infector, but it comes back from time to time with a different punch.

Expiro's Characteristics

Usually, a file infector changes the entry point of the host file during its infection process to point to the malware body that has been attached to the host file. The malware body is the binary code that performs the malicious activities.

Expiro, however, does not change the entry point. Instead, it moves some of the host's original code and replaces it with Expiro's own code. We call this type of malware an EPO (entry point obscuring) file infector.

Expiro adds a new section in the host file and places most of the malware body in that new section. A section in an executable file separates the data, code, and other resources of the given file (see Figure 1).


Figure 1. Section header information of the newly added section in the infected file.

The added section's name is ".vmp0". The virtual size in the example above is (0x1a6000) 1,728,512 bytes. In some infected files, the virtual size is the same as the size of raw data which is (0x7d000) 512,000 bytes. The size of raw data is the physical size of the added section, while the virtual size is the allocated memory in the running process.

The virtual address (0x42000) depends on the allocated memory for the host file, while the file pointer to raw data depends on the original size of the host file.

The characteristic flags tell the operating system that the section has execute, read, and write access (0xE0000000).

The content of the .vmp0 section is encrypted. Expiro uses a layered decryption algorithm for the entire section and uses a simple on-demand decryption routine whenever it needs a string.
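As an added example (not code from the original post), the following Python script parses the PE section table and flags the traits described above: a section named ".vmp0", a section that is both writable and executable, a raw size of 0x7d000, and an entry point left outside the added section. The PE image it builds is constructed for the demonstration, not a real infected file; its raw-data pointer value is an assumption.

```python
import struct

SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_*
EXPIRO_SECTION = b".vmp0"   # section name reported in the post
EXPIRO_RAW_SIZE = 0x7D000   # 512,000 bytes, the raw size reported in the post

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image held in memory."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt_off = pe_off + 24                                             # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]           # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):                                            # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr, rsize, rptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry, sections

def expiro_indicators(data):
    """Flag the section-header traits the post attributes to Expiro's added section."""
    entry, sections = parse_pe(data)
    hits = []
    for s in sections:
        if s["name"].encode() == EXPIRO_SECTION:
            hits.append("section named .vmp0")
            if not (s["vaddr"] <= entry < s["vaddr"] + s["vsize"]):  # EPO: entry point left in host code
                hits.append("entry point is not in .vmp0 (host entry point kept)")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            hits.append(s["name"] + " is both writable and executable")
        if s["rsize"] == EXPIRO_RAW_SIZE:
            hits.append(s["name"] + " raw size is 0x7d000")
    return hits

def build_sample(infected):
    """Constructed minimal PE32 image (not a real sample): .text plus, if infected, a .vmp0 like Figure 1."""
    def sect(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIII12xI", name, vsize, vaddr, rsize, rptr, chars)
    secs = [sect(b".text", 0x40000, 0x1000, 0x40000, 0x400, SCN_MEM_EXECUTE | SCN_MEM_READ)]
    if infected:   # raw-data pointer 0x41000 is an assumed value; the post gives none
        secs.append(sect(b".vmp0", 0x1A6000, 0x42000, EXPIRO_RAW_SIZE, 0x41000,
                         SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE))
    opt = struct.pack("<H14xI", 0x10B, 0x1234).ljust(224, b"\0")     # PE32 magic, entry point inside .text
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + b"".join(secs)
```

Running `expiro_indicators(open(path, "rb").read())` on a real file applies the same checks; a clean build of the constructed sample yields no hits.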

Tell-tale of Infection

Expiro increases the infected file by (0x7d000) 512,000 bytes, as shown in Figure 2.


Figure 2. Difference in file sizes of the infected against the clean host file.

However, it is not easy to tell whether a file has grown by 512,000 bytes unless you know its original size, so file size alone is a poor indicator of whether your files have been infected.

One way to tell if our system is already infected is by using Process Explorer. Using this tool, we will be able to see the mutexes created by Expiro.

Mutexes are used to synchronize threads in a given process, but for most malware and file infectors, they are used as a marker to determine if the system is already infected.

If the infected file is one of the services in the system, the mutexes used are "gazavat-svc_28" and "gazavat-svc" (see Figure 3). For regular infected files, the mutexes used are "kkq-vx-mtx28" and "kkq-vx-mtx1" (see Figure 4).


Figure 3. Mutexes for an infected service.


Figure 4. Mutexes for regular infected files.

Wrapping Up

Our computer system can be infected by file infectors, trojans, and other different kinds of malware. Our best defense against them is to practice safe computing, and have antivirus and other security products installed in our system. And of course, we have to make sure that they are always updated.

Stay safe.
