File infector malware adds malicious code to current files. This makes removal tricky because deleting infections results in the loss of legitimate files. Although file infectors were more popular in the 1990s and early 2000s, they still pose a significant threat. The complex disinfection process is usually leveraged by malware authors to ensure systems stay infected for a long period. This may explain why complex file infectors such as W32/VirRansom, W32/Sality, W32/Xpaj, and Expiro are still active today.
The Expiro virus is has been around for more than a decade, and the authors continue to update it with more features. Expiro is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Recently we discovered a new variant of Expiro with a significant change in its infection routine. In previous variants, Expiro modified and stole code at the entry point and appended the viral payload only at the end of the original file, typical of an appender virus.
The new variant, however, changes the size of the base relocation table and encrypts the addresses inside, causing traditional appender virus repair routines to corrupt files unless they correctly restore the original base relocation table. By adding the encryption, Expiro increases the complexity of analysis and requires a customized repair routine, which makes it hard to combat.
The following screenshots demonstrate this point: The base relocation table of a file infected by the old variant of Expiro is unaffected and the contents are untouched.
Figure 1: The relocation table remains intact when infected by the old Expiro variant.
Figure 2: The relocation table contents are not modified by the old Expiro variant.
The new variant reduces the size of the base relocation table and encrypts portions of it (outlined in red).
Figure 3: The latest Expiro variant reduces the size of the relocation table.
Figure 4: The relocation table encrypted by the latest Expiro variant.
To fix relocations prior to the execution of the original file’s code, the Expiro virus first executes its own malicious payload. It then decrypts the relocation table and dynamically reloads all addresses to make sure the original file can run correctly.
Decryption involves a simple XOR operation with a key hardcoded within the sample.
Figure 5: Relocation table being decrypted using a hardcoded XOR key.
After the decryption, the rest of original base relocation table is recovered.
Figure 6: The EDI register now contains decrypted relocation data.
In recovery step 2, Expiro computes the address that contains the relocation address using the formula Relocation_Address = NewImageBase + Offset + VirtualAddress.
Figure 7: Calculation of the address to be relocated in Expiro’s code.
As we see in the following screenshot, the formula leads to Relocation_Address = 0x950000 + 0x354 + 0x1000, so the address in 0x951354 should be relocated (stored in eax).
Figure 8: Relocation address being calculated.
In recovery step 3, Expiro computes the relocation value using the formula Relocation_Value = OldValue + (NewImageBase – OldImagebase).
Figure 9: Relocation value being computed by Expiro.
In this case, the formula is Relocation _Value = 0x01001354 + (0x00950000 – 0x01000000), so the relocation value is 0x00951354.
Figure 10: Expiro performing relocations on its own.
Using this technique, we can decrypt and repair the entire relocation table of the files infected by Expiro. This also helps us to calculate and replace the relocation table size in an executable’s optional header with the correct values. These changes ensure the infected files can run properly after removing the malicious payload.
McAfee products detect Expiro as W32/Expiro.gen.rd and W64/Expiro.d and repair infected files from DAT Version 8665. Users can find additional information at this McAfee Labs Threat Advisory.