polymorphic virus analysis


  • The virus is polymorphic and very infectious.
  • EPO (Entry Point Obscuring): the entry-point address in the PE header is not modified; instead the virus injects code at the real entry point and hops around a few times before it jumps to the virus body.
  • Obfuscated layers, built from junk instructions and varying (though simple) decryption operations.
  • The junk code actually abuses a bug in VMware 5, so the virus crashed in the VM at the time of the analysis.
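Because the header entry point stays untouched, a triage check that only reads `AddressOfEntryPoint` will not notice the EPO described above. The defender's check is to follow the hop chain from the real entry point and see where control flow finally lands. The following is an added example, not code from the original analysis: it walks a chain of direct x86 jumps (`E9 rel32` and `EB rel8` only; any other opcode ends the chain) over a constructed flat memory image and flags the sample when the chain leaves the original code section. The image layout, the section boundaries and the hypothetical `flag_epo` helper are all assumptions made for the demonstration.

```python
"""Follow direct-jump hop chains from an unmodified entry point (added example).

Assumptions (not from the original page): a flat image in which bytes
0x000-0x0FF are the original code section and 0x100-0x1FF are a section
appended by the infector.  Only direct jmp rel8 / rel32 are followed;
anything else (including a real first instruction) terminates the chain.
"""
import struct


def follow_jumps(image: bytes, ep: int, max_hops: int = 32):
    """Return (final_address, hops) after following E9/EB jumps from ep.

    hops is a list of (from_addr, to_addr) tuples.  max_hops bounds the walk
    so a looping chain cannot spin forever.
    """
    addr = ep
    hops = []
    for _ in range(max_hops):
        if addr < 0 or addr >= len(image):
            break  # jumped outside the image; stop and report where we are
        op = image[addr]
        if op == 0xE9 and addr + 5 <= len(image):
            # jmp rel32: target = next instruction address + signed displacement
            rel = struct.unpack_from("<i", image, addr + 1)[0]
            nxt = addr + 5 + rel
        elif op == 0xEB and addr + 2 <= len(image):
            # jmp rel8: short form, one-byte signed displacement
            rel = struct.unpack_from("<b", image, addr + 1)[0]
            nxt = addr + 2 + rel
        else:
            break  # not a direct jump: real code starts here
        hops.append((addr, nxt))
        addr = nxt
    return addr, hops


def flag_epo(image: bytes, ep: int, text_range):
    """Hypothetical triage helper: True if the hop chain from ep ends outside
    [lo, hi), i.e. control flow is redirected out of the original code section."""
    lo, hi = text_range
    final, hops = follow_jumps(image, ep)
    return not (lo <= final < hi), final, hops


def build_infected_image() -> bytes:
    """Constructed sample: header EP 0x10 is unchanged, but the bytes there
    were overwritten with a jmp that hops 0x10 -> 0x40 -> 0x60 -> 0x150."""
    img = bytearray(b"\x90" * 0x200)           # NOP filler everywhere
    img[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x40 - (0x10 + 5))
    img[0x40:0x42] = b"\xEB" + struct.pack("<b", 0x60 - (0x40 + 2))
    img[0x60:0x65] = b"\xE9" + struct.pack("<i", 0x150 - (0x60 + 5))
    img[0x150] = 0x60                           # pushad: start of the body
    return bytes(img)


def build_clean_image() -> bytes:
    """Constructed benign sample: EP jumps once to a normal prologue in .text."""
    img = bytearray(b"\x90" * 0x200)
    img[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x40 - (0x10 + 5))
    img[0x40] = 0x55                            # push ebp
    return bytes(img)


TEXT_SECTION = (0x000, 0x100)  # assumed original code section bounds

if __name__ == "__main__":
    for name, img in (("infected", build_infected_image()),
                      ("clean", build_clean_image())):
        flagged, final, hops = flag_epo(img, 0x10, TEXT_SECTION)
        print(f"{name}: lands at {final:#x} after {len(hops)} hops, "
              f"{'EPO suspected' if flagged else 'no redirection'}")
```

The walk is deliberately conservative: it stops at the first non-jump byte, so a benign binary whose entry point is a normal prologue is reported as landing inside its own section, while the EPO sample is caught because its chain ends in the appended range. A production check would use a real disassembler and also follow calls and indirect jumps, but the principle is the same.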