Benny
29a [4full]
March 2000
Well, whatsa go? That's the main question. Entrypoint Obscuring techniques, also abrieviated as EPOs, r relatively new but very efficent ways how to make your virus undetectable by existing heuristic scanners. The main idea is: don't modify entrypoint, don't activate virus immediatelly when infected program is executed, dig the "JMP VIRUS" instruction into the center of program. For instance, virus won't be activated when the program will be executed, but when program will call ExitProcess API. Why do we do that? It's very simple. Heuristic scanners can't analyse whole Win32 program (in short words, it's just not possible for existing scanners) and if virus code will be hidden inside the program, heuristic scanners won't be able to reach the virus code and so, virus won't be detected. In my opinion, every modern virus should contain EPO routines. And if the ways of realising EPOs will be random, it would be impossible to clean the virus. Think about it.