Channel: BOT24

Paper: API-EPO

Most file infectors attempt to avoid heuristic detection by
implementing an EPO (entry-point obscuring) technique.
EPO confuses anti-virus scanners by emulating the
instructions from the beginning of the executable – which
makes it look as if it is still operating within the host file. The
technique varies slightly from malware to malware.
Expiro uses an EPO technique, as discussed in [1], in
which it replaces a block of code from the entry point of the
executable with its malicious binaries, which contain the
initial decryption algorithm. This article focuses on an old
file infector, but one which is still active in the wild.
W32/Daum is a simple file infector, but it is worth looking at
more closely for its unique EPO methodology.
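The abstract makes one point a defender can act on: an EPO infector like the one described leaves AddressOfEntryPoint alone and instead overwrites the block of code that the entry point already points at, so a scanner that only checks whether the entry point lies in a sane section sees nothing. The example below is added here and is not code from the paper or from Virus Bulletin; it parses real PE headers to locate the entry-point code in the file, fingerprints the first bytes at that location, and reports when they differ from a known-good baseline. The PE image it works on is constructed in memory (one .text section at RVA 0x1000, file offset 0x200), the "clean" prologue bytes are made up, and the overwrite is simulated with INT3 placeholder bytes, not a real decryption stub.

```python
"""Baseline check of the code at a PE entry point (added example, not from the paper).

Assumed layout for the constructed sample: a single .text section at RVA 0x1000,
mapped from file offset 0x200. No real malware bytes are involved.
"""
import hashlib
import struct

SECTION_HDR = 40      # size of one IMAGE_SECTION_HEADER
FILE_HDR = 20         # size of IMAGE_FILE_HEADER
OPT_HDR_PE32 = 224    # size of IMAGE_OPTIONAL_HEADER32


def build_pe(code: bytes, entry_rva: int = 0x1000) -> bytes:
    """Construct a minimal PE32 image with one .text section (constructed sample)."""
    assert len(code) <= 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HDR_PE32, 0x102)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, len(code), 0, 0, entry_rva, 0x1000)
    opt += b"\0" * (OPT_HDR_PE32 - len(opt))
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sect = b".text\0\0\0" + struct.pack("<IIII", len(code), 0x1000, 0x200, 0x200)
    sect += b"\0" * (SECTION_HDR - len(sect))
    headers = dos + b"PE\0\0" + file_hdr + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + code + b"\0" * (0x200 - len(code))


def entry_point_location(pe: bytes):
    """Return (file_offset, section_name) for AddressOfEntryPoint by walking the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    fh = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + FILE_HDR
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]            # AddressOfEntryPoint
    first_sect = opt + opt_size
    for i in range(num_sections):
        off = first_sect + i * SECTION_HDR
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            return raw_ptr + (ep_rva - va), name
    raise ValueError("entry point lies outside every section")


def entry_point_fingerprint(pe: bytes, length: int = 32) -> str:
    """SHA-256 of the first `length` bytes of code at the entry point (the baseline)."""
    off, _ = entry_point_location(pe)
    return hashlib.sha256(pe[off:off + length]).hexdigest()


def check_entry_point(pe: bytes, baseline: str, length: int = 32) -> dict:
    """Compare the entry-point code against a baseline; the RVA itself may be unchanged."""
    off, section = entry_point_location(pe)
    fp = hashlib.sha256(pe[off:off + length]).hexdigest()
    return {"section": section, "ep_offset": off, "ep_code_modified": fp != baseline}


# Constructed "clean" entry code: push ebp / mov ebp, esp followed by NOP padding.
CLEAN_CODE = b"\x55\x8b\xec" + b"\x90" * 61


def simulate_entry_block_overwrite(pe: bytes, placeholder: bytes = b"\xcc" * 16) -> bytes:
    """Simulate what the abstract describes: the block at the entry point is replaced in place
    while AddressOfEntryPoint is left untouched. INT3 placeholders stand in for the real code."""
    off, _ = entry_point_location(pe)
    return pe[:off] + placeholder + pe[off + len(placeholder):]


if __name__ == "__main__":
    clean = build_pe(CLEAN_CODE)
    baseline = entry_point_fingerprint(clean)
    print(check_entry_point(clean, baseline))
    print(check_entry_point(simulate_entry_block_overwrite(clean), baseline))
```

Both runs report the same section and the same file offset 0x200, which is exactly why an "entry point outside .text" heuristic is blind here; only the fingerprint of the code at that offset changes. In practice the baseline would come from a golden copy or a package manifest rather than from the file under test.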

More here: https://www.virusbtn.com/pdf/magazine/2014/vb201407-API-EPO.pdf
