Some Bits About UPolyX


You must have heard that there are a number of new variants of the long-lived WORM_BAGLE. Well, that’s because of UPolyX.

UPolyX is not new; in fact, its first version, UPolyX v0.1, has been around since 2004. A search through the net turns up four (4) versions in existence.

UPolyX is basically a scrambler. It specifically needs a UPX-packed input file to produce an output file. Through its polymorphic decrypter engine, it can produce a number of different output files even from a single input file. That’s why we keep receiving new WORM_BAGLE variants from time to time.

The latest version of the scrambler, UPolyX v0.5, adds a permutation module to further improve its polymorphism.

The scrambler also implements an Executable Trash Generator (ETG) that places trash (dummy instructions) between the polymorphic decryptor and the code itself. ETG can be configured to control how many bytes of trash it generates. ETG 1.00 is the only version known to the public and has been around since March 2000.

From the characteristics mentioned above, it seems that the author’s primary purpose is to defeat the decryptor emulation techniques of various anti-virus engines.

Using UPolyX’s technology, an already detected malware can be revived and released into the wild again.

From what I have noticed so far, the samples we have received are based on this principle:

Detected Malware + UPX + UPolyX (polymorphic decrypter + Executable Trash Generator) = New Undetected Malware


What if some worm authors decided to embed UPolyX’s technology? Hmm.. oh well, we might have a hard time telling which variant of the worm is in the wild!
But that’s just one of the possibilities; others may come along the way, and that’s another story. :=)