108 lines
6.2 KiB
Plaintext
108 lines
6.2 KiB
Plaintext
Subject: Polymorphic Virus
|
|
|
|
Here is a new entry from the Computer Virus Catalog, produced and
|
|
distributed by the Computer Anti-Virus Researcher's Organization (CARO),
|
|
at the University of Hamburg.
|
|
|
|
Note the description of the Polymorphic Method, below, and that this
|
|
virus can presently be detected in a file only by the file change it
|
|
produces.
|
|
|
|
|
|
==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) ===
|
|
Entry...............: Dedicated Virus
|
|
Alias(es)...........: ---
|
|
Virus Strain........: ---
|
|
Polymorphism engine.: Mutating Engine (ME) 0.9
|
|
Virus detected when.: UK
|
|
where.: January 1992
|
|
Classification......: Polymorphic encrypted program (COM) infector,
|
|
non-resident
|
|
Length of Virus.....: 3,5 kByte (including Mutating Engine)
|
|
--------------------- Preconditions ----------------------------------
|
|
Operating System(s).: MS-DOS
|
|
Version/Release.....: 2.xx upward
|
|
Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
|
|
--------------------- Attributes -------------------------------------
|
|
Easy Identification.: COM file growth (no other direct detection means
|
|
are known as virus encrypts itself, and due
|
|
to the installed mutation engine, all occu-
|
|
rences of this virus differ widely)
|
|
Type of infection...: COM file infector: all COM files in current
|
|
directory on current drive (disk,diskette)
|
|
are infected upon executing an infected file.
|
|
Infection Trigger...: Execution of an infected COM file.
|
|
Media affected......: Hard disk, any floppy disk
|
|
Interrupts hooked...: ---
|
|
Crypto method.....: The virus encrypts itself upon infecting a COM
|
|
file using its own encryption routine; upon
|
|
execution, the virus decrypts itself using
|
|
its own small algorithm.
|
|
Polymorphic method..: After decryption, the virus' envelope consisting
|
|
of Mutating Engine 0.9 will widely vary the
|
|
virus' coding before newly infecting another
|
|
COM file. Due to this method, common pieces
|
|
of code of more than three bytes (=signatures)
|
|
of any two instances of this virus are highly
|
|
improbable.
|
|
Remark: Mutating Engine 0.9 very probably was
|
|
developed by the Bulgarian virus writer
|
|
"Dark Avenger"; such a program was announced
|
|
early 1991 as permutating more than 4 billion
|
|
times, and it appeared in October 1991 or
|
|
before.
|
|
The class of permutating viruses is named
|
|
"polymorphic" to indicate the changing
|
|
structure which may not be identified with
|
|
contemporary means. To indicate the relation
|
|
to such common engine, the term "Polymorhic
|
|
engine (method)" has been introduced.
|
|
ME 0.9 was distributed via several Virus
|
|
Exchange Bulletin Boards, so it is possible
|
|
that other ME 0.9 related viruses appear.
|
|
According to (non-validated) information, an-
|
|
other ME 0.9 based virus (Pogue?) has been
|
|
detected in North America: COM file infector,
|
|
memory resident, length about 3,7 kBytes.
|
|
Damage..............: Virus overwrites at random times random sectors
|
|
(one at a time) with garbage (INT 26 used).
|
|
Damage Trigger......: Random time
|
|
Similarities........: ---
|
|
Particularities.....: The virus contains a text greeting a US based
|
|
female hacker; this text is visible after
|
|
decryption.
|
|
--------------------- Agents -----------------------------------------
|
|
Countermeasures.....: Contemporarily, no automatic method for reliable
|
|
identification of polymorphic viruses known.
|
|
- ditto - successful: ---
|
|
Standard means......: ---
|
|
--------------------- Acknowledgement --------------------------------
|
|
Location............: Virus Test Center, University Hamburg, Germany
|
|
Classification by...: Vesselin Bontchev, Klaus Brunnstein
|
|
Documentation by....: Dr. Alan Solomon
|
|
Date................: 31-January-1992
|
|
===================== End of Dedicated Virus =========================
|
|
|
|
======================================================================
|
|
== Critical and constructive comments as well as additions are ==
|
|
== appreciated. Descriptions of new viruses are appreaciated. ==
|
|
======================================================================
|
|
== The Computer Virus Catalog may be copied free of charges provided =
|
|
== that the source is properly mentioned at any time and location ==
|
|
== of reference. ==
|
|
======================================================================
|
|
== Editor: Virus Test Center, Faculty for Informatics ==
|
|
== University of Hamburg ==
|
|
== Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany ==
|
|
== Prof. Dr. Klaus Brunnstein, Vesselin Bontchev, ==
|
|
== Simone Fischer-Huebner, Wolf-Dieter Jahn ==
|
|
== Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.) ==
|
|
== Fax: (+40) 54 715 - 226 ==
|
|
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de ==
|
|
== bontchev@rz.informatik.uni-hamburg.de> ==
|
|
== FTP site: ftp.informatik.uni-hamburg.de ==
|
|
== Adress: 134.100.4.42 ==
|
|
== login anonymous; password: your-email-adress; ==
|
|
== directory: pub/virus/texts/catalog ==
|
|
======================================================================
|