Subject: Polymorphic Virus Here is a new entry from the Computer Virus Catalog, produced and distributed by the Computer Anti-Virus Researcher's Organization (CARO), at the University of Hamburg. Note the description of the Polymorphic Method, below, and that this virus can presently be detected in a file only by the file change it produces. ==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) === Entry...............: Dedicated Virus Alias(es)...........: --- Virus Strain........: --- Polymorphism engine.: Mutating Engine (ME) 0.9 Virus detected when.: UK where.: January 1992 Classification......: Polymorphic encrypted program (COM) infector, non-resident Length of Virus.....: 3,5 kByte (including Mutating Engine) --------------------- Preconditions ---------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.xx upward Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles --------------------- Attributes ------------------------------------- Easy Identification.: COM file growth (no other direct detection means are known as virus encrypts itself, and due to the installed mutation engine, all occu- rences of this virus differ widely) Type of infection...: COM file infector: all COM files in current directory on current drive (disk,diskette) are infected upon executing an infected file. Infection Trigger...: Execution of an infected COM file. Media affected......: Hard disk, any floppy disk Interrupts hooked...: --- Crypto method.....: The virus encrypts itself upon infecting a COM file using its own encryption routine; upon execution, the virus decrypts itself using its own small algorithm. Polymorphic method..: After decryption, the virus' envelope consisting of Mutating Engine 0.9 will widely vary the virus' coding before newly infecting another COM file. Due to this method, common pieces of code of more than three bytes (=signatures) of any two instances of this virus are highly improbable. Remark: Mutating Engine 0.9 very probably was developed by the Bulgarian virus writer "Dark Avenger"; such a program was announced early 1991 as permutating more than 4 billion times, and it appeared in October 1991 or before. The class of permutating viruses is named "polymorphic" to indicate the changing structure which may not be identified with contemporary means. To indicate the relation to such common engine, the term "Polymorhic engine (method)" has been introduced. ME 0.9 was distributed via several Virus Exchange Bulletin Boards, so it is possible that other ME 0.9 related viruses appear. According to (non-validated) information, an- other ME 0.9 based virus (Pogue?) has been detected in North America: COM file infector, memory resident, length about 3,7 kBytes. Damage..............: Virus overwrites at random times random sectors (one at a time) with garbage (INT 26 used). Damage Trigger......: Random time Similarities........: --- Particularities.....: The virus contains a text greeting a US based female hacker; this text is visible after decryption. --------------------- Agents ----------------------------------------- Countermeasures.....: Contemporarily, no automatic method for reliable identification of polymorphic viruses known. - ditto - successful: --- Standard means......: --- --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Vesselin Bontchev, Klaus Brunnstein Documentation by....: Dr. Alan Solomon Date................: 31-January-1992 ===================== End of Dedicated Virus ========================= ====================================================================== == Critical and constructive comments as well as additions are == == appreciated. Descriptions of new viruses are appreaciated. == ====================================================================== == The Computer Virus Catalog may be copied free of charges provided = == that the source is properly mentioned at any time and location == == of reference. == ====================================================================== == Editor: Virus Test Center, Faculty for Informatics == == University of Hamburg == == Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany == == Prof. Dr. Klaus Brunnstein, Vesselin Bontchev, == == Simone Fischer-Huebner, Wolf-Dieter Jahn == == Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.) == == Fax: (+40) 54 715 - 226 == == Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de == == bontchev@rz.informatik.uni-hamburg.de> == == FTP site: ftp.informatik.uni-hamburg.de == == Adress: 134.100.4.42 == == login anonymous; password: your-email-adress; == == directory: pub/virus/texts/catalog == ====================================================================== .