DEFGENA.CVP 930819

Polymorphism and variations

The latest development is the polymorphic "engine". This is not a virus as such, but code which can be added to *any* virus in order to make it polymorphic. The most widely known of these is the "Mutating Engine", known as MtE, written by the virus writer who identifies himself as the Dark Avenger. There *is* no MtE (or DAME: Dark Avenger's Mutating Engine) virus; only other viruses which have had the code attached. MtE is not the only such program around; many others have been developed, such as the more recent model known as TPE (Trident Polymorphic Engine). (vx groups tend to have as little imagination in naming as in programming.)

The polymorphic engines are sometimes confused with "virus kits". The polymorphic engine, if properly attached to the original virus, will "reform" the viral code on each new infection. A virus kit is a program to automate the actual writing of a virus. The user picks characteristics from a menu of choices, and the kit program sticks together pre-programmed pieces of code to make a virus for you. A polymorphic engine, then, is code added to a virus to make the same virus change its appearance each time it reproduces. A virus kit is a non-replicating, non-viral program which automates the process of generating viral programs, each with different characteristics. Unless polymorphism is one of the options chosen, viral programs produced by a kit will retain their signatures from that point on.

Fortunately, polymorphism, in whatever form and at whatever level, has not been a significant threat. Polymorphs are still easily detected by change detection and activity monitoring software. Even scanners have not had great difficulty dealing with polymorphic programs. The early self-encrypting programs generally left readily identifiable signatures, since the decryption code had to be left "en clair".
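A toy model of the two detection approaches the column describes (added here as an illustration; it is not Slade's code and has nothing to do with real MtE or any real virus): a constant body is XOR-encoded with a per-copy key and prefixed with a decryptor stub that must stay in clear. A plain scanner finds the constant stub; an algorithmic scanner undoes every candidate key and matches the decoded body, so it still works when the stub is reshaped. All byte patterns are constructed.

```python
from typing import Optional

# Constructed stand-ins, not real code: a fixed "decryptor" byte pattern,
# a second differently-shaped stub, and a constant body that gets encoded.
STUB_A = b"\xb9\x10\x00\x8a\x06\x34"
STUB_B = b"\x90\xb9\x10\x00\x90\x8a"
BODY = b"replicate(); trigger(); return_to_host()"
BODY_SIG = b"replicate(); trigger()"   # signature chosen on the decoded body


def make_variant(key: int, stub: bytes = STUB_A) -> bytes:
    """Constructed sample: [stub][one-byte key][body XOR key].

    Every copy differs in the encoded part; only the stub stays constant.
    """
    return stub + bytes([key]) + bytes(b ^ key for b in BODY)


def stub_scan(sample: bytes) -> bool:
    """Pure signature scan on the decryptor left 'en clair'.

    Catches the early self-encryptors, but only while the stub is constant.
    """
    return STUB_A in sample


def recover_body(sample: bytes) -> Optional[bytes]:
    """Algorithmic scan: try all 256 one-byte keys and look for the body
    signature in the decoded result. Independent of how the stub looks."""
    for key in range(256):
        decoded = bytes(b ^ key for b in sample)
        if BODY_SIG in decoded:
            return decoded
    return None


def algorithmic_scan(sample: bytes) -> bool:
    return recover_body(sample) is not None


if __name__ == "__main__":
    for key, stub in ((0x5A, STUB_A), (0x5A, STUB_B), (0x00, STUB_B)):
        s = make_variant(key, stub)
        print(f"key={key:#04x} stub={stub.hex()} "
              f"stub_scan={stub_scan(s)} algorithmic_scan={algorithmic_scan(s)}")
```

The second and third lines of output show the point of the column's last paragraphs: once the decryptor itself varies, the static signature fails while the algorithmic scanner still recovers the one body every copy shares.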
Even those programs which performed significant encryption, or used different encryption routines, generally had few forms, which could be readily identified. The later polymorphs are marginally more difficult to identify, but algorithmic, as opposed to pure signature, scanning is having reasonable success. Indeed, in the case of the polymorphic engines, these codes have sometimes been a boon to the antiviral researcher. When you can identify the MtE code, you can also identify, at least as a virus, every new virus to which it is attached.

copyright Robert M. Slade, 1993

Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
"Don't buy a computer." Jeff Richards' First Law of Data Security