DEFGENA.CVP   930819
 
                    Polymorphism and variations
 
The latest development is the polymorphic "engine".  This is not a
virus as such, but code which can be added to *any* virus in order
to make it polymorphic.  The most widely known of these is the
"Mutating Engine", known as MtE, written by the virus writer who
identifies himself as the Dark Avenger.  There *is* no MtE (or DAME:
Dark Avenger's Mutating Engine) virus; only other viruses which have
had the code attached.  MtE is not the only such program around,
many others have been developed such as the more recent model known
as TPE (Trident Polymorphic Engine).  (vx groups tend to have as
little imagination in naming as in programming.)
 
The polymorphic engines are sometimes confused with "virus kits". 
The polymorphic engine, if properly attached to the original virus,
will "reform" the viral code on each new infection.  A virus kit is
a program to automate the actual writing of a virus.  The user picks
characteristics from a menu of choices, and the kit program sticks
together pre-programmed pieces of code to make a virus for you.  A
polymorphic engine, then, is code added to a virus to make the same
virus change its appearance each time it reproduces.  A virus kit is
a non-replicating, non-viral program which automates the process of
generating viral programs each with different characteristics. 
Unless polymorphism is one of the options chosen, viral programs
produced by a kit will retain their signatures from that point on.
 
Fortunately, polymorphism, in whatever form and at whatever level,
has not been a significant threat.  Polymorphs are still easily
detected by change detection and activity monitoring software.  Even
scanners have not had great difficulty dealing with polymorphic
programs.  The early self-encrypting programs generally left readily
identifiable signatures since the decryption code had to be left "en
clair".  Even those programs which performed significant encryption,
or used different encryption routines, generally had few forms which
could be readily identified.  The latter polymorphs are marginally
more difficult to identify but algorithmic, as opposed to pure
signature, scanning is having reasonable success.  Indeed, in the
case of the polymorphic engines, the engine code itself has sometimes
been a boon to the antiviral researcher.  When you can identify the
MtE code, you can also identify, at least as a virus, every new virus
to which it is attached.
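
A small illustration of the three detection points above, added here
and not code from the column or from any real scanner; every byte
string in it is a constructed placeholder, and the "stub" layout (a key
byte inside an otherwise fixed decoder) is an assumption made for the
example.  It shows a pure signature taken from one copy failing on the
next, a wildcard signature on the fixed decoder matching every copy,
and change detection by file hash ignoring appearance altogether.

```python
import hashlib
import re

# Constructed sample files (placeholder bytes, not real malware, never run).
# Each "infected" copy carries the same decoding stub with a per-copy key
# byte at offset 3, followed by a body that differs completely between copies.
INFECTED_A = b"\xaa\xbb\xcc\x11\xdd\xee" + b"\x31\x9f\x44\x02\x7e\xc3\x55\x10"
INFECTED_B = b"\xaa\xbb\xcc\x5a\xdd\xee" + b"\x6b\xd4\x0c\x9e\x21\x88\x3f\xa7"
CLEAN      = b"\x90\x90\x90\x90" + b"plain program text"

# Pure signature: an exact byte string.  Taken from one copy, it matches only
# that copy if it covers any byte the engine varies (here the key byte).
def signature_match(data: bytes, signature: bytes) -> bool:
    return signature in data

# Wildcard signature: fixed bytes around a slot allowed to hold any value.
# This is the simplest step beyond pure signature scanning toward the
# "algorithmic" scanning the text refers to.
STUB_PATTERN = re.compile(rb"\xaa\xbb\xcc.\xdd\xee", re.DOTALL)

def stub_match(data: bytes) -> bool:
    return STUB_PATTERN.search(data) is not None

# Change detection: compare a file's current hash with a stored baseline.
# It never looks at what the bytes mean, so polymorphism gives it no trouble.
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_files(baseline: dict, current: dict) -> list:
    return sorted(name for name, data in current.items()
                  if sha256(data) != baseline.get(name))

def demo() -> dict:
    body_sig_a = INFECTED_A[6:]          # signature on A's varying body
    stub_exact_a = INFECTED_A[:6]        # exact stub, including A's key byte
    baseline = {"a.com": sha256(CLEAN), "b.com": sha256(CLEAN)}
    current = {"a.com": INFECTED_A, "b.com": INFECTED_B}
    return {
        "body_sig_hits_b": signature_match(INFECTED_B, body_sig_a),
        "exact_stub_hits_b": signature_match(INFECTED_B, stub_exact_a),
        "wildcard_stub_hits": [stub_match(x) for x in (INFECTED_A, INFECTED_B, CLEAN)],
        "changed": changed_files(baseline, current),
    }

if __name__ == "__main__":
    print(demo())
```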
 
copyright Robert M. Slade, 1993   DEFGENA.CVP   930819

==============
Vancouver      ROBERTS@decus.ca         | "Don't buy a
Institute for  Robert_Slade@sfu.ca      |     computer."
Research into  rslade@cue.bc.ca         | Jeff Richards'
User           p1@CyberStore.ca         | First Law of
Security       Canada V7K 2G6           | Data Security