To date, four versions of TPE have come out. The author has
implied that he considers the product finished, and will not
write further versions. The later versions of TPE are highly
complex, making it one the most advanced polymorphic generators
in the world.
TPE version 1.1 was technically advanced, but it contained bugs
which made it incompatible with some processor types. Versions
1.2 and 1.3 corrected this problem. The last version, 1.4,
introduced an improved, highly complex encryption method, which
makes TPE-hidden viruses difficult to identify by using
decryption-based detection methods.
A separate, modified version of TPE has also appeared. It is
known as the Darwinian Genetic Mutation Engine (DGME). DGME was
published in Mark Ludwig's latest disputed book 'Computer
Viruses, Artificial Life and Evolution'.
TPE takes up about 1.6 KB. Presently, it is known to be linked to
10 different viruses.
Girafe was the first virus to use TPE-encryption in its code.
It infects COM and EXE files. On thursdays it shows a picture
from Cannabis magazine and a text "Legalize Cannabis". Infected
files are 2000-4000 bytes longer than original files.
The next text can be found inside Girafe in a crypted form:
[ MK / Trident ]
Amsterdam = COFFEESHOP!
See also: Cruncher
[Analysis: Mikko Hypponen, F-Secure]