F-PROT Professional Update Bulletins
F-PROT Professional 2.12 Update Bulletin
--- CONTENTS 2/94
--- New ideas in the field of anti-virus utilities
--- New viruses in the wild
--- Finnish Sprayer
--- News In Short
--- Two new Macintosh viruses discovered
--- Virus Bulletin 1994 conference is coming
--- Malware floating in BBSs
--- Common Questions and Answers
--- Polymorphic Generators
--- Polymorphic viruses
--- Polymorphic generators
--- Operating Principles
--- Algorithmic methods
--- Decryption-based detection
--- What is the best solution?
--- Thus far found...
--- MtE (Mutation Engine)
--- TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine)
--- NED (NuKE Encryption Device)
--- DAME (Dark Angel's Multiple Encryptor)
--- DSME (Dark Slayer Mutation Engine)
--- GPE (Guns'n'Roses Polymorphic Engine)
--- DSCE (Dark Slayer Confusion Engine)
--- Ethics in Anti-Virus Toolkit Marketing
--- A sad episode
--- An efficient press campaign
--- Changes in F-PROT Professional 2.12
--- Changes in F-PROT's DOS version
--- Changes in F-PROT's Windows version
--- Changes in both DOS and Windows version
--- New viruses detected by F-PROT 2.12
F-Secure Ltd, Wavulinintie 10, 00210 Helsinki, Finland
Tel. +358-0-692 3622, Fax +358-0-670 156, E-mail: email@example.com
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.12 Update Bulletin; Copyright (c) 1994 F-Secure Ltd.
New ideas in the field of anti-virus utilities
New viruses in the wild
Two new Macintosh viruses discovered
Virus Bulletin 1994 Conference is coming
Malware floating in BBSs
Common Questions and Answers
Feature: Polymorphic Generators
Ethics in Anti-Virus Toolkit marketing
Changes in F-PROT's DOS version
Changes in F-PROT's Windows version
Changes in both DOS and Windows versions
New viruses detected by F-PROT Professional 2.12
New ideas in the field of anti-virus utilities
Any modern software application should adapt to different kinds of end
users. The more widely an application is used within an organisation
the more adaptable it should be.
An anti-virus utility should be installed in all personal computers.
It should thus adapt to all kinds of users. We have aimed at
developing a product family which combines the best possible scanner
technology with a user interface that serves all kinds of users.
With this accompanying release of F-PROT for Windows we have added
some interesting features for the sophisticated end user. It is now
possible to start a scan by double-clicking a task file in the Program
Manager or in the File Manager. F-PROT will be launched and the
specified task executed.
This means that icons called Scan A:, Scan B: and Scan Hard Disk can
be brought to the desktop. When a scan is needed, just double-click
one of them and the corresponding task will be carried out.
We have also implemented something else that is, as far as we know, a
first of its kind in the world. You can now drag and drop a bunch of
files or folders from the File Manager on top of the F-PROT icon or
window and they will be scanned with the settings given to the default
These features are not absolutely essential in an antivirus toolkit.
However, as F-PROT serves a wide variety of users, we think it is
important to keep abreast with modern user interface innovations.
F-PROT Professional for OS/2's 16-bit version is now ready and
shipping. The 32-bit OS/2 version has just entered beta-test phase.
Contact your local F-PROT Professional distributor for more
information about our OS/2 virus protection solutions.
New viruses in the wild
The last few months have brought little variety to the global virus
situation; most of the infections reported have been caused by old,
well known viruses. However, a couple of viruses have recently been
able to spread to several locations - and most of these have been boot
The Quox virus has been reported in the wild in several locations in
Europe, Asia and USA during the last year. Quox is a relatively simple
diskette and Master Boot Record infector.
Quox is only able to infect a hard disk when a computer is booted from
an infected diskette in drive A:. At this time, Quox infects the Master
Boot Record. During later boot-ups from the hard disk, Quox will go
resident in high DOS memory.
Once Quox is resident in memory, it will infect practically all
non-write-protected diskettes used in the machine. Quox is also a stealth
virus - if you try to examine an infected boot record while the virus
is resident in memory, you will be shown the original, clean one.
Quox contains no activation routines or text strings. However, it will
corrupt some diskettes seriously. Due to the virus's stealth
capability, the damage may not be visible as long as the virus is
resident in memory. When infected diskettes are used in certain clean
machines, they will prove to be unreadable and, due to a bug in DOS,
may even crash the computer.
The virus was found in Thailand, in July 1992. It was named "Quox" at
the IBM High Integrity Labs, because, to quote David Chess of IBM,
"there was no obvious good name, and we didn't have very many viruses
starting with `Q'".
F-PROT Professional detects the Quox virus.
This virus is also known as Black Wind. It was originally found in
Estonia in the beginning of 1994. Afterwards, this virus has been
reported to be in the wild in several Northern European countries.
Like the original Danish_Tiny, this new variant is a direct action
infector that targets COM files. The virus is encrypted with a
Danish_Tiny.476 increases the size of infected programs by 476 bytes.
It activates on the 6th day of any month, at which time it formats the
hard disk's first track, overwriting the MBR code and the partition
information. This makes the hard disk effectively inaccessible. After
this, the virus displays the following text and hangs the computer:
BLACK WIND VIRUS...
Copyright (C) 1992, Destructive Technologies, Unlimited.
F-PROT Professional detects the Danish_Tiny.476 virus.
Misis is a very small boot sector virus from Russia. It is known to be
in the wild in the west also - confirmed reports have been received
from the UK and Norway.
The virus uses stealth routines, so the infected boot sectors will
seem to be clean if they are inspected while the virus is resident in
Practically all boot sector viruses decrease the amount of available
DOS memory from 640 KB and use this 'memory-hole' to store their code
in. They cannot go resident by using the usual DOS calls, because they
activate before DOS is even loaded. This makes most boot sector
viruses easy to spot, since the user can check the amount of total DOS
memory with the MEM or CHKDSK commands.
Misis uses an unusual way to circumvent this symptom: it stores its
code in low system memory, overwriting part of the interrupt vector
table. This makes the system potentially unstable, because any program
that changes the higher interrupt vectors (from 94h to FFh) will
overwrite part of the resident virus code, probably causing the system
One side-effect of this virus is that infected diskettes will work
normally in an infected machine, but will cause read errors if
accessed in a clean computer. This happens because the virus
overwrites the disk parameter block which, on diskettes, is stored in
the beginning of the boot sector. On infected machines this has no
effect, because the virus stealths the changes it has made.
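As an added illustration (not part of the bulletin and not F-PROT's own code), the following Python script checks a diskette boot sector's BIOS Parameter Block for values that no formatter would ever write, which is exactly the kind of damage a clean machine stumbles over when a virus has stored its code on top of the disk parameter block. The script and both sample sectors are constructed here; the field layout and the sanity limits follow the standard DOS 3.x BPB.

```python
# Added example (not from the F-PROT bulletin): sanity-check the BIOS Parameter
# Block (BPB) of a FAT diskette boot sector read on a clean machine.  A boot
# sector virus that overwrites the BPB with code leaves field values that a
# real formatter would never produce; this makes that damage visible.
import struct

SECTOR_SIZE = 512

def parse_bpb(sector: bytes) -> dict:
    """Parse the DOS 3.x-style BPB at offset 11 of a 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, fat_count,
     root_entries, total_sectors, media_descriptor, sectors_per_fat,
     sectors_per_track, heads) = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    return {
        "jump": sector[0],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "fat_count": fat_count,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media_descriptor": media_descriptor,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "signature": struct.unpack_from("<H", sector, 510)[0],
    }

def bpb_problems(sector: bytes) -> list:
    """Return human-readable reasons the BPB looks damaged (empty list if sane)."""
    b = parse_bpb(sector)
    problems = []
    if b["jump"] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {b['bytes_per_sector']}")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if b["reserved_sectors"] == 0:
        problems.append("zero reserved sectors")
    if b["fat_count"] not in (1, 2):
        problems.append(f"FAT count {b['fat_count']}")
    if b["media_descriptor"] < 0xF0:
        problems.append(f"media descriptor {b['media_descriptor']:#04x}")
    if b["sectors_per_fat"] == 0 or b["sectors_per_track"] == 0 or b["heads"] == 0:
        problems.append("zero sectors per FAT, sectors per track, or heads")
    if b["signature"] != 0xAA55:
        problems.append("missing 55 AA signature")
    return problems

def make_sector(bpb_bytes: bytes) -> bytes:
    """Build a constructed 512-byte sector: JMP, OEM name, the BPB, padding, 55 AA."""
    body = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb_bytes
    body += b"\x00" * (510 - len(body))
    return body + b"\x55\xAA"

# Constructed sample 1: a standard 1.44 MB diskette BPB (512 bytes per sector,
# 1 sector per cluster, 1 reserved sector, 2 FATs, 224 root entries, 2880
# sectors, media F0h, 9 sectors per FAT, 18 sectors per track, 2 heads).
CLEAN_BPB = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
CLEAN_SECTOR = make_sector(CLEAN_BPB)

# Constructed sample 2: the same sector with sixteen bytes of ordinary
# boot-loader prologue code written over the BPB, the way a virus that keeps
# its code there would leave it.
DAMAGED_SECTOR = bytearray(CLEAN_SECTOR)
DAMAGED_SECTOR[11:27] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\x8E\xD8\xBE\x00\x7C\xB9\x00"
DAMAGED_SECTOR = bytes(DAMAGED_SECTOR)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("damaged", DAMAGED_SECTOR)):
        print(name + ":", bpb_problems(sec) or "BPB looks sane")
```

The check only makes sense on a sector read from a clean machine: as the text explains, on an infected machine the resident virus hands back the original, clean sector, so the parser would see nothing wrong.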
Misis contains several phrases of Russian text. These are not
comprehensible on machines without a Russian screen driver. Translated
to English, the texts read approximately as:
Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov
Soft 236-25-35. "Zharinov" come!.. Database NIKA!
Go away from computer! Work for programmers! Fame to Lozinsky!
Were you warned by the Surgeon General?! Pray all...
Lozinsky is a well-known Russian antivirus expert. The virus contains
an activation routine, which causes some of the above-mentioned texts
to be displayed in the upper left corner of the screen. On western
machines, these messages show up as garbage. The texts are displayed
in yellow blinking colour on brown background. The virus triggers
every 16th time the boot sector is accessed.
The Misis virus displays Russian comments in the upper-left
corner of the screen
The Misis virus was originally known as Zharinov. The name was changed
when it was found out that Zharinov is the name of a professor at the
MISiS, and that the virus was most likely written by one of his
students. Mr. Zharinov himself obviously has nothing to do with this
F-PROT Professional detects the Misis virus.
Dinamo is another Russian boot sector virus. It has been found in the
wild in Europe and Asia. Reports of Dinamo have been received from
Hong Kong, China and Denmark. The virus infects MBRs and diskette boot
records in the same manner as the Quox and Misis viruses. Unlike them,
however, Dinamo is not a stealth virus.
The virus gives the only visible sign of its presence if it encounters
an error while reading the boot sector. Then it will display the
following text and beep the speaker three times:
This text is encrypted with a XOR BDh operation, but the virus is not
F-PROT Professional detects the Dinamo virus.
Finnish Sprayer
Finnish Sprayer was first found in Finland in December 1993.
Thereafter, it quickly became very widespread, emerging all over
Finland. Later on, this virus has also been found in Sweden, Russia
Finnish Sprayer operates as a normal boot sector virus, infecting
floppy boot sectors and hard disk MBRs. It contains the following
Tks to B.B, Z-VirX ..... [Aija]
Finnish Sprayer is two sectors long. It stores the original boot
sector and its own code on the last sectors of the active partition.
The virus will not infect a hard disk if the active partition's file
system is not DOS. This means that PCs running, for example, OS/2,
Novell DOS with HD password protection, Windows NT or some UNIX
variant will not be infected.
Finnish Sprayer uses stealth techniques, which means that it cannot be
found from the MBRs of hard disks while it is active in memory.
The virus activates on the 25th of March, which, in Finland, is the
name day of Aija. Aija, which is a girl's name, is referenced twice in
the virus code. When the virus activates, it overwrites random sectors
of the active partition, changes the screen background to grey, and
displays the following text:
FINNISH_SPRAYER.1. Send your painting +358-0-4322019 (FAX), [Aija]
This text is not visible inside the virus code, for it is encrypted
with a XOR 50h operation. The phone number belongs to the Finnish
House of Parliament - which received tens of faxes during this year's
In Finland alone, the virus is reported to have activated on
approximately two hundred PCs - and the total number of infected
machines rises to several hundreds. These numbers are quite amazing,
because the virus was first found only a couple of months ago.
The Finnish anti-virus organisations have followed the Finnish Sprayer
incident very closely, and this has made it possible to compile
remarkably accurate statistics of the incident. We have attached one
of these statistics here: a map of Finland with markers showing the
locations where this virus was found.
F-PROT Professional detects the Finnish Sprayer virus.
News In Short
Two new Macintosh viruses discovered
During the last months, there have been two new Macintosh virus
sightings. The new viruses are INIT9403 and INIT-29-B. INIT9403 has a
destructive activation mechanism: after infecting a certain number of
files, it erases the disks connected to the system and attempts to
destroy disk information on all connected hard drives. For finishing
touches, it attempts to completely erase the boot volume.
All major Macintosh antivirus products have been upgraded to handle
these viruses. Contact your local F-PROT Professional support for a
free copy of the Disinfectant 3.4.1 antivirus software to protect your
Virus Bulletin 1994 conference is coming
Virus Bulletin, a UK-based publication focusing on computer virus
prevention, recognition and removal, is gearing up for its annual VB
Conference. This year's conference will be held on the 8th and 9th of
September in Jersey, UK.
For the first time, this year's conference will feature an exhibition
of anti-virus products. And as usual, a large number of experts will
present their papers on current topics in the antivirus field. This year's
o Vesselin Bontchev (University of Hamburg, Germany)
o Steve White (IBM, USA)
o Jeremy Gumbley (F-PROT Support of Symbolic, Italy)
o Alan Solomon (S&S International, UK)
o Joe Wells (Symantec, USA)
o Mikko Hypponen (F-PROT Support of F-Secure, Finland)
o Jan Hruska (Sophos, UK)
o Sara Gordon (Indiana University, USA)
For more information, contact Virus Bulletin at +44 235 531889, e-
Malware floating in BBSs
As usual, the BBS scene has been plagued by the occasional trojan
horse or two. At least two widespread cases have occurred during the
last few months.
In the beginning of March, a file called NOVADEMO.ZIP was uploaded to
several European BBSs. The file was described as containing "a new
amazing demonstration". Amazing it was indeed. The unsuspecting users
found out that, instead of showing graphical patterns, the program
copied its own code over all other executable files it could find. The
program was classified as an overwriting virus, and F-PROT
Professional now recognizes it as HLLO.Novademo. The program also
contained the following text: "This is Dangerous Messanger, and here
is my message to the world". Another version of this piece of malware
seems to be floating around in a file called !BBS_AD.ZIP.
At the start of April 1994, another harmful program was spread via
BBSs. This time an existing application, the Galaxy Music Player, was
trojanized. The trojanized program claimed to be the version 2.06 of
Galaxy Music Player, but it proved to be a simple trojan horse, which
attempted to overwrite part of the hard disk when run. In order to
gain enough time to do as complete a destruction as possible, the
trojan started by displaying an initialization message. This trojan
contained several texts like "Hello F...ing Rasist !!! Try your
harddrive now." and "HD-VIPER BY PHROPHET PHARAKHAN OF C.O.N.E '94".
The author of this trojan also showed a twisted sense of humour: a
questions-and-answers text file included in the archive had been
modified to contain one additional question:
Q: Why i got message 'INVALID MEDIA TYPE' after running GLX ?
A: Because this is fake production to nail same lamers. Coded by
Phrophet Pharakhan of C.O.N.E.H '94.
Common Questions and Answers
If you have questions about data security or antivirus issues, please
contact your local F-PROT distributor. You can also contact Data
Fellows Ltd. directly at the number 358-0-692 3622. Written questions
can be mailed to: F-Secure Ltd, F-PROT Support, Wavulinintie 10,
00210 HELSINKI, Finland. If you prefer e-mail, the address in Internet
is: F-PROT@DF.elma.fi, and in X.400: S=F-PROT, OU1=DF, O=elma, P=inet,
After installing F-PROT Professional and executing VIRSTOP.EXE, I
received the message "VIRSTOP.EXE has been modified - reboot from a
clean disk!" What has happened?
For some reason, VIRSTOP did not pass its self-check. There are two
1) Either your diskette or diskette drive is faulty, and this
has caused the VIRSTOP.EXE file to be corrupted during the
copying process. Try to install the program on another
computer. If that doesn't help, ask for a new floppy from
your local F-PROT Professional support. Try to execute
F-PROT.EXE, which is also self-checking.
2) Your computer's memory contains a virus, which has infected
the VIRSTOP.EXE file either when it was copied or when it
was executed. Again, see what happens if you execute
F-PROT.EXE. You may also want to compare the contents and
the file size of the VIRSTOP.EXE file to the same file on
the write-protected distribution diskette. Boot the machine
from a clean DOS diskette and execute F-PROT from the
installation diskette to check your hard drive.
I have an HP48 pocket computer, and I have heard that there are viruses
which are able to infect them. Is this true?
Yes it is. It sounds unbelievable that these little computers
which look like pocket calculators could actually have a virus
problem, but there are currently several different viruses which
infect the HP48 series.
One of the HP48 viruses that has been found in the wild is
called Michigan. It was probably written in the USA. The original
version of this virus only displayed error messages like
"Defective ROM", but later variants have destructive routines
added to them. There are also several different HP48 viruses
which originate in France. Contact your local HP48 user group
for antivirus tips and utilities.
Our users like the way F-PROT Professional for Windows adds new
quick-access icons to Program Manager for scanning floppies. However, on
slower machines the memory test takes longer than the actual floppy
scan. Is it really necessary to scan the memory every time a
quick-access icon is clicked?
If your users are already running scheduled checks on their
local drives, it is not necessary to perform the memory check
before every scan. There are two ways to bypass the check.
Your users can start the actual F-PROT for Windows application
and keep it minimized. When they want to check a floppy, they
can enlarge the application and click the appropriate toolbar
button. F-PROT for Windows will only check the memory when the
first scan is made.
Another way is to directly modify the properties of the
quick-access icons. Select an icon, and open its Properties
dialog by choosing the command File/Properties in Program
Manager. In the dialog, add the switch /NOMEM to the end of the
command line. After this, the memory check is automatically
bypassed when the icon is clicked. It is not recommended to
disable the memory check for the Check hard drive icon, though.
Properties dialog of an F-PROT for Windows task file
Feature: Polymorphic Generators
The rise of polymorphic viruses can be seen as virus writers' response
to the increasing expertise of virus scanners. Since properly built
scanners can recognise viruses by their characteristic code, the
obvious way to try to beat scanners was to design viruses that change
their code, thus rendering recognition with search strings impossible.
Polymorphic viruses employ code alteration and encryption to hide
themselves from scanners. Their usual tactic is to encrypt the main
part of their code with a variable key and leave only the decryption
executor unencrypted. The decryption code is altered during every
infection to prevent detection with a search string.
However, it takes considerable skill to design a polymorphic virus.
This kept the number of true polymorphic viruses quite small for a
relatively long time. Of course, this couldn't last forever: at some
stage, the heavyweights of the virus trade took notice and came to
rescue their less skilled brethren by writing and distributing
Polymorphic generators are routines which can be linked to existing
viruses. The generators are not viruses per se; their purpose is to
hide actual viruses under the cloak of polymorphism.
The first all-purpose polymorphic generator was the Mutation Engine,
or MtE. Published in 1991, capable of billions of different
permutations, linkable to any virus, it heralded the age of instant
polymorphism. Today, there are 33 different viruses which are known to
use the MtE.
Other polymorphic generators followed in MtE's wake. The next two
appeared late in the year 1992. They were the TridenT Polymorphic
Engine (TPE) and NuKE Encryption Device (NED).
TPE was written in the Netherlands. In principle it is capable of
producing a smaller number of different permutations than the MtE.
However, it created detection problems for antivirus products because
the decryptors it creates are more generic than those produced by MtE.
NuKE's generator wasn't quite as advanced, but unlike most other
polymorphic generators, it was distributed as readable source code
instead of an object module.
Other known polymorphic generators are Dark Angel's Multiple Encryptor
(DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation
Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark
Slayer Confusion Engine (DSCE).
These generators are typically distributed via underground networks,
virus exchange BBSs and private areas in the internet.
Operating Principles
Polymorphic generators are code modules which a programmer can
incorporate into a program. After this, the program can use the
functions the code module contains. This process is called linking.
Once a generator is linked to a virus, it becomes an intrinsic part of
the said virus. The virus will thereafter carry the engine along while
It should be noted that the generator itself does not care what
kind of program it is linked to. The known polymorphic generators
are clearly written to be linked to viruses, but in principle they
could be used in other kinds of programs as well.
When a virus that employs a polymorphic generator is infecting a
program file (or some other object), it requests the generator to
create an encrypted copy of the virus code and the generator itself.
Besides performing the encryption, the generators also create a
decryptor - a routine which is able to undo the encryption applied to
the actual virus code.
The generators often use relatively simple encryption techniques.
However, they do change the encryption key during every execution.
This alone makes the detection of such a virus difficult, but
encrypted viruses retain one Achilles heel: the decryption routine,
which must remain unencrypted if it is to be executable. Thus, the
true effectiveness of a polymorphic generator is measured by its
ability to mutate the decryption routine.
All polymorphic generators need some kind of a randomisation routine
in order to create different algorithms each time. Some of the
generators allow the virus programmer to substitute his own
randomisation routines instead of the original one.
Polymorphic generators are able to create completely different
encryption methods and a wide variety of different decryption routines
for them. They modify their decryption routines by such means as
shifting the commands inside the routine around, adding ineffectual
commands in random places and using different processor registers and
The basic idea is to make the binary image of the decryption routine
totally different between different infections. All this makes it
impossible to search for the decryption routine with fixed search
strings - there is no search string that could always be found in
infections made by a polymorphic virus.
How does a virus using a polymorphic generator infect a file?
1. A clean file before the infection. We'll call this the
2. The virus starts the infection process by modifying the
victim file's first commands. It replaces them with a
command to jump to the end of the file. The original first
bytes of the file are stored in the virus's body.
3. Next, the virus calls the polymorphic generator to create an
encrypted copy of the virus code and the generator itself.
The generator also creates a decryption routine, which is
added to the end of the victim file.
4. The encrypted code is added to the end of the victim file.
This encrypted section contains three parts: a copy of the
actual virus code, the original first bytes of the victim
file, and the code of the polymorphic generator.
When the first polymorphic generators were found, it was feared that
there would be a huge rise in the number of polymorphic viruses.
However, these generators have not proved as popular as was originally
thought - only about one hundred viruses are known to use a generator.
One of the reasons for this is that a generator must be linked to the
program to be encrypted, and since the operation requires changes to
the program itself, some programming experience is necessary. This
alone places the generators out of the reach of the run-of-the-mill
virus enthusiasts. Unfortunately, the generators usually come with
detailed instructions on their use, so that virus aficionados with
even limited experience of assembly programming can easily use them.
Another limitation is the generators' size. Although the generators
are quite small in themselves, they do increase the size of viruses by
some amount. This makes it difficult to link them to boot sector
viruses, which have limited code space. No generator-masked boot
sector viruses have been found. With the exception of V-Sign (a mildly
polymorphic boot sector virus), polymorphic capabilities seem to be
the privilege of file viruses.
Of course, the advantage that viruses get from polymorphic generators
is somewhat questionable. If an anti-virus program is able to
recognise the presence of a particular generator, it is usually able
to detect all viruses masked by it.
Despite the cunning nature of polymorphic generators, viruses masked
by them can be detected by using proper tools. Antivirus programs
often employ algorithmic means to recognise files infected by
polymorphically hidden viruses. Another way to find such viruses is to
use checksumming. It is also possible to try to solve the encryption
and search for the virus underneath the encryption layer.
Algorithmic methods
Algorithmic methods are based on the fact that however much a
generator mutates the decryption routine, it must still contain
certain programming structures which make the decryption possible. If
a program file contains such structures, the antivirus program can say
with sufficient certainty that the file is infected by a
polymorphically cloaked virus.
As polymorphic generators vary a lot, a different algorithm is needed
for each generator - and in order to build such an algorithm, the
generator will have to be studied closely.
However, the algorithmic methods have a certain weakness: they are
prone to false positives. The program structures employed by
polymorphic generators can be very random. This means that similar
structures sometimes occur inside legitimate program code. False
alarms may crop up especially if data files are also included in the
search, because they typically contain data similar to the random
'garbage-code' which the generators produce. It is relatively easy to
create an algorithm that will find all infections created with a
polymorphic engine, but if the algorithm also flags a large
number of clean programs as infected, it is useless.
Checksums are comparison values calculated from the executables in a
system. These values are stored in a database. When a checksum search
is made, the checksums are re-calculated and compared with the
original values in the database. Since this method detects all changes
to a system, the mutability of polymorphically hidden viruses does
them no good; a change is a change, and thus detectable.
Checksumming has its drawbacks, too: checksummers suspect all changes
that happen inside a system, and occasionally give warnings of
ordinary programs which alter their own code. Nowadays, checksummers
are usually equipped with an exclude-list and a heuristic faculty to
prevent this from happening.
Although theoretically able to detect all changes to a system,
checksummers are vulnerable to stealth viruses. If such a virus is
active in a computer's memory, it is able to hide all the changes it
has made. When stealth viruses are involved, checksummers base their
calculations on false data, and will consequently find everything to
be in order. It should be noted that polymorphic viruses which also
stealth their presence are very rare, simply because they are
technically difficult to create.
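The following Python script is an added example of the checksumming approach described above; it is not F-PROT's checksummer. It records a digest for every executable under a directory, later recomputes them, and reports what has changed, vanished or appeared, with an exclude list for programs known to rewrite themselves. The directory, file names and contents in demo() are constructed for the demonstration.

```python
# Added example (not F-PROT's code): a minimal integrity checker.  A baseline
# of SHA-256 digests is taken on a clean system; later runs recompute the
# digests and report every changed, missing or new executable.  A change is a
# change, however polymorphic the code that caused it.
import hashlib
import json
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".ovl")

def digest_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str, exclude=()) -> dict:
    """Map each executable's path (relative to root) to its digest,
    skipping paths on the exclude list (e.g. legitimately self-modifying programs)."""
    excluded = {e.lower() for e in exclude}
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel.lower() in excluded:
                continue
            baseline[rel] = digest_file(os.path.join(dirpath, name))
    return baseline

def save_baseline(baseline: dict, db_path: str) -> None:
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(db_path: str) -> dict:
    with open(db_path) as f:
        return json.load(f)

def verify(root: str, baseline: dict, exclude=()) -> dict:
    """Recompute the digests and compare them with the stored baseline."""
    current = build_baseline(root, exclude)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: baseline a directory, alter it, then verify."""
    exclude = ["SELFMOD.EXE"]          # hypothetical program that rewrites itself
    with tempfile.TemporaryDirectory() as root:
        files = {"GAME.EXE": b"MZ game", "EDIT.COM": b"\xE9 editor",
                 "SELFMOD.EXE": b"MZ config=0", "README.TXT": b"not an executable"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        db = os.path.join(root, "CHECKSUM.DB")
        save_baseline(build_baseline(root, exclude), db)

        # Simulated events after the baseline was taken:
        with open(os.path.join(root, "GAME.EXE"), "ab") as f:
            f.write(b"\x00" * 476)                 # file grew, as with an appending infector
        with open(os.path.join(root, "SELFMOD.EXE"), "wb") as f:
            f.write(b"MZ config=1")                # legitimate self-modification, excluded
        with open(os.path.join(root, "DROP.COM"), "wb") as f:
            f.write(b"\xE9 new program")           # a new executable appeared
        os.remove(os.path.join(root, "EDIT.COM"))  # an executable vanished

        return verify(root, load_baseline(db), exclude)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note that the checker trusts whatever the operating system returns when it reads a file. As the text above points out, a resident stealth virus can feed it the original, clean contents, so the baseline must be taken and the verification run after booting from a clean, write-protected diskette.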
Decryption-based detection
The decryption-based detection of polymorphic viruses works by first
reasoning whether the examined object is encrypted. If the object
seems to warrant suspicion, generic decryption methods are applied to
it, and a string-based search is done on the code found underneath the
This method works against some polymorphic generators with great
success, but is difficult to implement for others.
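As an added illustration (not part of the bulletin and not F-PROT's own code), the following Python script performs the simplest form of decryption-based detection: the single-byte XOR case. The Finnish Sprayer message quoted earlier is stored in the virus XORed with 50h, so a plain string scanner never sees it; trying every key and searching the result for a known plaintext signature recovers it. The sample buffer is constructed, the Finnish Sprayer string and key are those the bulletin states, and the second signature and its BDh key are constructed placeholders.

```python
# Added example (not from the F-PROT bulletin): decryption-based detection for
# text hidden under a single-byte XOR.  Every one of the 256 keys is tried and
# the decrypted buffer is searched for known plaintext signatures.  Key 0 is the
# identity, so unencrypted copies are found too.  A hit is only reported when a
# whole signature matches, which is what keeps the false alarm rate low.

MIN_SIGNATURE_LENGTH = 8   # short signatures match random data far too often

# Signatures: name -> plaintext that must appear after decryption.  The first
# is quoted from the bulletin; the second is a constructed placeholder.
SIGNATURES = {
    "Finnish_Sprayer text": b"FINNISH_SPRAYER.1.",
    "Example_Trojan text (constructed)": b"EXAMPLE TROJAN BANNER",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def scan_single_byte_xor(buffer: bytes, signatures: dict) -> list:
    """Return (signature name, key, offset) for every signature found under
    any single-byte XOR key, including key 0 (plaintext)."""
    for name, sig in signatures.items():
        if len(sig) < MIN_SIGNATURE_LENGTH:
            raise ValueError(f"signature {name!r} is too short to be reliable")
    hits = []
    for key in range(256):
        plain = xor_bytes(buffer, key)
        for name, sig in signatures.items():
            offset = plain.find(sig)
            while offset >= 0:
                hits.append((name, key, offset))
                offset = plain.find(sig, offset + 1)
    return hits

# Constructed sample "sector": a JMP and filler, the Finnish Sprayer message
# under XOR 50h (as the bulletin states), more filler, and a constructed
# banner under XOR BDh.
SPRAYER_TEXT = b"FINNISH_SPRAYER.1. Send your painting +358-0-4322019 (FAX), [Aija]"
SAMPLE = (
    b"\xEB\x3C\x90" + b"\x00" * 29
    + xor_bytes(SPRAYER_TEXT, 0x50)
    + b"\x90" * 16
    + xor_bytes(b"EXAMPLE TROJAN BANNER", 0xBD)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, key, offset in scan_single_byte_xor(SAMPLE, SIGNATURES):
        print(f"{name}: key {key:#04x} at offset {offset}")
```

Real polymorphic decryptors use varying instructions, registers and key schedules rather than one fixed XOR byte, which is why the bulletin describes generic decryption as easy for some generators and hard for others; the structure of the check, however, is the same: undo the encryption, then search the plaintext.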
What is the best solution?
Checksumming is the strongest method against polymorphic viruses - as
long as the machine is clean when the checksummer is installed, and
the virus is not falsifying the information received by the
checksummer. Checksummers will also detect those polymorphic (and
normal) viruses that have not yet been analysed.
The algorithm-based detection mechanisms against polymorphic viruses
tend to have problems with false alarms, but these can be overcome by
designing the detection engine carefully. One advantage of
algorithm-based detection is that, once a detection engine is able to detect a
certain polymorphic generator, it will probably detect all viruses
A decryption-based detection mechanism can only detect those
polymorphic viruses that have been analysed by the creator of the
antivirus product, but it is very unlikely to produce false alarms.
Furthermore, such a mechanism is also able to detect the exact variant
of the virus in question - this is something that most algorithm-based
detection methods are unable to do.
Thus far found...
The following are brief descriptions of the polymorphic generators
that have been found to date. The generators usually come with
introductory notes which explain their use, and in which the authors
seek to justify themselves, for example by prohibiting the use of
their products in viruses, by trying to explain why polymorphic
generators are beneficial, necessary and generally morally uplifting,
or by giving the by now well-established lecture about free speech and
freedom of expression. Since many of the generators' authors are
members of well-known virus groups, these disclaimers can be seen as
MtE (Mutation Engine)
Mutation Engine was the first polymorphic generator, written by
the Dark Avenger. MtE was put into circulation in 1991. It is
the most widespread polymorphic generator, and has been
incorporated into 33 different viruses.
Though revolutionary in its time, Mutation Engine is currently
somewhat outdated. Practically all anti-virus products can
detect MtE-hidden viruses. Nevertheless, MtE continues to be a
source of inspiration for people aspiring to write polymorphic
generators - for example, almost all generators written after
MtE mimic the documentation provided with MtE.
MtE v0.91's size is 2048 bytes.
TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine)
TPE was written in 1992 by Masud Khafir, a Dutch member of the
TridenT virus group. Before and after TPE, Masud Khafir has
created several advanced viruses. Among them are the first
Windows virus, Win_Vir, the Cruncher virus series, and one of
the most widespread viruses using MtE, the MtE.Pogue virus. TPE
itself is based on the encryption routine of Masud Khafir's
Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A.
To date, four versions of TPE have come out. The author has
implied that he considers the product finished, and will not
write further versions. The later versions of TPE are highly
complex, making it one of the most advanced polymorphic generators
in the world.
TPE version 1.1 was technically advanced, but it contained bugs
which made it incompatible with some processor types. Versions
1.2 and 1.3 corrected this problem. The last version, 1.4,
introduced an improved, highly complex encryption method, which
makes TPE-hidden viruses difficult to identify by using
decryption-based detection methods.
A separate, modified version of TPE has also appeared. It is
known as the Darwinian Genetic Mutation Engine (DGME). DGME was
published in Mark Ludwig's latest disputed book 'Computer
Viruses, Artificial Life and Evolution'.
TPE takes up about 1.6 KB. Presently, it is known to be linked
to 10 different viruses.
NED (NuKE Encryption Device)
NED, the first polymorphic generator from the USA, appeared at
approximately the same time as TPE. According to the
generator's documentation, it was released in October, 1992.
Nowhere Man is credited as being the author of this generator,
but there have been suspicions that it is actually written by
some other programmer. Nowhere Man is the author of NuKE's
Virus Creation Laboratory, the VCL.
Unlike most other polymorphic generators, NED was distributed
as source code. This, of course, makes it easier for other
virus creators to modify the generator, but so far only a
single version of NED has been found. The generator's
documentation expressly forbids its distribution outside NuKE
itself, but it has obviously been in wide distribution.
NED version 0.90B takes up 1355 bytes. It is known to have been
linked to two different viruses.
DAME (Dark Angel's Multiple Encryptor)
Naturally enough, Phalcon/SKISM didn't want to be upstaged by
NuKE. In 1993, this virus group, which originates from Canada,
joined the fray with Dark Angel's Multiple Encryptor, DAME. The
new generator's name may have been meant as a dig at some
members of the anti-virus community, who had been using the
name DAME for Dark Avenger's Mutation Engine, MtE.
Dark Angel published his generator during the summer of 1993 in
issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has
also written the two virus creation toolkits published by
Phalcon/SKISM, the PS-MPC and G2.
Like NED, DAME was distributed as commented source code. Along
with the generator, Dark Angel published an article which dealt
with polymorphism and the writing of polymorphic generators in
Dark Angel was apparently not completely satisfied with his
initial product, because he introduced an improved version of
DAME in the next issue of 40Hex.
The first version of DAME, 0.90, took up 1574 bytes. The
improved 0.91 version had grown to 1960 bytes. DAME is known to
have been linked to two different viruses.
DSME (Dark Slayer Mutation Engine)
DSME was the first polymorphic generator from Taiwan. It was
written by a person calling himself Dark Slayer. DSME was
published at the end of 1993.
Interestingly, DSME contains documentation both in English and
Chinese. The author sends greetings to Dark Avenger and Nowhere
Man and thanks for the inspiration he received from earlier
DSME is not as advanced as the generators produced before it.
Dark Slayer admits this in his notes. The actual size of the
generator is little over 2 kilobytes.
At the moment, only one virus is known to use the DSME.
In the beginning of 1994, a new author entered the stage.
Calling himself MnemoniX, this American virus writer proudly
presented a new generator called MutaGen.
At the moment, there are four different versions of MutaGen in
distribution. Each successive version is more complex than the
previous ones. Their sizes range from 1032 bytes to 1385 bytes.
In MutaGen's documentation, MnemoniX criticizes the other
polymorphic generators for being too unreliable and easy to
MnemoniX himself has published two different viruses which
utilise the MutaGen generator, but otherwise the response of
the virus underground to this new generator is unknown.
GPE (Guns'n'Roses Polymorphic Engine)
The Guns'n'Roses Polymorphic Engine is a newcomer, written by a
person calling himself Slash Wu. Like the Dark Slayer Mutation
Engine, this generator originates from Taiwan - and it only
comes with Chinese documentation.
In the generator's documentation, the author prohibits the use
of the generator in viruses and other malicious software. He
claims to have developed GPE solely for the purpose of
protecting data and programs from unauthorised use. These
claims are lent some credence by the fact that the author has
included his apparently real name and phone number in the
Version 1.00 of the Guns'n'Roses Polymorphic Engine was
released in March 1994. So far, the generator is not known to
have been linked to any virus. Its size is about two
DSCE (Dark Slayer Confusion Engine)
There is at least one polymorphic generator which has so far
eluded the antivirus researchers. The one that we know of is
called DSCE, and it is written by the same author as DSME.
A file that demonstrated DSCE's abilities was sent to F-PROT
Professional Support during April 1994. Deductions based on
this demo indicate that DSCE is a rewritten version of DSME,
and capable of creating far more complicated samples.
Ethics in Anti-Virus Toolkit Marketing
Anti-virus applications belong to a very special group of programs.
When buying an anti-virus toolkit you might suffer a considerable loss
if you purchase a second-class product. If you compare this to
purchasing a word processor or a disk compression utility, the loss
that results from getting a 3% smaller compression ratio or missing
out on some special indexing options for long text documents is almost
This means that you need to buy one of the best anti-virus utilities.
How do you choose from the multitude of available tools? There are
well over one hundred different anti-virus products in the market.
Even if you represent an extremely large company, you cannot test the
software yourself since you do not have an extensive and up-to-date
Performance tests done against a large and well maintained collection
of viruses give you a good idea of which toolkits are better than
Imagine yourself distributing an inferior anti-virus application. The
position is not enjoyable. You have to convince the customers to buy
your products, knowing all the while that there are much better
products available. Furthermore, you know that if the customer
purchases your product, it is possible that he will suffer a major
loss because of the choice.
This has led some companies to shift from promoting their own product
to badmouthing a competing product. One thing continuously claimed of
F-PROT by one competitor is that the winning test results are due to a
hidden test mode in F-PROT. According to them F-PROT would not find
viruses as well when used normally. This is, of course, technically
absurd and simply false.
There are other possible tactics as well. If you already have a
customer and you do not want him to swap products, you can always
threaten him with legal action.
According to several customers of a certain anti-virus utility, an
agent for the product has threatened them with legal action if a
single copy of the licensed anti-virus programs is found on their
computers after their license has expired. The threat was used when
the customers announced their intention to change to another product.
If you have thousands of computers you have no way of guaranteeing
that you can remove all copies of the software before the specified
date, a fact which the agent naturally realized.
As an F-PROT customer you naturally retain license rights to the last
update that you have received even if the update service expires.
A sad episode
We believe the extremely competitive market situation sheds some light
on a recent course of events in Finland. An ex-employee of a local
representative of a leading anti-virus utility was accused of hacking
into the agent's BBS. Let us call the ex-employee John.
According to John the charges were brought after an unresolved dispute
about unpaid holiday compensations.
John claims that he was told about a possible bug in the agent's BBS
setup by an important customer. The customer contacted John because
the BBS informed every caller that John was still responsible for
technical support for the BBS. The system was originally built by
John, and he decided to check whether a bug existed.
He accessed the BBS using a password belonging to the managing
director of the agent. As the BBS only contained files related to the
anti-virus utility and even the mail feature was disabled the managing
director felt safe using a password composed of three similar letters
(like "XXX"). This was well known by the employees of the company. We
hope that he has already changed his password.
Even though John should never have used anyone else's user id, he did
not stop to think about this. After all, he knew that there was
nothing confidential in the system.
If John has reported the chain of events fully, it makes one wonder
why criminal charges were brought against him. An answer may be found
in the fact that John was employed by us at the time of the alleged
When we heard about the charges being brought against John and after
talking with the managing director of the agent, we decided to fire
John. We decided to do this even though we believed and still believe
his story, because in our line of business we have to be completely
We also informed the agent that we had fired John.
An efficient press campaign
After a few days the truth began to come out. A well orchestrated
press campaign was launched and a couple of articles were printed. In
these articles the managing director of the agent was quoted as saying
something like: "It will be very difficult to determine the extent to
which John's current employer is involved in this theft of
These articles were also faithfully translated and sent to members of
the international press to get more publicity to the suspicions.
No one thought of asking the police whether they had suspicions
against F-Secure. The superintendent in charge of the
investigation would have been happy to reply that at no time during
the investigation had F-Secure been even suspected.
After all this, we saw no choice but to sue the agent for
orchestrating false rumours about our involvement.
At this stage it seems that, if John's story is true, the agent is
happily sacrificing an innocent person's career just to get a couple
of short lived punches in at us.
All of this would be even more depressing if the agent were found to
have actually falsified evidence to support claims about data theft.
This is one of the problems in data crimes. The owner of the
information still has the information after it has been stolen. This
makes it difficult to prove that information has been stolen but it
makes it even more difficult to prove that nothing has been stolen.
If the information system has a log, it will only show that a
legitimate user has visited the system (in this case the managing
director has visited the BBS). It is practically impossible to specify
which login was made by an impostor and which was legitimate if the owner
of the system does not want this to be found out.
Changes in F-PROT Professional 2.12
Changes in F-PROT's DOS version
VIRSTOP's behaviour has changed: it will now beep whenever it finds a
virus. It will not display a separate alarm screen under Windows, but
instead sound an alarm and display the alert text as in DOS.
When the /ANALYSE option is used, F-PROT will no longer report
'Invalid entry point' if a file has some other extension than COM or
EXE - OVL, for example. This reduces the number of unimportant
messages during Heuristic Analysis.
Also the operation of VIRSTOP's /DISK-parameter has been changed. When
this parameter is used, two temporary, hidden files are created:
_VIRSTOP.TMP and _VIRSTOP.SWP. By default, these files are stored in
the root directory of drive C:. Files can be located to another disk
by issuing a drive letter after the /DISK command. For example,
/DISK:E stores the temporary files on drive E:. The temporary drive
should be as fast as possible because it affects the speed of VIRSTOP -
a RAM-drive is a good choice. Due to this change, the VIRSTOP.EXE file
can now be updated or deleted while VIRSTOP is resident with the /DISK-
parameter. VIRSTOP 2.12 allocates 3.7KB of memory with the /DISK
Changes in F-PROT's Windows version
An Update option has been added to the SETUP program.
Memory check now allows multitasking at the same time. A progress bar
has been added to the dialog.
F-PROT could not scan all network or local drives if VIRSTOP was
resident in memory. Instead, it only scanned the first available
drive. This has now been corrected.
The 'Stack overflow' message appeared if very deep directory
structures were scanned. The problem has now been fixed.
If a task with an impossible drive specification was sent over the
network, F-PROT entered a loop state. Now tasks which specify invalid
drives are deleted and a message about this is sent to the
In some cases VIRSTOP would interfere if a diskette infected with a
boot sector virus was scanned. This has been corrected.
If F-PROT is started with a Taskfile's pathname as the first command
line parameter, the task is automatically executed.
Previously, the administrator could not delete protected tasks if they
were sent from another workstation. The administrator is now able to
delete all tasks.
A user-defined message used to be covered by the scanning indicator
dialog, so the message wasn't visible until the scanning dialog was
closed. The matter has been taken care of.
F-PROT can now be launched from F-Agent's system menu.
F-Agent's polling interval can now be adjusted from F-PROT's
F-PROT can now install icons directly in Program Manager: Scan A:,
Scan B: and Scan Hard Disk. These icons can be used to execute
The scanning dialog now displays some informational messages during
scanning, and a summary after the scan is finished.
Even when a task was distributed with the 'Prevent aborting scan'
option, an end user was able to abort the scan. No more.
Disinfection capabilities have been added to F-PROT for Windows.
Nevertheless, we still recommend booting from a clean diskette and
using F-PROT for DOS to clean infections on the local hard drive.
Occasional sharing violation errors on the network drive have been
F-PROT now supports the dragging and dropping of files and directories
on top of the F-PROT or F-Agent icon. The dropped objects will be
F-PROT now supports multitasking during the initial memory test.
Changes in both DOS and Windows versions
The identification of boot sector viruses has been improved
significantly. F-PROT performs an exact identification of most boot
sector viruses it detects. Previously, it would refuse to remove
variants that differed by as little as one bit from the original
virus, while other programs which did not do as good an identification
would happily remove the virus. F-PROT now attempts to determine
whether a new boot sector virus is sufficiently similar to a known
variant for disinfection to be carried out.
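As an added illustration (not F-PROT's own code) of the exact-identification versus near-variant decision described above, the following Python compares a constructed 512-byte "known variant" image against sample boot sectors. The diff threshold and the idea of critical byte ranges the disinfector depends on (here, the field recording where the original boot sector was hidden) are assumptions of this example.

```python
# Added example: exact identification vs. tolerated near-variant of a
# boot sector virus.  All byte images are constructed toy data.

SECTOR_SIZE = 512


def byte_diffs(reference: bytes, sample: bytes) -> list[int]:
    """Return the offsets at which two equal-length sector images differ."""
    if len(reference) != len(sample):
        raise ValueError("sector images must have equal length")
    return [i for i, (a, b) in enumerate(zip(reference, sample)) if a != b]


def classify_boot_sample(sample, reference, critical_ranges, max_diffs=8):
    """
    Decide how a detected sample relates to a known variant.

    critical_ranges: (start, end) byte ranges the disinfector relies on.
    A change inside one of them means the data needed to restore the
    original boot sector cannot be trusted, so removal is refused.
    Returns 'exact', 'near-variant' or 'new-or-modified'.
    """
    diffs = byte_diffs(reference, sample)
    if not diffs:
        return "exact"
    if len(diffs) > max_diffs:
        return "new-or-modified"
    for off in diffs:
        if any(start <= off < end for start, end in critical_ranges):
            return "new-or-modified"
    return "near-variant"


def patched(image: bytes, offset: int, value: int) -> bytes:
    """Return a copy of image with one byte replaced (builds test samples)."""
    b = bytearray(image)
    b[offset] = value
    return bytes(b)


# Constructed "known variant": a jump, a text string, a 3-byte field at
# 0x1F0 (sector, head, track where the original sector was hidden) and
# the 55AA boot signature.  Hypothetical layout, not a real virus.
KNOWN = bytearray(b"\xEB\x3C\x90" + b"\x00" * (SECTOR_SIZE - 3))
KNOWN[0x40:0x58] = b"Constructed test virus!!"
KNOWN[0x1F0:0x1F3] = bytes([0x01, 0x00, 0x07])
KNOWN[0x1FE:0x200] = b"\x55\xAA"
KNOWN = bytes(KNOWN)
ORIGINAL_SECTOR_FIELD = [(0x1F0, 0x1F3)]

# Constructed samples exercising each outcome.
EXACT = KNOWN
ONE_BIT = patched(KNOWN, 0x41, KNOWN[0x41] ^ 0x20)   # 'o' -> 'O' in the text
MOVED_FIELD = patched(KNOWN, 0x1F2, 0x09)            # track number altered
HEAVY = bytes(b ^ 0xFF if 0x60 <= i < 0x80 else b for i, b in enumerate(KNOWN))

if __name__ == "__main__":
    for name, img in [("EXACT", EXACT), ("ONE_BIT", ONE_BIT),
                      ("MOVED_FIELD", MOVED_FIELD), ("HEAVY", HEAVY)]:
        print(name, classify_boot_sample(img, KNOWN, ORIGINAL_SECTOR_FIELD))
```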
If a virus is damaged because the file it infects has, for one reason or
another, been shortened by a few bytes, F-PROT will now report '-
truncated (xxx bytes missing)', instead of reporting just 'New or
modified variant of ...'. This situation is very rare under normal
circumstances. However, the function may interest researchers who have
corrupted samples in their collections.
Previously, F-PROT would not detect all Cysta.8045-infected .SYS
files. This has now been fixed.
The Stoned.Angelina virus could not be identified properly on 3.5"
diskettes. The problem is now corrected.
Voronezh.1600-infected files were not always disinfected correctly.
They are now.
The following false positives do not occur any more. The 'Tamanna'
false positive appeared in 2.11. The others were present in older
versions of F-PROT as well, but had not been reported to us before.
'Possibly a new variant of Tamanna' in PWLICLMT.EXE (part of a beta
release of DEC Pathworks).
'Possibly a new variant of Cysta' in KBDF.COM (Turkish keyboard
'Possibly a new variant of SillyOR' in a program named TRAPKEY.EXE.
'Leprosy' in a program named OPENPORT.COM. This false alarm occurred
only with VIRSTOP and Quick Scan.
New viruses detected by F-PROT 2.12
The following 57 viruses are now identified, but cannot be removed as
they overwrite or destroy infected files. Some of them were detected
by earlier versions of F-PROT, but only reported as "New or modified
F-PROT can detect and remove the following 443 new viruses. Earlier
versions of F-PROT could detect many of these viruses. Now they are
also identified accurately.
Ash 712 1586
Ear Job Homecoming
Praying 579 587
The following 58 new viruses can now be detected but not yet removed.
F-PROT's earlier versions could detect the following viruses. Now they
can also be removed.
The following viruses have been renamed in order to make F-PROT follow
the CARO naming standard as closely as possible. Also, the _758 and
Gemand viruses have been moved into the Hungarian_Andromeda virus
_1068 -> Spinner
_1417 -> Spanish_Fool
_1441 -> Sum
_1588 -> Distrust
_1784 -> Three_Tunes
_2000 -> Alphastrike
Anticlr -> Anti-Clerical
Commonwealth -> CIS
Dos1 -> Dos_1
Error_412 -> Runtime
Groz -> Grozny
Inoc -> Inoculation
Krusha -> Khrusha
Micro-128 -> Micro
NGV -> Genvir
QMU.1513 -> QMU
Quit-1992 -> Quit
Satwar -> Satanic_Warrior
Simple -> Simple_Minded
Talking_Heads -> No_Party
Tula.419 -> Tula
V-1920 -> Dostepu
This file may not be placed to be available for download in a system which
allows users to access live computer viruses, source codes for viruses, or
instructions for generating a new virus. Also, the guys in 'Immortal Riot'
virus group are specifically *not* granted a right to publish any parts of
this document in their own, virus-related publications. Thank you.
F-PROT Professional Support < firstname.lastname@example.org >