Threat Description



Category: Malware
Platform: W32
Aliases: TPE


TridenT Polymorphic Engine

TPE was written in 1992 by Masud Khafir, a Dutch member of the TridenT virus group. Before and after TPE, Masud Khafir has created several advanced viruses. Among them are the first Windows virus, Win_Vir, the Cruncher virus series, and one of the most widespread viruses using MtE, the MtE.Pogue virus. TPE itself is based on the encryption routine of Masud Kafir's Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

To date, four versions of TPE have come out. The author has implied that he considers the product finished, and will not write further versions. The later versions of TPE are highly complex, making it one the most advanced polymorphic generators in the world.

TPE version 1.1 was technically advanced, but it contained bugs which made it incompatible with some processor types. Versions 1.2 and 1.3 corrected this problem. The last version, 1.4, introduced an improved, highly complex encryption method, which makes TPE-hidden viruses difficult to identify by using decryption-based detection methods.


A separate, modified version of TPE has also appeared. It is known as the Darwinian Genetic Mutation Engine (DGME). DGME was published in Mark Ludwig's latest disputed book 'Computer Viruses, Artificial Life and Evolution'.

TPE takes up about 1.6 KB. Presently, it is known to be linked to 10 different viruses.

Variant:Girafe (Coffeeshop)

Other:Resident, COM/EXE-files

Girafe was the first virus to use TPE-encryption in its code. It infects COM and EXE files. On thursdays it shows a picture from Cannabis magazine and a text "Legalize Cannabis". Infected files are 2000-4000 bytes longer than original files.

The next text can be found inside Girafe in a crypted form:

    COSCCLVSNEHTTBVIFIGIRAFEMTBRIM       [ MK / Trident ]       Amsterdam = COFFEESHOP!  

See also: Cruncher

Description Details: Mikko Hypponen, F-Secure


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More