
Subject: Polymorphic Virus

Here is a new entry from the Computer Virus Catalog, produced and
distributed by the Computer Anti-Virus Researcher's Organization (CARO),
at the University of Hamburg.
Note the description of the Polymorphic Method, below, and that this
virus can presently be detected in a file only by the file change it
produces.

==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) ===
Entry...............: Dedicated Virus
Alias(es)...........: ---
Virus Strain........: ---
Polymorphism engine.: Mutating Engine (ME) 0.9
Virus detected when.: UK
              where.: January 1992
Classification......: Polymorphic encrypted program (COM) infector,
                      non-resident
Length of Virus.....: 3,5 kByte (including Mutating Engine)
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: COM file growth (no other direct detection means
                      are known as virus encrypts itself, and due
                      to the installed mutation engine, all
                      occurrences of this virus differ widely)
Type of infection...: COM file infector: all COM files in current
                      directory on current drive (disk,diskette)
                      are infected upon executing an infected file.
Infection Trigger...: Execution of an infected COM file.
Media affected......: Hard disk, any floppy disk
Interrupts hooked...: ---
Crypto method.......: The virus encrypts itself upon infecting a COM
                      file using its own encryption routine; upon
                      execution, the virus decrypts itself using
                      its own small algorithm.
Polymorphic method..: After decryption, the virus' envelope consisting
                      of Mutating Engine 0.9 will widely vary the
                      virus' coding before newly infecting another
                      COM file. Due to this method, common pieces
                      of code of more than three bytes (=signatures)
                      of any two instances of this virus are highly
                      improbable.
                      Remark: Mutating Engine 0.9 very probably was
                      developed by the Bulgarian virus writer
                      "Dark Avenger"; such a program was announced
                      early 1991 as permutating more than 4 billion
                      times, and it appeared in October 1991 or
                      before.
                      The class of permutating viruses is named
                      "polymorphic" to indicate the changing
                      structure which may not be identified with
                      contemporary means. To indicate the relation
                      to such common engine, the term "Polymorphic
                      engine (method)" has been introduced.
                      ME 0.9 was distributed via several Virus
                      Exchange Bulletin Boards, so it is possible
                      that other ME 0.9 related viruses appear.
                      According to (non-validated) information,
                      another ME 0.9 based virus (Pogue?) has been
                      detected in North America: COM file infector,
                      memory resident, length about 3,7 kBytes.
Damage..............: Virus overwrites at random times random sectors
                      (one at a time) with garbage (INT 26 used).
Damage Trigger......: Random time
Similarities........: ---
Particularities.....: The virus contains a text greeting a US based
                      female hacker; this text is visible after
                      decryption.
--------------------- Agents -----------------------------------------
Countermeasures.....: Contemporarily, no automatic method for reliable
                      identification of polymorphic viruses known.
- ditto - successful: ---
Standard means......: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Vesselin Bontchev, Klaus Brunnstein
Documentation by....: Dr. Alan Solomon
Date................: 31-January-1992
===================== End of Dedicated Virus =========================
======================================================================
== Critical and constructive comments as well as additions are ==
== appreciated. Descriptions of new viruses are appreciated. ==
======================================================================
== The Computer Virus Catalog may be copied free of charges provided =
== that the source is properly mentioned at any time and location ==
== of reference. ==
======================================================================
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Vesselin Bontchev, ==
== Simone Fischer-Huebner, Wolf-Dieter Jahn ==
== Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.) ==
== Fax: (+40) 54 715 - 226 ==
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de ==
== bontchev@rz.informatik.uni-hamburg.de ==
== FTP site: ftp.informatik.uni-hamburg.de ==
== Address: 134.100.4.42 ==
== login anonymous; password: your-email-address; ==
== directory: pub/virus/texts/catalog ==
======================================================================
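
The entry above lists COM file growth as the only known means of identification, since no stable signature exists. As an added example (not part of the catalog and not a CARO tool), a minimal integrity baseline for COM files that reports any file whose content changed and by how many bytes it grew; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(directory, ext=".com"):
    """Record size and SHA-256 of every file with the given extension."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.lower().endswith(ext) and os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[name] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(baseline, current):
    """Return (name, kind, size_delta) for changed, new and missing files."""
    findings = []
    for name, (size, digest) in sorted(current.items()):
        if name not in baseline:
            findings.append((name, "new", size))
        elif baseline[name][1] != digest:
            delta = size - baseline[name][0]
            # Growth is the symptom the entry names; same-size changes still count.
            kind = "grown" if delta > 0 else "modified"
            findings.append((name, kind, delta))
    for name in sorted(set(baseline) - set(current)):
        findings.append((name, "missing", -baseline[name][0]))
    return findings


def demo():
    """Constructed data: dummy files, one of which gets random bytes appended."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("A.COM", b"\x90" * 100), ("B.COM", b"\xc3" * 40),
                           ("NOTES.TXT", b"text")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        before = snapshot(d)  # baseline taken while files are known clean
        with open(os.path.join(d, "A.COM"), "ab") as fh:
            fh.write(os.urandom(3500))  # constructed stand-in for appended bytes
        return compare(before, snapshot(d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline is only trustworthy if it is taken on a clean system and stored where the monitored machine cannot rewrite it.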
