Name: Nearly An Engine
Creator/Origin: Tornado / Denmark
AKA: NAE
Type: Polymorphic Engine
Known versions:
NAE 1.00 - December 1995
NAE 2.00 - Unknown
Features:
This polymorphic engine was released with issue #2 of PlasmaMag, the E-Zine of the now disbanded virus
writing group Dark Conspiracy. The simple engine is used in
Tornado's Fatal Illusion virus 1.00 and 1.50
Name: NBK Polymorphic Engine
Creator/Origin: NBK
/ Brasil
AKA: NBKPE
Type: Polymorphic Engine
Known versions:
NBKPE - December 1999
Features:
Unknown. The source to this engine was released in Matrix
zine #1.
Name: Nexiv Der Polymorphic Engine
Creator/Origin: Dandler / Unknown
AKA: NDPE
Type: Polymorphic Engine
Known versions:
NDPE - October 1996
Features:
Unknown. The engine is used in the Red Vixen virus by the same author.
Third party analysis:
"The mutation engine isn't perfect, it frequently generates code that
causes the pc to crash during a file infection."
Name: NuKE Encryption Device
Creator/Origin: Nowhere Man / USA
AKA: NED
Type: Polymorphic Engine
Known versions:
NED 0.90B - October 1992
Features:
NED, the first polymorphic generator from USA, appeared at approximately
the same time as TPE. According to the generator's documentation,
it was released in October, 1992. Nowhere Man is credited as being the author
of this generator, but there have been suspicions that it is actually written
by some other programmer. Nowhere Man is the author of NuKE's Virus Creation
Laboratory, the VCL.
Unlike most other polymorphic generators, NED was distributed as source
code. This, of course, makes it easier for other virus creators to modify
the generator, but so far only a single version of NED has been found. The
generator's documentation expressly forbids its distribution outside NuKE
itself, but it has obviously been in wide distribution. NED version 0.90B
takes up 1355 bytes.
It is known to have been linked to two different viruses.
Name: Not Even Near A Polymorphic Engine
Creator/Origin: Rajaat / UK
AKA: NENAPE
Type: Polymorphic Engine ?
Known versions:
NENAPE - January 1999
Features:
Unknown.
Author's note:
"The reason i wrote NENAPE was that I didn't have an engine yet that
I easily call multiple times to generate more than one layer of encrytion.
At the moment the encryption method is very bad, but I will hope to improve
this soon, together with the code it generates. The main thing is that the
encryptor is build up perfectly and that the code is compact yet modular."
Name: Nigromante Engine Polimorfic
Creator/Origin: Nigromante / Spain
AKA: NEP
Type: Polymorphic Engine
Known versions:
NEP - 1998
Features:
Unknown. The engine is included in the La Diosa.2369 virus.
Name: Nexus
Creator/Origin: Deadman / Russia
AKA: --
Type: Polymorphic Engine
Known versions:
Nexus - August/September 1999
Features:
Unknown. Engine is used in the Ksenia series viruses by the same author.
Source codes including the engine can be found in DVL#9
and 29A#4.
Name: NIK
Creator/Origin: Nikademus / USA
AKA: --
Type: Polymorphic Engine
Known versions:
NIK 0.84 - Unknown
Features:
Unknown.
Name: Necromantic Mutation Engine
Creator/Origin: Wintermute / Spain
AKA: NME
Type: Polymorphic Engine
Known versions:
NME - January 1998
Features:
Used in the Zohra virus by Wintermute. It
was released in 29A#2.
Name: Neurotic Mutation Engine for Neuropath
Creator/Origin: Mnemonix / USA
AKA: NMEN
Type: Mutation Engine
Known versions:
NMEN 1.00 - June 1994
Features:
Unknown. Used in the Neuropath virus by the same author.
Name: Narflung's Macro Permutation Engine
Creator/Origin: Narflung / Unknown
AKA: NMPE
Type: Permutation Engine
Known versions:
NMPE 0.0b - December 1999
Features:
Line switching technique used to avoid detection of macro viruses. Released
with DVL #10.
Name: NoMut
Creator/Origin: NoOne / Australia?
AKA: NoMut
Type: Polymorphic Engine
Known versions:
NoMut 0.01 - July 1995
Features:
Polymorphic engine included in VLAD Magazine #5. According to the author
it is similar to other engines except for two major differences: 1. It does
not generate junk instructions. 2. It generates two decryptors where the
first decrypts the second one.
Name: Object Infection Engine
Creator/Origin: e [Ax] / Bosnia Herzegovina
AKA: OIE
Type: Viral Infection Technique
Known versions:
OIE 1.0 - Unknown
Features:
Unknown. Included/selectable in the Macro Virus Generator (MVG)
by the same author.
Name: NOP / HLT Engine
Creator/Origin: Young Adult Male / Unknown
AKA: ---
Type: Garbage Engine
Known versions:
NOP / HLT 1.0 - Unknown
Features:
Name: Octarine Polymorphic Script Engine
Creator/Origin: jackie twoflower / Austria
AKA: OPSE
Type: Polymorphic Routine
Known versions:
OPSE 0.1 - May 2000
Features:
For use in VBS (script) viruses/worms. It was also released with LineZero
Zine #2.
Author's note:
"This little engine was a concept of writing a variable names exchanging
routine. Some features are:
- Exchanges all variables in your code
- Creates random variable names
- Extreme fast "
Name: Payload Construction Kit
Creator/Origin: Lys Kovick
/ Unknown
AKA: PCK
Type: Payload Tool
Known versions:
PCK Public Beta - July 1999
Features:
Tool created to help the author produce file dropping payloads for his
macro viruses. By the author of FDCK.
Name: Polimorphic Engine
Creator/Origin: Zombie / Russia
AKA: PE
Type: Polymorphic Engine
Known versions:
PE 0.2 - September 1997
Features:
Unknown. Polymorphic engine included in the first issue of the Russian
Virus Magazine.
Name: PE-100
Creator/Origin: T-2000
/ Unknown
AKA: ---
Type: Polymorphic Engine
Known versions:
PE 100 - February 1999
Features:
Unknown.
Author's note:
"Attempt to write a small but effective polymorphic engine, uses BX/SI/DI/BP
as a pointer-register and conditional JMPs as junk. Size engine: 125 bytes."
Name: Pascal Extra Polymorphics Engine
Creator/Origin: Deviator / Russia
AKA: PEPE
Type: Polymorphic Engine
Known versions:
PEPE 1.0 - July 1999
PEPE 1.1 - December 1999
Features:
Polymorphic engine that was programmed using Pascal. Version 1.0 was released
with a demo virus in DVL #8 and viruses still
used an ASM loader while version 1.1 released with DVL
#9 is 100% Pascal. It apparently uses techniques used in the TPPE
engines.
Author's note:
"Source for encryption must be an Exe file. PePe rebuilds Exe header,
places encrypted body of source .exe after new header and appends decryptor
to it. When decryptor finished it's work, it returns work to host (uncrypted
body). But if there was some relocations, PePe decryptor set's it up before
finishing it work... Thats all. "
Name: Poly Engine Random Junker
Creator/Origin: Lys Kovick
/ Unknown
AKA: PERJ
Type: Polymorphic Engine
Known versions:
PERJ - October 1999
Features:
A specific macro virus technique used in the Comment virus by the same
author.
Name: PGPME-32
Creator/Origin: Zombie / Russia
AKA: Pretty Good Privacy Mutation Engine 32 bit
Type: Mutation Engine
Known versions:
PGPME-32 0.01 - May 1999
PGPME-32 0.01a - May 1999
Features:
Unknown. By the author of AZCME, FIRE,
PE and ZCME.
Name: Polymorphic Header Idiot Random Engine
Creator/Origin: Billy Belcebu / Spain
AKA: PHIRE
Type: Polymolrphic Engine Plug-In
Known versions:
PHIRE 1.0 - September 1999
Features:
Released with Xine #4 and used in the Legacy
virus by the same author. It works in conjunction with MMXE
and IENC.
Author's Note:
"This is a plug-in for MMXE. It generates
a block of 256 bytes of polymorphic code that will be placed at the entrypoint
of the host. The particularity of that code is, besides the EntryPoint Obscuring
(EPO) ability that it gives to the virus, is that the generated code will
generate an exception handler (SEH), for laterly generate a fault, thus
bypassing the control to the handler, that will pass the control to the
MMXE decryptor. This will stop every known emulator. "
Name: Polymorphic Infection Engine
Creator/Origin: jackie twoflower /
Austria
AKA: PIE
Type: Polymorphic Engine
Known versions:
PIE 1.0 - August 1999
PIE 2.0 - Unknown
Features:
A polymorphic procedure written in VBA for use in macro viruses. Version
1.0 was released as part of the Class Macro Kit (CMK).
Version 2.0 is used in several macro viruses by the same author. PIE can
be used for Word and Excel and is sometimes used in combination with PVP
by the same author. Evolved into JUMP/JSMP.
A version of PIE was released in Metaphase Zine
#2.
Name: Phantasie Mutation Engine
Creator/Origin: Burglar / Taiwan
AKA: PME
Type: Polymorphic Engine
Known versions:
PME 1.0 - January 1995
PME 1.01 - February 1995
PME Windows 0.0 - July 1995
Features:
Joining the wave of polymorphic engines originating in Taiwan these are
created by someone who calls himself Burglar. No viruses using the engine
are known.
Name: P**** Mutation P****
Creator/Origin: Deviator / Russia
AKA: PMP
Type: Polymorphic Engine
Known versions:
PMP - November 1999
Features:
Unknown. The engine is programmed using Pascal and was released with DVL
#9.
Name: Prizzy Polymorphic Engine
Creator/Origin: Prizzy / Czech Republic
AKA: PPE
Type: Polymorphic Engine
Known versions:
PPE 1.0 - July 1999
PPE 2.0 - December 1999
Features:
Release 1.0 of the engine is used in the Win9X.Prizzy virus and release
2.0 is used in the Win32.Crypto virus by the same author.
Author's note on 1.0:
"I'm very proud on my very good polymorphic engine because as the
first virus it can generate decoding decoding loop in MMX and Coprocessor
instructions. I would like to remind decoder couldn't supports MMX and copro
instructions at one bout (because MMX has been built on copro).
What instructions I can generate:
* 149 type of base-instructions (37 from GriYo/29A, thanks)
* 43 type of copro-instructions
* 46 type of MMX-instructions
But no every computer, where is Windows 95/98, do not need be CPU with
MMX technology. So, I use CPUID instruction to get result. But this intruction
CPU supports on 486+, if it isn't supports the PPE use only coprocessor.
I can generate some more difficult garbage, as are instructions CMPS/LODS/STOS/SCAS/MOVS
(and set their regz), CALL/JMP reg32, or iluzo return (find "g_iluzo_return:"
for more infoz - this garbage simulate the end of decoding - jump to non-decoded
virus body), or the garbage which simulate decoding compare (find "g_compare:"
for more infoz).
Some beastly doing functions are termed as "sado-maso function"
as are:
* reg + garbage + dec reg + jnz reg
* encryption a destination value
* putting CPUID and MMX test to poly-decode loop and so on..."
Author's note on 2.0:
I've removed all copro & mmx garbages and I've coded these new stuff:
* brute-attack algorithm
* random multi-layer engine
By "brute-attack" I'm finding right code value by checksum. And
because I don't know that number, AV neither. This process can take mostly
0.82 seconds on my P233.
In the second case I don't decode by default (up to down) but by random
multi-layer algorithm. It means I generate the certain buffer and by its
I decode up or down. Thus I can generate more then 950 layers and typical
some 69 layers. Also the random buffer, behind poly loop, has anti-heuristic
protection (gaps) to AV couldn't simulate that process. So, only in my decoding
loop are stored the places where the gaps are.
Name: Phantom Polymorphic MultiLayer Engine
Creator/Origin: Unknown / USA
AKA: PPMLE
Type: Polymorphic Engine
Known versions:
PPMLE 1.2 - Unknown
Features:
Unknown. The engine is included in RDA.Fighter.7408, by the same author.
Name: Polymorphic Recursive Cycle Generator
Creator/Origin: Zombie / Russia
AKA: PRCG
Type: Polymorphic Engine
Known versions:
PRCG 1.00 - May 2000
Features:
Author's Note:
"...used to slow down or even fuckup emulation process "
"PRCG engine may be used to slow down emulation process. It will generate
some random number of nested cycles with trash between instructions. So,
emulation of generated code will take lots of time. "
It can be used together with ETG by the same
author.
Name: Qozah's Block Cyphering Engine
Creator/Origin: Qozah / Finland
AKA: QBCE
Type: Encryption Engine
Known versions:
QBCE - November 1999
Features:
The engine is used in the Unreal virus by the same author and was released
with 29A#4.
Author's note:
"...QBCE ( Qozah's Block Cyphering Engine ), which is a block cypher
deeply analyzed forward. In a few words, it makes 24 rounds of encryption
with random operations on the code, making it a good algorithm for crypting.
"
Name:Quantum Encryption Engine
Creator/Origin: John Darland / USA?
AKA: QEE
Type: Polymorphic Engine
Known versions:
QEE 1.41 - 1996
QEE 1.42 - 1997
Features:
Unknown. The engine is used in the JDC viruses by the same author.
Name: Random Arithmetic Polymorphic Engine
Creator/Origin: Error /
Unknown
AKA: RAPE
Type: Polymorphic Engine
Known versions:
RAPE 1.1 - 1999
RAPE 1.2 - 1999
RAPE 2.0 - 1999
Features:
Version 1.1 and 1.2 were released/used in the Evolution W97M viruses while
version 2.0 was released/used in the Revolution W97M virus, all by Team
Necrosis.
Author's note:
(1.1 and 1.2):
- Randomly Morphs Source Code by Adding Random Remarks
- Randomly Selects Source Code Export File - Then Morphs it
- Randomly Creates Virus Macro Name
- Randomly Adds 1 to 6 Commands to Code
(2.0):
- Randomly Morphs Source Code by Adding Remarks (now improved)
- Randomly Selects Source Code Export File - Then Morphs it (improvised)
- Randomly Creates Virus' Module Name (2 - 10 letters)
- Randomly Adds Commands to Code (now improved)
- Randomly recreates Startup Directory *New
- Randomly determines Wyrm Mail Subject/Contents *New
- Randomly creates Word "Boot" Infector *New
Name: RedArc Mutation Engine
Creator/Origin: RedArc
/ Russia
AKA: RAME
Type: Polymorphic Engine
Known versions:
RAME 0.1 - 1998
Features:
Unknown. Released in Moon Bug #7 together
with Red Arc's RAME.Trivial virus.
See also: RPME by the same author.
Name: Random Comment Junker
Creator/Origin: e [Ax] / Bosnia Herzegovina
AKA: RCJ
Type: Garbage Technique
Known versions:
RCJ 1.0 - Unknown
Features:
Unknown. Included/selectable in the Macro Virus Generator (MVG)
by the same author.
Name: Random Decoding Algorith Engine
Creator/Origin: Darkman / Denmark
AKA: RDAE
Type: Polymorphic Engine
Known versions:
RDAE 1.00 - January 1999
Features:
Released with 29A#3.
Author's note:
Flags:
xxxxxx00 Low security, high speed, 256 different algorithms.
xxxxxx01 Medium security, medium speed, 65.536 different algorithms.
xxxxxx10 High security, low speed, 16.777.216 different algorithms.
xxxxxx11 Highest security, lowest speed, 4.294.967.296 different algorithms.
Encryption/decryption algorithms:
NOP; SEGCS; NEG AL; NOT AL; DEC AL; INC AL; ROL AL,01h; ROR AL,01h
ADD AL,CL; ROL AL,CL; ROR AL,CL; SUB AL,CL; XOR AL,CL; ADD AL,imm8
SUB AL,imm8; XOR AL,imm8
Encryption/decryption keys:
Eighty-one, random, 8-bit, with the possibility of being a sliding key.
Checksum:
32-bit Cyclic Redundancy Check (CRC-32), of the decryption algoritm.
Levels of security:
Four.
Random Decoding Algorithm Engine v 1.00 [RDAE] length: 567 bytes.
Name: Random Encryption Synthezator
Creator/Origin: Stainless Steel Rat / Russia
AKA: RES
Type: Polymorphic Engine
Known versions:
Unknown - April 1996
Features:
Unknown. The engine is included in SSR.18273,18364, by the same author.
See also: MME/SSR and SSRME
Name: Rickety and Hardly Insidious yet New Chaos Engine
Creator/Origin: Rhincewind
/ Australia
AKA: RHINCE
Type: Polymorphic Engine
Known versions:
RHINCE 1.0 - April 1995
RHINCE 2.0 - February 1996
Features:
RHINCE 1.0 a tiny 100% table-driven engine styled after the DSCE.
The engine is a mere 416 bytes in length.
Author's note (1.0):
"I wrote this one to see how small an engine of this type can get,
as the original DSCE is very much overweight. It's trivial to detect, but
hey, it's still an engine."
Author's note (2.0):
RHINCE v2.0 is almost TBAV heuristics proof. A negligible amount of samples
still gets G flags on pointer references in the first 32 bytes. Then there
is the occasional E, U, t or D flag probably caused by Thunderbyte interpreting
the random byte and word values as code, i.e. signature scanning. This version
doesn't use encoding routines that use tables. No, it uses one encoding
routine and a set of tables. In almost every engine, the routines all have
a certain structure in common and yet they're never quite the same so optimisation
by using subroutines is difficult. This is an easier approach. RHINCE v2.0:
377 bytes undiluted polymorphic generation code.
Name: RHQ
Creator/Origin: AweScream / RSA
AKA: RHQ
Type: Polymorphic Engine
Known versions:
RHQ - June 1997
Features:
Under development. A unfinished version of this engine was released with
RSA #1 zine.
Name: Reconstructed Necromantic Mutation Engine
Creator/Origin: Wintermute / Spain
AKA: RNME
Type: Polymorphic Engine
Known versions:
RNME - September 1998
Features:
Together with GROG used in the Ithaqua virus
by Wintermute. It was released in 29A#3.
It is a reworked NME used in the Zohra virus.
Name: Rajaat's Push Engine
Creator/Origin: Rajaat / UK
AKA: RPE
Type: Utility
Known versions:
RPE - January 1999
Features:
Unknown. Minor version of LPE, redone and
optimized, done by Rajaat / 29A as joke.
Name: Random Push Generator
Creator/Origin: Frizer / Russia
AKA: RPG
Type: Utility
Known versions:
RPG 0.1 - May 1998
Features:
Unknown.
Name: Realistic Polymorphic Macro Code Engine
Creator/Origin: Cybershadow / Russia
AKA: RPMCE
Type: Polymorphic / Encryption Engine
Known versions:
RPMCE 1.2 - November 1999
Features:
Similar to many other tools (ME/U, ME/D,
VVSC, MCPRACE) RPMCE
uses encryption and polymorphism to decrease detection of macro viruses.
It was released with DVL #9.
Name: Real PerMutating Engine
Creator/Origin: Zombie / Russia
AKA: RPME
Type: (Per)Mutation Engine
Known versions:
RPME 1.00 - June 2000
Features:
Uses permutation technique to decrease detection chances of viruses. The
engine changes instruction codes using an instruction list of possible opcodes
and opcodes details. The engine uses mutation (substitution, transposition
and trash) to build the same (functionality wise) virus from changed instructions.
To quantify different opcodes the LDE32
tool by the same author is used.
Author's Note:
"PERMUTATION -- changing viral code on the opcode-level. I.e. generating
new virus copy from the previous one, but new copy will consist of different
instructions. "
Name: Random Push Mutation Engine
Creator/Origin: RedArc / Russia
AKA: RPME
Type: Mutation Engine
Known versions:
RPME 0.1 - May 1998
RPME 0.2 - May 1998
Features:
Unknown. Both versions were released with issue #5 of the Moonbug
e-zine.
See also RAME by the same author.
Name: Rajaat's Recursive Random Assembler Code Creator
Creator/Origin: Rajaat
/ UK
AKA: RRRACC
Type: Utility
Known versions:
RRRACC 0.01B - January 1999 (AKA Swapline)
RRRACC 1.00 - January 1999
RRRACC 1.01 - January 1999
RRRACC 1.02 - January 1999
RRRACC 1.03 - February 1999
Features:
Author's note:
"Rajaats Recursive Random Assembler Code Creator, RRRACC for short
(and if you still don't like it you can pronounce it as ROCK), is a utility
that processes text files, recognizes special tokens which it uses to randomize
the input, and write the result to an output file. This does not have to
mean assembler code, but my primary intention was to make it work mainly
with assemblers. "
Release 1.02 includes the Swapline utility by the same
author. Release 1.03 is the final release and includes the PERL source code.
Name: Rajaat's Tiny Flexible Mutator
Creator/Origin: Rajaat
/ UK
AKA: RTFM
Type: Polymorphic Engine
Known versions:
RTFM 1.0 - December 1994
RTFM 1.1 - December 1994
RTFM 1.2 - August 1996
Features:
RTFM is an object module that can be linked to a virus to make it impossible
for a scanner to use a simple string.It will encrypt your virus and generates
a random decryptor using random registers and random instructions. Therefore,
an algorithmic approach will be needed to detect viruses using this object
module.
(Author's note: RTFM was not meant to make an unscannable virus, it's only
purpose is to make string scanning impossible. The code generated by RTFM
is by no means extremely polymorphic and it will not be very difficult to
devise an algorithm to detect viruses using RTFM. The size of RTFM is smaller
than 650 bytes.)
Version 1.2 was released with the Diametric/Matricide virus in Insane
Reality Magazine issue #8.
Name: Red Team Polymorhpy
Creator/Origin: Soul Manager / IR/G
AKA: RTP
Type: Polymorphic Engine
Known versions:
RTP 0.1b - December 1997
Features:
Author's notes:
RTP was the polymorphic engine originally written for my Red Team virus,
but as the virus was already quite large and complex, I decided not to complicate
methods further. This is the second polymorphic engine I am releasing, the
first being [TCE] published in IR#7
zine, 1996.
A generator program (RTP_GEN) is included for you to sample the RTP engines
capabilities.
The engine boasts a number of features:
- Highly flexible decryptor structure:
+ 8/16 bit.
+ forwards/backwards.
+ many different loop types.
+ single/double reference.
- Anti-Emmulator code:
+ checks for hardware interrupts.
+ checks for AAM/AAD emmulation.
+ string moves.
+ calls to DOS, causing infinite loops if results are inconsistant.
+ anti-heuristic code (see below).
+ multiple layers of decryption.
- Anti-Debugger code:
+ checks for INT 01h tracing.
- Anti-Cryptanalysis techniques:
+ multiple decrption and key modification operations.
+ 1st level cryptanalytic techniques ( add/xor/sub/rol/ror [txt],imm
).
+ 2nd level cryptanalytic techniques ( add/xor/sub [txt],[key / ptr
/ count] ).
+ 3rd level cryptanalytic techniques. ( add/xor/sub [key],[ptr / count]
).
- Realistic code structures (anti-heuristic):
+ loops.
+ *forward* referenced calls and jumps.
+ interrupt calls.
+ memory reads.
+ string memory moves (rep movs?)
+ the ability to push and pop registers modified in loops and by interrupt
calls, as nescessary.
Name: $moothie's ASCII Encrypter
Creator/Origin: $moothie
/ Unknown
AKA: SAE
Type: Conversion/Encryption Tool
Known versions:
SAE 1.0 - August 2000
Features:
Similar to VVSC this tool converts ASCII code to CHR
codes for use in VBA macro viruses. Avoiding clearly readable text strings
in macro viruses makes deciphering/reading the code a little harder.
Name: Super DeFormed Engine
Creator/Origin: Zhuge Jin
/ Taiwan
AKA: SDFE
Type: Polymorphic Engine
Known versions:
SDFE 1.0 - March 1995
SDFE 2.0 - May 1995
SDFE E2.0 - August 1995
Features:
Joining the wave of polymorphic engines originating in Taiwan this one
is created by someone who calls himself Zhuge Jin of TPVO.
No viruses using the engine are known.
Name: Serg Enigma Encryption Generator
Creator/Origin: Serg Enigma / Russia
AKA: SEEG
Type: Polymorphic Engine
Known versions:
SEEG 0.01 - Unknown
SEEG 1.0b - October 1996
Features:
Unknown. Used in the Seeg.1422, Seeg.1698 and Seeg.1870 viruses. Author
of the IDA engine.
Name: ShiftMut
Creator/Origin: NoOne / Unknown
AKA: ShiftMut
Type: Mutation Engine
Known versions:
ShiftMut 0.01 - August 1995
ShiftMut 0.02 - August 1995
ShiftMut 0.03 - August 1995
ShiftMut 0.04 - August 1995
ShiftMut 0.05 - August 1995
ShiftMut 0.06 - August 1995
ShiftMut 1.00 - September 1995
ShiftMut 1.01 - September 1995
ShiftMut 1.10 - September 1995
ShiftMut 1.11 - September 1995
ShiftMut 1.20 - September 1995
ShiftMut 1.21 - September 1995
Features:
A series of mutation engines by the VLAD
member NoOne.
Name: Super Hierchial Initerative Transmuter
Creator/Origin: A-o / Unknown
AKA: SHIT
Type: Polymorphic Engine
Known versions:
SHIT 0.1B - May 1995
SHIT 0.3B - June 1995
Features:
Unknown. The garbage code generation routines used are from pulled RHINCE.
Name: Simple Mutation Engine
Creator/Origin: Stefan Esser / Germany
AKA: SimpMut
Type: Polymorphic/Mutation Engine
Known versions:
SimpMut 0.1 - October 1997
Features:
From the author's documentation:
- 4 different counter registers
- 4 different ways to load the counter register
- 2 directions
- 3 different crypting methods
- 2 positions for the PrefetchQue Cleaner jump
- 192 different cryptors
- length: 14-16 bytes / up to 5 totally random bytes
Name: SLIM
Creator/Origin: 1nternal / Australia
AKA: SLIM
Type: Polymorphic Engine
Known versions:
SLIM 0.1 - April 1998
SLIM 0.2 - April 1998
SLIM 0.33 - June 1998
Features:
Unknown. By the same author as HOPE.
Name: Small Mutation Engine
Creator/Origin: Deviator / Russia
AKA: SME
Type: Mutation Engine
Known versions:
SME 1.0 - April 1999
SME 1.1 - April 1999
SME 1.2 - April 1999
SME 1.3 - April 1999
SME 1.4 - April 1999
SME 1.5 - July 1999
SME 1.6 - July 1999
Features:
Author's note:
Features:
- Different (Si,Di) pointers
- Garbage registers - Ax,Bx,Cx,Dx,Ah,Al,Bh,Bl,Ch,Cl,Dh,Dl
- Garbage creating
- Standard one-byters
- Different opcodes with Ax
- Add/Sub/Xor/Or/And/Mov,etc Reg,Imm16/mem/etc
- Forward jxx
- Forward call creating
- Different encryption methods + different keys
- Xchg Ax,Reg
- Antiheuristics trick (int 12h based). Undecryptable in DrWeb'n'F-Prot.
Have no other av'rs...
Name: Simple Mutation Engine
Creator/Origin: Darkray
/ Netherlands
AKA: SME
Type: Mutation Engine
Known versions:
SME 0.1B - July 1993
Features:
Unknown. Generic encryption/decryption mutator.
Name: Simulated Metamorphic Encryption Generator
Creator/Origin: Black Baron / UK
AKA: SMEG
Type: Polymorphic Engine
Known versions:
SMEG 0.1 - Unknown
SMEG 0.2 - September 1993
SMEG 0.3 - June 1994
Features:
SMEG is a polymorph engine that can be linked into a source code, it was
designed for computer viruses but could be used for other things, to encrypt
and provide a unique decryptor. SMEG v0.3 is the first version to be made
available to "the public", there have been two versions prior
to this, v0.1 used in the PATHOGEN virus and v0.2 used in the QUEEG virus.
SMEG v0.3, however, contains more advanced "junk program generator"
technology than versions 0.1 and 0.2. SMEG v0.3 is 2016 bytes big.
See also:
Methods Behind A Polymorph Engine
by Black Baron
British man pleads guilty as virus writer
The sad tale of Chris Pile's 15 seconds of fame.
Name: Simple Mutation Machine
Creator/Origin: Deviator / Russia
AKA: SMM
Type: Mutation Engine
Known versions:
Features:
More versions than listed have probably been released.
Author's Note:
"Trivial polymorphic decryptor generator"
Name: Simple Mutation Machine 32
Creator/Origin: Deviator / Russia
AKA: SMM32
Type: Mutation Engine
Known versions:
SMM32 1.00 - July 1999
Features:
A follow on to the SMM series it uses a 32 bit keyword
and 32 bit garbage.
Name: Sailor Moon Polymorphic Engine
Creator/Origin: Bozo /
Padania
AKA: SMPE
Type: Polymorphic Engine
Known versions:
SMPE 0.1 - Autumn 1996
SMPE 0.2 - April 1997
SMPE 0.3 - Mid/late 1997
Features:
This polymorphic engine was used in a totally revamped version of the Red
Vixen virus, Sailor Moon, which was released in Insane
Reality Magazine Issue #8. Version 0.2 was incorporated in several viruses.
Version 0.3 was used and released with the Sailor Saturn virus which was
included in Xine #3. Author of DPE.
Author's note:
"Version 0.1 was used in Sailor_Moon which is a midfile infector,
so it has some special add-ons to make it work with a midfile infector.
In fact SMPE 0.1 generated also the random PUSHing and POPping of all the
registers, segments and flags since the virus must preserve all the data
from the victim. SMPE 0.1 also included a small part of code to be able
to generate a poly decryptor for Boot sectors, since Sailor_Moon infected
also Boots. SMPE 0.2 and greater (SMPE 0.3 is already running and rocking
:)) ) don't include the PUSH/POP stuff (since the viruses that use them
don't need this) and don't generate Boot decryptors too. Of course on the
other hand they have many other improvements."
Name: Simple Polymorphic Engine
Creator/Origin: Lord Zero / Sweden
AKA: SPE
Type: Polymorphic Engine
Known versions:
SPE 1.1 - November 1994
SPE 1.21 - March 1995
Features:
Just like the name implicates, this is a very simple polymorphic engine
with version 1.1 being 380 bytes and version 1.21 419 bytes long. Both versions
included the source code of a demo virus using the engine: "Another
World". The engine does not incorporate any encryption and author leaves
this up to the user.
Name: Small Polymorphic Engine
Creator/Origin: VBA / Unknown
AKA: SPE
Type: Polymorphic Engine
Known versions:
SPE - Unknown 1999
Features:
Unknown. Released with 29A#4.
Name: Small Polymorphic Engine
Creator/Origin: Wild Worker / Ukraine
AKA: SPE(WW)
Type: Polymorphic Engine
Known versions:
SPE(WW) 0.01 - 1996
SPE(WW) 0.02 - September 1996
Features:
These polymorphic engines were released with issue #2 of PlasmaMag,
the E-Zine of the now disbanded virus writing group Dark Conspiracy. They were used in several of
Wild Worker's viruses.
Third party comments:
A apparent hack of this engine was released as the Mini Polymorphic Engine
[MPE]. The differences between Mini Polymorphic Engine
[MPE] and Small Polymorphic Engine [SPE], are as follows:
- Both versions of the Mini Polymorphic Engine [MPE] is vulnerable to
the X-Ray technique (cryptoanalysis). Small Polymorphic Engine v 0.01
[SPE] is less vulnerable, but still vulnerable and Small Polymorphic Engine
v 0.02 [SPE] ain't vulnerable.
- All decryptor's generated by Mini Polymorphic Engine v 0.01 [MPE] is
of equal size. All decryptor's generated by Small Polymorphic Engine v
0.01 [SPE] is of random size.
- Mini Polymorphic Engine v 0.01 [MPE] has seven stable bytes, Small Polymorphic
Engine v 0.01 [SPE], has a single stable byte.
- Both versions of the Mini Polymorphic Engine [MPE] is not EXE infection
compatible, both versions Small Polymorphic Engine [SPE] is.
- Both versions of Mini Polymorphic Engine [MPE], is far from being as
optimized as both versions of Small Polymorphic Engine [SPE].
- The size of the different versions of the different engines is as follows:
- Mini Polymorphic Engine v 0.01 [MPE] size: 229 bytes.
- Mini Polymorphic Engine v 0.02 [MPE] size: 366 bytes.
- Small Polymorphic Engine v 0.01 [SPE] size: 380 bytes.
- Small Polymorphic Engine v 0.02 [SPE] size: 1273 bytes.
Name: Small Polymorphic Insane Cryption Engine
Creator/Origin: TNSe /
Unknown
AKA: SPICE
Type: Polymorphic Engine
Known versions:
SPICE - October 1996
Features:
Used in the Eat & Die virus by the same author it has selectable encryption
schemes:
AL = Selects engine number (See Below)
Encryption methods:
AL IS =
0. ROR AX,8
1. ROL AX,8
2. XOR AX,N ; N = DX
3. NOT AX
4. XCHG AH,AL ;
5. XCHG AL,AH ;ALIKE AREN'T THEY??
6. NOT AX
XCHG AH,AL
7. NOT AX
XCHG AL,AH ;NEEDED TWO EXTRA...
All of them are reversable... Can be run twice to crypt/decrypt.
Name: Simple Polymorfic Language
Creator/Origin: Anaktas / Greece
AKA: SPL
Type: Polymorphic Engine Language
Known versions:
SPL 1.0 - August 1997
SPL 2.0 - January 1998
SPL 2.1 - March 1998
SPL 2.2 - July 1998
Features:
A language that will create polymorphic engines for use in viruses. It
can be found here [March
1999].
Author's note (version 1.0):
"SPL is a VX tool which helps you to write complex polymorphic engines
fast and easy. Every lamer can now write his own engine. But SPL is for
YOU too. With your knowlenge you can create the engine which Mcafee allways
afraid of! You can create engines which builds not only decryptors but the
hole entry point of your virus (GetInt,AllocMem,HookInt,RetHost,etc) and
more! I hope to see a True-Poly virus written at all for SPL!"
Author's note (version 2.0):
"SPL is not just another polymorphic Engine. SPL is a new idea, a
new perception, of polymorphism! I believe that more tools based on the
idea of SPL will be out soon.
SPL is a script language with simple syntax and functions. With SPL you
can write superior polymorphic engines (or what ever you can think of).
This will be the new way of writing polymorphic-engines, since it’s
easier, the generated engines can be much better than a hand-written engine,
and the size of the engine is smaller than an equal assembly routine.
Instead of decryptors, it’s easy to write other parts of your virus
such us interrupt hooking routines, infection checking, and more. In that
way the decryptor will be founded deep in your virus code, for a code analyzer
to reach it.
A nice project, would be a virus construction kit where all the routines
are generated by SPL-engines!
SPL works somehow like JAVA. The compiler just translate the script into
a compact form and then compress it. What you have to do, is to include
in your virus the generated data and the interpreter (a small assembly routine
less than 650 bytes) . Each time you want a decryptor, you just allocate
the needed memory, and call the interpreter, which decompress and interpret
the script."
Name: Some Other Polymorphic System
Creator/Origin: jackie twoflower
/ Austria
AKA: SOPS
Type: Polymorphic Engine
Known versions:
SOPS - May 1999
Features:
SOPS is basically a new version of SPS which was a modified
version of Pyro's APMRS.
Name: Some Polymorphic System
Creator/Origin: jackie twoflower
/ Austria
AKA: SPS
Type: Polymorphic Engine
Known versions:
SPS - May 1999
Features:
SPS is basically a modified version of Pyro's APMRS.
It is included in the Word 97 Macro Virii Creation Kit (W97MVCK)
by the same author and is one of two user selectable polymorphic modules
(APMRS being the other).
Name: Sirius Polymorphic Module
Creator/Origin: Sirius / Germany
AKA: SPM
Type: Polymorphic Engine
Known versions:
SPM (Unknown) - November 1994
Features:
Unknown. Used in several of Sirius' viruses.
Name: Small Padanian Windows Mutator
Creator/Origin: Bozo /
Italy
AKA: SPWM
Type: Polymorphic Engine
Known versions:
SPWM 0.1 - January 1998
Features:
Author's note:
" This is the first version and maybe the last version of the SPWM.
I started writing this poly engine with the idea to keep it quite small.
It's actually about 1100 bytes, not too much. It creates poly decryptors
to be used for Win16 viruses. The generated decryptor can use bx,di,si as
pointer, all the others except ax for counter and key. The body is encrypted
with a word add/sub/xor with either stable or changing (again add/sub/xor
on 16 or on 8 bit part key) key. It doesn't generate too much garbage or
different decryptor types, but anyway the garbage generation scheme is quite
interesting and compact, I think. give it a look... Since it is designed
for a midfile infector it also stores everything on the stack at the beginning
and restores everything at the end of the decryptor. A part of the decryptor
is also encrypted. "
Name: Stainless Steel Rat Mutation Engine
Creator/Origin: Stainless Steel Rat / Russia
AKA: SSRME
Type: Polymorphic Engine
Known versions:
SSRME 1.21ß - April 1996
SSRME 2.0ß - 1997
Features:
Unknown.The engine is included in SSR.18273,18364, by the same author.
See also: MME/SSR and RES
Name: Super Tiny Compression Engine
Creator/Origin: Super / Spain
AKA: STCE
Type: Compression Engine
Known versions:
STCE - February 1998
Features:
An engine specifically created to be used in viruses it is based on repeated
byte sequences and is 413 bytes long. It was released in 29A
#2.
Name: Stealth This Document Infection Engine
Creator/Origin: Lord Arz / Austria
AKA: STDIE
Type: Infection Engine
Known versions:
STDIE 1.0 - September 1998
STDIE 1.2 - May 1999
Features:
A follow-on to the TDIE tool this tool uses stealth
and a specific infection technique to avoid detection of a macro virus.
Name: Small/Full Tunneling Engine
Creator/Origin: Dark Fiber / USA
AKA: STE/FTE
Type: Tunneling Engine
Known versions:
STE/FTE 1.0 - August 1995
Features:
A tunneling engine included in VLAD magazine #6. Written by Dark Fiber (NuKE
ex-AIH) this engine incorporates Single Step Tunneling
using INT 01H. For more in dept information study his tutorial "Single Step Tunnel Techniques".
See also:
Tunneling shortcuts.
Name: Spirit's Universal Polymorphic Device
Creator/Origin: Night Spirit / Russia
AKA: SUPD
Type: Polymorphic Engine
Known versions:
SUPD 1.0 - December 1995
SUPD 1.5 - January 1996
SUPD 2.0 - April 1996
SUPD 2.1 - April 1996
SUPD 2.2 - June 1996
Features:
Author's note:
"$pirit's Universal Polymorphic Device ($UPD) is the polymorph-based
constructor of encoders/decoders. This device is not similar with MTE, TPE,
APE, PME, SMEG, GPE and lot of another polymorphic analogs. Of course I
acquainted with such engines, but during my creative process I never tried
to make something which resemble the plagiarism. So, $UPD-engine present
your possibility to convert some ;) your progs into full polymorphic ones.
I think what in first viriis makers will turn one's attention to my engine.
Yes, they will be right, but this engine can serve for most useful purpose.
For example, you can use it for saving your progs from hacking. WARNING!
Correct work of [$UPD_2.0] guaranted only if nothing was changed in it's
code! During encrypting $UPD build decryptor which consist of several encoding
instructions. They are select by $UPD from xor/not/add/sub/dec/inc/rol/
ror/neg types. If selected instruction is xor/add/sub, it can use random
registers-keys during encoding or decoding. One of them will be xor with
special register, which contain CRC of all decryptor :) So, it's unpossible
to change any data in decoder (direct jump anywhere, for example)."
Name: Swapline
Creator/Origin: Rajaat
/ UK
AKA: ---
Type: Utility
Known versions:
Swapline 1.00 - January 1999
Features:
Also known as RRRACC 0.01B this utility can be used
to mutate ASM sources by swapping lines that have an exclamation mark at
the first line.
Name: This Document Infection Engine
Creator/Origin: Lord Arz / Austria and
Flitnic
AKA: TDIE
Type: Infection Engine
Known versions:
TDIE 1.0 - August 1998
TDIE 2.0 - September 1998
TDIE 3.0 - June 1999
Features:
A specific infection technique to avoid detection of macro viruses. Later
evolved to STDIE
Name: The Hobbit Mutation Engine
Creator/Origin: Billy Belcebu / Spain
AKA: THME
Type: Polymolrphic Engine
Known versions:
THME 1.00 - September 1999
Features:
Released with Xine #4 and used in the Thorin
virus by the same author.
Author's Note:
Features:
- Non-realistic code (copro used, etc)
- Able of use any register (except ESP) as Pointer, Counter, and Delta.
- Crypt operations : ADD/SUB/XOR
- Garbage generator abilities:
- CALLs to subroutines (can be recursive)
- Arithmetic operations REG32/REG32
- Arithmetic operations REG32/IMM32
- Arithmetic operations EAX32/IMM32
- MOV reg32,reg32/imm32
- MOV reg16,reg16/imm16
- PUSH/Garbage/POP structures
- Coprocessor opcodes
- Simple onebyters
- Encryptor fixed size, 2048 bytes.
This engine was simple in its idea, and was simple in its developement.
It was my first ever released poly (i've written several polys before,
as X-FME for MS-DOS, or D0PE32 for Win32, but i
didn't released'em) and it can be found at my Win32.Thorin virus. I
can build all simple math operations with 32 bit regs/immediates, movs
with 16/32 bit registers, recursive calls to subroutines, PUSH/POP structures,
and use copro opcodes as garbage. The poly operations available are
XOR, ADD and SUB, chosen randomly. The size of the generated encryptors
is fixed, 2k of poly code, always.
Name: Tiny Mutation Compiler
Creator/Origin: Ender / Slovakia
AKA: TMC
Type: Polymorphic Engine
Known versions:
TMC 1.0 - April 1997
Features:
Author's note:
"Body of the virus contains just some kind of compiler, which from
from excrypted source pseudocode compiles virus to the memory. Because the
compilation doesn't use structure, which is heuristic sensitive, there is
no heuristic alert here :) The compiler is also capable to insert garbage
jump instruction in the virus copy in memory so again, no siple scanstring
in memory here. Just one little thingy is here not perfect. These jump 'll
not have known size, so the compiler puts here some extra NOPs. The virus
is the like asm proggy compiled under TASM without /m switch." ...
"TMC contains some kind of anti cleaning trap. So it is not easy to
remove from infected file. Well another lige insurance" ...
"TMC has in different generations different features. Just check it
out"
Third party analysis:
It is a uncommon polymorphic engine - each time the virus installs itself
into the memory it mixes blocks of its code and data and inserts random
data. The virus also changes data offsets in its assembler instructions,
constants and so on. As a result, the virus is not 100% encrypted, but it
has no constant parts of code and ever the length of virus is changed.
Being installed into the memory the virus does not changes its code anymore,
and all its replications have constant set of instructions. After reboot
the virus installs itself into the memory and generates new set of instruction
and infects files with this new set.
Name: Tiny Lame Poly Engine
Creator/Origin: Dark Cobra / Unknown
AKA: TLPE
Type: Polymorphic Engine
Known versions:
TLPE 2.0 - January 1999
Features:
This 48 byte small engine was released in 29A#3
and according to the author " ........ is not intended to be useful,
but rather interesting. That's why I made it small and useless."
Name: Tiny Mutation Engine
Creator/Origin: Unknown / Unknown
AKA: TME
Type: Polymorphic Engine
Known versions:
TME 1.0 - Unknown
Features:
Author of the disassembly note:
"TME.643 is a 643 bytes polymorphic generator. Generates a new polymorphic
example, upon execution. TME.643 is polymorphic in file using its internal
polymorphic engine."
Min. decryptor size: 36 bytes. Max. decryptor size: 134 bytes.
Name: Tracer
Creator/Origin: CyberGOD / Unknown
AKA: Tracer
Type: Tunneling Engine
Known versions:
Tracer - December 1996
Features:
A tunneling engine included in Insane Reality issue #8
Author's note:
"This tracer is 1262 bytes code, it can trace trough Lock Master 9.
This is an protection program that uses many tricks like setting the Trap
flag to go single stepping itself, it uses may Int 1 and Int 3 opcodes in
it's code, it makes sure that the tracer cannot use the Lock Masters stack
segment (so stack checking code, like in tbdriver, doesn't work).
Then I should thank Antigen for his inspiring
source ART22.ASM. He gave me the idea this was possible.
His idea was perfect, only the code written to realize it wasn't that good.
His code 1407 bytes, lacked the support for single stepping. This is a very
quick and simple way to detect ART22.ASM. If you start single stepping,
the return address of int 1 will be pointing at the ART code and not to
the anti tunneling code."
See also:
Tunneling shortcuts.
Name: Trident Polymorphic Engine
Creator/Origin: Masud Khafir / Netherlands
AKA: TPE
Type: Polymorphic Engine
Known versions:
TPE 1.1 - December 1992
TPE 1.2 - December 1992
TPE 1.3 - January 1993
TPE 1.4 - July 1993
Features:
TPE was written by Masud Khafir, a member of the Dutch TridenT
virus group. Before and after TPE, Masud Khafir has created several advanced
viruses. Among them are the first Windows virus, Win_Vir, the Cruncher virus
series, and one of the most widespread viruses using MtE,
the MtE.Pogue virus. TPE itself is based on the encryption routine of Masud
Kafir's Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A.
To date, four versions of TPE have come out. The author has implied that
he considers the product finished, and will not write further versions.
The later versions of TPE are highly complex, making it one the most advanced
polymorphic generators in the world.
TPE version 1.1 was technically advanced, but it contained bugs which made
it incompatible with some processor types. Versions 1.2 and 1.3 corrected
this problem. The last version, 1.4, introduced an improved, highly complex
encryption method, which makes TPE-hidden viruses difficult to identify
by using decryption-based detection methods.
Name: Trans & PINC Permutation Engine aka Turbo Pascal
Polimorphic Engine
Creator/Origin: Duke /
Russia
AKA: TPPE
Type: Polymorphic Engine
Known versions:
TPPE 0.1 - January 1999
TPPE 0.2 - April 1999
TPPE 0.3 - May 1999
Features:
This is a permutation engine, written in Turbo Pascal. For polymorphism
TPPE uses permutation, encrypting with a random 40-byte key and junk code.
For permutation it uses 2 techniques: TRANS and PINC. Five viruses using
the TPPE tool are known. Version was 0.1 released with DVL#4.
Version 0.2 was released with DVL #6 while
0.3 was released with a demo virus in DVL#9.
Name: The Chaos Engine
Creator/Origin: Sepultura
/ Australia
AKA: TCE
Type: Polymorphic Engine
Known versions:
TCE 0.4 - December 1995
Features:
A polymorphic engine included in the Chaos-AD virus published in issue
#7 of Immortal Riot's Insane Reality magazine.
The techniques used are specifically aimed at defeating the heuristic anti-virus
techniques of Thunderbyte Anti-Virus and F-Prot.
Name: The Spy's Vampirism Toolkit
Creator/Origin: The Spy / Argentina
AKA: TSVT
Type: Virus Development Tool
Known versions:
TSVT 0.3b - March 2000
Features:
Tool designed to find and use blocks of code in system files. The idea
behind the toolkit is to use known blocks of code from a victim's system
files to assemble the final virus at runtime. It also claims to be able
to use blocks of code that are similar to the required block. It will modify
/ convert the known block to a block required by the virus. The toolkit
was released with the the G9N e-zine.
Name: Tricky Trout Plurimorphic Encryptor Builder
Creator/Origin: Tricky Trout / Italy
AKA: TTPEB
Type: Polymorphic Engine
Known versions:
TT-PEB 2.01 - 1995
Features:
Used in the "Second NewBorn Trout" virus. A disassembly of the
engine by Bozo was released in Xine #3.
Name: Trurl Variable Encryption Device
Creator/Origin: Trurl / Argentina
AKA: TVED
Type: Polymorphic Engine
Known versions:
TVED 1.0B - March 1994
Features:
The 684 byte long TVED has been released by Trurl, a member of the Argentinian
virus group "Digital Anarchy" (DAN).
It was released with the Bonsembiante virus incorporating the engine.
Name: Ultras Access Macro Polymorphic
Creator/Origin: Ultras / Russia
AKA: UAMP
Type: Polymorphic Module/Engine
Known versions
UAMP - November 1998
Features:
Polymorphic engine/module for Access 97 macro viruses from the creator
of UCK, UMP, UMPE,
ZSZPE and ME.
Name: Unknown Entrry Point Infection Engine
Creator/Origin: DaemonSerj / Russia
AKA: UEP
Type: Mutation Engine
Known versions:
UEP 1.0 - June 1998
UEP 2.0 - June 1998
UEP 3.0 - July 1998
Features:
Unknown. Released with DVL #10.
Name: Ultras HTML Encryptor
Creator/Origin: Ultras / Russia
AKA: UHE
Type: Encryption Tool
Known versions:
UHE 1.0 - July 1999
Features:
Tool that uses Javascript to encrypt HTML viruses. By the author of AMG,
UCK, UAMP,
UMPE, UMP,
ME, ZSZPE and MUCK.
Name: Ultimate Mutation Engine
Creator/Origin: Black Wolf / USA
AKA: Ultimute
Type: Mutation Engine
Known versions
Ultimute 0.93B - August 1993
Features:
Claiming to have written Ultimute as a "hack prevention" encryption
tool the author warns against using the engine in viruses since it was not
meant for that. Being 1017 bytes long it is supposed to have anti-tracing
and anti-disassembling capabilities.
Name: Ultras Macro Polymorphic
Creator/Origin: Ultras / Russia
AKA: UMP
Type: Polymorphic Module/Engine
Known versions
UMP 1.0 - July 1998
Features:
Polymorphic engine/module for Word macro viruses from the creator of UCK,
UMPE, UAMP, ZSZPE
and ME.
Name: Ultras Macro Polymorphic Engine
Creator/Origin: Ultras / Russia
AKA: UMPE
Type: Polymorphic Module/Engine
Known versions
UMPE - October 1998
Features:
Polymorphic engine/module for Word macro viruses from the creator of UCK,
UMP, UAMP, ZSZPE
and ME.
Name: Uncleanable Virus Engine
Creator/Origin: Qozah / Finland
AKA: UVE
Type: --
Known versions
UVE - November 1999
Features:
Engine / technique to prevent the cleaning of a virus infected file. It
is used in the Unreal virus by the same author and was released with 29A#4.
Author's note:
The UVE is an idea performed after making my article
about polymorphism, and how it can always be detectable. Thinking on
alphabets and languages, a poly engine cannot be undetected, but a file
infected by a virus can be made uncleanable.
That's the idea behind this engine, making it impossible to remove the
virus from a file, at least by a normal procedure. You could make this idea
bigger supporting many instructions, but that's not my point. Be it one
instruction as in my engine, or X instructions, the important objective
is accomplished. I've received some complaints because most files didn't
begin by mov reg,imm32. But the main objective on uncleanable making is
made: confussion, and not knowing if the instruction was or wasn't in the
beggining of the file.
I'll describe it in 5 points:
- First of all, check if the first instruction of the legit code, the
one on the entry point, is a mov reg,imm32.
- In the beggining of the virus code, place that mov reg,imm32 if it
exists, and another 6 mov reg,imm32 instructions which use random
- If there's no mov reg,imm32 instruction in the beggining of the legit
code, the engine will anyway generate 7 random mov reg,imm32 instructions
at the beggining of the virus.
- The legit code instruction 'mov reg,imm32' is overwritten with 0s,
and the old entry point is added 5.
- When the .exe is run, these 7 instructions are executed, then registers
are pushed onto the stack, and when returning to original host, they're
replaced. So, an antivirus can't know if there was a 'mov reg,imm32' in
the beggining of the original host code, or which one was it, so it can't
replace it.
Name: Virogen's 32bit Polymorphic Engine
Creator/Origin: Virogen / USA
AKA: V32P
Type: Polymorphic Module
Known versions:
V32P 0.06a - April 1999
Features:
Author's note:
"This is a real polymorphic engine; 100% polymorphism with large
variations in the decryptor type, size, functioning, instruction, and
register usage. This polymorphic engine isn't finished, but since it's
been laying around my hard drive for about a year, I figured I'd go and
release it to the public as is and release subsequent updates. Expect
many more versions, with more power in each. Version 1.0 will be the final
release.
Features:
+100% polymorphic. This may be the most powerful 32bit polymorphic engine
released to date.
+Win32 compatible.
+support for relocations (displacement caused by decryptor added) "
Name: Vic's Advanced Macro Poly
Creator/Origin: VicodinES / USA
AKA: VAMP
Type: Polymorphic Module
Known versions:
VAMP - December 1998
Features:
By the author of many Word macro viruses, VMPCK, VSMP and VVSC
this is an advanced polymorphic module for Word macro viruses.
Name: Virus Code Generator
Creator/Origin: RedArc / Russia
AKA: VCG
Type: Polymorphic Engine
Known versions:
VCG - April 1999
Features:
A virus code "manipulator" released with Moonbug
Zine #10.
Third party analysis:
"A quite complex polymorphic engine that rebuilds virus code each
time the infection procedure is activated. In different infected files different
assembler instructions or sets of instructions are used to do the same operations.
The engine also mixes blocks of virus code, inserts junk instructions, etc.
Viruses using the engine also change data offsets in their assembler instructions,
constants and so on. As a result, the viruses are not encrypted, but they
have no constant parts of code and the length of virus is often changed."
Name: Vengine
Creator/Origin: Veggietailz / Unknown
AKA: --
Type: Polymorphic Module
Known versions:
Vengine - March 1999
Features:
A VBA polymorphic engine released in the wake of the Melissa
virus hype. It comes with the source of the "regular" Melissa
virus and a polymorphic version that was treated by Vengine. An Italian
hacked version called Firestarter was created
and released by Xarabas in April of 1999.
Name: Vecna's Random Boot Loader
Creator/Origin: Vecna
/ Brasil
AKA: VRBL
Type: Polymorphic Engine
Known versions
VRBL - February 1998
Features:
This polymorphic engine for boot viruses was released in 29A
#2.
Author's note:
This is the first polymorphic engine exclusively designed for boot viruses
ever, and it's, maybe, one of the most variable engines in the world! This
engine creates a loader, to be put in the MBR/BOOT, and sets up registers
for further polymorphism in the virus body. The engine, btw, is very small
as it's only 739 bytes long.
The engine operates this way: first it creates random movs, jmps, xchgs,
adds, xors, and so on. They are fully random, with no fixed structure. Af-
ter this, it executes the loader in single step mode. The int 1 handler
checks for the end of the generated code, when it passes control to the
final routine, which fixes the needed registers, thru xors, adds and subs,
using the values that are already held in the registers. So, not even the
moves are fixed. After this, the loader passes control to the virus body,
either by an intersegmented jump, or by means of a retf instruction.
Name: Virogen's Irregular Code Engine
Creator/Origin: Virogen / USA
AKA: VICE
Type: Polymorphic Engine
Known versions:
VICE 0.1B - February 1995
VICE 0.2B - February 1995
VICE 0.3B - February 1995
VICE 0.4B - February 1995
VICE 0.5 - May 1995
Features:
This engine, which is one of the newest, has a lot of techniques incorporated
aimed specifically at Frans Veldman's Thunderbyte anti-virus product. Several
viruses using the engine were released with it.
Part of the author's revision history:
v0.1B = 02-05-95: Started coding. 02-09-95: First Beta Release.
v0.2B = 02-11-95: Fixed bug. Added capability of garbage code. Improved
Anti-TBSCAN code significantly.Optimized code.
v0.3B = 02-21-95: Rewrote garbage code engine. Fixed bugs
v0.4B = 02-24-95: Improved engine power.
v0.5 = 05-07-95: Went through and commented the code, optimized some of
it. Released complete source code.
Name: VLAD Infinite Polymorphic
Creator/Origin: Qark
/ Australia
AKA: VIP
Type: Polymorphic Engine
Known versions:
VIP 0.01 - October 1994
VIP 1.0B - October 1995
VIP 1.0 - February 1996
Features:
Version 0.01 was used in Qark's VLAD virus released in VLAD
magazine #2.Version 1.0 of this polymorphic engine was included in VLAD magazine #6.
Author's note:
"This engine is good in some respects, and poor in others. The encryption
it creates is fairly easy to crack, being a looping xor with a keychange
(all registers/values chosen at random), but the encryption loops are very
hard to detect. There are four different loop types, of which TBSCAN can
only find two."
Name: Visible Mutation Engine
Creator/Origin: Mark Ludwig / USA
AKA: VME
Type: Polymorphic Engine
Known versions:
VME 0 - April 1993
VME 1 - April 1993
Features:
The Visible Mutation Engine is a Mark Ludwig (American Eagle Publications,
Inc.) release. It is an actual, functional mutation engine. It can be attached
to a virus and make it totally undetectable by scanners using current technology
(March, 1993). The engine is an object module which can be linked into a
virus, or any other software that needs to be self-encrypting. For full
details see Computer Virus Developments Quarterly, Spring 1993
Name: Varna's Polymorphic Engine 32
Creator/Origin: Varna / Poland
AKA: VPE32
Type: Polymorphic Engine
Known versions:
VPE32 - May 2000
Features:
Unknown.
Name: Vic's Simple Macro Poly
Creator/Origin: VicodinES / USA
AKA: VSMP
Type: Polymorphic Module
Known versions:
VSMP - June 1998
Features:
By the author of many Word macro viruses, VMPCK, VVSC and VAMP
this is a simple polymorphic module for Word macro viruses.
Name: VLAD Surface Tunneling Engine
Creator/Origin: Qark
/ Australia
AKA: VSTE
Type: Tunneling Engine
Known versions:
VSTE 1.0B - November 1995
VSTE 1.0 - February 1996
Features:
A tunneling engine included in VLAD magazine #6.
Author's note:
"This engine works by calculating the length of the instructions, and
continuously going through code, until it comes to a conditional jump, or
an opcode it doesn't know. Even though the engine doesn't normally tunnel
far, because conditional jumps are so common, it is extremely effective
against heuristical scanners, always giving zero flags."
See also:
Tunneling shortcuts.
Name: VTech Mutation Engine
Creator/Origin: Unknown / Unknown
AKA: VTME
Type: Mutation Engine
Known versions:
VTME 1.0 - Unknown
VTME 1.11 - Unknown
Features:
Unknown. Used in the Lunacy viruses.
Name: VicodinES VBA String Converter
Creator/Origin: VicodinES / USA
AKA: VVSC
Type: Conversion/Encryption Tool
Known versions:
VVSC - July 1998
Features:
This tool by the creator of VMPCK and VAMP scrambles/converts
text strings in macro viruses.
Author's note:
"This utility can help you hide text strings in your macro code.
For example, if you have a string in your macro virus that would be extremely
obvious to anyone who stumbled into your code. Say a text string like this
:
msgbox "Virus !!"
Then you need a way to hide your text strings but Word 97 does not support
macro encrytpion. What can you do? Encode it with my VVSC utility. This
way it is much less obvious what your message box is going to say or even
what your macro virus is going to do."
Name: White Noise
Creator/Origin: White Angel / RSA
AKA: --
Type: Polymorphic Engine
Known versions:
White Noise - June 1997
Features:
Released with RSA #1 zine it comes with one
sample virus.
From the author [sic]:
Description of my generator:
Name: White_Noise
EnCryption: very simple gamma encryption with dynamycal change of
internal crypt parameters. To encryption can be used instructions: Xor,
Sub, Add, Ror, Rol, Not. Count of crypt instructions can be from 2 to 10.
Carbage complexity: for carbage i`m use several instruction types:
1) interrupr 21h with functions:
4Dh, 54h, 19h, 0Dh;
interrupt 16h with functions:
1, 2;
interrupt 10h with functions:
8, 0Dh
interrupt 12h.
2) instruction, that write to memory. Very stupid heuristic try found
encryption cycle by find command that write to memory ... And very nice
;-)
3) i`m use a call instruction with push a parameter in stack sample:
Push 1234
Push 1234
Push 1234
Push 1234
Call Sub1
---------
Sub1: Push Bp
Mov Bp,Sp
[Sample carbage]
Pop Bp
Ret 8
4) Sub, Add, Xor, Mov, Cmp, Jx, Jmp and other .
5) Push & Pop
6) Simple one-byte instructions: nop, cld, std, sti ...
Technical info: generator compiled with: Org 100h, model tiny, pascal
calling conversion, use .386 instructions.
Details:
Function MakeCryptor( CryptAreaLen:Word; CryptorPtr, DeCryptorPtr:DWord);
CryptAreaLen - length in bytes of area, that must be encrypted
CryptorPtr - pointer, where create a cryptor.
DeCryptorPtr - pointer, where create a decryptor.
Name: Windows Scripting Host 2 Polymorphic Engine
Creator/Origin: Rajaat / UK
AKA: WSH2PE
Type: Polymorphic Engine
Known versions:
WSH2PE - Unknown 2000
Features:
Unknown. Polymorphic engine for use in VBS viruses/worms. Released with
Metaphase Zine #2.
Name: Written-In-One-Day Mutation Engine
Creator/Origin: Doctor Revenge / Unknown
AKA: WIODME
Type: Mutation Engine
Known versions:
WIODME - February 1994
Features:
Unknown. It was written for and used in the Dream.2000 virus by the same
author.
Name: Wild Worker Polymorphic Engine
Creator/Origin: Wild Worker / RSA
AKA: WWPE
Type: Polymorphic Engine
Known versions:
WWPE 0.1 - June 1997
Features:
Released with RSA #1 zine it comes with one
sample virus.
From the author [sic]:
How it works:
Virus code divded in to random number of section (min=1, max=10). Each
section encrypted with own encryptor and have own decryptor. When all sections
decryptros generated, they all encrypted again...Of course all decryptors
can have garbage if you set flag when calling (look how to use section).
Garbage generator can make almost all instructions:) It can make call/jmp/jxx
reg manip/port reading/single ops/interrupt calling. Decryptors with garbage
can be large and sometimes can be 6kb:) All decryptors placed at the end
of virus. That's look like:
---------------
| HOST |
|-------------|
| JMP/CALL |--
|-------------| |
->|Encrypted | |
| | virus| |
| |-------------| |
--| Decryptors |<-
---------------
Name: Weiners XOR Machine
Creator/Origin: Australian Parasite / Australia
AKA: WXM
Type: Polymorphic Engine
Known versions:
WXM 1.0 - June 1994
Features:
Generates relatively simple XOR decryptor's, with a lot garbage. The decryptor
is placed before the encrypted code. The engine is included in the Australian.990
(Digitised Paradise) virus, by the same author.
Name: 8087 Mutation Engine
Creator/Origin: Golden Cicada / Taiwan
AKA: X87ME
Type: Polymorphic Engine
Known versions:
X87ME 1.0 - January 1996
Features:
Unknown. The engine was meant for inclusion in viruses created by the CVEX
virus creation software by the same author.
Name: X-Files Mutation Engine
Creator/Origin: Billy Belcebu / Spain
AKA: XFME
Type: Mutation Engine
Known versions:
XFME - Unknown 1997
Features:
Unknown.
Name: XXL Mutation Engine
Creator/Origin: Unknown / Unknown
AKA: XXLME
Type: Polymorphic Engine
Known versions:
XXLME 1.0 - April 1998
Features:
Unknown. The engine is included in the Win32.Libertine virus.
Name: Yet Another Data Encryption Kernel Advance
Creator/Origin: Unknown / Unknown
AKA: YADEKA
Type: Mutation Engine
Known versions:
YADEKA 1.0 - Unknown
Features:
Unknown. The engine is included in the Yade.2365 virus
Name: Zdob Shi Zdub Polymorphic Engine
Creator/Origin: Ultras / Russia
AKA: ZSZPE
Type: Polymorphic Engine
Known versions:
ZSZPE - March 2000
Features:
A polymorphic engine for macro viruses by the author of UCK,
UAMP, UMPE and UMP
Name: Zombie's Code Mutation Engine
Creator/Origin: Zombie / Russia
AKA: ZCME
Type: Polymorphic Engine
Known versions:
ZCME 0.00 - October 1997
ZCME 0.01 - October 1997
Features:
The engine is included in the Zombie.ZCME.16384 virus. The engine and the
virus were released in the first issue of the Russian
Virus Magazine.
Third party analysis:
The virus is not encrypted, but it has no any constant part of code. The
virus does that by "mixing" its code while infecting files: by
using its internal disassembler the virus disassembles itself and copies
its Assembler instruction to 16K buffer at random selected addresses. If
sequential instruction are copied to different blocks of buffer, to "link"
them the virus uses Assembler instruction JMP. The virus then fixes addresses
of Jump-by-condition (Jcc) instructions and subroutine CALLs. The virus
also randomly inserts "do-nothing" NOP instruction in its code.
As a result, 1346 bytes of actual virus code are randomly placed within
16K buffer.
Name: Zhengxi Mutation Engine
Creator/Origin: Unknown / Unknown
AKA: ZME
Type: Polymorphic Engine
Known versions:
ZME - Unknown 1996
Features:
The engine is included in the Zhengxi family, by the same author. For an
in depth view at Zhengxi look here.
Name: Zaxon's Polymorphic Engine
Creator/Origin: Zaxon / Spain
AKA: ZPE
Type: Polymorphic Engine
Known versions:
ZPE - Unknown 1997
Features:
Unknown. The engine was originaly written for the never released version
2.666 of the NOP Virus Creator by members
of DDT.
Name: Zoom23 Virus Engine
Creator/Origin: Zoom23 / Philippines
AKA: ZVE
Type: Polymorphic Engine
Known versions:
ZVE - May 1998
Features:
Unknown. Released with issue #2 of the Pinoy Virus Writers zine.
Author's note:
"This engine was made using turbo pascal compiler. It's a UNIT (ZVE.TPU)
file and you can use it to create your viruses. It's a simple engine it
could be the first Pascal made virus engine. It only replicates and does'nt
detroy infected files. It only increases it's file lenght. It searches for
it's signature so it wont infect files that are already infected."
