Path: sparky!uunet!ukma!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: RADAI@vms.huji.ac.il (Y. Radai)
Newsgroups: comp.virus
Subject: Re: MtE ?? (PC)
Message-ID: <0006.9211091912.AA05064@barnabas.cert.org>
Date: 2 Nov 92 15:10:10 GMT
Sender: virus-l@lehigh.edu
Lines: 29
Approved: news@netnews.cc.lehigh.edu


Holt Sorenson writes:
> MtE is the Mutation Encryption Engine developed by Dark Avenger. It
> changes filesizes, checksum, and other info that would make it
> possible to detect a virus in a file at runtime so that the virus can
> continue to hide on your computer.

Changes filesizes and checksums??? You've missed the entire point of
MtE! MtE (Mutation Engine) is a method for converting a given virus
into a *polymorphic* one, i.e. one which looks different on each
infection, because of variable encryption and/or because of
replacement of some instructions by others which have the same effect.
MtE consists of an .OBJ module which, when linked to an assembled
virus containing a call to it (and to a random-number generator
supplied in another module), causes the virus to become polymorphic.
There are several specially designed scanners which claim to achieve
perfect detection on MtE'd viruses, and these claims are often correct
in the case of mutations in which the viral code is actually
encrypted. But in some cases MtE does not perform an encryption, and some
scanners fail in such cases. A few scanners succeed in detecting all
such viruses in some existing test suites, but it is apparently
impossible to obtain 100% detection on all possible MtE mutations
(i.e. even when the underlying virus is unknown) in those cases in
which an MtE encryption is not performed.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

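The two polymorphism mechanisms Radai names, variable encryption and replacement of instructions by equivalent ones, and the detection asymmetry he describes (encrypted mutations are catchable, non-encrypted ones are the hard case), are illustrated by the following added example. It is not MtE's code and not part of the original post: the "virus body" is a constructed, harmless list of toy pseudo-instructions with a made-up byte encoding (not x86), the cipher is single-byte XOR (far weaker than MtE's real scheme), the equivalence table is assumed for illustration, and the variable decryptor stub that MtE also generated is not modelled, only the key byte is emitted. The scanning side shows a fixed signature failing on every encrypted variant, a key-recovering "x-ray" scan catching all of them, and both scans degrading once instruction substitution is used without encryption.

```python
"""Toy polymorphic mutation vs. scanning (added example, not MtE's code)."""
import random

# Constructed, harmless stand-in for a virus body: toy pseudo-assembly, not x86.
BODY = [("mov", "ax", 0), ("mov", "cx", 3), ("inc", "ax"), ("dec", "cx"), ("ret",)]

# Assumed, illustrative table of instruction sequences with the same effect.
EQUIVALENTS = {
    ("mov", "ax", 0): [[("xor", "ax", "ax")], [("sub", "ax", "ax")],
                       [("push", 0), ("pop", "ax")]],
    ("inc", "ax"): [[("add", "ax", 1)], [("sub", "ax", -1)]],
    ("dec", "cx"): [[("sub", "cx", 1)], [("add", "cx", -1)]],
}

def assemble(insns):
    """Serialize toy instructions to bytes (a fake encoding, not machine code)."""
    return b";".join(" ".join(str(x) for x in insn).encode() for insn in insns)

def substitute(insns, rng, p=0.7):
    """Replace each eligible instruction with a random equivalent with prob. p."""
    out = []
    for insn in insns:
        alts = EQUIVALENTS.get(insn)
        if alts and rng.random() < p:
            out.extend(rng.choice(alts))
        else:
            out.append(insn)
    return out

def mutate(insns, rng, encrypt=True, swap=False):
    """One 'infection': optional instruction substitution, optional encryption.
    Encryption is single-byte XOR under a fresh key.  The real MtE also emitted
    a different decryptor each time; that is not modelled here (assumption)."""
    code = assemble(substitute(insns, rng) if swap else insns)
    if not encrypt:
        return code
    key = rng.randrange(1, 256)                 # never 0, so bytes really change
    return bytes([key]) + bytes(b ^ key for b in code)

SIGNATURE = assemble(BODY[:2])  # fixed byte string lifted from the plain body

def signature_scan(sample, sig=SIGNATURE):
    """Classic scanner: look for the fixed signature bytes."""
    return sig in sample

def xray_scan(sample, sig=SIGNATURE):
    """X-ray: at each offset assume XOR, derive the key from the signature's
    first byte, and test whether the whole signature appears under that key."""
    for off in range(len(sample) - len(sig) + 1):
        key = sample[off] ^ sig[0]
        if all(sample[off + j] ^ key == sig[j] for j in range(len(sig))):
            return True
    return False

def detection_rates(n=200, seed=1992):
    """Fraction of n mutations caught by each scanner under three regimes."""
    rng = random.Random(seed)
    regimes = {"encrypt_only": dict(encrypt=True, swap=False),
               "swap_only": dict(encrypt=False, swap=True),
               "both": dict(encrypt=True, swap=True)}
    rates = {}
    for name, kw in regimes.items():
        samples = [mutate(BODY, rng, **kw) for _ in range(n)]
        rates[name] = {
            "signature": sum(map(signature_scan, samples)) / n,
            "xray": sum(map(xray_scan, samples)) / n,
        }
    return rates

if __name__ == "__main__":
    for regime, r in detection_rates().items():
        print(f"{regime:13s} signature={r['signature']:.2f} xray={r['xray']:.2f}")
```

Run stand-alone, the encrypt-only regime gives a signature rate of 0 and an x-ray rate of 1: the key changes every infection, but a scanner that knows the plaintext body can recover it. In the swap-only regime x-ray adds nothing over the plain signature, because there is no key to recover; both catch only the mutations in which the signature region happened not to be rewritten. That is the gap Radai points to: once the engine declines to encrypt and mutates the code itself, byte-level tricks run out and the scanner needs to reason about what the instructions do.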