1993 Polymorphics and Engines

Early in 1993, XTREE announced that they were quitting the antivirus business. This was the first time that a major company had given up the struggle.

Early in 1993, a new virus-writing group appeared in Holland, called Trident. The main Trident author, Masouf Khafir, wrote a polymorphic engine called the Trident Polymorphic Engine (TPE), and released a virus that used it, called GIRAFE. This was followed by updated versions of the TPE. The TPE is much more difficult to detect reliably than the MtE, and it is very difficult to avoid false alarms on it.

Khafir also released the first virus that worked according to a principle first described by Fred Cohen. The Cruncher virus was a data compression virus that automatically added itself to files in order to auto-install on as many computers as possible.

Meanwhile, Nowhere Man, of the Nuke group, had been busy. Early in 1993, he released the Nuke Encryption Device (NED). This was another mutator that was trickier than the MtE. A virus called Itshard soon followed.

Phalcon/Skism was not to be left out. Dark Angel released DAME (Dark Angel's Multiple Encryptor) in an issue of 40hex; a virus called Trigger uses this. Trident released version 1.4 of the TPE (again, more complex and more difficult than previous versions) and released a virus called Bosnia that uses it.

Soon after that, Lucifer Messiah, of Anarkick Systems, took version 1.4 of the TPE and wrote a virus called POETCODE, using a modified version of this engine (1.4b).

Early in 1993, another highly polymorphic virus appeared, called Tremor. This rocketed to stardom when it got included in a TV broadcast of software (received via a decoder).

In the middle of 1993, Trident got a boost when Dark Ray and John Tardy joined the group. Tardy released a fully polymorphic virus in 444 bytes, and we can expect more difficult things from Trident.

The main event of 1993 was the emergence of an increasing number of polymorphic engines, which will make it easier and easier to write viruses that scanners find difficult to detect.

The information in this section was provided by and used with permission of Dr. Solomon Software. Please do not further use the material without obtaining your own permission to use it.

