Dark Avenger Mutation Engine | |
---|---|
Type | Polymorphic mutation engine |
Creator | Dark Avenger |
Date Completed | 1991.08.17 |
Place of Origin | Sofia, Bulgaria |
Source Language | Assembly |
Platform | DOS |
The Dark Avenger Mutation Engine (sometimes abbreviated as DAME) is an engine that makes virus code linked to it polymorphic. It is not a virus itself, but a module that can be linked to a virus.
When a virus using the engine writes itself to a file, the encryptor makes the virus code look like random garbage. When the file is executed, the decryptor ungarbles it. The decryptor is the one part of the virus that remains unencrypted.
The main body of the virus code uses the engine by calling it with parameters for the following variables:
- Work segment
- Pointer for the code for it to encrypt
- Infection length of the virus
- Base of the decryptor
- Entry-point address of the host
- Target location of the encrypted code
- Size of the decryptor
- Bitfield of registers not in use
While the mutation engine itself does not include a random number generator, an archive Dark Avenger distributed it in did contain one as a separate module.
Antivirus researchers noted that linking the engine to an existing virus was not a simple task, but that it could still make the creation of polymorphic viruses much easier than coding them from scratch.
The engine was capable of producing many different mutations of the same virus. Norton antivirus claimed to have detected around 900,000 different mutations by late 1992. Virus coders at the Crypt Newsletter claim to have created viruses that produce the "900,001st, 900,002nd and 900,003rd MtE mutations".
When the engine was first used in viruses, it made it very difficult for antivirus researchers to create detections for them. Peter Szor says that it took him five days before he could come up with a reliable detector for the virus.
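The two points above (the encryptor turns the body into apparent garbage while only the decryptor stays in clear, and plain signature scanning therefore stops working) can be illustrated with a toy model. The following Python is an added example, not code from the page or from the engine itself: it uses a one-byte XOR key as a stand-in for the per-infection key and a fixed decrypt() routine as a stand-in for the decryptor, whereas the real engine generated varying x86 decryptor code. The PAYLOAD and SIGNATURE bytes are constructed. It shows that every key yields a different encrypted body, that a signature extracted from the plaintext body no longer matches the encrypted copies, and that a scanner which tries all candidate keys and looks at the decrypted body (the approach early scanners used against simple encryptors) still finds it.

```python
"""Toy model of a polymorphic encryptor/decryptor and two detection strategies.

Constructed example; not the Mutation Engine's algorithm. The one-byte XOR key
stands in for the per-infection key, and the fixed decrypt() stands in for the
decryptor stub that remains unencrypted in the infected file.
"""
import os
from typing import Optional

# Constructed stand-in for a virus body (plain text, not real code).
PAYLOAD = b"MOV AH,4Ch\r\nINT 21h\r\n"
# A byte signature a scanner might have extracted from the plaintext body.
SIGNATURE = b"INT 21h"


def encrypt(body: bytes, key: int) -> bytes:
    """Encryptor: XOR every byte with the per-infection key."""
    return bytes(b ^ key for b in body)


def decrypt(blob: bytes, key: int) -> bytes:
    """Decryptor: XOR is its own inverse, so this is the same operation."""
    return encrypt(blob, key)


def mutate(body: bytes) -> tuple:
    """Produce one random mutation: (key, encrypted body)."""
    key = os.urandom(1)[0]
    return key, encrypt(body, key)


def distinct_mutations(body: bytes) -> int:
    """How many different encrypted bodies the toy engine can emit."""
    return len({encrypt(body, k) for k in range(256)})


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Naive scanning: look for the plaintext signature in the file as-is."""
    return signature in sample


def xray_scan(sample: bytes, signature: bytes) -> Optional[int]:
    """Try every candidate key and look for the signature in the decrypted
    body. Returns the first matching key, or None when nothing matches.
    This is why the decryptor, not the garbled body, is the scanner's target."""
    for key in range(256):
        if signature in decrypt(sample, key):
            return key
    return None


if __name__ == "__main__":
    key, infected = mutate(PAYLOAD)
    print("key", hex(key), "body", infected.hex())
    print("distinct mutations:", distinct_mutations(PAYLOAD))
    print("signature scan hits:", signature_scan(infected, SIGNATURE))
    print("x-ray scan recovers key:", xray_scan(infected, SIGNATURE))
```

Key 0 is the edge case worth noting: it leaves the body unchanged, so the naive scan still hits and the x-ray scan reports key 0. The brute-force scan is cheap only because the toy key space is 256 values; against the real engine, which varied the decryptor's instruction sequence as well as the key, researchers had to identify the decryptor stub itself, which is what made a reliable detector take days rather than minutes.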
A partial list of viruses using the engine:
Influence on Other Engines
The Dark Avenger Mutation Engine was the first engine that made it easier for coders to introduce polymorphism into their viruses. A coder going by the name Masud Khafir, who wrote Pogue using Dark Avenger's engine, wrote his own TridenT Polymorphic Engine and directly credited Dark Avenger's engine as the inspiration for it. It may also have had some influence on Black Baron's SMEG engine, which he used with the Pathogen virus that got him sent to prison.
Sources
Tarkan Yetiser. Mutation Engine Report. 1992.06
CRYPT NEWSLETTER #6 (or something like that). 1992.10
Peter Szor. The Art of Computer Virus Research and Defense, Chapter 7: Advanced Code Evolution Techniques and Computer Virus Generator Kits, pp. 262-264. Addison Wesley, Symantec Press, 2005.
Howard Fuhs. Fuhs.de, Encryption Generators Used in Computer Viruses Part 1. 1995.05