Dark Avenger Mutation Engine
Type: Polymorphic mutation engine
Creator: Dark Avenger
Date Completed: 1991.08.17
Place of Origin: Sofia, Bulgaria
Source Language: Assembly
Platform: DOS

The Dark Avenger Mutation Engine (sometimes abbreviated as DAME) is an engine that makes virus code linked to it polymorphic. It is not a virus itself, but a module that can be linked to a virus.

When a virus using the engine writes itself to a file, the encryptor makes the virus code look like random garbage. When the file is executed, the decryptor ungarbles it. The decryptor is the one part of the virus that remains unencrypted.

The main body of the virus code uses the engine by calling it with parameters for the following variables:

  • Work segment
  • Pointer for the code for it to encrypt
  • Infection length of the virus
  • Base of the decryptor
  • Entry-point address of the host
  • Target location of the encrypted code
  • Size of the decryptor
  • Bitfield of registers not in use

While the mutation engine itself does not include a random number generator, an archive in which Dark Avenger distributed it did contain one as a separate module.

Antivirus researchers noted that it was not a simple task to link the engine to an existing virus, but it could still make the creation of polymorphic viruses much easier than coding them from scratch.

The engine was capable of producing many different mutations of the same virus. Norton AntiVirus claimed to have detected around 900,000 different mutations by late 1992. Virus coders at the Crypt Newsletter claim to have created viruses that produce the "900,001st, 900,002nd and 900,003rd MtE mutations".

When the engine was first used in viruses, antivirus researchers had a very difficult time creating detections for them. Peter Szor says that it took him five days before he could come up with a reliable detector for the virus.
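The following is an added example, not code from the engine or from any of the cited sources, showing from the scanner's side why an encrypted body defeats a fixed byte signature and how a key-independent comparison recovers the match. It assumes a single-byte XOR as a stand-in encryptor (the page does not describe the engine's actual cipher), and the body, filler and function names are constructed for the demonstration.

```python
# Constructed, harmless stand-in for a virus body (not real code).
BODY = b"CONSTRUCTED-SAMPLE-BODY: harmless marker bytes for the demo"
SIGNATURE = BODY[:16]              # classic fixed byte-string signature
FILLER = bytes(range(32, 64))      # constructed "clean" host bytes


def xor_encode(data: bytes, key: int) -> bytes:
    """Assumed stand-in encryptor: every byte XORed with one key byte."""
    return bytes(b ^ key for b in data)


def deltas(data: bytes) -> bytes:
    """XOR each byte with its successor: (p^k) ^ (q^k) == p ^ q,
    so the key cancels and the result is the same for every key."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def fixed_scan(sample: bytes) -> bool:
    """Plain signature scan on the raw bytes of the file."""
    return SIGNATURE in sample


def xray_scan(sample: bytes) -> bool:
    """Key-independent scan: match the signature's delta stream."""
    return deltas(SIGNATURE) in deltas(sample)


def make_sample(key: int) -> bytes:
    """Constructed file: clean filler, encoded body, clean filler."""
    return FILLER + xor_encode(BODY, key) + FILLER


def detection_counts(keys):
    """Return (hits by fixed scan, hits by x-ray scan, total samples)."""
    samples = [make_sample(k) for k in keys]
    return (sum(map(fixed_scan, samples)),
            sum(map(xray_scan, samples)),
            len(samples))


if __name__ == "__main__":
    fixed, xray, total = detection_counts(range(1, 256))
    print(f"fixed signature: {fixed}/{total}  delta (x-ray): {xray}/{total}")
    print("clean file flagged by x-ray:", xray_scan(FILLER * 3))
```

The delta trick only works because of the assumed single-byte XOR; an encryptor that varies its operations from copy to copy needs a different approach, such as analysing or emulating the unencrypted decryptor.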

A partial list of viruses using the engine:

Influence on Other Engines

The Dark Avenger Mutation Engine was the first engine that made it easier for coders to introduce polymorphism into their viruses. A coder going by the name Masud Khafir, who wrote Pogue using Dark Avenger's engine, wrote his own TridenT Polymorphic Engine and even directly credited Dark Avenger's engine as the inspiration for it. It may have had some influence on Black Baron's SMEG engine, which he used with the Pathogen virus that got him sent to prison.

Sources

Tarkan Yetiser. Mutation Engine Report. 1992.06

CRYPT NEWSLETTER #6 (or something like that). 1992.10

Peter Szor. The Art of Computer Virus Research and Defense, Chapter 7: Advanced Code Evolution Techniques and Computer Virus Generator Kits, pp. 262-264. Addison Wesley, Symantec Press, 2005.

Howard Fuhs. Fuhs.de, Encryption Generators Used in Computer Viruses Part 1. 1995.05
