The TridenT Polymorphic Engine, or TPE, is a polymorphic engine written by Masud Khafir of the TridenT virus group. Four major versions were released; by the fourth version, Khafir was satisfied with the engine and stopped work on it. It was the most advanced polymorphic engine of its time.
Use and Function
The TridenT Polymorphic Engine comes as an OBJ file that must be linked to the code using it. It decrypts the code in a different way each time it is called, and it places a decryption routine, which is also different each time, before the code.
The engine consists of three main subroutines: rnd_init, rnd_get, and crypt. The subroutine rnd_init initializes a random number generator and must be called before anything else, or the engine will not work properly. The subroutine rnd_get returns a random number in register AX. There are two others, tpe_bottom and tpe_top, which return the beginning and end addresses of the engine.
Versions
The first version contained bugs on certain processors that the second and third versions fixed. The first two could only encrypt viruses that stayed in the same location in memory, and the ability to encrypt viruses that can be resident in multiple locations was added in the third version. The fourth version introduced an improved, highly complex encryption method, which makes TPE-hidden viruses difficult to identify by using decryption-based detection methods. Masud Khafir rel
Viruses Using TPE
- Beethoven
- Bosnia
- Coffeeshop aka TPE.1_0.Girafe.A
- Civilwar (two versions)
Other Facts
Mark Ludwig is known to have based his own Darwinian Genetic Mutation Engine, which appeared in his book Computer Viruses, Artificial Life and Evolution, partly on TPE. TPE itself was inspired in part by the Dark Avenger Mutation Engine.
Sources
VX Heaven, TridenT Polymorphic Engine.
F-Secure, TridenT Polymorphic Engine.
Patricia Hoffman, Online VSUM, TPE Virus.