VIP Engine

VIP (VLAD Infinite Polymorphy) 1.0 was a 16-bit stand-alone polymorphic engine written by Qark, and was used in his Gilgamesh virus. VIP 1.0 was a 'slow-polymorphic' engine: it initialised its random number generator with the current day's date and a 16-bit word read from the ROM BIOS, so the decrypters it produced varied little within one day on one machine. This made it more difficult for the anti-virus companies to create large sets of samples to test their scanners.

Behavior

VIP 1.0 used four standard loop types: 'Standard', which was a classic decrypter loop; 'Call 1', in which the decrypter recursively called itself on each iteration; 'Call 2', in which the decrypter called the loop after setting up registers; and 'Stack', which set SP to the end of the virus, popped each word, decrypted it and pushed it back. The 'Stack' method was less flexible than the other methods: the pointer register was always SP, the decryption operation was always an XOR, and no change was made to the decryption key register.

Apart from the 'Stack' method, the decrypter types used random registers: one or two pointer registers, depending on the addressing mode chosen, and a random key register. Any of the register-indirect addressing modes (except the 06h direct-address mode) could be used: [bx+si], [bx+di], [bp+si], [bp+di], [bx], [bp], [si] and [di]. In the case of dual-register addressing modes both registers were initialised, but only the first register was incremented/decremented and compared to control the loop.

The loop test was always a compare of the pointer register with the offset of the last word to be decrypted. The loop branch could be a JNZ or a JB. Apart from the 'Stack' method, encryption was always an XOR/ADD/SUB of the word pointed to with the key register, followed by an XOR/ADD/SUB of the key register with an immediate constant. The 'Stack' method was only used in .COM infections; the other three methods were used in both .COM and .EXE infections. Apart from the 'Stack' method, decryption always ran forward and operated on 16-bit words.

Qark took some care to avoid heuristic detection of the decrypter loops: VIP 1.0 always used the standard encodings, for example for instructions addressing AX or AL. Certain junk instructions were not emitted within the first 'n' bytes; for example, no INC/DEC instructions were emitted in the first 15 bytes of the decrypter. Junk instructions generated included: INC/DEC reg16; ADD/OR/AND/ADC/SBB/SUB/XOR/CMP reg8/reg16 with a memory or immediate operand; MOV reg8/reg16 immediate; and XCHG reg8/reg16 with reg8/reg16.

According to the source code, Qark says VIP 1.0 decrypters fail in about 1 in 300 cases, due to a 16-bit memory access at offset 0FFFFh. Some of the comments in the VIP 1.0 source code seem incorrect; for example, INC/DEC is not emitted in the first 15 bytes, although the source code comments say 20.

VIP included the text string:

VIP V1.0 by Qark/VLAD

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License