The first known polymorphic virus, 1260, was written in the US by Mark Washburn in 1990. This virus has many interesting techniques that were previously predicted by Fred Cohen. The virus uses two sliding keys to decrypt its body, but more importantly, it inserts junk instructions into its decryptor. These instructions are garbage in the code. They have no function other than altering the appearance of the decryptor. Virus scanners were challenged by 1260 because simple search strings could no longer be extracted from the code. Although 1260’s decryptor is very simple, it can become shorter or longer according to the number of inserted junk instructions, and random padding of up to 39 bytes of junk follows the decryptor. In addition, the instructions within each group (prolog, decryption, and increments) of the decryptor can be permuted in any order. Thus the “skeleton” of the decryptor can change as well.
; Group 1 – Prolog Instructions
inc si          ; optional, variable junk
mov ax,0E9B     ; set key 1
clc             ; optional, variable junk
mov di,012A     ; offset of Start
nop             ; optional, variable junk
mov cx,0571     ; this many bytes - key 2

; Group 2 – Decryption Instructions
Decrypt:
xor [di],cx     ; decrypt first word with key 2
sub bx,dx       ; optional, variable junk
xor bx,cx       ; optional, variable junk
sub bx,ax       ; optional, variable junk
sub bx,cx       ; optional, variable junk
nop             ; non-optional junk
xor dx,cx       ; optional, variable junk
xor [di],ax     ; decrypt first word with key 1

; Group 3 – Increment Instructions
inc di          ; next byte
nop             ; non-optional junk
clc             ; optional, variable junk
inc ax          ; slide key 1

; loop
loop Decrypt    ; until all bytes are decrypted – slide key 2

; random padding up to 39 bytes
Start:
; Encrypted/decrypted virus body
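As an added worked example (my own code, not the virus's), the Python below models the listing above: the two sliding keys applied as 16-bit xors over a constructed body, a generator for decryptor variants with permuted groups and inserted junk, and a normalization a scanner can use to match the skeleton where a fixed search string fails. The key and count values come from the listing; the junk pool, the sample body and the variant generator are constructed for illustration.

```python
import random

# Added model of the 1260 decryptor loop (not the virus's own code): ax is
# key 1 and slides up by one per byte; cx is both the byte count and key 2
# and slides down through the LOOP instruction's decrement.
def decrypt_1260(buf, key1, count):
    # buf is a bytearray of count+1 bytes: each step xors the 16-bit word at
    # [di], so the final step also touches one byte past the body.
    ax, cx = key1, count
    for di in range(count):
        word = buf[di] | (buf[di + 1] << 8)
        word ^= cx                      # xor [di],cx
        word ^= ax                      # xor [di],ax
        buf[di], buf[di + 1] = word & 0xFF, word >> 8
        ax = (ax + 1) & 0xFFFF          # inc ax: slide key 1
        cx = (cx - 1) & 0xFFFF          # loop Decrypt: slide key 2
    return buf                          # the same xors applied twice restore the input

# Constructed junk pool and the real instructions of each group (prolog,
# decryption, increments), taken from the listing above.
JUNK = ["inc si", "clc", "nop", "sub bx,dx", "xor bx,cx",
        "sub bx,ax", "sub bx,cx", "xor dx,cx"]
GROUPS = [["mov ax,0E9B", "mov di,012A", "mov cx,0571"],
          ["xor [di],cx", "xor [di],ax"],
          ["inc di", "inc ax"]]

def make_variant(seed):
    # One decryptor skeleton: each group permuted, 0-3 junk before each step.
    rng, out = random.Random(seed), []
    for group in GROUPS:
        for ins in rng.sample(group, len(group)):
            out.extend(rng.choice(JUNK) for _ in range(rng.randint(0, 3)))
            out.append(ins)
    return out + ["loop Decrypt"]

def fixed_signature_hits(signature, listing):
    # Naive scanner: a contiguous instruction sequence lifted from one sample.
    n = len(signature)
    return any(listing[i:i + n] == signature for i in range(len(listing) - n + 1))

def normalize(listing):
    # Drop junk, then sort within each group so the permutation no longer matters.
    real = [ins for ins in listing if ins not in JUNK]
    skeleton, pos = [], 0
    for group in GROUPS:
        skeleton.append(tuple(sorted(real[pos:pos + len(group)])))
        pos += len(group)
    return tuple(skeleton) + (tuple(real[pos:]),)
```

Two variants from `make_variant` share no reliable contiguous byte string, but `normalize` maps every one of them to the same skeleton, which is the kind of invariant a scanner needs against this decryptor.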