The first known polymorphic virus, 1260, was written in the US by Mark Washburn in 1990. This virus has many interesting techniques that were previously predicted by Fred Cohen. The virus uses two sliding keys to decrypt its body, but more importantly, it inserts junk instructions into its decryptor. These instructions are garbage in the code. They have no function other than altering the appearance of the decryptor. Virus scanners were challenged by 1260 because simple search strings could no longer be extracted from the code. Although 1260’s decryptor is very simple, its length varies with the number of junk instructions inserted and with the random padding that follows the decryptor, which can be up to 39 bytes of junk instructions. In addition, each group of instructions (prolog, decryption, and increments) within the decryptor can be permuted in any order. Thus the “skeleton” of the decryptor can change as well.

An Example Decryptor of 1260

; Group 1 – Prolog Instructions

inc     si	; optional, variable junk
mov     ax,0E9B	; set key 1
clc	; optional, variable junk
mov     di,012A	; offset of Start
nop	; optional, variable junk
mov     cx,0571	; this many bytes - key 2

; Group 2 – Decryption Instructions
Decrypt:
xor     [di],cx	; decrypt first word with key 2
sub     bx,dx	; optional, variable junk
xor     bx,cx	; optional, variable junk
sub     bx,ax	; optional, variable junk
sub     bx,cx	; optional, variable junk
nop	; non-optional junk
xor     dx,cx	; optional, variable junk
xor     [di],ax	; decrypt first word with key 1
; Group 3 – Increment Instructions
inc     di	; next byte
nop	; non-optional junk
clc	; optional, variable junk
inc     ax	; slide key 1
; loop
loop    Decrypt	; until all bytes are decrypted – slide key 2
; random padding up to 39 bytes

Start:
;     Encrypted/decrypted virus body
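
The scanner problem described above, as an added example (not code from the original text): a fixed instruction-sequence signature taken from the listing misses a second variant, while a match that discards junk and ignores order within each group hits both. VARIANT_B, its key and offset values, and the junk list are constructed assumptions based only on the listing above.

```python
import re

# Junk forms seen in the listing above; none touches ax, cx, di or memory.
# Assumption: the junk set of the real engine is wider than this.
JUNK = re.compile(r"^(nop|clc|inc si|(sub|xor) (bx|dx),(ax|bx|cx|dx))$")

# Essential instructions per group (prolog, decryption, increments, loop),
# with key values, offsets and the loop target wildcarded.
SKELETON = [{"mov ax,*", "mov di,*", "mov cx,*"},
            {"xor [di],cx", "xor [di],ax"},
            {"inc di", "inc ax"},
            {"loop *"}]

def instructions(listing, drop_junk):
    """Comment-stripped, lower-cased, wildcarded instructions of a listing."""
    out = []
    for line in listing.splitlines():
        ins = " ".join(line.split(";")[0].lower().split())
        ins = re.sub(r",[0-9a-f]+$", ",*", ins)      # immediate operand
        ins = re.sub(r"^loop \S+$", "loop *", ins)   # loop target
        if ins and not (drop_junk and JUNK.match(ins)):
            out.append(ins)
    return out

def fixed_signature_hit(listing, signature):
    """Search-string style match: signature must appear as a contiguous run."""
    hay, sig = instructions(listing, False), instructions(signature, False)
    return any(hay[i:i + len(sig)] == sig for i in range(len(hay) - len(sig) + 1))

def skeleton_hit(listing):
    """Junk-insensitive match; each group may appear in any internal order."""
    ins, pos = instructions(listing, True), 0
    for group in SKELETON:
        chunk = ins[pos:pos + len(group)]
        if len(chunk) != len(group) or set(chunk) != group:
            return False
        pos += len(group)
    return pos == len(ins)

# Instructions of the example decryptor shown above.
VARIANT_A = ("inc si / mov ax,0E9B / clc / mov di,012A / nop / mov cx,0571 / "
             "xor [di],cx / sub bx,dx / xor bx,cx / sub bx,ax / sub bx,cx / nop / "
             "xor dx,cx / xor [di],ax / inc di / nop / clc / inc ax / "
             "loop Decrypt").replace(" / ", "\n")
# Constructed second variant: groups reordered internally, different junk.
VARIANT_B = ("mov di,0127 / nop / mov cx,0571 / clc / mov ax,03C7 / "
             "xor [di],ax / nop / xor bx,cx / xor [di],cx / "
             "inc ax / nop / inc di / loop Decrypt").replace(" / ", "\n")
# Search string extracted from VARIANT_A only.
SIGNATURE = "mov ax,0E9B\nclc\nmov di,012A"
```

The skeleton match is deliberately strict: any instruction outside the junk list or the four groups causes a miss, so the junk list has to grow as new variants are observed.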