Thread: virii ... warning:question???

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Posts
    106

    virii ... warning:question???

    can anyone explain to me what an 'encrypted' virus is... i read in many books and txt's that .. at some point virus writers started to encrypt their viruses to avoid AV ... but how exactly is that done... i mean... if something is encrypted how can it be executed...

    i also read that they make polymorphic encryption engines... if an encryption key is random how can the virus decrypt... again...
    I'm the guy who bitched out a girl about writing poems in General Chat... Now everyone thinks I hate women and that I'm gay ... live and learn ... hehe

  2. #2
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Originally posted here by etruscan
    can anyone explain to me what an 'encrypted' virus is... i read in many books and txt's that .. at some point virus writers started to encrypt their viruses to avoid AV ... but how exactly is that done... i mean... if something is encrypted how can it be executed...

    i also read that they make polymorphic encryption engines... if an encryption key is random how can the virus decrypt... again...
    What you're talking about is mostly popular in scripts (i.e. macro worms). In the macro virii like the ones which I've seen that have encryption, it all mostly works like this...

    First it sets a cipher at the beginning of the code so the rest of the encrypted script will make sense, then it sets itself up to run at startup, after that they'll set up a mailer or just copy itself to FTP sharing directories and wait for people to download it, and sometimes it'll run a payload (i.e. stupid messages, drops & runs other scripts, screws with the boot.ini in a box with like XP, deletes files, and blah... blah... blah...) and near the end of the script it runs the encryption.

    So basically it ciphers through its own code & runs the rest just before re-encrypting itself.

  3. #3
    Just a Virtualized Geek (MrLinus)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    **Thread moved from Web Security to Anti Virus Security**
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter | MsMittens' HomePage

  4. #4
    Very interesting subject!!!

    found this:
    At the same time, virus writers developed methods to hide their viral code in plain view by altering its appearance. Polymorphic viruses encrypt their code using a variety of encryption schemes with varying decryption routines. However, the viral code can be readily identified once decrypted, thanks to the unchanging portions of their code, such as a data area filled with string constants. Polymorphic viruses must have a "head" or decryptor that exists to decrypt the encoded virus and allow it to run. Polymorphic viruses may alter their appearance by changing the order of subroutines, and injecting random junk code like NOP (null operation) instructions. Examples of polymorphic viruses include SMEG.Pathogen (whose U.K. writer was caught and sentenced to 18 months) and Elkern, the companion virus to the Klez worm.

    from SecurityFocus

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    106
    ok... so if there's a head or decryptor present then why not just scan for its string instead of looking for the encrypted part of the virus
    I'm the guy who bitched out a girl about writing poems in General Chat... Now everyone thinks I hate women and that I'm gay ... live and learn ... hehe
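As an added illustration of the question in #5 and the SecurityFocus excerpt in #4 (example code written for this thread, not from any poster or any real virus): a toy file layout with a variable decryptor "head" (random key, random NOP padding) in front of an XOR-encoded body. It shows why a fixed byte signature over the stored file misses the constant data area, why the head itself differs from copy to copy, and why a scanner that recognises the head by structure and applies its own decryption still finds the constant string. The opcodes, the marker string and the sample body are all constructed.

```python
import random

# Constructed toy encoding, not any real instruction set: a decryptor "head" made of
# optional NOP junk, a SETKEY opcode plus one key byte, and a DECRYPT opcode meaning
# "XOR everything after me with the key". The body is stored XOR-encoded.
NOP, OP_SETKEY, OP_DECRYPT = 0x90, 0xA1, 0xB2
MARKER = b"STRING_CONSTANT_TABLE"          # stand-in for the unchanging data area (constructed)
SAMPLE_BODY = b"routine A; routine B; " + MARKER + b"; payload text"   # constructed body

def make_generation(body: bytes, key: int, junk_len: int) -> bytes:
    """One stored 'generation': variable head + body XORed with a nonzero single-byte key."""
    assert 1 <= key <= 255, "key 0 would leave the body in clear"
    head = bytes([NOP] * junk_len) + bytes([OP_SETKEY, key, OP_DECRYPT])
    return head + bytes(b ^ key for b in body)

def random_generation(body: bytes, rng: random.Random) -> bytes:
    """What a polymorphic engine does per copy: fresh key and a fresh amount of junk."""
    return make_generation(body, rng.randrange(1, 256), rng.randrange(0, 4))

def byte_signature_scan(stored: bytes, signature: bytes) -> bool:
    """Classic scanner: a fixed byte string matched against the file exactly as stored."""
    return signature in stored

def parse_head(stored: bytes):
    """Return (head_length, key) if the file starts with this decryptor family, else None."""
    i = 0
    while i < len(stored) and stored[i] == NOP:        # skip any junk padding
        i += 1
    if i + 3 > len(stored) or stored[i] != OP_SETKEY or stored[i + 2] != OP_DECRYPT:
        return None
    return i + 3, stored[i + 1]

def emulating_scan(stored: bytes) -> bool:
    """Recognise the head by its structure, apply its own decryption, then match the body."""
    parsed = parse_head(stored)
    if parsed is None:
        return False
    head_len, key = parsed
    return byte_signature_scan(bytes(b ^ key for b in stored[head_len:]), MARKER)

def scan(stored: bytes) -> bool:
    """Both checks together: the marker in clear, or the marker behind a recognised decryptor."""
    return byte_signature_scan(stored, MARKER) or emulating_scan(stored)

if __name__ == "__main__":
    g1, g2 = make_generation(SAMPLE_BODY, 0x5A, 0), make_generation(SAMPLE_BODY, 0x3C, 2)
    print("marker visible as stored:", byte_signature_scan(g1, MARKER))   # False
    print("heads identical:", g1[:3] == g2[:5])                            # False
    print("emulating scan:", emulating_scan(g1), emulating_scan(g2))       # True True
```

A real scanner does the last step by emulating the decryptor rather than parsing a known opcode, which is exactly why a plain string match on the head is not enough once the head changes per copy.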
