
 MistFall.Z0MBiE-10.d (uses: MISTFALL, RPME, CODEGEN, LDE32, ETG)

 action:

 1. when infected PE file started, check (by means of Atoms) if dropper is
    alredy running, then exit; otherwise re-execute current program,
    leaving current process as main viral process.
 2. when main viral process is executed, build new permutating copy
    (slow-permutating) by means of RPME,
    then search for PE EXE files, and infect'em.

 infection method: (MISTFALL engine)

 1. disassemble file (fixups required)
 2. integrate with viral body
 3. assemble file

 infection details:

 - with probability of  1/20, insert bad word after each instruction
 - with probability of  1/20, infect without decryptor, just plain virus
 - with probability of 18/20, use polymorhic decryptor, see INFECT.INC

 version .a (ZMist)
 ~~~~~~~~~~

 - ~97% detections (anyway, good enough, for Peter Szor)

 version .b
 ~~~~~~~~~~

 - removed RSA-signing feature
 - removed 'Z'-sign from MZ header... (multi-infections available, max 2-4 times)
 - UEP prob changed from 1/10 to 1/5
 - decryptor scheme changed

 version .c
 ~~~~~~~~~~

 - MISTFALL updated to 1.02: randomly remove PE fixups
 - RPME's mutator changed: more trash is generated within permutated body
 - encryption scheme improved

 version .d
 ~~~~~~~~~~

 - decryptor a bit modified, some infection parameters changed
 - random CALLs from decryptor to RETNs within program's code
 - CODEGEN updated to 2.50 (mov_r_offsv improved)
 - atom checking bugfixed (now ok in w2k)
