
 

 MistFall.Z0MBiE-10.a (engine demo. also used: RPME, CODEGEN, LDE32, ETG)

 special thanx to S.S.R.
 greetz goes to Vecna, Mr.Sandman

 action:

 1. when an infected PE file is started, check (by means of Atoms) whether
    the dropper is already running and, if so, exit; otherwise re-execute
    the current program, leaving the current process as the main viral process.
 2. when main viral process is executed, build new permutating copy
    (slow-permutating) by means of RPME,
    then search for PE EXE files, and infect'em.

 infection method: (MISTFALL engine)

 1. disassemble file (fixups required)
 2. integrate with viral body
 3. assemble file

 infection details:

 - with probability of 1/10, insert bad word after each instruction
 - with probability of 1/10, infect without decryptor, just plain virus
 - with probability of 8/10, use polymorphic decryptor, see INFECT.INC

 So, poly-encrypted permutated viral body is completely integrated with
 target file. Hmm.. checkmate?

 
