MtE
Analysis
- Detection by FortiGate units is a generic one,
thus when your FortiGate unit displays "MTE_Family",
it is referring to any one in a group of viruses within
the Mutation Engine family
- A mutation engine such as MtE or TPE is not a virus.
It is a method. It enables a virus author to make
an otherwise static & unchanging virus into a
virus that is polymorphic -- or ever-changing.
- The act of linking the object file of a mutation
engine to the code of an otherwise static virus is
commonly referred to as giving a virus the characteristic
of polymorphism.
- Viral body is a variable number of bytes from infection
to infection, and is usually appended, prepended or
inserted (also referred to as a cavity virus) on or
into its host files
- Virus runs memory resident and is often both polymorphic
and encrypted
- Target files can be .COM and .EXE for the known
DOS polymorphic viruses.
- There are several known families of polymorphic
viruses, including:
  Mutation Engine Name   Virus Family
  MtE                    Dedicated
  TPE                    Girafe
  NED                    Ishtard
- Other known DOS polymorphic viruses include Cruncher,
Starship & Tremor
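As an added illustration of the two points above (a mutation engine turns a static body into an ever-changing one, so detection has to be generic rather than a fixed signature), here is a toy model in Python. It is not FortiGate's detection logic and contains no real viral code: the sample body, the XOR "encryption", the junk-prefix layout and the signature are all constructed for the demonstration.

```python
# Added illustration (not FortiGate's detection logic, not real viral code):
# a toy model of why a fixed byte signature fails against an MtE-style
# polymorphic body and why detection has to be generic. The hypothetical
# layout  [junk_len][junk bytes ...][key][body XOR key]  stands in for the
# variable decryptor a real mutation engine generates per infection.

STATIC_BODY = b"CONSTRUCTED-SAMPLE-BODY-INVARIANT-CORE"  # constructed stand-in
SIGNATURE = b"SAMPLE-BODY-"                              # slice of the static body


def mutate(body: bytes, key: int, junk_len: int) -> bytes:
    """Model of a mutation engine: per-infection key plus a variable-length
    junk prefix, so every infection carries a different byte sequence."""
    junk = bytes((key * (i + 1)) & 0xFF for i in range(junk_len))
    encrypted = bytes(b ^ key for b in body)
    return bytes([junk_len]) + junk + bytes([key]) + encrypted


def static_signature_match(sample: bytes, signature: bytes) -> bool:
    """Classic scanner: look for a fixed byte string in the raw file."""
    return signature in sample


def generic_detect(sample: bytes, signature: bytes) -> bool:
    """Generic (family-level) detection: recover the key from the decryptor
    layout, decrypt, then match the invariant body that never changes."""
    if not sample:
        return False
    junk_len = sample[0]
    if len(sample) < junk_len + 2:
        return False                     # too short to hold a decryptor
    key = sample[junk_len + 1]
    decrypted = bytes(b ^ key for b in sample[junk_len + 2:])
    return signature in decrypted


def demo() -> dict:
    """Two 'infections' of the same static body differ byte for byte;
    the raw signature misses both, the generic check catches both."""
    first = mutate(STATIC_BODY, 0x5A, 4)
    second = mutate(STATIC_BODY, 0x3C, 9)
    return {
        "samples_differ": first != second,
        "raw_signature_hits": [static_signature_match(s, SIGNATURE) for s in (first, second)],
        "generic_hits": [generic_detect(s, SIGNATURE) for s in (first, second)],
    }


if __name__ == "__main__":
    print(demo())
```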