Peter Ferrie, Frédéric Perriot, Péter Ször
Virus Bulletin, May 2002, pp. 4-6
ISSN 0956-9979
W32/Simile is the latest ‘product’ of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002.
The virus was written by the virus writer who calls himself ‘The Mental Driller’. Some of his previous viruses, such as W95/Drill (which used the Tuareg polymorphic engine), have proved very challenging to detect.
W32/Simile moves yet another step up the scale of complexity. The source code of the virus is approximately 14,000 lines of assembly code. About 90% of the virus code is taken up by the metamorphic engine itself, which is extremely powerful.
The virus was named ‘MetaPHOR’ by its author, which stands for ‘Metamorphic Permutating High-Obfuscating Reassembler’.
The first-generation virus code is about 32 KB, and there are three known variants of the virus in circulation. Samples of the original variant, which was released in the 29A issue, have been received by certain anti-virus companies from some major corporations in Spain, indicating a minor outbreak.
W32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembly, debugging and emulation techniques, as well as standard evaluation-based techniques for virus analysis. In common with many other complex viruses, Simile uses EPO (entry-point obscuring) techniques.