1260 (computer virus)

From ArticleWorld


1260 was the first polymorphic computer virus. A polymorphic virus is one that has the ability to change its byte pattern as it replicates, thereby attempting to hide its signature from anti-virus software.

Other names for this virus include Camouflage, Chameleon, Stealth, Variable, V2P1 and V2PX.

Description

1260 is an encrypting, file-infecting virus that affects .COM files but does not stay resident in memory. The 1260 virus is distantly related to the original Vienna virus.

The infected file size increases by 1260 bytes (hence the name), and the resulting file is encrypted. The virus is careful to use a different encryption key for each encryption.

Register replacement, which is present in more sophisticated polymorphic viruses, is absent in the 1260.

U.S.-based Mark Washburn developed the 1260 in 1989 as a research virus to demonstrate to the anti-virus community why identification string scanners fail to work in all cases.

Method of infection

The virus becomes active only when a user executes an already infected file. It works only on MS-DOS and Windows operating systems.

The virus replaces the first 3 bytes of each .COM file in the current directory with a jump to the virus.

The virus uses two sliding keys to decrypt its body and it also inserts junk instructions into its decryptor. These garbage instructions are used only to alter the appearance of the decryptor and have no other function.

Challenge to anti-virus software

Due to the stealth technique used by the 1260 virus, it is not possible to extract any search string from the virus code. Although its decryptor itself is not complicated, it can increase or decrease in size depending on the number of junk instructions inserted. Also, the groups of instructions within the decryptor can be scrambled in any order, so that the skeleton of the decryptor changes as well.
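
The following Python sketch is an added example, not code from the original article or from any anti-virus product. It contrasts a fixed identification-string scan with a structural check built from the two facts given above (a 3-byte jump at the start of the .COM file and a size increase of 1260 bytes). It assumes the added bytes sit at the end of the file and that the jump lands on their first byte; the sample files are constructed, inert data.

```python
import random
import struct

VIRUS_LEN = 1260  # size increase stated in the article

def jump_target(data):
    """File offset reached by a leading E9 rel16 near jump, or None."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    (rel16,) = struct.unpack_from("<H", data, 1)
    return (3 + rel16) & 0xFFFF  # IP wraps at 16 bits inside a .COM segment

def looks_appended(data, added=VIRUS_LEN):
    """True if the entry jump lands exactly `added` bytes before end of file
    (assumption: the added code is appended and entered at its first byte)."""
    target = jump_target(data)
    return target is not None and len(data) > added and target == len(data) - added

def string_scan(data, signature):
    """Classic identification-string check: fixed bytes anywhere in the file."""
    return signature in data

def make_sample(host_len, seed):
    """Constructed, inert test data: filler host plus 1260 seeded random bytes
    standing in for a body whose bytes differ in every copy."""
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(VIRUS_LEN))
    head = b"\xE9" + struct.pack("<H", host_len - 3)  # jump to offset host_len
    return head + b"\x90" * (host_len - 3) + tail

def triage(files, signature):
    """Map each name to (string-scan hit, structural hit)."""
    return {name: (string_scan(d, signature), looks_appended(d))
            for name, d in files.items()}

if __name__ == "__main__":
    a, b = make_sample(500, seed=1), make_sample(2000, seed=2)
    clean = b"\xE9\x10\x00" + b"\x90" * 2000  # ordinary program that starts with a jump
    sig = a[-VIRUS_LEN:][100:116]  # 16-byte string taken from sample A only
    for name, hits in triage({"a.com": a, "b.com": b, "clean.com": clean}, sig).items():
        print(name, hits)
```

The string taken from one sample matches only that sample, while the structural check flags both constructed samples and leaves the clean file alone. A structural hit is a triage signal only: a legitimate program can happen to jump to the same offset, so a flagged file still needs confirmation.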