EMM:Level_3
This is a strongly polymorphic, stealth, parasitic infector of COM and EXE files. It increases the length of infected files by 4870 bytes. In memory it occupies about 5 kB in the last MCB. It does not infect SCAN, VSHIELD, CLEAN, FINVIRU, GUARD, VIVERIFY, TB*, -V (a high-quality Russian antivirus), VIRSTOP, NOD, HIEW (Hacker's View), NETENVI and F-PROT: these are anti-virus programs and programs whose infection would cause problems. The virus has rather exceptional abilities: it can deactivate resident anti-virus programs, namely the TBAV and CPAV/MSAV drivers, and also the NOHARD and NOFLOPPY utilities.

The virus is designed to give it the highest possible chance of going undetected. One of its more sophisticated measures is that, with a probability of about 4 %, it does not leave its infection marker in some of the infected files.

The most interesting part of the virus is its mutation technology. The polymorphic engine, signed "* EMM 1.0 *", is used in two variants; they differ in one of the registers used in the second phase of the decryptor. What makes the engine unique is that it generates a two-phase decryption routine. The first phase consists of a large number of assorted jumps and other instructions, some of which decode the instructions of the second phase of the decryptor. EMM emulates the code it generates: when it emits a conditional jump, it already knows whether the jump will be taken. The range of instructions used is very wide: conditional and unconditional jumps, subroutine calls, stack operations, logical operations, rotations, move instructions, etc. Almost every one of these instructions is needed for the decryptor to work correctly. After the first phase the second one runs: a classical loop decryptor that XORs the body with a variable key. The author probably works on a 386 machine, because on Intel 486 processors some of the generated decryptors do not work, presumably because the first phase modifies instructions that the processor has already fetched into its pipeline, so they execute in their unmodified form (this does not seem to happen on AMD).
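The two-phase scheme described above, as an added illustration in a tiny register VM. This is not the virus's code and not Eset's analysis: the instruction set, the register names, the key-derivation arithmetic and the sample signature are assumptions chosen for clarity. Phase 1 derives the key with a chain of arithmetic whose result the generator has already emulated, hides a decoy behind a conditional jump it knows will be taken, and patches the key and step into phase 2; phase 2 is a plain loop XORing each byte with a key that changes every round. The last two functions show why a static signature over the stored body finds nothing while a scanner that emulates the decryptor first does.

```python
"""Toy model of a two-phase polymorphic decryptor (added example, not the
virus's code).  Everything here (VM, opcodes, register names, key arithmetic)
is an assumption chosen for clarity."""
import random

MASK = 0xFF  # 8-bit registers keep the toy VM simple

def run(program, data, max_steps=100_000):
    """Emulate `program` over `data`; return the (decrypted) bytes.
    Instructions are lists so that 'patch' can modify later instructions,
    which is how phase 1 'decodes' phase 2 here."""
    program = [list(ins) for ins in program]   # self-modification stays local
    regs = {"a": 0, "b": 0, "c": 0, "d": 0}
    data = bytearray(data)
    ip = 0
    for _ in range(max_steps):
        if ip >= len(program):
            return bytes(data)
        op, *args = program[ip]
        ip += 1
        if op == "mov":    regs[args[0]] = args[1] & MASK
        elif op == "add":  regs[args[0]] = (regs[args[0]] + args[1]) & MASK
        elif op == "xor":  regs[args[0]] ^= args[1]
        elif op == "rol":  v = regs[args[0]]; regs[args[0]] = ((v << args[1]) | (v >> (8 - args[1]))) & MASK
        elif op == "patch": program[args[0]][args[1]] = regs[args[2]]  # write reg into a later operand
        elif op == "load": regs[args[0]] = data[regs[args[1]]]          # a = data[b]
        elif op == "stor": data[regs[args[0]]] = regs[args[1]]          # data[b] = a
        elif op == "xorr": regs[args[0]] ^= regs[args[1]]
        elif op == "dec":  regs[args[0]] = (regs[args[0]] - 1) & MASK
        elif op == "jnz":  ip = args[1] if regs[args[0]] else ip
        else: raise ValueError(op)
    raise RuntimeError("step limit exceeded: runaway decryptor")

def emit_obfuscated_const(rng, reg, n_ops):
    """Phase-1 building block: ops that leave a value in `reg` without that
    value appearing as a literal.  The generator tracks the value as it emits
    (it emulates its own output) and returns it alongside the ops."""
    val = rng.randrange(256)
    ops = [["mov", reg, val]]
    for _ in range(n_ops):
        kind = rng.choice(["add", "xor", "rol"])
        if kind == "rol":
            n = rng.randrange(1, 8)
            val = ((val << n) | (val >> (8 - n))) & MASK
            ops.append(["rol", reg, n])
        else:
            k = rng.randrange(256)
            val = (val + k) & MASK if kind == "add" else val ^ k
            ops.append([kind, reg, k])
    return ops, val

def generate_decryptor(plain, seed):
    """Return (program, encrypted_body) for one mutation of the decryptor."""
    assert 0 < len(plain) < 256, "toy VM uses 8-bit registers"
    rng = random.Random(seed)
    prog = []
    # phase 1: derive key into a; because the generator knows a != 0 it can
    # emit a jnz that is always taken and hide a decoy 'mov a' behind it
    ops, key = emit_obfuscated_const(rng, "a", rng.randrange(2, 6))
    prog += ops
    if key:
        prog += [["jnz", "a", len(prog) + 2], ["mov", "a", (key + 1) & MASK]]
    key_patch = len(prog); prog.append(["patch", None, 2, "a"])
    ops, delta = emit_obfuscated_const(rng, "a", rng.randrange(2, 6))
    prog += ops
    if delta == 0:                      # keep the key genuinely variable
        prog.append(["add", "a", 1]); delta = 1
    delta_patch = len(prog); prog.append(["patch", None, 2, "a"])
    # phase 2: classic loop; key and step operands are placeholders until
    # phase 1 patches them at run time
    start = len(prog)
    prog += [["mov", "c", 0],            # key   (patched)
             ["mov", "b", 0],            # pointer
             ["mov", "d", len(plain)],   # counter
             ["load", "a", "b"],         # loop: a = data[b]
             ["xorr", "a", "c"],         #       a ^= key
             ["stor", "b", "a"],         #       data[b] = a
             ["add", "c", 0],            #       key += delta (patched)
             ["add", "b", 1],
             ["dec", "d"],
             ["jnz", "d", start + 3]]
    prog[key_patch][1] = start
    prog[delta_patch][1] = start + 6
    body = bytes(p ^ ((key + i * delta) & MASK) for i, p in enumerate(plain))
    return prog, body

SIGNATURE = b"Welcome"  # assumed plaintext signature a scanner would look for

def static_scan(body, sig=SIGNATURE):
    """Signature match on the stored body: defeated by the encryption."""
    return sig in body

def emulating_scan(prog, body, sig=SIGNATURE):
    """Run the decryptor in the emulator, then match: sees the plaintext."""
    return sig in run(prog, body)

if __name__ == "__main__":
    plain = b"Welcome to the Explosion's Mutation Machine!"
    for seed in (1, 2):
        prog, body = generate_decryptor(plain, seed)
        print(f"seed {seed}: {len(prog)} instructions, static={static_scan(body)}, "
              f"emulated={emulating_scan(prog, body)}")
```

Two seeds give two decryptors with different lengths, constants and jump targets around the same loop, which is the property that defeats a fixed byte signature over the decryptor as well as over the body.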
The virus contains the following text:
Welcome to the Explosion's Mutation Machine!
and, almost obligatorily, an acknowledgement of its line of descent:
Dis is level 3.
EMM:Level_3 represents the peak of the Explosion, One_Half and Level_3 line of development. The author calls himself "Vývojár" (Developer).
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
