

                 Rajaat's Tiny Flexible Mutator [RTFM] 
                 Version 1.0                           
                 (C) 1994 Rajaat                       
                  


What is it? 
 

        RTFM is an object module that can be linked to your virus to make
        it impossible for a scanner to use a simple string. It will encrypt
        your virus and generate a random decryptor using random registers
        and random instructions. Therefore, an algorithmic approach will be
        needed to detect viruses using this object module.

How to use it 
 

        RTFM is very easy to use, and regular assembler users will have no
        problem using this routine. RTFM needs some input registers and will
        give some return values after processing.

Input 
 

        DS:SI   = piece of code to encrypt
        ES:DI   = place of decryptor+encrypted code
        CX      = length of code (including the mutator, mut_len)
        BX      = offset of decryptor in file
        AX      = flag bits
                        bit 0 = 1: do not use junk code

Output 
 

        DS:DX   = place of decryptor+encrypted code
        CX      = length of encrypted code+decryptor
        BP      = preserved
        Other registers might be trashed

Put this at the start of your virus code 
 

                extrn mut_top:near, mut_bottom:near, mut_len:abs
                extrn rnd_init:near, rnd_get:near
                extrn mutate:near

Before writing the virus to a file, call the engine with these parameters 
 

                mov si,offset virusstart        ; with non-resident virii
                                                ; you will need a delta offset

                mov di,offset workspace         ; make sure you point this to
                                                ; an area that has enough space
                                                ; for the virus (including
                                                ; the mutation engine) and the
                                                ; decryptor

                mov cx,viruslength+mut_len      ; the length of the virus (and
                                                ; the length of the mutation
                                                ; engine)

                mov bx,absstart                 ; absolute start of the
                                                ; decryptor

                xor ax,ax                       ; no flags set

                call mutate                     ; and mutate!

Linking the module 
 

        To link RTFM to your virus, use TLINK from Borland. Use the following
        syntax:

                TLINK /T MYVIRUS+RME10

Notes 
 

        RTFM was not meant to make an unscannable virus; its only purpose is
        to make string scanning impossible. The code generated by RTFM is by
        no means extremely polymorphic and it will not be very difficult to
        devise an algorithm to detect viruses using RTFM. The size of RTFM is
        smaller than 650 bytes. This is not too big.

History 
 

        1.0     initial version

Greetings 
 

        Omega [AD], NuKE, Phalcon/Skism, Immortal Riot, TridenT, VLAD, YAM,
        Trinity, Zerial, DNA and all other virus writers I forgot!

