MistFall.Z0MBiE-10.c (uses: MISTFALL, RPME, CODEGEN, LDE32, ETG)

 action:

 1. when infected PE file started, check (by means of Atoms) if dropper is
    alredy running, then exit; otherwise re-execute current program,
    leaving current process as main viral process.
 2. when main viral process is executed, build new permutating copy
    (slow-permutating) by means of RPME,
    then search for PE EXE files, and infect'em.

 infection method: (MISTFALL engine)

 1. disassemble file (fixups required)
 2. integrate with viral body
 3. assemble file

 infection details:

 - with probability of 1/10, insert bad word after each instruction
 - with probability of 1/10, infect without decryptor, just plain virus
 - with probability of 8/10, use polymorhic decryptor, see INFECT.INC

 version .a (ZMist)
 ~~~~~~~~~~

 - ~97% detections (anyway, good enough, for Peter Szor)

 version .b
 ~~~~~~~~~~  
 - removed RSA-signing feature
 - removed 'Z'-sign from MZ header...
 - UEP prob changed from 1/10 to 1/5
 - decryptor scheme changed

 version .c
 ~~~~~~~~~~

 - MISTFALL updated to 1.02: randomly remove PE fixups
 - RPME's mutator changed: more trash is generated within permutated body
 - encryption scheme improved


  source in binaries dirz