Simile (computer virus)
{{infobox computer virus
| Fullname = Win32/Simile
| Image =
| Common name =
| Technical name =
| Aliases = Etap, MetaPHOR
| Family =
| Classification =
| Type = [[Computer virus]]
| Subtype =
| IsolationDate = {{Start date and age|2002|03}}
| Origin =
| Author =
| Ports used =
| OSes = [[Microsoft Windows]]
| Filesize =
| Language =
}}
'''Win32/Simile''' (also known as Etap and MetaPHOR) is a [[Metamorphic code|metamorphic]] [[computer virus]] written in [[assembly language]] for [[Microsoft Windows]].<ref>{{cite web|title=W32/Etap-A|url=http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Etap-A.aspx|publisher=Sophos|accessdate=17 February 2013}}</ref> The virus was released in its most recent version in early March 2002. It was written by the virus writer "Mental Driller". Some of his previous viruses, such as Win95/Drill (which used the TUAREG [[polymorphic engine]]), have proved very challenging to detect.

When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the file User32.dll, then on 17 March, June, September, or December, a message is displayed. Depending on the version of the virus, the case of each letter in the text is altered randomly. On 14 May (the anniversary of [[Yom Ha'atzmaut|Israeli independence day]]), a message saying "Free [[Palestine]]!" will be displayed if the system locale is set to [[Hebrew (language)|Hebrew]].<ref>{{cite web|title=Virus.Wind32.Etap|url=http://www.securelist.com/en/descriptions/old20525|publisher=SecureList|accessdate=17 February 2013}}</ref>

The virus then rebuilds itself. This metamorphic process is very complex and accounts for around 90% of the virus' code. After the rebuild, the virus searches for executable files in folders on all fixed and remote drives. Files will not be infected if they are located in a [[subfolder]] more than three levels deep, or if the folder name begins with the letter W.

For each file that is found, there is a 50 percent chance that it will be ignored. Files will not be infected if they begin with F, PA, SC, DR, NO, or if the letter V appears anywhere in the file name. Due to the way in which the name matching is done, file names that contain certain other characters are also not infected, although this part is not deliberate. The virus contains checks to avoid infecting "goat" or "bait" files (files that are created by [[anti-virus program]]s).

The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor.

==See also==
* [[Metamorphic code]]
* [[ZMist (computer virus)|ZMist]]
* [[Self-modifying code]]
* [[Strange loop]]
* [[Polymorphic code]]
* [[Timeline of computer viruses and worms]]

==References==
{{reflist}}

==External links==
* [https://web.archive.org/web/20021002231531/http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html Analysis by Symantec Security Response] ([https://web.archive.org/web/20080821081632/http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html archive])
* [https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSimile.gen&ThreatID=-2147394793 /virus:Win32/Simile.gen]

{{Hacking in the 2000s}}

[[Category:Windows file viruses]]
[[Category:Assembly language software]]
[[Category:Hacking in the 2000s]]
[[Category:Anti-Zionism]]

{{malware-stub}}