Polymorphic Viruses

The most common method of detecting viruses is to scan a suspect file for a hexadecimal string which is unique to the virus. The theory is that each virus contains a sequence of hex bytes which is unique to that virus and does not occur in any other program. Finding such a string is actually very easy, since each virus is unique; the trick is to find one which is much shorter than the complete virus.

It did not take long for the virus writers to work out that if the virus changed each time it copied itself, scanning for a fixed string would not work. Since there are a number of ways of doing the same thing, especially in assembler, the first attempt at changing the virus was to use a different set of instructions for each copy.

The next step was to encrypt the virus with a random key, which would make it impossible to detect, or so the virus writers thought. The trouble with that approach is that the virus must be able to decrypt itself or it could not run, so the decryption routine at the front of every copy stays the same even though the encrypted body changes. This makes it rather easy for the scanner writers to detect it: they take their string from the decryptor instead of the body.
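The point above, as an added example that is not part of the original page: a minimal signature scanner run over constructed sample bytes. `BODY`, `STUB` and the two signatures are placeholders invented for this example; the stub stands in for the fixed decryption routine, and a single-byte XOR stands in for the random-key encryption.

```python
import os
from typing import Optional

# Constructed placeholder bytes for this example, not a real virus.
# BODY is the part the scanner's original signature is taken from; STUB is the
# fixed decryption routine that every encrypted copy must carry in order to run.
BODY = bytes.fromhex("b8004ccd21909 0e8123456789abc".replace(" ", ""))
STUB = bytes.fromhex("8b1e000131c08a0730d8880743e2f8")

def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def make_encrypted_copy(body: bytes, key: Optional[int] = None) -> bytes:
    """Build one 'infection': constant stub, one key byte, then the XORed body."""
    if key is None:
        # Pick 1..255: a zero key would leave the body in the clear.
        key = 1 + os.urandom(1)[0] % 255
    return STUB + bytes([key]) + xor_bytes(body, key)

def recover_body(sample: bytes) -> bytes:
    """What the stub does at run time: read its key byte and decrypt the body."""
    key = sample[len(STUB)]
    return xor_bytes(sample[len(STUB) + 1:], key)

def scan(sample: bytes, signature: bytes) -> bool:
    """Classic signature scan: does this fixed hex string appear in the file?"""
    return signature in sample

BODY_SIG = BODY[2:8]   # a string shorter than the whole body, as the text describes
STUB_SIG = STUB[:8]    # a string taken from the constant decryptor instead

def scan_report(sample: bytes) -> dict:
    """Which of the two signatures fires on a given sample."""
    return {"body_sig": scan(sample, BODY_SIG), "stub_sig": scan(sample, STUB_SIG)}

if __name__ == "__main__":
    for _ in range(3):
        copy = make_encrypted_copy(BODY)
        print(scan_report(copy), recover_body(copy) == BODY)
```

Each run prints `{'body_sig': False, 'stub_sig': True} True`: the body signature no longer matches, but the stub signature does on every copy, and the copy still decrypts to the original body.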

Viruses which change on each infection are known as polymorphic.
