Polymorphic Viruses
Polymorphic viruses are viruses that change all or part of their code each time they replicate. This allows them to avoid detection by scanning software. Anti-virus scanners work by checking files for specific sequences of code (signatures). Since the software can't keep track of every version of the virus, the virus may go unrecognized.
Viruses that change their byte code entirely are considered 100% polymorphic. To detect these, a scanner must be able to emulate the virus's executable code; in other words, it has to predict how the virus will change each time. Some polymorphic viruses leave some bytes unchanged. Usually this is only a short stretch of code, so detection still requires a lot of analysis of the virus code.
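The difference between a classic fixed-signature scanner and one that compares only the bytes the engine leaves unchanged, as an added Python example that is not part of the original page; the byte values, the variant layout and the function names are constructed for illustration, and the case where no byte is invariant is reported as out of reach for byte scanning.

```python
from typing import Optional, Sequence

# A masked signature: a byte value at positions the engine leaves unchanged,
# None (wildcard) at positions it rewrites on every replication.
MaskedSig = Sequence[Optional[int]]

def scan_fixed(data: bytes, sig: bytes) -> bool:
    """Classic scanner: report a hit only on an exact byte-sequence match."""
    return sig in data

def scan_masked(data: bytes, sig: MaskedSig) -> bool:
    """Scanner that compares only the invariant positions of a signature."""
    if all(s is None for s in sig):
        raise ValueError("signature has no invariant bytes; scanning cannot work")
    n = len(sig)
    return any(all(s is None or data[i + j] == s for j, s in enumerate(sig))
               for i in range(len(data) - n + 1))

def sig_from_variants(variants: Sequence[bytes]) -> Optional[MaskedSig]:
    """Keep positions where all captured variants agree, wildcard the rest.
    Assumes aligned variants. Returns None when nothing is invariant, i.e. the
    sample is 100% polymorphic and byte scanning is the wrong tool."""
    n = min(len(v) for v in variants)
    sig = [variants[0][i] if all(v[i] == variants[0][i] for v in variants) else None
           for i in range(n)]
    return sig if any(s is not None for s in sig) else None

# Constructed samples (made-up bytes, not real malware): three replications of
# one hypothetical virus. Bytes 0-5 and 10-11 stay the same on every copy;
# bytes 6-9 and 12-13 are rewritten each time.
VARIANT_1 = bytes([0xE8, 0, 0, 0, 0x5B, 0x81, 0x3A, 0x91, 0xC4, 0x07, 0xEB, 0xF6, 0x10, 0x22])
VARIANT_2 = bytes([0xE8, 0, 0, 0, 0x5B, 0x81, 0x7C, 0x0D, 0x55, 0xA2, 0xEB, 0xF6, 0x9F, 0x01])
VARIANT_3 = bytes([0xE8, 0, 0, 0, 0x5B, 0x81, 0x13, 0xE7, 0x68, 0x3B, 0xEB, 0xF6, 0x44, 0xC8])
CLEAN = bytes(range(0x40, 0x60))  # unrelated file content that must not match

def demo() -> dict:
    """Compare both scanners on a file carrying a not-yet-seen replication."""
    fixed_sig = VARIANT_1                           # taken from the first sample seen
    masked_sig = sig_from_variants([VARIANT_1, VARIANT_2])
    host = CLEAN + VARIANT_3 + CLEAN                # new copy embedded in a host file
    return {
        "wildcards": masked_sig.count(None),
        "fixed_catches_new_copy": scan_fixed(host, fixed_sig),
        "masked_catches_new_copy": scan_masked(host, masked_sig),
        "masked_false_positive": scan_masked(CLEAN, masked_sig),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed signature misses the third replication while the masked one catches it; with a sample whose every byte changes, sig_from_variants yields no signature at all, which is the case the text says needs emulation instead.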
People who create polymorphic viruses have even built programs that turn regular viruses into polymorphic ones. Most of these programs are recognized by the major anti-virus scanners. One of the most sophisticated created so far is the "Mutation Engine" (MtE). MtE comes in a form that is easy to add to existing viruses; with the Mutation Engine, any virus can be made polymorphic.
These can be difficult to detect. Polymorphic viruses have made the job of a scanner extremely difficult. The programming that needs to be added to these once simple scanners is not efficient for what they are meant to do. Because of this, scanners are becoming less widely used.
Examples of polymorphic viruses: CivilWar, Silly, Crusher, Ginger, Predator, Satanbug, Tremor, Invisible, Trigger, Uruguay, Basilisk, Scoundrel, and Simulation.