Metamorphic Viruses

Some viruses completely rewrite themselves on each infection in an attempt to avoid detection.

Some viruses rewrite themselves completely each time they infect. These viruses are said to be metamorphic. As you might expect, the programming needed to do this is quite complex, and the metamorphic engine carried along with the virus can make the virus itself large and unwieldy.

To put it another way, metamorphic code is code that can reprogram itself.

A program can metamorph by translating its own code into a temporary (intermediate) representation, editing that representation, and then writing itself back out as normal code. Because this process is applied to the entire virus, the engine is transformed along with everything else, so the whole virus changes and no two copies need share the same bytes. The change is made, of course, to evade scanners.

Don't confuse metamorphic and polymorphic viruses. A polymorphic virus encrypts its original code so that no fixed byte pattern is exposed, but the body that is decrypted and run is the same every time; a metamorphic virus does not need encryption at all, because it rewrites its code into a different but functionally equivalent form.

The easiest modification is to insert NOP instructions at various locations. An engine can also change the flow of control, change which registers are used, substitute one instruction for an equivalent one, or reorder instructions that do not depend on each other; the variations are many. Since the bytes differ from one generation to the next, a fixed signature is of little use, and anti-virus software generally needs to use emulation to analyze what the code does rather than what it looks like.
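The translate, edit and write-back cycle described above, and the NOP insertion, register renaming, instruction substitution and reordering just listed, as an added example that is not code from the original page: a toy metamorphic engine in Python. The instruction set (registers r0..r3, the opcodes mov/add/sub/xor/nop/ret), the sample program and the function names are all invented here for illustration. The same block also shows the scanner's side: `signature` is what a pattern matcher would compare, and `execute` is a minimal emulator that recognises the code by its behaviour, which every generation leaves unchanged.

```python
"""Toy metamorphic engine (added example; not code from the original page).
Invented instruction set: four 32-bit registers r0..r3 and the opcodes
mov/add/sub/xor/nop/ret. r0 carries the result, so, like a real calling
convention, it is never renamed; the other three are scratch registers."""
import hashlib
import random

SCRATCH = ["r1", "r2", "r3"]   # registers the engine may rename among themselves
MASK = 0xFFFFFFFF              # 32-bit wrap-around, as on a real CPU

def parse(listing):
    """Step 1: translate the 'machine code' (here a text listing) into a
    temporary representation: [opcode, operand, ...] with immediates as ints."""
    ir = []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if line:
            op, *args = line.replace(",", " ").split()
            ir.append([op] + [int(a) if a.lstrip("-").isdigit() else a for a in args])
    return ir

def emit(ir):
    """Step 3: write the temporary representation back out as normal code."""
    return "\n".join(op + (" " + ", ".join(map(str, args)) if args else "")
                     for op, *args in ir)

def regs_of(ins):
    return {a for a in ins[1:] if isinstance(a, str)}

def mutate(ir, rng):
    """Step 2, one generation. Every rewrite preserves behaviour: consistent
    renaming of scratch registers, substitution of equivalent instructions,
    swapping of neighbours that touch disjoint registers, and NOP padding."""
    perm = dict(zip(SCRATCH, rng.sample(SCRATCH, len(SCRATCH))))
    out = []
    for ins in ir:
        if ins[0] == "nop":                        # drop last generation's padding
            continue
        ins = [ins[0]] + [perm.get(a, a) for a in ins[1:]]
        if len(ins) == 3 and rng.random() < 0.5:
            op, dst, src = ins
            if op == "mov" and src == 0:
                ins = ["xor", dst, dst]            # mov r, 0  ->  xor r, r
            elif op == "xor" and src == dst:
                ins = ["mov", dst, 0]              # xor r, r  ->  mov r, 0
            elif op in ("add", "sub") and isinstance(src, int):
                ins = ["sub" if op == "add" else "add", dst, -src]   # add r, k -> sub r, -k
        out.append(ins)
    for i in range(len(out) - 1):                  # reorder independent neighbours
        a, b = out[i], out[i + 1]
        if "ret" not in (a[0], b[0]) and not (regs_of(a) & regs_of(b)) and rng.random() < 0.5:
            out[i], out[i + 1] = b, a
    padded = []
    for ins in out:                                # sprinkle NOPs
        if rng.random() < 0.3:
            padded.append(["nop"])
        padded.append(ins)
    return padded

def execute(ir, r0=0):
    """The scanner's emulator: run the code and return what ends up in r0."""
    regs = {"r0": r0 & MASK, "r1": 0, "r2": 0, "r3": 0}
    val = lambda x: regs[x] if isinstance(x, str) else x & MASK
    for op, *args in ir:
        if op == "ret":
            break
        if op == "nop":
            continue
        dst, src = args[0], val(args[1])
        if op == "mov":   regs[dst] = src
        elif op == "add": regs[dst] = (regs[dst] + src) & MASK
        elif op == "sub": regs[dst] = (regs[dst] - src) & MASK
        elif op == "xor": regs[dst] = regs[dst] ^ src
        else:
            raise ValueError("unknown opcode " + op)
    return regs["r0"]

def signature(ir):
    """What a pattern scanner would match on: a hash of the emitted bytes."""
    return hashlib.sha256(emit(ir).encode()).hexdigest()

SAMPLE = """
; constructed sample body: leaves r0 - 2 in r0
mov r1, 0
add r1, 5
mov r2, 7
add r0, r1
sub r0, r2
mov r3, 0
xor r0, r3
ret
"""

def generations(listing, n=5, seed=1):
    """Run n generations; return (signature, emulated result) lists per generation."""
    rng = random.Random(seed)
    ir = parse(listing)
    sigs, outs = [signature(ir)], [execute(ir, 100)]
    for _ in range(n):
        ir = mutate(ir, rng)
        sigs.append(signature(ir))
        outs.append(execute(ir, 100))
    return sigs, outs

if __name__ == "__main__":
    for s, o in zip(*generations(SAMPLE)):
        print(s[:16], "r0 =", o)   # hash differs per generation, r0 stays 98
```

Running the script prints a different hash for each generation while the emulated result stays the same, which is exactly why a byte signature fails and an emulator does not. The reordering check is deliberately conservative (two neighbours swap only if they share no register at all); a real engine works from a disassembler's output, emits machine code rather than text, and must also track flags and memory before it may reorder anything.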

Metamorphic code can, in principle, allow a virus to infect files on multiple operating systems or processor architectures. This is rare, however, and difficult to do.

Summary

  • A metamorphic virus can change itself in many ways in order to avoid detection or infect multiple hosts.