Some viruses completely rewrite themselves on each infection in order to attempt to avoid detection.
To put it another way, metamorphic code is code that can reprogram itself.
A program can metamorph by translating its own code into a temporary representation, edit the temporary representation of itself, and then write itself back to normal code again. As this process is done on the entire virus the engine also undergoes changes and the whole virus changes with it. The change is made, of course, to attempt to avoid scanners.
Don’t confuse metamorphic and polymorphic viruses. A polymorphic virus encrypts its original code to avoid pattern recognition; the metamorphic virus changes its code to an equal form.
The easiest modification would be to insert NOP instructions at various locations. One can also change the flow of the code, change the registers used, or even reorder instructions; the variations are many. Anti-virus software generally needs to use emulation to analyze the behavior of the code as it changes.
It’s possible that metamorphic code can allow a virus to infect files on multiple operating systems or computer architectures. This is rare however and difficult to do.
- A metamorphic virus can change itself in many ways in order to avoid detection or infect multiple hosts.
|How Viruses Infect|
|Camouflage Viruses||NTFS ADS Viruses|