Polymorphic Viruses
- 2009-05-07
- Categorized in: VTutor Virus Types
Polymorphic viruses change themselves with each infection. There are even virus-writing toolkits available to help make these viruses.
To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. Basically, polymorphic code mutates while keeping the original algorithm intact.
Code encryption is a common method of achieving polymorphism. However, not everything can be encrypted: some code has to be left unencrypted to perform the decryption so that the rest can run. It is this small piece of code that anti-virus software can target (along with other techniques to counter changes in that small piece of code).
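The point above from the scanner's side, as an added illustration that is not part of the original page: constructed, inert byte strings stand in for the decryptor and the encrypted body, and all names (`make_sample`, `compile_signature`, `scan`) and byte values are hypothetical. A signature taken from the body stops matching once the key changes, while a signature on the unencrypted stub, with the key position wildcarded, matches every copy.

```python
import re

# Constructed, inert placeholder bytes standing in for a decryptor stub (not machine code).
# The byte between prefix and suffix is the per-copy key, so it differs in every copy.
STUB_PREFIX = b"\xde\xc0\xde"
STUB_SUFFIX = b"\x5c\x7b\x00\x01"
BODY = b"CONSTRUCTED-HARMLESS-BODY-0123456789"  # inert text standing in for the encrypted part


def make_sample(key: int) -> bytes:
    """Build a constructed test sample: host bytes + stub carrying the key + XOR-encoded body."""
    stub = STUB_PREFIX + bytes([key]) + STUB_SUFFIX
    return b"hostfile-data" + stub + bytes(b ^ key for b in BODY)


def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Compile a hex signature where '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0a


# Naive signature: the first 8 bytes of the body as it looks before encoding.
BODY_SIG = compile_signature(" ".join(f"{b:02x}" for b in BODY[:8]))
# Stub signature: fixed stub bytes with the key position wildcarded.
STUB_SIG = compile_signature("de c0 de ?? 5c 7b 00 01")


def scan(data: bytes) -> dict:
    """Report which of the two signatures match the given bytes."""
    return {"body": bool(BODY_SIG.search(data)), "stub": bool(STUB_SIG.search(data))}


if __name__ == "__main__":
    for key in (0x11, 0x5A, 0x0A, 0xA7):
        print(hex(key), scan(make_sample(key)))
    print("clean", scan(b"hostfile-data with nothing appended"))
```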
The first known polymorphic virus (1260) was written by Mark Washburn in 1990.
One virus author even created a tool kit called the "Dark Avenger's Mutation Engine" (also known as MTE or DAME) for other virus writers to use. This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn't totally different and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by existing scanners.
Virus Tool Kits
Besides the mutation engine, there are also now several tool kits available to help people create viruses. Several of these programs allow someone who has no knowledge of viruses to create their own "brand new" virus. One of these tool kits even has a very slick user interface with pull-down menus and on-line help. You just pick your choices from the various menus and in a flash you've created your very own virus. While this sounds like a pretty ominous development for scanning technology, it's not as bad as it sounds. All the existing tool kits (such as VCS, VCL and MPC) create viruses that can be detected easily with existing scanner technology. The danger with these tool kits lies in the fact that it's possible to create a tool kit that produces viruses that really are unique. Fortunately, this hasn't been done yet, but it's only a matter of time before such a tool kit is created. The conflict between virus writers and anti-virus researchers continues.
Summary
- Polymorphic viruses change with each infection. They do this in an attempt to defeat scanners.
- Virus writing tool kits have been created to "simplify" creation of new viruses.