Polymorphic Viruses

Polymorphic viruses change themselves with each infection. There are even virus-writing toolkits available to help make these viruses.

To confound virus scanning programs, virus writers created polymorphic viruses. These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. Basically, polymorphic code mutates while keeping the original algorithm intact.

Code encryption is a common method of achieving polymorphism. But, you can’t encrypt everything as some code has to be left to do the decryption in order to run the rest. It is this small piece of code that anti-virus software can target (along with other techinques to counter changes in that small piece of code).

The first known polymorphic virus (1260) was written by Mark Washburn in 1990.

One virus author even created a tool kit called the “Dark Avenger’s Mutation Engine” (also known as MTE or DAME) for other virus writers to use. This allows someone who has a normal virus to use the mutation engine with their virus code. If they use the mutation engine, each file infected by their virus will have what appears to be totally different virus code attached to it. Fortunately, the code isn’t totally different and now anyone foolish enough to use the mutation engine with their virus will be creating a virus that will be immediately detected by existing scanners.

Virus Tool Kits

Besides the mutation engine, there are also now several tool kits available to help people create viruses. Several of these programs allow someone who has no knowledge of viruses to create their own “brand new” virus. One of these tool kits even has a very slick user interface with pull down menus and on-line help. You just pick your choices from the various menus and in a flash you’ve created your very own virus. While this sounds like a pretty ominous development for scanning technology, it’s not as bad as it sounds. All the existing tool kits (such as VCS, VCL and MPC) create viruses that can be detected easily with existing scanner technology. The danger with these tool kits lies in the fact it’s possible to create such a tool kit that could create viruses that really are unique. Fortunately, this hasn’t been done yet, but it’s only a matter of time before such a tool kit will be created. The conflict between virus writers and anti-virus researchers continues.


  • Polymorphic viruses change with each infection. They do this in an attempt to defeat scanners.
  • Virus writing tool kits have been created to “simplify” creation of new viruses.
Up Arrow How Viruses Infect Up Arrow
Prior Page Next Page
How Viruses Infect Stealth Viruses and Rootkits

Comments from Original Post:

Said this on 2010-04-19 At 02:29 pm
i need info about polymorphic viruses

[Perhaps re-reading the page above would help. 🙂 But, if you need to know enough to be able to program one, that won’t happen here. Got too many of the beasts roaming around now. –DaBoss]

Said this on 2011-02-03 At 05:21 pm
How well can todays anti-virus programmes deal with these kind of viruses?

[Quite well I’d say as, in general, polymorphic viruses are no longer much of a threat in the wild (still a threat but they have not been actively circulating for some time now in the form described here). Most malware today is some form of Trojan transmitted by social engineering that then steals data for taking over identities or cheating you into buying stuff you don’t need. -DaBoss]

Said this on 2011-08-05 At 08:16 am
plz also tell how it affects the system…..

[A virus type is just a classification method; the virus itself can do just about anything it wants to. Depends entirely on what the programmer told it to do. –DaBoss]