Differences between current version and predecessor to the previous major change of PolyMorphicVirusses.
Newer page: version 6, last edited on Thursday, June 3, 2004 8:22:56 pm by AristotlePagaltzis
Older page: version 4, last edited on Thursday, June 3, 2004 8:12:44 am by RuudSchramp
@@ -1,16 +1 @@
-A polymorphic virus is a virus that can dynamically change it's binary code. As it changes its binary code, it also doesn't have a fixed patern of bytes that can be scanned for.
-
-Virusses clearly are programs. they can have a significant size that make them easy to scan for.
-Step one to make a virus polymorphic is to encrypt the most of the program using some form of encryption. However the decrypter would probably still be the same, making a virus scanner scan for that.
-
-However for a certain decryption e.g. a fix XOR of all bytes of the code, several different implementations are possible e.g. by:
-1) permutation of registers
-2) replacing register moves by Push Pop operations
-3) using jmp instructions to alter the order of instructions
-4) inserting NOP operations
-5) inserting dummy operations that have no effect on the normal flow
-etc. etc.
-
-polymorphic virusses include a mutation engine that can create millions of different implementations of the same algorithm. this makes these virusses very difficult to detect by antivirus programs
[ClamAV
].
-
-[http://en.wikipedia.org/wiki/Computer_virus]
+Describe
[PolyMorphicVirusses
] here
.
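Review bot: this hunk deletes the entire explanatory body of the page (the definition of a polymorphic virus, the reasoning that encrypting most of the program still leaves a constant decrypter for scanners to match, the five listed ways of varying that decrypter, the mutation-engine summary, and the ClamAV and Wikipedia links) and leaves only the wiki's empty-page placeholder "Describe PolyMorphicVirusses here", with no replacement text and no stated reason. If the intent is to retire the page, the outgoing references (ClamAV, http://en.wikipedia.org/wiki/Computer_virus) should be carried over to wherever the topic now lives; if the intent is a cleanup, the content should stay and only its defects be fixed in place: "it's binary code" should read "its binary code", "patern" should be "pattern", "virusses" should be "viruses" throughout, "a fix XOR" should be "a fixed XOR", and the fragments beginning "they can have a significant size" and "this makes these virusses very difficult" need a capital letter. The removed line "a mutation engine that can create millions of different implementations of the same algorithm" also carries no source; a citation would be worth adding if that text is restored.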