Polymorphic code: Difference between revisions

m ever -> even
Wik (talk | contribs)
mNo edit summary
Line 9:
Most often, a virus/worm that makes any attempt to hide its presence will do that by encrypting itself. However, before being executed at a remote computer, it obviously first needs to decrypt itself. In order to decrypt the virus or worm, some part of the code has to be deliverd unencrypted. Thus, while not being able to detect the actual virus or worm, the anti virus-software/intrusion detection system will still be able to detect the virus decryption engine!
 
However, if the decryption engine is rewritten each time before it is transferedtransferred into a new computer (in the case of a worm/shellcode) or computer file (in the case of a virus), it becomes nearly impossible for any security software to detect the presence of the malicious program.
 
== How it works ==
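Review bot: "deliverd" in the first paragraph is still misspelled ("delivered") while this edit only corrects "transfered" to "transferred" in the second paragraph (the rendered diff shows the old and new word fused as "transferedtransferred"); both should be fixed in the same pass, along with "anti virus-software", which should read "anti-virus software". The second paragraph's "nearly impossible for any security software to detect" is broader than what the paragraph argues: the argument is only that a fixed signature for the decryption routine stops matching once that routine is rewritten per copy, so "defeats signature matching on the decryption routine" would state what the text actually supports.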
Line 62:
The code inside "Encrypted" ("lots of encrypted code!!!") could then search the code between Decryption_Code and [[CryptoKey]] and remove all the code that alters the variable C. Before the next time the encryption engine is used, it could input new unnecessary codes that alters C, or even exchange the code in the algorithm into new code that does the same thing.
 
seeSee also: [[self-modifying code]], [[alphanumeric code]], [[shellcode]], [[software cracking]], [[security cracking]]
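Review bot: the capitalisation fix "see" -> "See" on the last line is fine, but the paragraph above it still has an agreement error ("input new unnecessary codes that alters C" should be "insert new unnecessary code that alters C") and introduces "encryption engine", a term not defined in the visible text; if it means the routine that re-encrypts the body and rewrites Decryption_Code before the next copy, say so explicitly. "exchange the code in the algorithm into new code" also reads better as "replace the code in the algorithm with new code".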