Polymorphic Macro Viruses, Part One

    Date: 17 Oct 2002
    Posted by: Anthony Pell
    Polymorphic viruses change their code in fundamental ways with each replication in order to avoid detection by anti-virus scanners. This may mean changing the encryption routine, the sequence of instructions, or other such aspects of the virus's form and behaviour, so that no fixed byte string is common to all generations. This article is the first of a two-part series that offers a brief overview of the use of polymorphic strategies in macro viruses. This installment focuses on some early examples of polymorphic techniques.

    The first question to answer when it comes to macro viruses is whether any of them can be qualified as polymorphic at all. Most macro viruses are very simple and would not be polymorphic even if VBA were a compiled language. There are, however, several more complicated, encrypted viruses, some of which even carry polymorphic encryptors.

    The first baby step towards polymorphism was Outlaw. Strictly speaking, it should not be called a polymorph at all: the virus code itself did not change a bit, only the name of the macro carrying it changed from one generation to the next. The only reason Outlaw was considered a polymorph (not that it deserved to be) was that in the early months right after the appearance of Concept there were several (mostly WordBasic-based) macro virus protection products that based their detection solely on macro names. Once these products were surpassed by scanners with OLE2-parsing routines that look at the macro body itself, this group of viruses sank back to non-morphism.
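    The following simulation is an added example, not code from the original article and not Outlaw's code. It shows why a name-only detector is defeated by Outlaw-style renaming while a detector that parses the macro body is not. The macro body, the macro names and the renaming scheme are all constructed for the illustration; the point is only that the body stays constant while the name changes.

```python
"""Name-based vs body-based macro detection against a renaming-only 'polymorph'."""
import hashlib
import random
import string

# Constructed stand-in for an infected document's macro table (name -> source).
# This body is invented for the example and is not the code of Outlaw or any
# real virus; it merely has to stay identical across generations.
MACRO_BODY = (
    "Sub MAIN\n"
    "    MacroCopy FileName$() + \":Payload\", \"Global:Payload\"\n"
    "End Sub\n"
)


def random_macro_name(rng: random.Random, length: int = 8) -> str:
    """A fresh macro name per generation (assumption: any legal identifier will do)."""
    first = rng.choice(string.ascii_uppercase)
    rest = "".join(rng.choice(string.ascii_lowercase) for _ in range(length - 1))
    return first + rest


def replicate(doc: dict, rng: random.Random) -> dict:
    """Outlaw-style 'polymorphism': copy each macro body unchanged under a new name."""
    return {random_macro_name(rng): body for body in doc.values()}


def body_signature(body: str) -> str:
    """What an OLE2-parsing scanner can key on: a digest of the normalised macro
    source, so that whitespace or case changes alone do not defeat it."""
    normalised = " ".join(body.split()).lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def scan_by_name(doc: dict, known_names: set) -> list:
    """Detection of the early WordBasic-era products: match on macro names only."""
    return [name for name in doc if name in known_names]


def scan_by_body(doc: dict, known_signatures: set) -> list:
    """Detection of a body-parsing scanner: match on the macro source itself."""
    return [name for name, body in doc.items()
            if body_signature(body) in known_signatures]


def simulate(generations: int, seed: int = 1) -> dict:
    """Seed both detectors from generation 0, then count hits over N generations."""
    rng = random.Random(seed)
    sample = {"Payload": MACRO_BODY}          # constructed first-generation sample
    known_names = set(sample)
    known_sigs = {body_signature(b) for b in sample.values()}
    name_hits = body_hits = 0
    doc = sample
    for _ in range(generations):
        if scan_by_name(doc, known_names):
            name_hits += 1
        if scan_by_body(doc, known_sigs):
            body_hits += 1
        doc = replicate(doc, rng)
    return {"generations": generations, "name_hits": name_hits, "body_hits": body_hits}


if __name__ == "__main__":
    print(simulate(10))
```

    Run over ten generations, the name-based scanner catches only the original sample (the one name it was taught) while the body-based scanner catches every generation, which is exactly why Outlaw stopped counting as polymorphic once scanners parsed OLE2 macro streams.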
