How Viruses Hide: Self-Modification

Viruses, like Woody Allen in ‘Zelig’, have the ability to change their identity, look and feel. One method of doing this is called ‘self-modification.’

Understanding self-modification requires understanding the dominant way anti-virus software identifies evil code: scanning for virus signatures. This is less sophisticated than the term implies. Anti-virus software scans the files on your computer, takes samples of the code in each file and compares them to a database of known virus snippets. It’s not unlike taking a section of one’s DNA and comparing it to the same section of the same DNA: you would see a perfect match.

That’s how it works in theory, but in the world of anti-virus software this is not failsafe. To do it with 100% accuracy the anti-virus software would have to compare the entire code base of every known virus against the entire contents of the computer it’s trying to protect. This would be physically impossible; it would shut down the machine. Instead, anti-virus companies use snippets of viruses, more like search strings.

Here’s where self-modification enters the picture. Some classes of viruses hide themselves by tracking which code snippets are used to identify them and altering those snippets every time the virus is injected into a new machine. In effect they change their signature so that it is unique on every infected machine. The anti-virus program is none the wiser: it gets no positive match and therefore believes no virus is present.
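To make the two paragraphs above concrete, here is a toy signature scanner. It is an added example, not code from the original post or from any anti-virus vendor: the "files" and the signature database entries are constructed, meaningless byte strings, and the `??` wildcard syntax is an assumption modelled loosely on the hex-signature style some scanners use. It shows why a fixed-byte signature misses a sample whose bytes differ by one position, and why defenders write signatures with wildcards over the bytes a self-modifying virus is expected to vary.

```python
import re

# Constructed signature database: each entry is an exact byte snippet, the
# "search string" the post describes. These bytes mean nothing; they stand in
# for a real virus snippet.
EXACT_DB = {
    "Demo.Exact": b"\xde\xad\xbe\xef\x01\x02\x03\x04",
}

# Constructed wildcard database in a hex syntax where '??' matches any one
# byte (assumption for this toy). The fourth byte is the one a self-modifying
# sample is expected to change between infections.
WILDCARD_DB = {
    "Demo.Wild": "deadbe??01020304",
}


def hex_sig_to_regex(sig: str) -> re.Pattern:
    """Compile a hex signature containing '??' wildcards into a bytes regex."""
    if len(sig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_exact(data: bytes, db=None) -> list:
    """Naive scanner: report every signature whose exact bytes occur in data."""
    db = EXACT_DB if db is None else db
    return [name for name, sig in db.items() if sig in data]


def scan_wildcard(data: bytes, db=None) -> list:
    """Wildcard scanner: report every signature whose pattern occurs in data."""
    db = WILDCARD_DB if db is None else db
    return [name for name, sig in db.items() if hex_sig_to_regex(sig).search(data)]


# Constructed sample "files". SAMPLE_B differs from SAMPLE_A in exactly one
# byte inside the signature region, the per-infection variation the post
# describes; everything else is padding.
SAMPLE_A = b"\x00" * 16 + b"\xde\xad\xbe\xef\x01\x02\x03\x04" + b"\x00" * 16
SAMPLE_B = b"\x00" * 16 + b"\xde\xad\xbe\x00\x01\x02\x03\x04" + b"\x00" * 16


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(f"sample {label}: exact={scan_exact(sample)} wildcard={scan_wildcard(sample)}")
```

Sample A is caught by both scanners; sample B, the "modified" copy, slips past the exact-byte signature but is still caught by the wildcard one. Real scanners go further (hashing, emulation, behavioural rules), but the wildcard signature is the simplest illustration of why a signature should cover what the virus keeps constant rather than every byte it carries.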

Next up: Virus Self-Encryption
