McAfee DR SOLOMON S ANTI-VIRUS 8.5 User Manual page 17

Preface
Particularly clever viruses can even subvert attempts to clear them from
memory by trapping the CTRL+ALT+DEL keyboard sequence for a warm
reboot, then faking a restart. Sometimes the only outward indication that
anything on your system is amiss—before any payload detonates, that
is—might be a small change in the file size of infected legitimate software.
Stealth, mutation, encryption, and polymorphic techniques
Unobtrusive as they might be, changes in file size and other scant evidence of
a virus infection usually gives most anti-virus software enough of a scent to
locate and remove the offending code. One of the virus writer's principal
challenges, therefore, is to find ways to hide his or her handiwork. The earliest
disguises were a mixture of innovative programming and obvious giveaways.
The Brain virus, for instance, redirected requests to see a disk's boot sector
away from the actual location of the infected sector to the new location of the
boot files, which the virus had moved. This "stealth" capability enabled this
and other viruses to hide from conventional search techniques.
Because viruses needed to avoid continuously reinfecting host systems—
doing so would quickly balloon an infected file's size to easily detectable
proportions or would consume enough system resources to point to an
obvious culprit—their authors also needed to tell them to leave certain files
alone. They addressed this problem by having the virus write a characteristic
byte sequence or, in 32-bit Windows operating systems, create a particular
registry key that would flag infected files with the software equivalent of a "do
not disturb" sign. Although that kept the virus from giving itself away
immediately, it opened the way for anti-virus software to use the "do not
disturb" sequence itself, along with other characteristic patterns that the virus
wrote into files it infected, to spot its "code signature." Most anti-virus
vendors now compile and regularly update a database of virus "definitions"
that their products use to recognize those code signatures in the files they scan.
In response, virus writers found ways to conceal the code signatures. Some
viruses would "mutate" or transform their code signatures with each new
infection. Others encrypted themselves and, as a result, their code signatures,
leaving only a couple of bytes to use as a key for decryption. The most
sophisticated new viruses employed stealth, mutation and encryption to
appear in an almost undetectable variety of new forms. Finding these
"polymorphic" viruses required software engineers to develop very elaborate
programming techniques for anti-virus software.
User's Guide xvii