The Protective Shield For Polymorphic Viruses Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Viruses and malware are serious threats to the system security. There are so many different viruses nowadays that it has become difficult to provide a precise definition. Polymorphic and Metamorphic viruses are two commonly known kinds of viruses. A Polymorphic virus has the ability to change its signature every time by slightly modifying itself when it replicates, thus avoiding detection.

Research on this topic reveals that the first Polymorphic virus was developed in the year 1990, and later many generator kits were developed that simplified the work of the computer virus writer's. These kits helped people with no knowledge to develop their brand new viruses. There are also many packers and wrappers available that can be used in addition to the viruses.

In this project, we analyze different Polymorphic viruses and try to develop a clever application that will encrypt, mutate, and protect any Polymorphic virus, thus making it strong.


The attack of viruses started in the early 70s. Since then, there have been many virus writers who try to create new type of viruses. Virus-like programs first appeared on microcomputers in the 1970s. As time passed, viruses multiplied. Modern technology has changed the way we learn, work, play, and live, but it does not offer luxury of high availability and accessibility without endangering the security and privacy of information. No matter how secure data is stored and accessed, information still gets stolen. Every second of every day, somebody in the world has his/her identity and money seized. Viruses attack our systems without our knowledge. The complexity of the virus code has been increasing with the advancement of technology. There is a noticeable difference in the implementation of viruses nowadays. To challenge virus-scanning products, virus writers constantly develop new obfuscation techniques to make viruses more difficult to detect. To escape generic scanning, a virus can modify its code and alter its appearance at each infection. The techniques that have been employed to achieve this end range from encryption and polymorphism to modern metamorphic techniques.

There are different kinds of viruses, namely Polymorphic viruses, Metamorphic viruses, worms, Trojan horses and malware. Virus writers developed numerous polymorphic engines, and as a result, virus scanners became stronger in order to handle them. Virus construction kits are readily available on the Internet. These kits allow people with limited technical knowledge to develop potentially devastating malware. Developers of virus construction kit often use encryption or metamorphism as a way to avoid signature-based detection.


History of viruses

Viruses have been in implementation for a long time. Viruses are malicious programs that have threatened the world of computers for about forty years, and will be more challenging than ever before. Virus writers work hard to create viruses that are disastrous and undetectable. At the same time, antivirus developers strike hard to find solutions to detect viruses. A Group of college students created the first virus during the 1970s. Those viruses were harmless. Generally, a computer virus will try to modify the host program to replicate itself. The host is modified to contain a copy of the malicious code. When the infected host is executed, it in turn starts infecting other objects in the system. Generally, a computer virus is said to have the following modules:

Figure 1: simple virus pseudo code [3]

Figure 1 shows a sample pseudo code of a simple virus. In this, infect () will decide the way the virus will spread. The trigger () will decide how to deliver the payload, and payload () will define the damage performed by the virus [3].

Figure 2: pseudo code of infect module [3]

Figure 2 explains the infect module which selects the target in the system to infect. Normally, K number of targets are selected everytime the program runs. 'Select the target()' will define the set of rules by which a target will be selected. Care should be taken everytime a new target is selected. Selecting the same target may disclose the existence of the virus. Infect code will insert the actual virus code to the target [3].

Until 1992, viruses were developed only to infect DOS systems; the first virus for Windows was developed during the end of the year 1992. Before the expansion of computer networks, viruses used removable media to spread. Now viruses spread more easily through any shared network. Previously to create a virus, a writer would have to extensively know assembly language. Now it is not necessary as even a novice person can create strains of previously available viruses with the help of mutation engines and virus creation kits. Viruses have unique characteristics that make them distinct from others.

Types of viruses

There are different types of computer viruses. Few are standalone and few use internet to mitigate. Most viruses are harmful whereas few are not harmful. Harmful viruses will infect the overall system and viruses that are harmless will just display few messages on the screen. Viruses can be categorized as follows:

2.2.1 Boot Sector Viruses

Boot sector viruses have been popular since the 1980s. A Boot sector virus named Brain was the first ever PC virus. A boot sector virus infects the boot sector of any bootable media, such as a hard disk or a floppy disk [2]. Normally, a boot sector virus replaces the master boot sector in the hard drive with its own code. Since the boot sector is infected, the virus takes over the control whenever the system is booted. Boot sector viruses hide themselves in the memory during runtime and perform their malicious activities. A Boot sector virus infects another system only through an infected floppy disk and these are the only type of viruses, which can infect any system irrespective of what operating system is used. These viruses are seen rarely today, as the usage of floppy disk is no more common [2].

2.2.2 Encrypted viruses

Encryption is one of the simplest ways to make a virus look different. An encrypted virus is said to have two parts. One is the decryptor module and the other is the encrypted body. The decryptor executes when an infected program runs, and decrypts the virus body. The encryption key changes each time the virus mutates. Hence, the encrypted structure of the virus body will look different, but the decrypted body will be the same. Since the decrypted body will be the same in every generation, it is possible to detect encrypted viruses. Normally virus writers for the following reasons use encryption: to prevent static code analysis, tampering, detection and to prolong the dissection process.

Cascade was the first DOS virus that used encryption. Its algorithm was a little more sophisticated than the simple substitution algorithm. It consists of XOR-ing each byte twice with variable values, one of which depends on the length of the program. The following is the decryptor of the Cascade virus [4]:

ea si, Start ; position to decrypt (dynamically set)

mov sp, 0682 ; length of encrypted body (1666 bytes)


xor [si],si ; decryption key/counter 1

xor [si],sp ; decryption key/counter 2

inc si ; increment one counter

dec sp ; decrement the other

jnz Decrypt ; loop until all bytes are decrypted

Start: ; Encrypted/Decrypted Virus Body

Figure 3: Decryptor of cascade virus [4]

Although such encryption is now considered cryptographically weak, early antivirus programs could detect them only by detecting the decryptor using search strings. The problem here was that detecting a virus based on its decryptor alone will not help finding the variants of the virus which may implement the same decryptor but with a different functionality. However, now virus writers do not write such viruses because virus scanners are capable enough to detect the decryptor code [21].

2.2.3 Stealth viruses

Generally, a virus modifies something to become active. A stealth virus has the capacity to hide the modifications that it makes. They reside in systems memory and take control over the system functions, which read files. When any file from the infected area is accessed, the virus reports the original file instead of the infected one. The main reason why any antivirus operates the best when the system is booted is to prevent the stealth virus (or any virus of such kind) from taking over the system.

2.2.4 Polymorphic viruses

Another known type of virus is the Polymorphic virus. They overcome the drawbacks of encrypted viruses. The term polymorphic came from the Greek word "poly" which means many and "morphi" means form. Polymorphic viruses were the first viruses that were an actual threat to computer systems [6]. Generally, Polymorphic viruses contain a mutated decryptor. This means that each copy of a Polymorphic virus will contain a different copy of the decryptor. They are a kind of virus which takes many forms. They can generate large numbers of unlike decryptors a number as high as millions. The signature of the Polymorphic virus is generally encrypted by the generated code. This makes the Polymorphic viruses difficult to detect by the virus scanners. In few cases, Polymorphic viruses carry a constant encrypted virus body, and hence those viruses are easily detectable [6]. In a Polymorphic virus, 90% of the code is the malicious code and the remaining 10% is the encryption, decryption key or the polymorphic engine. The following is the execution cycle of a Polymorphic virus:

Generate new key to morph the variant

Execute Malware

Decrypt malicious code

Extract key information

Figure 4: Polymorphic Virus Execution Cycle [12]

An efficient Polymorphic virus can be developed by using different encryption schemes that will require different decryption methods every time. In this case, only one decryption scheme will be visible in all instances of infection [12]. Figure 4 explains that for the virus to infect the system its key information is extracted and the malicious code is decrypted. Once the decryption is performed, the virus is executed (the system is infected) and a new key is generated to morph the variant. This process is performed repeatedly.

Figure 5 shows different variants of a Polymorphic virus. Though different encryption is used every time, the decryption engine is the same. To bypass the AV scanners, multiple decryption schemes should be used every time by the decryption engine [12]. Anti-virus software normally detects a Polymorphic virus by incorporating a code emulator, which emulates the decryption process and dynamically decrypts the encrypted virus body. Because all instances of a Polymorphic virus carry a constant but encrypted virus body, detection is still possible based on a putative decrypted virus body [12].

Figure 5: Generation of a polymorphic virus [12]

Few ways of making Encryption and Decryption more complicated are discussed below[6]:

By changing the direction of the loop that is instead of writing a standard format for execution of loop, the program should support both forward and backward loops.

By using random decryption algorithm, such that the encryption key is not stored in the virus body.

By using different way to generate an encryption, key every time (such as a random but fixed shift). One of the main factors, which all viruses should follow, is their randomness in encryption key.

Other way can be to decrypt the code every time at a different location. However, this technique has its own disadvantage of allocating memory for the non-encrypted code before decrypting [6].

2.2.5 Metamorphic viruses

Metamorphic viruses are the most dangerous as they are extremely difficult to detect, and a user will not even know the presence of the virus in his or her system. The main goal of a Metamorphic virus is to change it structure while keeping its functionality. They are good enough to avoid detection by the emulators in Antivirus [19]. The virus is successful becoming undetectable as it changes its structure each time it mutates and hence each copy of a Metamorphic virus is different from the parent virus. To achieve the metamorphism, these viruses use few properties called code obfuscation techniques such as junk code insertions, register renaming, permutation, code shrinking, code expansion and unconditional jumps. Like Polymorphic viruses, Metamorphic viruses do not have a decryptor. They do not use a data area filled with string constants but instead they carry a single code body that will carry data as a code [12].

As told earlier, since the Metamorphic virus changes its shape, the different versions of a Metamorphic virus look like the one in Figure 6. Though the shape changes in Figure 6, functionality remains the same in each generation. It is believed that 80% of the metamorphic virus code contains the metamorphic engine and the remaining 20% is the actual virus code [19]. The metamorphic engine has to be best to produce the best virus. Here the term best refers to the ability to be undetectable. To code a best Metamorphic virus is really hard but every good metamorphic engine should have an internal diaassembler, opcode shrinker, opcode expander, opcode swapper, recalculator, garbage and cleaner [12].

Figure 6: Different forms of metamorphic virus [12]


Several code obfuscation techniques that are used in metamorphic viruses are also used in Polymorphic and other viruses. These obfuscation techniques make a Metamorphic virus undetectable. Few of the obfuscation techniques used are as follows:

Garbage code insertion

Garbage code (also called as junk code or do nothing code) insertion is a simple technique used by many Metamorphic and Polymorphic viruses to evolve their code. The idea behind this technique is to make their code look different so that no usable hexadecimal search string can be extracted. The instructions inserted into the code are called 'garbage' because they have no impact on the functionality of the code. They are part of the physical code and not part of its logic. For example, use of 'NOP', 'Mov bx,bx' , ect makes a virus look different [19].

Nowadays, however, scanners are so powerful that when they come across too many junk codes in any file, then they mark it as a virus because the probability of having too many junk codes in any non-virus program is unlikely [21].

Insertion of Jump Instruction

Another method used by some Metamorphic viruses to create new generations is inserting jump instructions within its code. This leads to the code's reordering .Though the control jumps, the logic of the program is maintained [19]. This method is used often to bypass the signature detection technique. The Win95/Zperm virus is a very good example of this technique. The virus inserts and removes jump instructions within its code and each jump instruction will point to a new instruction of the virus. An example of code reordering using jump instruction is shown below [13]:

Figure 7: Illustration of Jump Instruction [13]

Instruction Replacement

Some Metamorphic viruses are able to replace some of their instructions with other equivalent instructions. This method can also be called as the equivalent code substitution method. In addition to jump insertions, Win95/Zperm had the ability to perform instruction replacement. For example, the virus could replace the instruction "xor eax, eax" with the instruction "sub eax, eax." Both instructions perform the same function (zeroing the content of the eax register) but have a different opcode [6].

There are many more techniques like register renaming, register swapping, and sub routine reordering which can be used to change the structure of any virus. For a virus to remain undetectable, it has to modify its structure on each infection [6].

Permutation Technique

This technique is achieved by dividing the code into frames, then positioning those frames randomly, and connecting them by branch instructions to maintain the flow of the process [6]. The branch instructions that are used to connect the different frames can be as simple as a jump statement or as complex as 'push val32; ret' instruction. Few known viruses, which used this technique, were win 32/Ghost, BadBoy [6].


Types of Polymorphic Viruses:

4.1.1 Encrypted with variable decryptors

The largest group of Polymorphic viruses currently available comes under this category. Normally they will posses different schemes for encryption and different routines for decryption. Such viruses will look completely different on different files. Thus these viruses are difficult to detect [5].

Block swapping viruses

These types of Polymorphic viruses are not encrypted. They normally vary the multiple blocks of code in any order thus making the use of the normal search string impossible. These multiple blocks of code are small instructions that can be swapped in any order [5].

Self modifying virus

This type of virus can be attained by changing the instructions in the code. The virus may change its structure by replacing a few instructions with its functionally equivalent instructions during mutation. This category of virus classification is only theoretically possible as no such virus has been developed yet [5].

The success of any virus programmer not only depends on the way he implements a virus, but it also depends mainly on the detection techniques used by the antivirus.

4.2 Polymorphic Virus Detection Techniques:

The evolution of complex Polymorphic viruses' results in the development of advanced detection methods and this in turn results in the development of more complex viruses. There are two ways to fool a virus scanner, either by selecting and infecting an object in the system that is not scanned or by making the virus detection so complex that a scanner will not be able to cope with it. Normally, Polymorphic viruses make use of the latter technique [5].

Generally, antiviruses analyze the decryption loop instead of decrypting the actual code to determine a particular virus. Just analyzing the decryption loop may result in a few problems like: generating false positive, creating difficulty in identifying which decrytor was generated by which virus. This also means that detecting one virus will not lead to detecting another. The most common detection methods are explained below [5].

Search string that contains a simple wildcard

This method is normally used for Polymorphic viruses that are not very polymorphic in nature and which use a very simple decryption loop with not many variable instructions. Inserting random junk instructions at different places in the code will by pass this type of detection [5].

Search string that contain variable length of wildcards

If the decryptor contains junk instructions then this method can be used. Few scanners cannot support variable length wildcards. However, this technique is also quite easy to bypass. The solution is to make the decryptor a little more variable so that no single search string will match any instance of the decryptor. This can be achieved by changing the register usage, by changing the order of instructions, or by changing the encryption methods [5].

Multiple search strings

This technique is now outdated, but many anti viruses used it during the year 1990 when a virus named Whale existed. The virus was detected through a large set of search strings. This method can be bypassed by increasing the variability of the decryptor past the point where the number of search strings required becomes unreasonably large [5].

4.2.4 Instruction Usage Recognition

According to this method, we assume that all the files are infected and we start tracing through the decryptors one at a time. If we find any instruction that might have been generated by the decryptor of the virus, then conclude that the virus is not infected. In addition, if the end of the decryptor is reached, assuming that the file is infected, then it is reported as infected. This technique can also be bypassed by increasing the number of instructions. It was developed to deal with the Dark Avenger Mutation engine, which is explained in the next section [5].

X-raying technique

This technique is now said to be outdated and was used only in two products. This technique was based on an assumption that a particular part of the code has been encrypted using an unknown algorithm and then working on finding the encryption method and keys from the results of the comparison between the original and the encrypted code. This technique can be bypassed easily, and it worked only for simple schemes [5].

Generic decryption

This method did not have any limitations, and it was successful in handling decryptors of any complexity. This method was implemented as follows: Insert the target program into a limited virtual machine, emulate the program so that the decryptor of the virus will decrypt itself, search for the signature of the virus as the emulation modifies the memory, and report the infection if signature of the virus is found [5].

There are also a few other ways in which you can make a polymorphic virus difficult to detect, like Slow Polymorphic viruses and normal looking polymorphic code [5].

4.2.7 Slow Polymorphic virus

Slow Polymorphic viruses are the ones in which all copies of the virus will look similar in the same system or file, that is they will have the same decryptor. In such cases, an antivirus cannot detect it based on a single search string [5].

4.2.8 Normal looking polymorphic code

Inserting a large volume of junk code or do nothing code may sometimes look suspicious to an intelligent scanner. Hence, the usage of harmless function calls is the best technique, as it will make the virus code look very normal [8].

4.3 Infection diagram of Polymorphic and Metamorphic virus

Figure 8: Polymorphic virus infection [8]

Figure 8 shows the structure of the first family of Polymorphic viruses named Chameleon. They mutated the code of their decryption method. Such structures cannot be detected by signature detection.

Figure 9: Metamorphic virus infection on ith generation [8]

Figure 9 shows a very basic example of the ith generation infection caused by a Metamorphic virus. In this case, the code is encrypted often and the decryptor is scattered amongst the host code [8].

4.4 Dark Avenger Mutation Engine

One of the most important milestones in the history of Polymorphic viruses is the mutation engine named Dark Avenger Mutation Engine, which was released in the year 1991. For a novice user, it is difficult to write a disastrous Polymorphic virus from scratch. This was when the trend of mutation engines started. The Dark Avenger Mutation Engine can be passed as a function call in any simple virus. The engine is said to have the following parameters [19]:

A work segment

A pointer to the code to encrypt

Length of the virus body

Base of the decryptor

Entry point address of the host

Target location of encrypted code

Size of decryptor and

Bit field of the registers to use

The result of the mutation engine will be an encrypted virus with a polymorphic decryption routine in the supplied buffer [7]. This engine was capable of producing millions of different variants for a single virus. In the very beginning, when this mutation engine was used, it was difficult for the antivirus researches to find a detection technique for it. Followed by this, the Trident Polymorphic Engine was released in the year 1993. Now, there are hundreds of polymorphic engines that create a couple of viruses. Though they say that a mutation engine creates different looking viruses each time, there is no true randomness and a reliable signature can be obtained even from this randomly looking code [19].


5.1 Goal of the project

Our implementation is geared towards achieving these following goals:

Find out all popular Polymorphic viruses and scan their executables against Anti viruses to know the least and most detectable virus.

Implement an application whose primary function is to simply protect its guest, which is an executable file of the virus, and then run this contained executable.

Scan the newly obtained executable and compare it with the previous scan result concluding that our application makes any existing Polymorphic virus more undetectable.

5.2 Implementation

We started our implementation by listing out the most popular Polymorphic viruses. A Few of the known 100% Polymorphic viruses during 1990's that was used in my experiment are Chameleon, Avalanche, Civil War, Grog, Moctezuma, MVF, Nuke, Phantom1, Predator, SatanBug, Tremor, and Trigger. Appendix B contains the list of almost all the famous Polymorphic Virus during 1990s [14]. These viruses were scanned against the top 43 anti viruses (available at and there results were noted. The scan results of the viruses are listed in Table 1.

List of Viruses

Scan result of the original Exe out of 43 Antivirus



Civil War




















Satan Bug


Table 1: Scan results of original Host Virus.exe

5.3 Experiment setup

The following table illustrates the experimental setup for my project.


Windows XP, Virtual Machine




Borland turbo C++ 5.02

Input Viruses

Grog, Civil War, Nuke, Trigger, Moctezuma, Phantom1, Chameleon, Tremor, Avalanche, Predator, MVF, Satan Bug

Anti Virus Scanners

43 AV scanners from

Table 2: Experimental Setup

5.4 Introduction about the Protective Shield

This is a specification of a clever application that encrypts, mutates and protects data inside it. Its primary function is simply to protect its guest, which is another executable file, and then run this contained executable.

The methods used in this application are:

Polymorphism ( Encryption and Decryption)

Metamorphism ( Junk code insertion, Register renaming)

5.4.1 Overall Operation

The protective shield's operation is somewhat simple but relies on a specific feature of the C language which is 'All functions in C code are kept in the same order as declared in the output assembler code segment'. The same happens with global data items. They are kept in the same order on the output data segment. Using this feature, we are able to say that if we have functions defined in the order: A, B and C, the condition &A < &B < &C will always be true, where the "&" denotes the C language's "Address Of" operator which returns the offset of the given operand inside its implied segment.

Hence, if we are able to locate the functions in the memory physically, then we can create two bound functions at the extremes of the contents we wish to encrypt. By the above example, if B is the function to be protected, then "A" and "C" will be delimiters that will tell us the offsets of the beginning and end of the B function. These delimiters will be taken to encrypt the data that is between them, obtaining an encrypted block of data that is located between the offset of the A function and the offset of the C function, effectively protecting the "B" function.

5.4.2 Implementation method

First, I started implementing a virus that will convert all the .Exe in a folder to its respective .Com files. It is shown diagrammatically in Figure 10.

Figure 10: Project Implementation

The program is written in C and starts with the main () function which is the entry point for the program. The main () will initialize all the necessary parameters and will set the random seed used for the random number generation. The main () will load the original generation of the virus in the generation variable and will verify if the file is protected or not. If the file is not protected then the Virus () function is run and the execution is ended (that is, all the .Exe are converted into .Com files). If the file is protected, then the decryption is done and the payload is executed.

5.4.3 The Encryption and Decryption Phase

The Generate () function in the implementation is basically the heart of the protective shield, as its primary function is to encrypt the virus code and generate a decryptor for that block of data. To do this, it will generate a random 32-bit keyword that will be used in the encryption and a rotation factor in the range 1-8. This rotation factor will be used to rotate each byte before encrypting it. Once those two constants are calculated, the input buffer is traversed byte by byte with the purpose of transforming each byte into something else. That is the sole purpose of this phase.

After encryption, the decryption is the next phase. The decryptor is generated by writing its instructions one at the time, and in between each instruction some garbage code is written using the insertgarbage () function. The purpose of the decryptor is to generate ASM code in binary form that will decrypt the just encrypted buffer. This is achieved by writing the inverse of the encryption algorithm. The algorithm was created with the purpose in mind of being symmetrical; this means the algorithm is its own inverse. All we need to do is to re-run the same algorithm with the same initial keyword and rotation parameters, and the buffer will be successfully decrypted.

Insertgarbage () will insert some garbage on the output buffer. It selects random garbage from 9 possible options that do not modify the behavior of the decryptor and writes it to the output buffer.

5.4.4 The Payload () of the virus

The virus Payload is the disaster part of the virus. The purpose of this function is simply to obtain the guest virus executable file and execute it. The shell protects the guest Exe, so using this function, we will execute it and make a possible mess.

Method used to embed any virus Exe:

Figure 11 shows the normal way which most of the virus writers use to embed an exe in to the virus generator code. In our project, instead of just giving a function call to an exe, we use a "Pack-host" utility, which will embed any virus code in the protective shell. This gets any file and converts it to a C header file (.h), which will be later included in the virus.c code to compile both executables.

Figure 11: Normal way of inserting an Exe

The virus.c code is our "protective shell", and it will hold one host virus and will execute it as a payload after the usual infection procedure. Figure 13 explains the complete implementation of the project.

Figure 12: Inserting Host virus as .h

The 'HostVirus.Exe' can be an executable of any Polymorphic virus. In this project, it is the executables of the twelve viruses that are listed in Table 1. The executable is then converted into a C Header file with the help of the Pack Host utility. This is shown in Figure 12. Embedding the virus as a header file is better than just embedding the virus file because if we just embed it, it may be detected by some AVs faster. The header file is then included in 'My Program' code and executed. The resulting .Com files will have the host virus embedded in them.

The .h is implemented in two ways. In one case, the Header file is pseudo encrypted by XOR-ing each byte by a random number. This ensures slightly more protection on the .h file. In the other case, No XOR-ing is done. Each of the twelve viruses is implemented with both .H files, and the scan results of the new generated .Exe are noted.

Figure 13: Design of the protective shield

6.0 Testing against the commercial scanners

We performed the following steps to measure the effectiveness of the tool to generate a stronger version of the virus. The generated output was tested against a list of 43 Anti viruses available in Appendix A shows the top 15 Antivirus against which the scanning was performed at

Steps to follow:

Step 1: Get the exe of any popular Polymorphic virus from online web source and convert it into an .h file without encryption.

Step 2: Embed the .h file in the C source code and compile it to get the output Exe.

Step 3: Scan the generated exe against and note down the results.

Step 4: Now convert the original exe into an .h file with encryption and repeat step 2 and step 3.

Step 5: Repeat the above steps for all the listed Polymorphic Viruses.

The exe of the Polymorphic virus were downloaded from Appendix B shows the list of top polymorphic viruses during 1990. The next section shows the experimental results.

Experimental Results

Each of the twelve virus exe was embedded into the protective shield and the output executable was scanned against the 43 anti viruses in The scan results are recorded down in Table 3.

List of Viruses

Scan result of original Exe out of 43 AV

Scan result of the Exe after embedding with the protective shield


38 /43

6 /43

Civil War

36 /43

8 /43


35 /43

8 /43


35 /43

8 /43


34 /43

9 /43


34 /43

8 /43


32 /43

8 /43


29 /43

7 /43


29 /43

8 /43


28 /43

7 /43


28 /43

8 /43

Satan Bug

24 /43

7 /43

Table 3: Scan Results comparison

Table 3 shows the comparison between the scan result of each of the virus Exe before and after embedding it with protective shield. The huge difference in the scan results can be noticed. Inserting the original virus exe as a header file (.h) along with encryption, and junk code insertion has made this result possible. Each host virus was embedded into the protective shield in two ways:

As a normal header file without encryption

As a header file encrypted with random numbers

Each generated output executable was later scanned through, and the results were noted down. Table 4 shows the scan results of both the cases.

As seen in Table 4, there is no big difference between the two cases. The extra encryption does not seem to have given any extra protection to the embedded host virus. However, there is a huge difference in the scan results between the exe in Table 3. 'My Program' in Figure 11 acts as a tool which will embed any polymorphic virus executable and will make the executable stronger (thus making less number of Anti viruses detecting them).

List of Viruses

Scan result after including header file without encryption

Scan result after including header file with encryption




Civil War






























Satan Bug



Table 4: Scan Results comparison

Figure 12, 13 and 14 are the example screen shots of a host executable named Avalanche. The difference that is shown in the scan results in Table 3 can be noticed in the following screen shots.

Figure 14: Original scan result of the host virus (Avalanche) [20]

Figure 15: Scan result without Encryption (has the embedded host virus) [20]

Figure 16: Scan result with Encryption (has the embedded host virus) [20]

8.0 Conclusions and Future Work

The main goal of the project was to develop an application that will make exe of any Polymorphic virus much stronger. This was achieved by adding polymorphic and metamorphic techniques to the tool, which acted as a shield over the original Polymorphic virus. The original Polymorphic virus was embedded into the tool as a header file rather than as an exe, which is a normal way of embedding followed.

The encryption-decryption algorithm used in the tool will use a different keyword each time in order to make each encryption different. While this encryption proved to be efficient, the encryption that was used while converting an .exe to an .h file did not prove to be very efficient. A normal random number generation encryption was used in the later case. A much more known efficient encryption algorithm can be used in the future to make the results much better.

Few metamorphic techniques like junk code insertion, register renaming and instruction synonyms are used to generate a metamorphic decryptor. As a future work, more metamorphic techniques can be used. The tool is efficient only with Polymorphic virus, adding these techniques can make them more efficient to be used as a protective shield for even Metamorphic viruses. The implementation can be strengthened by improving the code obfuscation techniques.