In this era of spywares, file infectors have little exposure left. But nevertheless, they are still a challenge to antimalware engineers. Years ago, the names Nimda and CIH were famous in both the malware and antimalware industry. These past few years, the spotlight is on Virut.
Last year we saw an influx of Virus.Virut infected samples. Virus.Virut is, in my opinion, one of the best viruses in a while. Despite the fact that viruses are harmful, I cannot help but admire the work done to create such a virus.
Virut is a polymorphic file infector. What makes Virut different is the fact that it employs all known infection routines: Entry-Point Obscuring, appending, prepending, cavity. Not only does it employ all these techniques, it can combine them (e.g. EPO appending, EPO + cavity + appending, cavity + appending). It also has decryption layers, the algorithm of which can change from ADD/ SUB/ XOR, etc. Both detection and analysis pose as a challenge, but is one that the antimalware industry has met head-on.