Oligomorphic code

Oligomorphic code, also known as semi-polymorphic code, is a method used by a computer virus to obfuscate its decryptor by generating different versions of it, in order to evade detection by antivirus software. It is similar to, but less sophisticated than, polymorphic code.

Oligomorphic code works by randomly selecting each piece of the decryptor from several predefined alternatives. At run time, these components can be combined in various ways to create new, distinct versions of the decryptor.

Having multiple possible decryptors makes it more difficult for a virus to be detected with anti-malware signatures. However, most oligomorphic viruses are only able to generate a limited amount of decryptors, around a few hundred, so detecting them with simple signatures is still possible. Another method to detect an oligomorphic decryptor is to make a signature for each possible piece of code, group pieces that can substitute each other together and scan the file for a chain of decryptor pieces from alternating groups. Emulation may be used to detect the virus, but it can take more resources than necessary.

History
The first known virus using oligomorphic code was the Whale DOS virus, identified in 1990, which chose from a few dozen distinct decryptors. The first Windows 95 virus using oligomorphic code was the Memorial virus, which could generate 96 distinct decryptor patterns. Another example is the Russian virus family WordSwap.