How Viruses Avoid Detection

Viruses can survive only if they remain undetected long enough to spread to other computers. Virus programmers have used a variety of tactics to increase a virus's longevity.

Antivirus programs can spot a virus in one of two ways. First, an antivirus program may recognize a particular virus's signature, which is nothing more than the specific instructions embedded in the virus program that tell it how to behave and act. A virus's signature is like a criminal's fingerprint—each one is unique and distinct.

A second way an antivirus program can detect a virus is by its behavior. Antivirus programs can often detect the presence of a previously unknown virus by noticing when it tries to infect another file or disk, which is called heuristic analysis or detection.

To sneak past an antivirus program, viruses may employ a variety of proliferation methods:

Direct infection

The virus infects a disk or additional files each time the user runs the infected program or opens the infected document. If the user doesn't do either of those things, the virus can't spread. This is the simplest but also the most noticeable way of infecting a computer and can be detected by antivirus programs fairly easily.

Fast infection

The virus infects any file accessed by an infected program. For example, if a virus infects your antivirus program, watch out! Each time an infected antivirus program examines a file, it can actually infect that file immediately after certifying that it is virus-free.

Slow infection

The virus only infects newly created files or files modified by a legitimate program. By doing this, viruses attempt to mask their presence more thoroughly from antivirus programs. For example, antivirus programs often watch for a program trying to modify a file it typically should not be accessing. If you run Windows Explorer and click a file to rename it, your antivirus program won't raise an alarm, since Windows Explorer is allowed to modify files. But if a virus infects Windows Explorer, renaming a file could cause it to become infected at the same time.

Sparse infection

This type of virus takes its time infecting files and does so arbitrarily. By spreading slowly and unpredictably, these viruses reduce the odds that their activities (but not necessarily their existence) will be detected.

RAM-resident infection

This type of virus buries itself in your computer's working memory (RAM), and each time you run a program or insert a floppy disk, the virus infects that program or disk. RAM-resident infection is the only way that boot-sector viruses can spread, since the victim must physically insert an infected floppy disk into his computer.

Viruses normally reveal their presence during infection by changing the size, time, and date stamps of the files that they infect. However, file-infecting viruses that use stealth techniques may accomplish their dirty work without causing any of those modifications, thus remaining hidden and undetected.
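The size and date-stamp changes mentioned above are what an integrity checker looks for; the following added example (not from the book) shows a baseline-and-compare check that also hashes file contents, so a change that preserves size and timestamp is still caught. The file snapshots are constructed in-memory stand-ins for real disk reads.

```python
import hashlib

# Constructed snapshots: name -> (content bytes, modification time).
# Real code would read these from disk; they are embedded so the example runs offline.
BASELINE_FILES = {
    "explorer.exe": (b"\x4d\x5a" + b"\x00" * 60 + b"original code", 1000),
    "notes.txt":    (b"meeting at ten", 2000),
    "game.exe":     (b"\x4d\x5a" + b"game code", 3000),
}
CURRENT_FILES = {
    # Ordinary infection: code appended, so size and timestamp both change.
    "explorer.exe": (b"\x4d\x5a" + b"\x00" * 60 + b"original code" + b"APPENDED", 1500),
    # Legitimate edit by the user: content and timestamp change as expected.
    "notes.txt":    (b"meeting at eleven", 2500),
    # Stealth-style change: same length and same timestamp, but the bytes differ.
    "game.exe":     (b"\x4d\x5a" + b"gamX code", 3000),
}

def snapshot(files):
    """Record size, mtime and a SHA-256 digest for each file."""
    return {name: (len(data), mtime, hashlib.sha256(data).hexdigest())
            for name, (data, mtime) in files.items()}

def compare(baseline, current):
    """Return {name: finding} for every baseline file whose content changed."""
    findings = {}
    for name, (size, mtime, digest) in baseline.items():
        if name not in current:
            findings[name] = "missing"
            continue
        cur_size, cur_mtime, cur_digest = current[name]
        if cur_digest == digest:
            continue  # identical bytes; a timestamp-only change is not an infection
        if cur_size == size and cur_mtime == mtime:
            # Size and date stamps untouched: only the hash reveals the change.
            findings[name] = "modified-metadata-preserved"
        else:
            findings[name] = "modified"
    return findings

if __name__ == "__main__":
    for name, finding in compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)).items():
        print(f"{name}: {finding}")
```

The checker flags change, not intent (the edited notes.txt is reported too), which is why such baselines are normally kept only for program files that should never change. A stealth virus that intercepts disk reads can hand the checker the original bytes, so the comparison is only trustworthy when run from a known-clean boot.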

Boot-sector viruses always use stealth techniques. When the computer reads a disk's boot sector, the virus quickly loads a copy of the real boot sector (which it has safely stashed away in another location on the disk). This is like using call forwarding to answer the phone from the neighborhood pool hall when your parents call you at home to make sure you're behaving yourself. As far as your parents are concerned, they called your home number and you answered. All's well at home, or so they think. Boot-sector viruses use similar stealth techniques to hide their presence from the computer. But that doesn't always fool good antivirus programs. To slip past them, viruses may use polymorphism.

If criminals could modify their fingerprints each time they committed a crime, they would be harder to catch. That's the idea behind polymorphism. A polymorphic virus changes its signature—the set of instructions that makes up that virus—each time it infects a file. Theoretically, this means that an antivirus program can never find it.

However, because viruses need to make sure they don't infect the same file over and over again, and thus reveal themselves by consuming disk space, a polymorphic virus must still leave a small, stable, and distinct signature that it (or an antivirus program) can find. Of course, once the virus has been caught and examined—by an antivirus software vendor, for example—antivirus programs can find these same signatures. That's why antivirus programs need constant and frequent updates to recognize the latest viruses.
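To show why the small stable marker matters to the scanner, here is an added example (not the book's code) of a signature scanner that accepts hex signatures with `??` single-byte wildcards. The three "variant" samples, the clean sample and the marker bytes are constructed: the variants differ in their bulk, so a signature cut from one variant's body matches only that variant, while the short marker signature matches all three.

```python
import re

# Constructed samples: three variants with different bodies but the same
# four-byte infection marker ('MK', one varying byte, 0x01), plus a clean file
# that happens to contain 'MK' but not the full marker.
SAMPLES = {
    "variant_a.exe": b"\x55\x8b\xec" + bytes(range(40)) + b"\x4d\x4b\x07\x01" + b"\x90" * 8,
    "variant_b.exe": b"\x55\x8b\xec" + bytes(range(40, 80)) + b"\x4d\x4b\x22\x01" + b"\xcc" * 8,
    "variant_c.exe": b"\x55\x8b\xec" + bytes(reversed(range(40))) + b"\x4d\x4b\x99\x01" + b"\x00" * 8,
    "clean.exe":     b"\x55\x8b\xec" + b"\x4d\x4b" + b"hello world" + b"\xc3",
}

SIGNATURES = {
    # Full-body signature taken from variant A: brittle, matches that variant only.
    "Variant.A.body": bytes(range(40)).hex(),
    # The stable marker the virus needs in order to recognise already-infected
    # files; '??' stands for the one byte that differs between variants.
    "Family.marker": "4d4b??01",
}

def hex_sig_to_regex(sig):
    """Compile a hex signature with '??' single-byte wildcards into a bytes regex."""
    if len(sig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, signatures):
    """Return the sorted names of every signature found in data."""
    return sorted(name for name, sig in signatures.items()
                  if hex_sig_to_regex(sig).search(data))

def scan_all(samples, signatures):
    """Scan every sample and map its name to the list of signature hits."""
    return {name: scan(data, signatures) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES, SIGNATURES).items():
        print(f"{name}: {hits or 'clean'}")
```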

The best defense is a good offense. Rather than passively hiding from antivirus programs, many viruses actively search them out and attack them. These retaliating viruses either modify the antivirus program so that it can't detect the virus, or they infect the antivirus program itself and make it complicit in spreading the virus. In both cases, the attacked antivirus program cheerfully displays a "Your computer is virus-free" message while the virus is happily spreading throughout your computer.