# Oligomorphic code

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Oligomorphic_code
> Markdown URL: https://mediated.wiki/source/Oligomorphic_code.md
> Source: https://en.wikipedia.org/wiki/Oligomorphic_code
> Source revision: 1244644992
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Mechanism used by a computer virus to generate a decryptor

**Oligomorphic code**, also known as **semi-polymorphic code**, is a method used by a [computer virus](/source/Computer_virus) to [obfuscate](/source/Obfuscated_code) its decryptor by generating different versions of it, in order to evade detection by antivirus software. It is similar to, but less sophisticated than, [polymorphic code](/source/Polymorphic_code).[1]

Oligomorphic code works by randomly selecting each piece of the decryptor from several predefined alternatives. At [run time](/source/Runtime_(program_lifecycle_phase)), these components can be combined in various ways to create new, distinct versions of the decryptor.[2]

Having multiple possible decryptors makes it more difficult for a virus to be detected with anti-malware signatures. However, most oligomorphic viruses are only able to generate a limited number of decryptors,[2] around a few hundred,[*[citation needed](https://en.wikipedia.org/wiki/Wikipedia:Citation_needed)*] so detecting them with simple signatures is still possible. Another method to detect an oligomorphic decryptor is to make a signature for each possible piece of code, group together the pieces that can substitute for each other, and scan the file for a chain of decryptor pieces from alternating groups. Emulation may be used to detect the virus, but it can take more resources than necessary.[*[citation needed](https://en.wikipedia.org/wiki/Wikipedia:Citation_needed)*]
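The grouped-signature scan described above, as an added example that is not part of the original article: one signature per piece, pieces grouped by the stage they can fill, and a buffer scanned for one piece from each group in order. The byte strings are constructed placeholders rather than real decryptor code, and the names `STAGE_GROUPS`, `match_chain` and `scan` are assumptions.

```python
"""Group-chain signature scan for an oligomorphic decryptor (added example)."""
import math

# Constructed placeholder bytes, NOT real machine code. Each inner list is one
# decryptor stage and holds the interchangeable variants of that stage.
STAGE_GROUPS = [
    [b"\xA1\x01", b"\xA2\x02\x02"],
    [b"\xB1\x11", b"\xB2\x12", b"\xB3\x13\x13"],
    [b"\xC1\x21\x21", b"\xC2\x22"],
    [b"\xD1\x31", b"\xD2\x32"],
]

def signature_count(groups=STAGE_GROUPS):
    """Piece signatures needed: one per variant, summed over all stages."""
    return sum(len(group) for group in groups)

def variant_count(groups=STAGE_GROUPS):
    """Distinct decryptors the groups can form: product of the group sizes."""
    return math.prod(len(group) for group in groups)

def match_chain(data, pos, groups=STAGE_GROUPS, stage=0):
    """Return the variant index chosen at each stage if one piece from every
    group occurs back to back starting at pos, otherwise None."""
    if stage == len(groups):
        return []
    for index, piece in enumerate(groups[stage]):
        if data.startswith(piece, pos):
            # Backtrack if a later stage fails; variants differ in length.
            rest = match_chain(data, pos + len(piece), groups, stage + 1)
            if rest is not None:
                return [index] + rest
    return None

def scan(data, groups=STAGE_GROUPS):
    """Return (offset, variant_indexes) for every complete chain in data."""
    hits = []
    for pos in range(len(data)):
        chain = match_chain(data, pos, groups)
        if chain is not None:
            hits.append((pos, chain))
    return hits

# Constructed sample buffers: a full chain after padding, and the same pieces
# with stages 1 and 2 swapped, which must not match.
SAMPLE_HIT = b"\x00" * 5 + b"\xA2\x02\x02\xB1\x11\xC2\x22\xD1\x31" + b"\x00" * 3
SAMPLE_MISS = b"\x00" * 5 + b"\xA2\x02\x02\xC2\x22\xB1\x11\xD1\x31"

if __name__ == "__main__":
    print(signature_count(), variant_count(), scan(SAMPLE_HIT), scan(SAMPLE_MISS))
```

With these placeholder groups, nine piece signatures cover all 24 possible decryptors, where whole-decryptor signatures would need one per variant.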

## History

The first known virus using oligomorphic code was the [Whale DOS virus](/source/Whale_(computer_virus)), identified in 1990, which chose from a few dozen distinct decryptors. The first [Windows 95](/source/Windows_95) virus using oligomorphic code was the Memorial virus, which could generate 96 distinct decryptor patterns. Another example is the Russian virus family WordSwap.[1]

## See also

- [Timeline of notable computer viruses and worms](/source/Timeline_of_notable_computer_viruses_and_worms)

- [Metamorphic code](/source/Metamorphic_code)

- [Self-modifying code](/source/Self-modifying_code)

- [Alphanumeric shellcode](/source/Alphanumeric_shellcode)

- [Shellcode](/source/Shellcode)

- [Software cracking](/source/Software_cracking)

- [Security cracking](/source/Security_cracking)

- [Obfuscated code](/source/Obfuscated_code)

## References

1. Szor, Peter (2005). [*The Art of Computer Virus Research and Defense*](https://books.google.com/books?id=rahQAAAAMAAJ). Addison-Wesley. ISBN 9780321304544. Retrieved 27 March 2023.

2. Blunden, Bill (4 May 2009). [*The Rootkit Arsenal: Escape and Evasion*](https://books.google.com/books?id=ifQPC86G66sC). Jones & Bartlett Learning, LLC. p. 570. ISBN 9780763782849. Retrieved 27 March 2023.


---
Adapted from the Wikipedia article [Oligomorphic code](https://en.wikipedia.org/wiki/Oligomorphic_code) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Oligomorphic_code?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
