One can give the simplest answer: "Know your enemy!" However, it is not so simple.
Well, I have taken control of one of our big tours aimed at antiviruses, so
I have to answer. Who else can?
How can you write a virus without understanding antiviruses? With very poor efficiency. The bad but common attribute of virus writers is that they do not know how AVs work. Most writers call themselves researchers, but in many cases they are not researching anything, just writing viruses similar to one another. Think a bit: it slightly simplifies the work for the antivirus guys. They need no additional effort to cover new viruses. It is, in other words, schematic. New viruses can be covered within minutes (or even seconds! it depends on how wise they are and on the tools they wrote to do so); of course it also depends on when they get to it, and it may take them up to days or month(s) if they are overloaded with new samples. But no extra work is needed to catch all the samples in the In-the-Wild set and get Virus Bulletin's 100% award. And I think you will not be happy to be caught so easily.
This tour is meant to explain to you how antiviruses work, to list the basic principles and theory of scanning (and cleaning as well) methods, and to partially point out how some of the best antiviruses work (with some comments of ours on their hit rates). We will also try to include some valid tests we made on real samples to show you these theories. We are not going to tell you exact methods for fooling each antivirus, but to show you the way you must think and how to find newer and newer methods to fool them. If we list ten methods, for example, and all of them get used, there is no other method available. Of course, we will try to show some basic directions, but you have to think! Writing viruses is not for lamers. Not any more. Only the best can survive. Think as if it is YOU, for a while.
A virus is as good as long as it can survive. Some virus writers are writing
their work for "research reasons", just putting it into some collections,
spreading it between avers, but no more. Well, one may guess it is ethical.
First I have to say: the most unethical thing associated with viruses
is destruction. Never do that. You don't have any reason
to do so. What else is left is the virus principle itself: to spread
and be spread. There is nothing in between.
I can illustrate it with the Uruguay virus family. Don't you know them? They are pretty well known: originally, the whole family (as far as I know the latest is number 11) was written as research viruses to illustrate technologies. Polymorphic technologies, of course. Their author, named Brueiurere, didn't (as far as is known) intend them for real spreading, only for avers and to complicate their life a bit. Samples were available for av-researchers, later on only for some selected avers, who obtained samples with an important note not to spread them. As the avers are the biggest virus exchangers in the world, soon most of them had those samples. One of them even put Uruguay#6 into a real environment and this virus (only avers had it!) was detected in the wild. This is a classical example that avers can spread viruses too, even if they say they are the good guys. But the world is never black and white. Later on, Uruguay's author produced some newer versions: up to version #8 almost every aver has. Versions #10 and #11 were given only to two people in the world, Ilja Gulfakov (dr.web) and xaefer (avp?). Are Uruguays ethical? I don't think so; they are the same viruses as the other ones, but they complicate life for avers, and the avers don't want to spread them as they can hardly detect them.
I return to the original idea: how long a virus can survive. Sooner or
later any virus can be detected (and removed as well) unless we can change
the current virus principle, but that is another long discussion. For avers,
an easily detectable virus that fits their scanning schemes is no problem
to detect and remove if it appears in the wild. It only depends on how
soon the (up to that time) unknown virus infects the computer of someone who can find
out there is a virus, can see some changes, and sends a sample to some av
company. The usual way (just think) is to put it into some directory to analyze
it. It depends on how many people familiar with viruses they have to process
all the samples they get, as many times there is a lot of rubbish in such
incoming files: damaged files, and viruses of course.
Some minutes, hours or days later the virus is roughly checked (usually not analyzed, as a complex analysis takes lots of time) and a scan string (or whatever they use) is selected. If it is as easy as mentioned, it doesn't take lots of time. The more complicated it is, the more work it takes. If it takes too much work, or they do not understand it at first look, one puts it into some group for later processing (if they will have some free time, but they usually have not if there are too many new viruses). If it is more important, for example it was reported in the wild or a customer has this virus, it must be processed immediately (or sooner, let's say).
I will show another example here, the well-known Slovak virus One_Half (it has several variants, but forget about them for now): it appeared in Slovakia and local anti-viruses had to fight it, even though it was a bit complicated (better to say non-standard) to detect. But there was no need for big foreign companies (like Dr. Solomon's Toolkit) to add this virus to scanning, as it was non-standard: it was not so easy to add, so they didn't. Even though Dr. Solomon's was sold in Slovakia, it wasn't able to detect One_Half for months (only some selected samples that were in virus collections, but no others ;-). When this virus got out of Slovakia and infected other countries, it became a problem for av companies and they had to solve it, standard or not, because customers were requesting it. It took up to weeks or months for some of them to do so (also because One_Half appeared in the In-the-Wild test set of VB). This ignorance helped One_Half spread a lot until they were able to detect it successfully.
Was One_Half so amazing and great? In fact, it wasn't. It has only two unusual things that made it famous; the rest of it is rather simple and uninteresting. The first one (more important for detection) is something I call a distributed decryptor. It is rather easy, but it beats the principle of scanners, and that's why it was too hard for them to detect: the decryptor consists of 10 instructions (all fixed), but they are not in the same place (or chunk). Each instruction, surrounded by a couple of rubbish instructions (chosen from 10 one-byte instructions like clc, stc, sti and some other simplest ones) and followed by a jump, is placed at a random place in the host file. The jumps connect them in order to keep the execution loop intact. Very simple, isn't it? One can very easily detect this virus. But avers weren't able to, as it doesn't fit their scanning schemes: they weren't able to detect it without writing special additional routines. And they are busy and lazy, of course (as everyone is).
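To make the scanner problem concrete, here is an added example (mine, not code from the original text and not One_Half's code): a toy model in Python in which instructions are mnemonics at made-up addresses, one instruction per address slot. `D1`..`D10` stand in for the ten fixed decryptor instructions, the junk set extends the clc/stc/sti the text names with other one-byte x86 instructions (an assumption), and the three sample programs plus the two scanners show why a contiguous scan string matches the classic one-piece decryptor but misses the scattered layout, while a scanner that walks the jumps and drops the junk recovers the fixed sequence in execution order.

```python
# Added toy model (not x86 machine code, not One_Half): why a contiguous scan
# string misses a distributed decryptor while a flow-following scanner catches
# it.  A "program" is a dict {address: (mnemonic, operand)}; every instruction
# occupies exactly one address slot.

# One-byte filler a scanner may skip.  The text names clc, stc and sti; the
# remaining members are an assumption (other single-byte x86 instructions).
JUNK = {"clc", "stc", "sti", "cli", "nop", "cmc", "cld", "std", "lahf", "sahf"}

# The ten fixed decryptor instructions as opaque tokens; only their order
# matters for the signature.
DECRYPTOR = [f"D{i}" for i in range(1, 11)]

HOST_BODY = 0x7000  # made-up address where the host program continues


def build_scattered_program():
    """Constructed sample: each fixed instruction sits in its own chunk at an
    arbitrary address, padded with junk and chained to the next chunk by jmp."""
    chunk_addrs = [0x100, 0x3F0, 0x212, 0x5A0, 0x177, 0x4C3, 0x2E8, 0x610, 0x1B9, 0x380]
    junk = sorted(JUNK)
    program = {0x0000: ("jmp", chunk_addrs[0])}       # entry jumps to chunk 1
    for i, addr in enumerate(chunk_addrs):
        nxt = chunk_addrs[i + 1] if i + 1 < len(chunk_addrs) else HOST_BODY
        chunk = [(junk[i % len(junk)], None),
                 (DECRYPTOR[i], None),
                 (junk[(i + 3) % len(junk)], None),
                 ("jmp", nxt)]
        for k, ins in enumerate(chunk):
            program[addr + k] = ins
    program[HOST_BODY] = ("host_body", None)
    return program


def build_contiguous_program():
    """Constructed sample of the classic case: the decryptor in one piece."""
    program = {0x0000: ("jmp", 0x100)}
    for k, mnem in enumerate(DECRYPTOR):
        program[0x100 + k] = (mnem, None)
    program[0x100 + len(DECRYPTOR)] = ("host_body", None)
    return program


def build_clean_program():
    """Constructed sample of an uninfected file that happens to contain a few
    of the same tokens, but never the whole sequence in order."""
    return {0x0000: ("jmp", 0x100), 0x100: ("D3", None), 0x101: ("clc", None),
            0x102: ("D1", None), 0x103: ("host_body", None), 0x104: ("jmp", 0x100)}


def follow_flow(program, entry=0x0000, max_steps=256):
    """Walk from entry, taking every jmp and dropping junk; return the
    meaningful instructions in execution order.  The visited set and the step
    cap keep the walk finite on loops and on jumps outside the image."""
    stream, addr, visited = [], entry, set()
    for _ in range(max_steps):
        if addr not in program or addr in visited:
            break
        visited.add(addr)
        mnem, arg = program[addr]
        if mnem == "jmp":
            addr = arg
        elif mnem in JUNK:
            addr += 1
        else:
            stream.append(mnem)
            addr += 1
    return stream


def contains_sequence(stream, signature):
    """True if signature occurs as a contiguous run inside stream."""
    n = len(signature)
    return any(stream[i:i + n] == signature for i in range(len(stream) - n + 1))


def string_scan(program, signature):
    """Classic scan string: the signature has to be contiguous in file order."""
    linear = [mnem for _, (mnem, _) in sorted(program.items())]
    return contains_sequence(linear, signature)


def flow_scan(program, signature, entry=0x0000):
    """Flow-following scan: match against the execution-order stream."""
    return contains_sequence(follow_flow(program, entry), signature)


if __name__ == "__main__":
    for name, build in [("contiguous", build_contiguous_program),
                        ("scattered", build_scattered_program),
                        ("clean", build_clean_program)]:
        prog = build()
        print(f"{name:10s} string_scan={string_scan(prog, DECRYPTOR)!s:5s} "
              f"flow_scan={flow_scan(prog, DECRYPTOR)}")
```

The scattered sample is laid out literally by `build_scattered_program`; on real machine code the same walk has to be done by an emulator or a flow-aware disassembler, which is the "special additional routine" the text talks about, and a scanner that only matches a contiguous scan string has nothing to match at all.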
The other unusual thing in One_Half was the slow encryption of the disk. Each time you reboot, it encrypts two tracks of the hard disk, starting from the end (don't think of some strong encryption! it is the simplest xor with a constant word value), but as long as you have the virus you can't notice anything, because it (the same as if you had a stealth virus) encrypts and decrypts the data in the encrypted area on the fly. But if one removes the virus, there is no more on-the-fly decrypting, part of the disk is left encrypted (xored, in other words), and the user can't access files, etc. This was also untraditional, and simple removal leads to reinstalling the disk, so avers had to prepare special routines that decrypt the disk as well (some of them haven't even up to now, but One_Half is over these days). But this is not what I want to point out, as it indirectly leads to destruction.
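As an added example (mine, not One_Half's code and not from the original text), here is a Python model of what the special cleaning routine the text mentions has to do: undo a constant-word xor over the last tracks of a disk image once the virus, and with it the on-the-fly decryption, is gone. The track size, the key, the reboot count and the sample disk contents are constructed assumptions. The page does not say how One_Half keeps track of how much it has already encrypted, so the cleaner here receives that count and the key as inputs; `recover_key` shows how a sector with known plaintext pins the key down and refuses to go on if the data is not a single-word xor, so a cleaner never rewrites a disk with a guessed key.

```python
# Added model (not One_Half's code): cleaning up the disk tail that a boot
# virus left xored with a constant 16-bit word after the virus itself, and
# with it the on-the-fly decryption, has been removed.  The disk is a
# bytearray of fixed-size tracks; track size, key, reboot count and the sample
# disk content are constructed assumptions.
import struct

TRACK_SIZE = 4 * 512   # assumption: a toy track of four 512-byte sectors
TRACKS_PER_REBOOT = 2  # from the text: two tracks are encrypted per reboot


def xor_tracks(image, first_track, n_tracks, key):
    """XOR n_tracks tracks starting at first_track with the little-endian word
    key, in place.  XOR is its own inverse, so the same call encrypts and
    decrypts: this is exactly why removing the resident virus without running
    the same operation once more over the data leaves that data unreadable."""
    pattern = struct.pack("<H", key)
    start = first_track * TRACK_SIZE
    end = min(len(image), start + n_tracks * TRACK_SIZE)
    for off in range(start, end):
        image[off] ^= pattern[(off - start) % 2]
    return image


def encrypted_tail(total_tracks, reboots):
    """(first_track, n_tracks) covered after `reboots` reboots, counted from
    the end of the disk and capped at the disk size."""
    n = min(total_tracks, reboots * TRACKS_PER_REBOOT)
    return total_tracks - n, n


def recover_key(ciphertext, plaintext):
    """Derive the constant word from a region whose plaintext is known (for
    instance a sector the cleaner can reconstruct).  Returns None unless one
    word explains every byte, so a cleaner never rewrites data with a guess."""
    if len(ciphertext) < 2 or len(ciphertext) != len(plaintext):
        return None
    key = bytes(c ^ p for c, p in zip(ciphertext[:2], plaintext[:2]))
    for i, (c, p) in enumerate(zip(ciphertext, plaintext)):
        if c ^ p != key[i % 2]:
            return None
    return struct.unpack("<H", key)[0]


def build_sample_disk(total_tracks=8, reboots=3, key=0xBEEF):
    """Constructed sample: track t is filled with byte 0x40+t ('@', 'A', ...),
    then the tail has gone through `reboots` rounds of the virus's xor."""
    image = bytearray()
    for t in range(total_tracks):
        image += bytes([0x40 + t]) * TRACK_SIZE
    first, n = encrypted_tail(total_tracks, reboots)
    return xor_tracks(image, first, n, key)


def clean_disk(image, total_tracks, reboots, key):
    """What the special av routine has to do once the virus is gone: undo the
    xor over exactly the tracks the virus reached, with the right key."""
    first, n = encrypted_tail(total_tracks, reboots)
    return xor_tracks(image, first, n, key)


if __name__ == "__main__":
    disk = build_sample_disk()
    last_track_plain = bytes([0x40 + 7]) * TRACK_SIZE
    key = recover_key(disk[-TRACK_SIZE:], last_track_plain)
    print(f"recovered key: {key:#06x}")
    clean_disk(disk, 8, 3, key)
    print("tail readable again:", disk[-TRACK_SIZE:] == last_track_plain)
```

The point of the consistency check in `recover_key` is the one the text makes about simple removal: a cleaner that strips the virus and then guesses at the disk state turns a recoverable disk into a reinstall, so the routine must know both the key and the exact extent of the encrypted area before it writes anything back.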
What should you take from this story? No matter how complicated or bombastic your virus is, it is only valuable if it can complicate life for avers. That's it.