
How does a signature of a virus work? Answered

Say "123456" was a virus signature: will it and any other ones be in an EXE, a separate file, the Registry, or is it system code?


A virus 'signature' is any sequence of bytes which an anti-virus program has been programmed to look for. These are usually held in a signature database file supplied by the AV writer and updated regularly to detect new viruses or improve detection on existing ones.
Polymorphic viruses will change their code each generation to make them harder to generate a signature for. Occasionally an anti-virus program will detect a signature string within a valid program and flag it as a virus. This is called a 'false positive'.
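To make the answer above concrete, here is a small signature scanner written for this reply as an added example; it is not code from the thread or from any anti-virus product, and the signature names, hex patterns and sample buffers are all constructed. The first entry is literally the six ASCII bytes of "123456" from the question, so the string lives in the scanner's database, not as a marker inside the infected file. The example also shows the two failure modes discussed: a wildcard pattern that still matches a slightly changed variant, and a perfectly innocent text file that happens to contain the same bytes (a false positive). A whole-file SHA-256 signature is included for contrast: it never fires on a different file, but it also stops matching as soon as a single byte changes.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed signature database for illustration only; these patterns are made
# up and are not taken from any real anti-virus product. Each entry is a spaced
# hex byte pattern; "??" stands for one byte of any value (a wildcard, used where
# a family varies a few bytes between samples).
SIGNATURE_DB: Dict[str, str] = {
    "Example.Test.A": "31 32 33 34 35 36",   # the ASCII bytes of the text "123456"
    "Example.Test.B": "DE AD ?? ?? BE EF",   # two wildcard bytes in the middle
}

# Whole-file signatures keyed by SHA-256 hex digest (filled in below).
KNOWN_BAD_SHA256: Dict[str, str] = {}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a spaced hex pattern into a compiled bytes regex."""
    pieces = []
    for token in hex_pattern.split():
        if token == "??":
            pieces.append(b".")                       # any single byte
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard "." also matches a 0x0A byte.
    return re.compile(b"".join(pieces), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURE_DB.items()}


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every pattern match in data."""
    hits = []
    for name, pattern in COMPILED.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return hits


def scan_sha256(data: bytes) -> List[str]:
    """Return the names of whole-file signatures whose digest equals data's."""
    digest = hashlib.sha256(data).hexdigest()
    return [name for name, h in KNOWN_BAD_SHA256.items() if h == digest]


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk with the byte-pattern database."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample buffers standing in for files on disk.
FLAGGED_SAMPLE = b"MZ\x90\x00" + b"123456" + b"\x00" * 8   # pattern A at offset 4
BENIGN_INVOICE = b"Invoice number 123456 is due"           # same bytes, innocent text
VARIANT_SAMPLE = b"\x01\xde\xad\x07\x08\xbe\xef"           # pattern B, wildcards filled
NEAR_MISS      = b"\xde\xad\xbe\xef"                       # too short for the wildcards
CLEAN_SAMPLE   = b"\x00\x01\x02\x03"

# Register a whole-file hash signature for the flagged sample (constructed).
KNOWN_BAD_SHA256["Example.Test.A.file"] = hashlib.sha256(FLAGGED_SAMPLE).hexdigest()

if __name__ == "__main__":
    for label, buf in [("flagged", FLAGGED_SAMPLE), ("invoice", BENIGN_INVOICE),
                       ("variant", VARIANT_SAMPLE), ("near-miss", NEAR_MISS),
                       ("clean", CLEAN_SAMPLE)]:
        print(f"{label:10} bytes={scan_bytes(buf)} sha256={scan_sha256(buf)}")
```

Running it shows the invoice text matching "Example.Test.A" at offset 15 even though it is plain text, which is exactly the false positive the answer describes; the hash signature only fires on the original flagged buffer.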

Many anti-malware apps will also use actions (e.g., writing to certain parts of the Registry) as part of the signature.

True. I was talking about the disc-scanning phase of detection, but any decent AV will also scan the Registry and active memory for any trace of a viral intruder.

Viruses do not intentionally have signatures. 'Signature' is a name given to a consistent string of bytes in the virus code by the AV people. The ultimate virus would change every byte of its code each generation so it couldn't be detected by checking against a list of code pieces, i.e. the signature database. AV programs use a method called heuristic analysis here, looking for bits of code which would be capable of doing the kind of things viruses do.

Still trying to backhandedly get advise on writing viruses, are you?

It's a bit like psychological profiling.
If you profile a person: over 40, lives with mum, never "known" a woman, interested in bus timetables and Satan.... you can form an opinion of risk.
Virus signatures are similar in that the AV either knows who they are, or recognises their behaviour.
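The behaviour-based side of detection mentioned in several replies (Registry writes counted as part of the signature, heuristic analysis when the bytes keep changing, and the "profiling" analogy where several risky traits add up to an opinion of risk) can be shown with a toy risk scorer. The following is an added example written for this thread, not code from the thread or any AV product: the event format, the rule names and weights, the threshold, and the log lines are all constructed. Each process accumulates points from the actions it performs; a single Run-key write (which a legitimate installer also does) stays below the threshold, while a process that drops an executable into a user profile, registers it to auto-start, and writes into another process's memory crosses it.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed behaviour rules (hypothetical weights for illustration only).
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
THRESHOLD = 5   # total risk score at which a process is flagged

Event = Dict[str, object]
Rule = Tuple[str, int, Callable[[Event], bool]]

RULES: List[Rule] = [
    ("autorun-registry-write", 3,
     lambda e: e["op"] == "REG_WRITE" and str(e["target"]).startswith(AUTORUN_KEYS)),
    ("write-executable-to-profile", 2,
     lambda e: e["op"] == "FILE_WRITE"
     and str(e["target"]).lower().endswith(".exe")
     and "\\appdata\\" in str(e["target"]).lower()),
    ("process-memory-write", 3,
     lambda e: e["op"] == "PROC_MEM_WRITE"),
]

# Constructed one-line event format: pid, originating image, operation, target.
EVENT_RE = re.compile(
    r"^pid=(?P<pid>\d+)\s+image=(?P<image>.+?)\s+op=(?P<op>\w+)\s+target=(?P<target>.+)$"
)


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed event line; return None for lines that do not fit."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    e: Event = m.groupdict()
    e["pid"] = int(str(e["pid"]))
    return e


def score_events(lines: List[str]) -> Dict[int, Dict[str, object]]:
    """Accumulate per-process risk scores and the names of the rules that fired."""
    report: Dict[int, Dict[str, object]] = {}
    for line in lines:
        e = parse_event(line)
        if e is None:
            continue
        pid = int(str(e["pid"]))
        entry = report.setdefault(pid, {"image": e["image"], "score": 0, "rules": []})
        for name, weight, predicate in RULES:
            if predicate(e):
                entry["score"] = int(str(entry["score"])) + weight
                entry["rules"].append(name)  # type: ignore[union-attr]
    return report


def flagged(lines: List[str]) -> List[int]:
    """Return the pids whose accumulated score reaches THRESHOLD."""
    return sorted(pid for pid, r in score_events(lines).items()
                  if int(str(r["score"])) >= THRESHOLD)


# Constructed sample event log (made-up paths and pids).
SAMPLE_EVENTS = [
    r"pid=4120 image=C:\Users\alice\Downloads\invoice.exe op=FILE_WRITE target=C:\Users\alice\AppData\Roaming\svc.exe",
    r"pid=4120 image=C:\Users\alice\Downloads\invoice.exe op=REG_WRITE target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    r"pid=4120 image=C:\Users\alice\Downloads\invoice.exe op=PROC_MEM_WRITE target=pid:812",
    r"pid=2288 image=C:\Program Files\Installer\setup.exe op=REG_WRITE target=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"pid=2288 image=C:\Program Files\Installer\setup.exe op=FILE_WRITE target=C:\Program Files\App\app.exe",
    r"pid=900 image=C:\Windows\System32\notepad.exe op=FILE_WRITE target=C:\Users\alice\notes.txt",
    "this line is not an event and is skipped",
]

if __name__ == "__main__":
    for pid, r in score_events(SAMPLE_EVENTS).items():
        print(pid, r["image"], r["score"], r["rules"])
    print("flagged:", flagged(SAMPLE_EVENTS))
```

The point of the weights is the same as in the profiling analogy: no single action proves anything (the installer's Run-key write scores 3 and is not flagged), but the combination of traits in process 4120 reaches 8 and is. Real products tune such rules far more carefully, and the same scoring idea is what produces behavioural false positives when a legitimate program happens to do several "suspicious" things.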