Heruristic virus scan

I was interested in the heruristic virus scan. I just come cross an article talk about this. Here is the summary:

• Weight based (old way) vs. Rule based
• vb5 example:

    Options.VirusProtection = 0 

 Obfuscation:
     Options.VirusProtection = 1 AND 0

• Encrypted virus
• initialize the pointer with a valid memory address
• initialize a counter
• memory read operation depends on the pointer
• logical operation on the memory read result
• memory write operation with the result from the logical operation
• manipulation of the counter
• branching depends on the counter

• Emulate and decode the data 

            word7 vbscript example:

1. Line 1: Private Sub Document_Open(): Application.EnableCancelKey = wdCancelDisabled

   The definition of the private document handler Document_Open() (often
   inaccurately referred to as a macro) is not typical for common
   applications, so it should be flagged with a low priority. The next operation disables 

   the ‘ESC’ key and has the same security
   risk level as the definition of the private document handler and,
   therefore, should be flagged accordingly.

   Line 2: For d = 6 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: C$ = ""

    This line simply initializes a ‘For’ loop, depending on the number of
   lines. Such strings should be flagged by heuristic engines, as a
   request to count the lines of the existing macro code is suspicious.
   Additionally a heuristic engine should remember that ‘d’ is an integer
   variable, the maximum value of which depends on the number of lines of
   code.

   Line 3:  I = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))  

   A line of code, depending on the counter, will be read from the macro
   code. The range from the counter is chosen that way, so that every line
   of the malicious code can be accessed. Again, this can be seen as a
   memory-read operation as described above and should be flagged.
   Furthermore, the variable ‘I’ should be stored as a string variable
   containing line information.

   Line 4: f = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - f: C$ = C$ & Chr(B$): Next X: A = C$ 

    A set of operations will be done with the read content from the
   previous line. Actually, for the heuristic, the type of encryption that
   is occurring here is not really important; the existence of such a
   routine is suspicious enough and should be flagged. For emulation
   issues, the analysis of encryption functionality has to go deeper.

   Line 5: ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: End Sub 

   This line replaces existing code (the parameter ‘d’ defines the line
   number and ‘A’ defines the actual content) and is another critical
   operation (equivalent to the memory-write operation mentioned above),
   which has to be flagged with a high security risk level. This line also
   contains the end of the outer ‘for’ loop, which is responsible for
   accessing all lines within a certain range of the document. 

   Line 6: '6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Uvzouty4Yg|kTuxsgrVxusvz&C&6 

   This line (as well as all of the following 13 lines) contains this kind of comment with encrypted code:

   * the string is quite long (i.e., consists of more than forty characters) and contains no spaces; 

   * it is not typical to start a comment with a number; and, 

   * the string contains suspicious mixture of numbers, special characters and ordinary alphabet characters. 

• Components of a Heuristic Engine 
• variable/memory emulator;  
• parser; 
• flow analyzer; 
• analyzer; 
• disassembler/emulator; and, 
• weight-based system and/or rule based system.     
• A rule-based system simply compares found functionality with a set of rules. If a predefined rule is found within the code, the rule-based system returns with a positive result.