RSA - New threats could hamper traditional antivirus tools

06.02.2007

New server-side polymorphic threats such as the recent Storm worm, however, comprise a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.

Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behavior-based antivirus engines, Lev said.

By the time a signature is released for one variant, it has often already stopped circulating and has been replaced by several other variants, he said. As a result, such viruses can infect a network and remain undetected by signature-based systems, he said. Examples of polymorphic, server-side viruses include Stration/Warezov and the Happy New Year virus.

Hackers have begun employing the same techniques with self-mutating Trojan programs, said Eugene Kaspersky, founder of security vendor Kaspersky Lab Inc. Such Trojans are planted on malicious Web sites and can mutate with every download, making them very hard to detect. The result: Each user who visits a Web site infected with such a Trojan can be infected with a different version of the same program.

Increasingly, hackers are using "special mutating technology" that allows them to inject random "junk" into Trojan program code before compiling and compressing it to create separate variants, each of which requires a separate signature to block it, Kaspersky said.
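The following is an added illustration of the junk-insertion technique described above and of why per-variant signatures cannot keep up with it; it is not code from the article, from RSA or from Kaspersky Lab. It models a "program" as a list of constructed opcode-like tokens, models the server-side mutation as inserting a random number of semantic no-ops before each real instruction, and models "compile and compress" with zlib. A byte-exact signature written from one captured download is then compared with a signature keyed to the unchanging core. The normalization step assumes the junk vocabulary is known in advance, which a real engine cannot assume; it stands in for the emulation or behaviour analysis a scanner would actually need.

```python
"""Toy model of server-side polymorphism by junk insertion (constructed example)."""
import hashlib
import random
import zlib

# Constructed toy "program": the behaviour-carrying core never changes.
CORE_TOKENS = ["call connect_c2", "call download_payload", "call decrypt_payload",
               "call install_service", "ret"]
# Constructed junk vocabulary: instructions that change bytes but not behaviour.
JUNK_TOKENS = ["nop", "xchg eax,eax", "mov edi,edi", "lea esi,[esi]"]


def mutate(seed, max_junk=4):
    """Emulate the serving side: for each download, lay out fresh junk between the
    core instructions, then 'compile and compress' (zlib stands in for a packer)."""
    rng = random.Random(seed)
    lines = []
    for tok in CORE_TOKENS:
        lines.extend(rng.choice(JUNK_TOKENS) for _ in range(rng.randint(0, max_junk)))
        lines.append(tok)
    return zlib.compress("\n".join(lines).encode())


def exact_signature(variant):
    """Classic byte-exact signature: a hash of what the victim downloaded."""
    return hashlib.sha256(variant).hexdigest()


def normalized_signature(variant):
    """Unpack, drop the known junk, and hash the residue: keyed to behaviour, not bytes."""
    text = zlib.decompress(variant).decode()
    core = [ln for ln in text.splitlines() if ln not in JUNK_TOKENS]
    return hashlib.sha256("\n".join(core).encode()).hexdigest()


def core_signature():
    """Hash of the invariant core, i.e. what every variant normalizes to."""
    return hashlib.sha256("\n".join(CORE_TOKENS).encode()).hexdigest()


def detection_rate(samples, sig_fn):
    """Write one signature from the first sample captured, then measure how many of the
    remaining variants that signature catches (0.0 .. 1.0)."""
    sig = sig_fn(samples[0])
    hits = sum(1 for s in samples[1:] if sig_fn(s) == sig)
    return hits / (len(samples) - 1)


def simulate(n_variants=200, seed=7):
    """Generate n_variants downloads of the same Trojan and compare both signature styles."""
    samples = [mutate(seed * 100000 + i) for i in range(n_variants)]
    return {
        "distinct_downloads": len({exact_signature(s) for s in samples}),
        "exact_rate": detection_rate(samples, exact_signature),
        "normalized_rate": detection_rate(samples, normalized_signature),
    }


if __name__ == "__main__":
    print(simulate())
```

With 200 downloads the byte-exact signature taken from the first one matches essentially none of the rest, while the normalized signature matches all of them; the number of distinct downloads is the number of signatures a vendor would have to ship to cover this one program with exact matching.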