Computers can be protected against a specific malware threat by identifying the threat through analysis, and generating an identifying signature. The signature can then be used to detect instances of the malware attempting to infect computer systems.
Modern malware typically runs in several stages. The first stage is generally an obfuscation layer that changes from sample to sample through the use of garbage code, which makes detection difficult. The second stage is usually a preparation layer, which prepares for the third and final stage, the payload. Although the first stage changes between instances and is designed to obfuscate the actual activities of the malware, the second stage does not change much, providing a good basis for generating a signature for detection. However, modern malware often specifically attempts to evade analysis of the preparation (second) stage and the generation of such a detection signature by wiping out the code and data of this stage, regardless of whether the payload was executed or not.
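The following is an added illustration, not part of the original text, of why the stable second stage is the natural signature basis and why its self-wipe defeats late capture. The samples are constructed synthetic byte strings (no real malware); the signature scheme (hashes of fixed-width byte windows shared by all samples) and the assumption that the payload is stored per-sample encrypted, so only stage 2 is byte-identical, are this example's own choices.

```python
"""Derive a detection signature from the stable stage-2 bytes shared by
several samples whose stage-1 bytes vary, then show the signature no longer
matches once stage 2 has wiped itself. All data here is constructed."""
import hashlib

WINDOW = 16  # signature granularity in bytes (assumed value)

# Constructed, stable "stage 2" bytes shared by every sample.
STAGE2 = b"\x55\x48\x89\xe5decode-config-unpack-payload\x5d\xc3"
# Constructed payload; assumed stored XOR-encoded with a per-sample key,
# so its on-disk bytes differ between samples until stage 2 unpacks them.
PAYLOAD = b"<stage-3 payload bytes, constant in plaintext>"

def make_sample(seed: int) -> bytes:
    """One synthetic sample: varying stage-1 junk + fixed stage 2 + encoded payload."""
    stage1 = bytes((seed * 31 + i * 7) % 256 for i in range(64))
    key = seed & 0xFF
    encoded_payload = bytes(b ^ key for b in PAYLOAD)
    return stage1 + STAGE2 + encoded_payload

def common_windows(samples: list[bytes], width: int = WINDOW) -> set[bytes]:
    """Byte windows present in every sample: the stable-region candidates."""
    common = None
    for s in samples:
        wins = {s[i:i + width] for i in range(len(s) - width + 1)}
        common = wins if common is None else common & wins
    return common or set()

def derive_signature(samples: list[bytes]) -> set[str]:
    """Signature = SHA-256 of each byte window shared by all samples."""
    return {hashlib.sha256(w).hexdigest() for w in common_windows(samples)}

def matches(signature: set[str], blob: bytes, width: int = WINDOW) -> bool:
    """True if any window of `blob` hashes to an entry of the signature."""
    return any(hashlib.sha256(blob[i:i + width]).hexdigest() in signature
               for i in range(len(blob) - width + 1))

def wipe_stage2(sample: bytes) -> bytes:
    """Simulate the evasion: stage-2 code and data zeroed after it has run."""
    return sample.replace(STAGE2, b"\x00" * len(STAGE2))

if __name__ == "__main__":
    sig = derive_signature([make_sample(s) for s in (1, 2, 3)])
    print("unseen sample detected:", matches(sig, make_sample(9)))
    print("after stage-2 wipe:    ", matches(sig, wipe_stage2(make_sample(9))))
```

Because the wiped image no longer contains any signature window, a memory capture taken only after stage 2 has finished yields nothing to sign; the capture has to happen while the preparation layer is still resident.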
It would be desirable to address these issues.