Rok,

Muts over at Offensive Security has released a video of a presentation at Shmoo-con where he demos exactly this practice. Taking a well known piece of malware and in a matter of minutes (scared the bejesus out of me when I saw it) created something with the exact same functionalilty that AV missed.

http://www.offensive-security.com/cons/shmoo2008/muts_at_shmoo.html

Hopefully this will answer your questions and give you plenty more to go exploring from there. Happy Hunting

Basically he is encrypting part of the code of the malware in order to hide it from the AV. He uses a decoding stub to reference the source that needs to be encoded so it can function under the radar. This is similar to the way a packer/crypter works. He does it manually, which is a better way but more tedious.  Crypters will do it for you automatically, but you will have less control. The better known crypters will be spotted by many AVs, but the more obscure ones still can fool a number of them. Usually small hacker groups have their own specially written crypter that is passed among its members, that is if they happen to have a decent coder in their ranks. This way of defeating AV is well known amongst hackers but really only works against simple AVs.  I wrote something about this on this forum a while back when I playing around with them in my lab:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/

The best solution is to write your own and its not hard. If you cant then find someone that can do it for you.

Thanks RoleReversal. Its getting harder to fool an enterprise level AV with a cyrpter, but simple home versions are still easy target. Email AVs that are used by Yahoo,etc are  the easiest to slip through. They are almost a joke so please no one reading this rely on them. When I refer to home versions, I am referring to AVs like AVG free,etc... Enterprise level requires writing a complete new signature that is nothing at all like what might be found in the AV's signature base, so you better be on top of your programming skills or have a friend that is. If it is even slightly  similar, it will trigger the AV and thats why we are seeing more and more false positives popping up today. This is due to their so called "heuristic" function, which can work well on some versions and very poorly on others.  Attacking an enterprise level AV with a simple encoding stub is a waste of time, at least thats my humble experience.

I have seen all the posts but I want little help to build crypters and another thing cryptovirology that technique  can't help in this case?