Which type of malicious code changes its internal form or code each time it is installed in order to avoid detection by antivirus software?

Difficulty: Medium

Correct Answer: Polymorphic virus

Explanation:


Introduction / Context:
Computer security involves understanding different kinds of malicious software and how they behave. Some malware authors try to bypass antivirus signatures by changing the visible form of their code while keeping its harmful behaviour the same. This question focuses on a specific type of virus that deliberately alters its appearance each time it infects or is installed, making it harder for signature-based scanners to recognise it.


Given Data / Assumptions:

  • The code changes each time it is installed.
  • The purpose of the change is to avoid detection by antivirus software.
  • The options include several common categories of malware.


Concept / Approach:
A polymorphic virus is a virus that can change its code or encryption pattern every time it replicates or infects a new system. Although its core behaviour remains the same, the binary pattern looks different, defeating simple signature-based detection. Worms are self-replicating programs that spread through networks, logic bombs trigger on specific conditions, and Trojan horses disguise themselves as legitimate programs, but none of these terms by itself guarantees continuous code mutation in the way a polymorphic virus does.


Step-by-Step Solution:
Step 1: Focus on the phrase "changes each time it is installed to avoid detection", which hints at code mutation or encryption.
Step 2: Recall that polymorphic viruses use mutation engines or encryption routines that vary their code structure while keeping the payload functional.
Step 3: Consider worms, which primarily focus on self-propagation across networks but may or may not be polymorphic.
Step 4: Consider logic bombs, which are dormant code segments that activate when certain conditions are met, not primarily designed around code mutation.
Step 5: Consider Trojan horses, which hide malicious code inside apparently useful software, again not defined by changing form on each installation.
Step 6: Conclude that polymorphic virus is the only option whose defining characteristic matches the description in the question.


Verification / Alternative check:
Security literature explains that polymorphic viruses use techniques such as encryption with variable keys, instruction substitution, or code reordering so that no two copies of the virus look identical in memory or on disk. Antivirus engines respond by using heuristic analysis and behaviour-based detection. By contrast, worms, logic bombs, and Trojans are defined by how they spread or execute, not by whether they change code form every time. This confirms that polymorphic virus fits the given description.


Why Other Options Are Wrong:
Worm: This is wrong because a worm is defined mainly by its ability to self-replicate across networks. Although a worm could be polymorphic, the term worm does not specifically mean that it changes its code form for detection avoidance.
Logic bomb: This is wrong because a logic bomb is code that activates when certain conditions are met, such as a specific date. Its behaviour is defined by the trigger, not by mutations in its code structure.
Trojan horse: This is wrong because a Trojan pretends to be a legitimate program while hiding malicious functions. Its key property is deception in appearance, not code mutation on each installation.


Common Pitfalls:
Many students see the word virus and quickly choose any malware type they recognise without reading the detailed behaviour described. Another pitfall is thinking that any worm or Trojan is automatically polymorphic, which is not correct. Polymorphism describes how the code changes form, not how the malware spreads or hides. Always match the behaviour in the question to the technical definition of the malware type.


Final Answer:
The malicious code that changes its form each time it is installed to avoid detection is a Polymorphic virus.
