Comment Re:Hmm (Score 1) 61
You have one little problem: the program has to know which instructions cancel out. So you probably have a list of pairs in there somewhere. As soon as that is known, the program can be normalized back to the "core code". The other problem is that you would have to be very careful to remove the canceling instructions in the virus before you rescramble it, or the size would quickly get prohibitively large.
The randomly chosen registry keys won't help you; you have to get the thing to be executed, so you have to write something in a fixed number of keys. That should be enough to detect it.
The "scrambled" server key is a tactic Conficker is using. It generates and queries a large number of domains, but obviously the sequence has to be in the code somewhere so a server can be set up which has the right name at the time the thing tries to connect to it. Just scrambling the address in the "client" is useless if there is no server.
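
The normalization argument in the comment above, sketched as an added example that is not part of the original comment: once the list of cancelling pairs is known, a scanner can strip them and fingerprint what remains. The pair list, the mnemonics and both sample variants are constructed for illustration.

```python
import hashlib

# Hypothetical list of instruction pairs that cancel when adjacent
# (the "list of pairs" the comment says must exist in the scrambler).
CANCEL_PAIRS = {
    ("push eax", "pop eax"),
    ("inc ebx", "dec ebx"),
    ("dec ebx", "inc ebx"),
    ("xchg eax, ecx", "xchg eax, ecx"),
    ("not edx", "not edx"),
}

def normalize(instructions):
    """Strip cancelling pairs with a stack, so nested pairs collapse too."""
    core = []
    for ins in instructions:
        ins = " ".join(ins.lower().split())  # canonical case and spacing
        if core and (core[-1], ins) in CANCEL_PAIRS:
            core.pop()        # this instruction undoes the previous one
        else:
            core.append(ins)
    return core

def core_fingerprint(instructions):
    """Hash of the normalized listing: identical for every scrambled variant."""
    return hashlib.sha256("\n".join(normalize(instructions)).encode()).hexdigest()

# Constructed sample: one core sequence and two differently scrambled variants.
CORE = ["mov eax, 1", "add eax, ebx", "call ecx"]
VARIANT_A = ["mov eax, 1", "push eax", "pop eax", "add eax, ebx",
             "not edx", "not edx", "call ecx"]
VARIANT_B = ["inc ebx", "dec ebx", "mov eax, 1", "push eax",
             "xchg eax, ecx", "xchg eax, ecx", "pop eax",
             "add eax, ebx", "call ecx"]

if __name__ == "__main__":
    for name, listing in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(name, len(listing), "->", len(normalize(listing)),
              core_fingerprint(listing)[:16])
```

Variant B nests one pair inside another, which is why the reduction uses a stack rather than a single pass over adjacent lines.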