by mdisraeli
4191 days ago
Polymorphism typically referred to worms and viruses that changed their own code base as they spread. Most infections, however, happen from phishing emails, either with attachments or linking to the payload. Changing the files produced so as to no longer be caught by antivirus signatures is trivial, and you can even create a unique variant for each phish. Many legitimate programs will seem to act similarly - opening files and overwriting their contents with something else: ID3 tag writers for MP3s, file type converters, batch image processing, etc. This means you can't match easily against the types of actions being taken. Let's imagine, however, that the antivirus was still able to detect that something odd was happening. If it prompts the user, they will inevitably click "yes, run this file", because that's what they have always done. If it quarantines the file... well, you just add another few lines to the phishing email saying that the attachment is perfectly safe ("scanned by symantec", apparently...) and to go ahead and bring it back out from quarantine.