~ Sing the code, enjoy the virus voices. ~

EOF/VirusTech zine
Contributions are welcome!



EOF/DR/RRLF zine released on:
27th July 2008

Download from:
EOF-Project or VX Heavens
EOF #1 released on:
1st January 2007

Download from:
EOF-Project or VX Heavens


DooM RiderZ issue #1
(Mirror)
Win32 & Win64 viruses

Win32.Atix  by pr0m1x/EOF
- Entry-Point-Obscuring, polymorphic, last/next-to-last section appender.
- Expands last/next-to-last section.
- Infects PE files in the current folder and all subfolders.
- Per-Process resident (import table modification).
- Multithreading and multifibering.
- Fake API generation.
- Anti-debugging, anti-heuristic, anti-emulation, anti-sandbox.
- Uses xTG, FINE, RANG32, FAKA, FLEA, PPRM engines.


Browse project files


Win32.Anunnaki  by Dark Prophet/EOF
- Entry-Point-Obscuring, polymorphic, last section appender.
- Infects PE files in the current directory.
- Patches the ExitProcess/exit/_exit functions to obscure its entry point.
- Polymorphic engine - OPE2 (Offensive Polymorphic Engine 2).
- Anti-heuristics, anti-debug, anti-emulation.


Browse project files


Win32.Divinorum  by Berniee/EOF (also in EOF-DR-RRLF)
- Entry-Point-Obscured PE appender.
- Looks for folder and PE paths in the clipboard.
- Spreads through removable USB drives.
- Detects MSIL PEs and does not infect them.


Browse project files


Win32.Harulf  by Berniee/EOF (also in EOF-DR-RRLF)
- Entry-Point-Obscured polymorphic PE resource infector.
- Uses Malum's VirXasm length-disassembler engine (LDE) to obtain instruction lengths.
- Makes the infected file ask for administrative privileges and tries to turn off UAC
  on Windows Vista systems.
- Excludes MSIL PEs, packed PEs and PEs without a resource section from infection.


Browse project files


Win32.Relock  by roy g biv (also in EOF-DR-RRLF)

- The first ever virus which uses virtual code.
- Entry-Point-Obscured, parasitic, resident PE infector.
- Infects PE files in the current directory and all subdirectories.
- Linked-list directory traversal.
- Appends to the relocation section.
- Uses CRCs instead of API names.
- Uses SEH for common code exit.
- Does not infect PE files protected by SFC or files with data outside the image (e.g. SFX archives).
- Infected files are padded by a random amount to confuse tail scanners.
- Uses SEH-walker to find the kernel address.

Related article: Virtual Code

Browse project files


Win32.Mimix  by roy g biv (also in EOF-DR-RRLF)

- The first ever virus which uses FSAVE for instruction reordering.
- Entry-Point-Obscured, parasitic, resident PE infector.
- Infects PE files in the current directory and all subdirectories.
- Linked-list directory traversal.
- Appends to the relocation section.
- Uses CRCs instead of API names.
- Uses SEH for common code exit.
- Does not infect PE files protected by SFC or files with data outside the image (e.g. SFX archives).
- Infected files are padded by a random amount to confuse tail scanners.
- Uses SEH-walker to find the kernel address.

Mimix.a inside (related article: New Uses for FSAVE)
Mimix.b inside (related article: New uses for FSAVE: Extended FSAVE)
Mimix.c inside (related article: New Uses for FSAVE: FXSAVE)

Browse project files
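Several of the appenders above (Atix, Anunnaki, Relock, Mimix) leave static traces that a scanner can test for: an entry point inside the last section, a last section that is both writable and executable, and a file tail past the last section's raw data (the random padding Relock and Mimix add to confuse tail scanners, or the overlay of an SFX archive, which those two deliberately avoid). The Python below is an added example written for this page, not code from any EOF project. It parses PE headers with the standard library only and runs its checks over two PE32 images that the script itself constructs: a hypothetical clean file and the same file with a section appended. One caveat the EPO entries imply: a virus that keeps the original entry point and hijacks ExitProcess instead will pass the entry-point test, so the section-flag and overlay checks carry most of the weight, and an overlay on its own is normal for installers and self-extracting archives.

```python
"""Static indicators of a last-section PE appender (added example, not EOF code).

Parses PE headers with struct only and reports: an entry point inside the
last section, a last section that is writable and executable, and bytes
past the last section's raw data (tail padding / overlay).  The sample
images are constructed by build_sample_pe(); nothing is read from disk.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return optional-header magic, entry-point RVA and the section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]       # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, same offset in both
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"magic": magic, "entry": entry, "sections": sections}


def appender_indicators(data):
    """List the static signs of a last-section appender found in a PE image."""
    pe = parse_pe(data)
    secs = pe["sections"]
    if not secs:
        return ["no section headers"]
    findings, last, ep = [], secs[-1], pe["entry"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if ep_sec is last and len(secs) > 1:
            findings.append("entry point in last section %s" % ep_sec["name"])
        if not ep_sec["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry-point section %s is not flagged as code" % ep_sec["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is writable and executable" % last["name"])
    overlay = len(data) - max(s["rawptr"] + s["rawsize"] for s in secs)  # data after the last section
    if overlay > 0:
        findings.append("%d bytes past the last section (overlay or tail padding)" % overlay)
    return findings


def build_sample_pe(infected):
    """Construct a minimal PE32 image (hypothetical, not a real binary); with
    infected=True a third RWX code section '.vir' is appended, the entry point is
    moved into it and 55 bytes of tail padding follow, as an appender would do."""
    secs = [(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    if infected:
        secs.append((b".vir", 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    hdr = bytearray(0x200)                      # all headers fit in one FileAlignment unit
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                  # optional header follows the 20-byte file header
    struct.pack_into("<H", hdr, opt, 0x10B)     # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x3000 if infected else 0x1000)   # AddressOfEntryPoint
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x1000 * (len(secs) + 1), 0x200)  # SizeOfImage/Headers
    body = bytearray()
    for i, (name, va, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i,
                         name, 0x200, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, chars)
        body += b"\xC3" * 0x200 if chars & IMAGE_SCN_CNT_CODE else bytes(0x200)
    if infected:
        body += b"\x90" * 55                    # "random" tail padding, fixed length here
    return bytes(hdr + body)


if __name__ == "__main__":
    for label in ("clean", "infected"):
        print("%-9s %s" % (label, appender_indicators(build_sample_pe(label == "infected")) or "none"))
```

The entry-point test is the one an EPO virus is designed to defeat; run the three checks together and treat an overlay as a reason to look closer, not as a verdict.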


Win32.AnTaReS  by PiKaS (also in EOF-DR-RRLF)

- Direct-action, Entry-Point-Obscured, Per-process resident, Polymorphic PE appender.
- Uses Expressway To My Skool Poly engine by b0z0/iKx.
- Targets PE EXE, SCR and CPL files.
- Gets APIs by using CRC32 with SEH protection.
- Finds targets through shortcut files in the current directory and desktop.
- Detects SFC-protected files and installation kits and does not infect them.
- Uses size padding to avoid reinfection.
- On the 31st of the month, paints a BioHazard symbol on the screen.


Browse project files


Win32.Leon  by kaze/FAT (also in EOF-DR-RRLF)

- Polymorphic PE appender.
- Uses Kpasm-generated Poly engine.
- Uses crypto APIs for decryption.
- To complicate the work of AV emulators further, the virus uses encryption via relocations and decryptor fragmentation.
- Generates fake API calls with random arguments.
- Does not infect SFC-protected files.

Related article: Stealth api-based decryptor

Browse project files


Win32.Anthrax  by Iac (also in EOF-DR-RRLF)

- PE appender with some anti-heuristic techniques.
- Spreads through removable USB drives.


Browse project files


Win32.Rit  by tivuboy (also in EOF-DR-RRLF)

- PE appender.
- Rebuilds the host's import table with the functions it needs.


Browse project files


Win32.Retv  by tivuboy (also in EOF-DR-RRLF)

- PE appender.
- Injects code at the entry point which redirects the address of ExitProcess to the virus code.


Browse project files


Win64.Absolute  by tanMa/EOF (also in EOF #1)

- The very first virus coded in C for the Win64 platform.
- PE32+ memory-resident mid-infector.
- Does not alter the host's size or section headers.
- Injects into the csrss.exe process.
- Anti-heuristic (because of its unique infection method).
- Anti-debugging: checks the BeingDebugged flag in the PEB.
- Disables Windows System File Checker using Ratter's method.
- Uses CRCs (cyclic redundancy checks) instead of API names.
- Uses undocumented APIs for compression.


Browse project files
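Relock, Mimix, AnTaReS and Absolute all resolve APIs by a CRC of the export name rather than by the name itself, so the strings never appear in the virus body. Reversing such a sample means doing the inverse: hashing every candidate export name under the hash variants the resolver might use and looking up the constants pulled from the code. The Python below is an added example for this page, not code from any EOF project. The export-name list, the "sample" hash constants and the four hashing variants (plain CRC32, CRC32 including the terminating NUL, and both over the lower-cased name) are assumptions made for the demonstration; which variant a given virus actually uses has to be read from its resolver loop.

```python
"""Resolve CRC32-hashed API names back to strings (added example, not EOF code)."""
import zlib

# Hashing variants to try; which one a sample uses is read from its resolver loop.
VARIANTS = {
    "crc32": lambda name: zlib.crc32(name.encode()) & 0xFFFFFFFF,
    "crc32+nul": lambda name: zlib.crc32(name.encode() + b"\0") & 0xFFFFFFFF,
    "crc32(lower)": lambda name: zlib.crc32(name.lower().encode()) & 0xFFFFFFFF,
    "crc32(lower)+nul": lambda name: zlib.crc32(name.lower().encode() + b"\0") & 0xFFFFFFFF,
}

# Constructed candidate list: kernel32 export names a file infector commonly needs.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileA", "CreateFileW", "ReadFile",
    "WriteFile", "CloseHandle", "FindFirstFileA", "FindNextFileA", "FindClose",
    "CreateFileMappingA", "MapViewOfFile", "UnmapViewOfFile", "GetModuleHandleA",
    "VirtualAlloc", "VirtualFree", "ExitProcess", "SetFilePointer", "GetFileSize",
]


def api_hash(name, variant):
    """CRC32 of an export name under one of the VARIANTS."""
    return VARIANTS[variant](name)


def build_hash_table(names, variants=VARIANTS):
    """Map (variant, hash) -> [names]; a list so that collisions inside one
    variant are reported rather than silently resolved to one name."""
    table = {}
    for variant in variants:
        for name in names:
            table.setdefault((variant, api_hash(name, variant)), []).append(name)
    return table


def resolve_hashes(hashes, names, variants=VARIANTS):
    """Return {hash: (variant, [names])} for every constant matching a candidate.
    Constants that match nothing are left out so the caller can widen the list."""
    table = build_hash_table(names, variants)
    resolved = {}
    for value in hashes:
        for variant in variants:
            hits = table.get((variant, value))
            if hits:
                resolved[value] = (variant, hits)
                break
    return resolved


# Constructed "constants pulled from a sample": two that resolve, one that does not.
SAMPLE_HASHES = [api_hash("GetProcAddress", "crc32"),
                 api_hash("CreateFileA", "crc32+nul"),
                 0x00C0FFEE]


if __name__ == "__main__":
    resolved = resolve_hashes(SAMPLE_HASHES, CANDIDATE_EXPORTS)
    for value, (variant, names) in resolved.items():
        print("0x%08x  %-18s %s" % (value, variant, ", ".join(names)))
    print("unresolved:", ["0x%08x" % h for h in SAMPLE_HASHES if h not in resolved])
```

When a constant stays unresolved, widen the candidate list (the whole export table of the DLL the sample loads) before assuming a different hash function; a CRC32 variant that includes the NUL terminator is the most common reason a table built from bare names finds nothing.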


Win32.Roman Legionar  by tanMa/EOF (also in EOF #1)

- PE appender written in C.
- Injects into winlogon.exe process.
- Disables Windows File Protection on the fly.
- Crypted through relocation section.
- Does not alter the host's import section and does not depend on the host's export section.


Browse project files


Win32.Lovehoax v1.4  by Berniee/EOF (also in EOF #1)

- PE appender with basic polymorphic engine and simple XOR cipher.
- Searches for and infects all PE files in the current directory and its five parent directories.
- Looks for executable and folder paths in the clipboard.
- Replicates through removable USB drives.


Browse project files


Win32.Cyanide  by Berniee/EOF

- PE resource infector.
- Appends to resource section.


Browse project files


Win32.Fag  by Berniee/EOF

- PE resource infector with simple XOR cipher.
- Spreads through some peer-to-peer networks.


Browse project files


Win32.The Enemy  by Berniee/EOF

- PE prepender with simple XOR cipher.

Browse project files


Win32.Cleevix  by lclee_vx/F-13 (also in EOF #1)

- PE prepender with simple XOR cipher.

Browse project files


Win32.Lychan  by lclee_vx/F-13 (also in EOF #1)

- Very basic PE appender.

Browse project files


Win32.MiniPig  by WarGame/EOF (also in EOF #1)

- PE prepender written in C.
- Infects PE files in the current directory, desktop and personal folder.


Browse project files

Linux & Unix viruses

Linux.Lacrimae 0.30  by herm1t (also in EOF-DR-RRLF)

- Metamorphic ELF infector.
- Host and virus code are fully disassembled using YAD engine.
- Codes are mutated, integrated and assembled back into one piece.
- Functions needed by the virus are added to Import Table.
- Only files containing .plt, .got, .got.plt, .rel.plt, .rel.dyn, .data and .init sections are infected.
- Infects all ELFs in the current directory and subdirectories.

Related article: Code integration on Linux: Cooking the PIE

Browse project files


Linux.Pilot  by herm1t (also in EOF-DR-RRLF)

- ELF cavity infector which removes the Procedure Linkage Table (PLT) and restores it afterwards.
- Resolves and uses libc functions.

Related article: INT 0x80? No, thank you!

Browse project files


Linux.Coin  by herm1t (also in EOF-DR-RRLF)

- Appends to the end of the text segment.
- Gains control via .dtors without overwriting the ELF entry point.

Related article: Reverse of a coin: A short note on segment alignment

Browse project files


Linux.Caveat  by herm1t (also in EOF-DR-RRLF)

- ELF appender.
- Replaces PT_PHDR, PT_GNU_STACK and PT_NOTE in the Program Header Table (PHT) with a loader which allocates memory for the main virus body, then loads and executes it.

Related article: Caveat virus

Browse project files


Linux.Hasher  by herm1t (also in EOF-DR-RRLF)

- ELF cavity infector.
- Replaces .hash section.
- File size will not be increased.
- No delta offset.
- Address of the virus saved in the body upon infection.

  Hasher.b inside (removes .hash section)
  Hasher.c inside (shrinks .hash section)
  Hasher.d inside (shrinks .hash section and adds new segment)

Related article: Hashin' the elves

Browse project files


FreeBSD.H2T3  by F0g (also in EOF-DR-RRLF)

- ELF infector for FreeBSD.
- Appends a new segment to the end of the file by replacing the PT_PHDR entry.


Browse project files
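Caveat and H2T3 replace program-header entries (PT_PHDR, PT_GNU_STACK, PT_NOTE) with a loader segment, and Hasher rewrites, shrinks or removes .hash so that the file size never changes. An analyst can test an ELF for exactly those marks: required PT_ entries that are absent, a PT_LOAD that is writable and executable or whose file extent lies past the section header table, and a .hash table whose nbucket/nchain values no longer fit its section size or the number of .dynsym entries (the SysV hash chain array has one entry per dynamic symbol). The Python below is an added example written for this page, not code from any EOF project. It handles little-endian ELF64 only and builds three toy images itself: a clean one, one with PT_PHDR replaced by an appended RWX segment, and one with .hash shortened by one chain slot. Those layouts are hypothetical and do not reproduce any listed virus exactly.

```python
"""Static checks for ELF segment and .hash tampering (added example, not EOF code).

Little-endian ELF64 only, struct only.  Reports missing program-header entries, a
PT_LOAD that is writable+executable or lies past the section header table, an
executable stack, and a .hash table whose sizes disagree with .dynsym.
"""
import struct

PT_LOAD, PT_NOTE, PT_PHDR, PT_GNU_STACK = 1, 4, 6, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
SHT_STRTAB, SHT_HASH, SHT_DYNSYM = 3, 5, 11
PH_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
SH_FIELDS = ("name_off", "type", "flags", "addr", "offset", "size", "link", "info", "addralign", "entsize")


def parse_elf(data):
    """Return entry point, e_shoff, program headers and section headers (with names)."""
    (ident, _, _, _, entry, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)))
             for i in range(phnum)]
    shdrs = [dict(zip(SH_FIELDS, struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)))
             for i in range(shnum)]
    if shdrs and shstrndx < shnum:                     # resolve names through .shstrtab
        for s in shdrs:
            start = shdrs[shstrndx]["offset"] + s["name_off"]
            s["name"] = data[start:data.index(b"\0", start)].decode("ascii", "replace")
    return {"entry": entry, "shoff": shoff, "phdrs": phdrs, "shdrs": shdrs}


def elf_indicators(data):
    """List the static signs of segment or .hash tampering in an ELF image."""
    elf, findings = parse_elf(data), []
    present = {p["type"] for p in elf["phdrs"]}
    for ptype, label in ((PT_PHDR, "PT_PHDR"), (PT_GNU_STACK, "PT_GNU_STACK"), (PT_NOTE, "PT_NOTE")):
        if ptype not in present:
            findings.append("no %s entry in program header table" % label)
    for p in elf["phdrs"]:
        if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X:
            findings.append("PT_LOAD at offset 0x%x is writable and executable" % p["offset"])
        if p["type"] == PT_LOAD and elf["shoff"] and p["offset"] + p["filesz"] > elf["shoff"]:
            findings.append("PT_LOAD at offset 0x%x extends past the section header table" % p["offset"])
        if p["type"] == PT_GNU_STACK and p["flags"] & PF_X:
            findings.append("PT_GNU_STACK requests an executable stack")
    by_name = {s.get("name"): s for s in elf["shdrs"]}
    dynsym, hash_sec = by_name.get(".dynsym"), by_name.get(".hash")
    if dynsym and not hash_sec and ".gnu.hash" not in by_name:
        findings.append(".dynsym present but no .hash or .gnu.hash section")
    if hash_sec and hash_sec["size"] >= 8:
        nbucket, nchain = struct.unpack_from("<II", data, hash_sec["offset"])
        if hash_sec["size"] != 8 + 4 * (nbucket + nchain):
            findings.append(".hash size 0x%x does not fit %d buckets and %d chains"
                            % (hash_sec["size"], nbucket, nchain))
        if dynsym and dynsym["entsize"] and nchain != dynsym["size"] // dynsym["entsize"]:
            findings.append(".hash chain count %d differs from %d .dynsym entries"
                            % (nchain, dynsym["size"] // dynsym["entsize"]))
    return findings


def build_sample_elf(variant="clean"):
    """Construct a toy ELF64 executable (hypothetical layout, not a real binary).
    'appended': PT_PHDR is replaced by an RWX PT_LOAD whose body is appended after
    the section header table.  'shrunk_hash': .hash loses one chain slot."""
    HASH, DYNSYM, STRTAB, SHOFF, END = 0x200, 0x240, 0x280, 0x300, 0x400
    names = b"\0.hash\0.dynsym\0.shstrtab\0"
    nchain = 1 if variant == "shrunk_hash" else 2
    hash_tbl = struct.pack("<II", 1, nchain) + bytes(4 * (1 + nchain))  # 1 bucket, chains all 0
    img = bytearray(END)
    img[HASH:HASH + len(hash_tbl)] = hash_tbl
    img[STRTAB:STRTAB + len(names)] = names          # .dynsym (2 x 24 bytes) stays zeroed
    phdrs = [(PT_PHDR, PF_R, 0x40, 0x40, 0x40, 4 * 56, 4 * 56, 8),
             (PT_LOAD, PF_R | PF_X, 0, 0, 0, SHOFF, SHOFF, 0x1000),
             (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16),
             (PT_NOTE, PF_R, 0, 0, 0, 0, 0, 4)]
    if variant == "appended":
        phdrs[0] = (PT_LOAD, PF_R | PF_W | PF_X, END, END, END, 0x80, 0x80, 0x1000)
        img += b"\xCC" * 0x80
    shdrs = [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             (1, SHT_HASH, 2, HASH, HASH, len(hash_tbl), 2, 0, 8, 4),
             (7, SHT_DYNSYM, 2, DYNSYM, DYNSYM, 2 * 24, 0, 1, 8, 24),
             (15, SHT_STRTAB, 0, 0, STRTAB, len(names), 0, 0, 1, 0)]
    struct.pack_into("<16sHHIQQQIHHHHHH", img, 0, b"\x7fELF\x02\x01\x01" + bytes(9),
                     2, 0x3E, 1, 0x100, 0x40, SHOFF, 0, 64, 56, len(phdrs), 64, len(shdrs), 3)
    for i, p in enumerate(phdrs):
        struct.pack_into("<IIQQQQQQ", img, 0x40 + 56 * i, *p)
    for i, s in enumerate(shdrs):
        struct.pack_into("<IIQQQQIIQQ", img, SHOFF + 64 * i, *s)
    return bytes(img)


if __name__ == "__main__":
    for variant in ("clean", "appended", "shrunk_hash"):
        print("%-12s %s" % (variant, elf_indicators(build_sample_elf(variant)) or "none"))
```

The section-header checks depend on the headers being honest; a stripped or sectionless binary still loads fine, so on such a file only the program-header findings are meaningful and the .hash check should be repeated against the DT_HASH entry of the dynamic segment instead.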


Lin / Unx.Happy  by WarGame/EOF (also in EOF #1)

- Basic ELF overwriter.

Browse project files

.NET Framework viruses

ILasm.Littlegirl Samara  by Berniee/EOF (also in EOF #1)

- MSIL PE prepender.

Browse project files


ILasm.Littleboy Priapism  by Berniee/EOF (also in EOF #1)

- MSIL PE overwriter.

Browse project files



Macro & script viruses

SXW / Word.LoveStar  by Necronomikon/ex DR (also in EOF #1)

- Cross-infector macro virus able to infect both StarOffice and MS Word text documents.

Browse project files


Ferite.Kr00l  by WarGame/EOF (also in EOF #1)

- The first Ferite script virus.
- Overwrites all ferite script (*.fe) files in the current directory.

  Kr00l.b inside (prepender)
  Kr00l.c inside (+ polymorphic)
  Kr00l.d inside (+ EPO)

Related article: Ferite virus writing guide

Browse project files


Python.Ibis  by Mike_Hood (also in EOF-DR-RRLF)

- Polymorphic, encrypted Python prepender.

Browse project files


Python.Gravel  by Mike_Hood (also in EOF-DR-RRLF)

- Oligomorphic Python worm.

Browse project files


WordMacro.Ylime  by Kefi (also in EOF-DR-RRLF)

- Entry-Point-Obscuring WordMacro virus combined with appending.
- Uses two different polymorphic engines: a garbage-code/comment generator and a slightly modified version of NPE to change its variable names (thanks, Necro).


Browse project files


WinHex.Vredesbyrd  by izee/EOF (also in EOF-DR-RRLF)

- The first virus for a hex editor (WinHex).

Browse project files

Worms

Win32.Mimail  by Anonymous (also in EOF-DR-RRLF)

- Mass mailing worm.

Browse project files


Win32.Hushabye  by Berniee/EOF (also in EOF-DR-RRLF)

- The worm monitors clipboard and adds itself as a packed copy of the last file in
  the clipboard structure.


Browse project files


Win32.Whore  by Berniee/EOF

- Simple USB worm.

Browse project files


Win32.Friday Sectoriate  by Berniee/EOF

- Simple SMTP worm.

Browse project files


WarSkype  by WarGame/EOF (also in EOF #1)

- The first SkypeIM worm.

Browse project files


PS.PowerShell  by sk0r/ex EOF

- The first PowerShell worm.

Browse project files


PS.Polymsh  by sk0r/ex EOF

- The first polymorphic PowerShell worm.

Browse project files


Ruby.Sylworm  by Sephiroth (also in EOF-DR-RRLF)

- Worm written in Ruby which spreads by using Sylpheed e-mail client.

Browse project files


Firefox.Greasemonkey.AMonkeyCanPost  by WarGame/EOF (also in EOF-DR-RRLF)

- The first worm for Firefox's Greasemonkey extension.

Browse project files


Perl.SSH.Worm.iHateBirthday  by WarGame/EOF (also in EOF-DR-RRLF)

- Example of an SSH worm using brute force to gain access to systems and replicate.

Browse project files

Tools

BASLR  by roy g biv (also in EOF-DR-RRLF)

- This is a tool to prevent dumping of a process.

Related article : Brutal Address Space Layout Randomization

Browse project files


Bindshell  by Berniee/EOF (also in EOF #1)

- The tool binds Windows Command Prompt to a specified port.
- Controlled through a telnet client.
- Optional password protection.


Browse project files


Base 64 Encoder  by Berniee/EOF

- Dictionary based Base64 Encoder.

Browse project files


My Sniffer  by Psyco_Rabbit/ex EOF (also in EOF #1)

- Simple network sniffer.

Browse project files


Disk Sector Search  by Cyberdude (also in EOF #1)

- A tool for Unices that does a low-level search for a single string across all sectors of a disk, using the GTK functions.

Browse project files

Engines


xTG  by pr0m1x NEW!

- eXperimental/eXtended/eXecutable Trash Generator
- Generates x86 general-purpose instructions
- Generates FPU/MMX/SSE instructions
- Instructions generation by mask
- Position-independent code
- Can be used with any other engines (the engine can be compiled as stand-alone module)
- Does not use WinAPIs

Browse project files


FinE  by pr0m1x NEW!

- Flying mutatIoN Engine
- Generates random registers
- Generates random keys for encryption
- Size of the decryptor is always different
- Decryptor's code reordering
- Use of RNG and TRASHGEN
- Multiple encryption algorithms (ADD/SUB/XOR)
- Multiple decryptors generation
- Position-independent code
- Can be used with any other engines (the engine can be compiled as stand-alone module)
- Does not use WinAPIs
- Does not use data and delta-offset

Browse project files


RANG32  by pr0m1x NEW!

- RAndom Numbers Generator
- Position-independent code
- Easy to use
- Does not use WinAPIs

Browse project files


VirXasm32 v1.5 Advanced  by Malum (also in EOF-DR-RRLF)

- Compact length-disassembler engine.

Browse project files


Bi Perm v0.2  by Malum (also in EOF-DR-RRLF)

- Low metamorphic (permutation) engine with ability to implement your own plugins.

Browse project files


FDCPIE v1.0b  by Berniee/EOF (also in EOF-DR-RRLF)

- Helps coders inject their DLL functions into executable files.

Browse project files


YAD v0.10  by herm1t (also in EOF-DR-RRLF)

- YAD is the IA-32 instruction parser.
- The engine might also be called "Less eXtended Disassembler Engine": it is primarily based on XDE v1.02 by Z0mbie, with the operand-parsing code omitted and the table regenerated to reflect the changes in IA-32 since the last release of XDE. There were also minor clean-ups in the code.

  Note: Latest version of the engine can be found here.

Browse project files


Maelstrom  by fAMINE/EOF

- Intel x86 disassembler.

Browse project files

Other

Nerzhul  by fAMINE/EOF

- A fully-fledged bot that works entirely in ring 0.
- Connects back to a C&C server via TDI (Transport Driver Interface).
- Uses APCs for download-and-execute.
- Hides itself with NTFS-level IRP hooks.

Browse project files


pControl v0.5  by v1rusL4ir (also in EOF-DR-RRLF)

- Process controlling application.

Related article: Controlling the process execution

Browse project files


Ptrace Fucker  by Santabug/ex EOF (also in EOF #1)

- Linux Kernel Module which intercepts the ptrace syscall.

Browse project files


RansomWar  by WarGame/EOF (also in EOF #1)

- Demonstration of ransomware. It encrypts documents and images on all fixed and remote drives with the Blowfish cipher. The user can get the data back by sending an e-mail to the author of the ransomware and requesting a decryptor.

Browse project files


Semaphore  by Psyco_Rabbit/ex EOF

- The program synchronizes two processes (producer and consumer) in a shared memory buffer using "wait" and "signal" semaphore commands.

Browse project files


h3xb0t  by Nibble/ex EOF

- IRC-bot with many commands.

Browse project files


Small backdoor  by Nibble/ex EOF (also in EOF #1)

- Small backdoor with download and upload functions.

Browse project files


Pcap2Ftp  by WarGame/EOF (also in EOF-DR-RRLF)

- This trojan sniffs all the system's traffic and sends it to an FTP server.
- Requires the WinPcap library.


Browse project files


LNKnell  by Mike_Hood (also in EOF-DR-RRLF)

- Windows shortcut file (.lnk) infector.

Browse project files



Copyright (c) 2006-2010 EOF-Project.net - Designed by Profit - Hosted by VX Heavens.