- The first ever virus which uses virtual code.
- Entry-Point-Obscured, parasitic, resident PE infector.
- Infects PE files in the current directory and all subdirectories.
- Linked-list directory traversal.
- Appends to the relocation section.
- Uses CRCs instead of API names.
- Uses SEH for common code exit.
- Does not infects PE files protected by SFC and with data outside of image (eg SFX).
- Infected files are padded by random amount to confuse tail scanners.
- Uses SEH-walker to find the kernel address.

Related article: Virtual Code

- The first ever virus which uses FSAVE for instructions reordering.
- Entry-Point-Obscured, parasitic, resident PE infector.
- Infects PE files in the current directory and all subdirectories.
- Linked-list directory traversal.
- Appends to the relocation section.
- Uses CRCs instead of API names.
- Uses SEH for common code exit.
- Does not infects PE files protected by SFC and with data outside of image (eg SFX).
- Infected files are padded by random amount to confuse tail scanners.
- Uses SEH-walker to find the kernel address.

Mimix.a inside (related article: New Uses for FSAVE)
Mimix.b inside (related article: New uses for FSAVE: Extended FSAVE)
 Mimix.c inside (related article:  New Uses for FSAVE: FXSAVE)

- Direct-action, Entry-Point-Obscured, Per-process resident, Polymorphic PE appender.
- Uses Expressway To My Skool Poly engine by b0z0/iKx.
- Targets PE EXE, SCR and CPL files.
- Gets APIs by using CRC32 with SEH protection.
- Finds targets through shortcut files in the current directory and desktop.
- Detects & does not infects SFC protected files and installation kits.
- Uses size padding to avoid reinfections.
- If 31th of month, paints BioHazard symbol on the screen.

- Polymorphic PE appender.
- Uses Kpasm-generated Poly engine.
- Uses crypto APIs for decryption.
- In order to complicate AV emulator's work even more, the virus uses encryption via   relocations and decryptor fragmentation techniques.
- Generates fake API calls with random arguments.
- Does not infects SFC protected files.

Related article: Stealth api-based decryptor

- PE appender with some anti-heuristic techniques.
- Spreads through removable USB drives.

- PE appender.
- The virus rebuilds host's import table with needed functions.

- PE appender.
- The virus injects code at the entry point, which will redirect virtual address of ExitProcess to the virus code.

- The very first virus coded in C for Win64 platform.
- PE32+ memory resident mid-infector.
- Does not alters host's size and section's headers.
- Injects into csrss.exe process.
- Anti-heuristic (because of unique infection method).
- Anti-debugging using BeingDebugged byte-flag checking in PEB.
- Disables Windows System File Checker by using Ratter's method.
- Uses Cyclic Redundancy Code instead of API names.
- Uses undocumented APIs for compression.

- PE appender written in C.
- Injects into winlogon.exe process.
- Disables Windows File Protection on the fly.
- Crypted through relocation section.
- Does not alters host's imports section and does not depends on host's export section.

- PE appender with basic polymorphic engine and simple XOR cipher.
- Searches and infects all PE files in the current and 5 parent directories.
- Seeks for the executables and folders paths in the clipboard.
- Replicates through removable USB drives.

- PE resource infector.
- Appends to resource section.

- PE resource infector with simple XOR cipher.
- Spreads through some peer-to-peer networks.

- PE prepender with simple XOR cipher.

- PE prepender with simple XOR cipher.

- Very basic PE appender.

- PE prepender written in C.
- Infects PE files in the current directory, desktop and personal folder.