| Attribute | Value |
| --- | --- |
| Place of Origin | |
| Infection Length | 5,175 Bytes |
Ply is a rare example of a non-encrypted polymorphic virus. It is the first of its kind, and uses a very advanced polymorphic routine.
Ply searches for .exe files in the current directory and infects every file it finds by appending itself to it. Before infecting a file, it checks whether the file's name matches one of about 30 known antivirus program executables and, if so, leaves it alone. The virus's polymorphic engine is very complex and contains a few bugs, which can corrupt some executables and make them unusable.
The virus is divided into three sections: Main Code, Data and Redirected Calls. Every instruction in the Main Code section is exactly 3 bytes long, never longer; the few two-byte instructions have their extra byte filled with a NOP. The Data section contains 6-byte blocks used to copy instructions into the Redirected Calls section and replace them with CALL or JMP instructions. Instructions are moved in their 3-byte blocks and copied to randomly selected addresses in the virus, and the original slot is then replaced with a CALL or JMP to the new location. Existing CALL and JMP redirectors are replaced with the original code. This ensures that there are no constant byte sequences in the virus that would make it easy to identify.
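One way a scanner can undo the slot redirection described above is to resolve every redirector back to the instruction it points at, giving a canonical byte sequence that is the same for every mutation. This is an added example, not Ply's code or the 29A article's; it assumes a simplified model (fixed 3-byte slots, 16-bit near CALL/JMP redirectors, Redirected Calls blocks holding the copied original 3 bytes) and uses constructed sample images in real 16-bit x86 encodings.

```python
# Added example: a normaliser for the slot-redirection scheme described above.
# It is NOT Ply's code or the 29A article's; it assumes a simplified model:
# fixed 3-byte slots, 16-bit near CALL (E8 rel16) / JMP (E9 rel16) redirectors,
# and a Redirected Calls section holding the copied original 3-byte instruction.
import struct

SLOT = 3                          # every Main Code slot is exactly 3 bytes
CALL_NEAR, JMP_NEAR = 0xE8, 0xE9


def normalise(image: bytes, main_start: int, main_len: int,
              redir_start: int, redir_len: int) -> bytes:
    """Return the Main Code section with each CALL/JMP redirector replaced by
    the original 3 bytes it points to.  A CALL/JMP whose target lies outside
    the Redirected Calls section is a genuine branch and is left untouched.
    One hop suffices: the scheme restores a slot before reusing it."""
    out = bytearray()
    for off in range(main_start, main_start + main_len, SLOT):
        slot = image[off:off + SLOT]
        if slot[0] in (CALL_NEAR, JMP_NEAR):
            rel = struct.unpack('<h', slot[1:3])[0]      # signed rel16
            target = (off + SLOT + rel) & 0xFFFF          # relative to next instr
            if redir_start <= target < redir_start + redir_len:
                slot = image[target:target + SLOT]
        out += slot
    return bytes(out)


def _image(main: bytes, redir: bytes, redir_start: int) -> bytes:
    """Constructed test image: Main Code at 0, zero padding, Redirected Calls."""
    return main + bytes(redir_start - len(main)) + redir

# Constructed sample: a four-slot program in real 16-bit x86 encodings,
#   mov ax,1234h | mov bx,ax ; nop | add ax,bx ; nop | int 21h ; nop
CANONICAL = bytes.fromhex("B83412 8BD890 03C390 CD2190")
REDIR_AT = 0x100
# Variant A: slot 1 copied to 0x100 and replaced by JMP (rel16 = +250);
# the block holds the original bytes followed by a JMP back to slot 2.
VARIANT_A = _image(bytes.fromhex("B83412 E9FA00 03C390 CD2190"),
                   bytes.fromhex("8BD890 E900FF"), REDIR_AT)
# Variant B: slot 2 copied instead (rel16 = +247, return JMP to slot 3).
VARIANT_B = _image(bytes.fromhex("B83412 8BD890 E9F700 CD2190"),
                   bytes.fromhex("03C390 E903FF"), REDIR_AT)
# Genuine branch: slot 3 is a real JMP back to slot 0 (rel16 = -12).
GENUINE = _image(bytes.fromhex("B83412 8BD890 03C390 E9F4FF"), b"", REDIR_AT)


def canonical_form(image: bytes) -> bytes:
    """Normalise one of the constructed images (Main Code = 12 bytes at 0)."""
    return normalise(image, 0, 12, REDIR_AT, 6)
```

Both mutated images differ byte for byte yet normalise to the same 12-byte canonical form, which is what a signature or hash should be taken over; a real CALL or JMP that does not land in the Redirected Calls section is preserved.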
There were several functionally similar variants of Ply, the only differences being which antivirus executables they avoid and their size, ranging from around 3,000 to 5,000 bytes. The virus's origin is uncertain, and even the exact date, or even the month, of its creation seems to be lost. It was featured in issue 2 of 29A magazine, with notes by Darkman.
Darkman. "Ply.5175 disassembled." 29A, Issue 2.