Ply
Type: File virus
Creator:
Date Discovered: 1996
Place of Origin:
Source Language: Assembly
Platform: DOS
File Type(s): .exe
Infection Length: 5,175 bytes
Reported Costs:

Ply is a rare example of a non-encrypted metamorphic virus. It is the first of its kind, and uses a very advanced routine, one that would not be seen again until the appearance of Zperm and Zmorph.

Behavior

Ply searches for .exe files in the current directory and infects all that it finds, appending itself to each file. Before infecting a file, it checks whether the file has one of the names of about 30 known antivirus program executables, and avoids infecting those. The virus's metamorphic engine is very complex and contains a few bugs, which may corrupt some executables so they are unusable.

The virus is divided into three sections: Main Code, Data and Redirected Calls. All instructions in the main code section of the virus are 3 bytes long, never longer. There are a few two-byte instructions, and the extra byte is filled with a NOP instruction. The Data section contains 6-byte blocks used to copy the instructions to Redirected Calls and replace them with CALL or JMP commands. The instructions are shifted within the 3-byte blocks, copied to a randomly selected address in the virus, and then replaced with a CALL or JMP command. Existing CALL and JMP redirectors are replaced with the original code. This ensures that there are no constants in the virus that would make it easy to identify.
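The layout described above defeats fixed byte signatures, but the 3-byte slot structure itself stays constant between generations. The following added example (not taken from this page or from the 29A disassembly) sketches a structural heuristic a scanner could use; the function names, thresholds and sample bytes are assumptions constructed for illustration, and the region is assumed to start on a slot boundary.

```python
"""Structural heuristic for a 3-byte slot layout (illustrative, not tuned)."""
import struct

NOP = 0x90
NEAR_CALL, NEAR_JMP = 0xE8, 0xE9  # 16-bit near CALL/JMP rel16 are 3 bytes each

def slot_profile(region: bytes) -> dict:
    """Walk the region in 3-byte slots and count the slot kinds described above."""
    slots = len(region) // 3
    redirects = in_body = padded = 0
    for i in range(slots):
        off = i * 3
        if region[off] in (NEAR_CALL, NEAR_JMP):
            redirects += 1
            rel = struct.unpack("<h", region[off + 1:off + 3])[0]
            target = (off + 3 + rel) & 0xFFFF  # IP wraps at 64 KiB
            if target < len(region):           # redirect stays inside the body
                in_body += 1
        elif region[off + 2] == NOP:           # two-byte instruction plus NOP
            padded += 1
    return {"slots": slots, "redirects": redirects,
            "in_body": in_body, "padded": padded}

def looks_slot_aligned(region: bytes, min_slots: int = 8,
                       min_ratio: float = 0.25) -> bool:
    """Heuristic verdict; both thresholds are assumptions for this example."""
    p = slot_profile(region)
    if p["slots"] < min_slots or p["redirects"] == 0:
        return False
    structural = p["in_body"] + p["padded"]
    return (p["in_body"] == p["redirects"]
            and structural / p["slots"] >= min_ratio)

# Constructed samples: harmless register moves laid out in 3-byte slots.
# A and B hold the same instructions with different slots redirected, so
# their bytes differ while the structural profile is identical.
SAMPLE_A = bytes.fromhex(
    "B80100 E81200 89C390 BB0200 01D890 E90900 B90300 31C990 31D290 BA0400")
SAMPLE_B = bytes.fromhex(
    "E91200 B80100 89C390 01D890 BB0200 B90300 E80600 31C990 BA0400 31D290")
# Constructed control: ordinary DOS code, variable-length, not slot-aligned.
CONTROL = bytes.fromhex("B409BA0B01CD21B8004CCD21") + b"Hello, world!$"

if __name__ == "__main__":
    for name, buf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("control", CONTROL)):
        print(name, slot_profile(buf), looks_slot_aligned(buf))
```

A real scanner would combine such a profile with other evidence, since a slot ending in 0x90 can also be part of an immediate operand.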

Other Facts

There were several functionally similar variants of Ply, the only differences being the antivirus executables they avoid and their size, which ranges from around 3,000 to 5,000 bytes. The virus's origin is uncertain, and the exact date, or even the month, of its creation seems to be lost. It was featured in issue 2 of 29A magazine, with notes by Darkman.

Sources

Darkman. 29A, Issue 2, Ply.5175 disassembled.
