Inspired by Armadillo nanomites, I've decided to write a virus which uses Nanomites to foobar heuristics as much as possible. This virus also has the ability to inline-patch some commonly used packers such as ASPack, UPX, FSG and some more.
Blacky.w32 uses Trap flag encryption/decryption during its whole execution, and in such a way stays encrypted all the way during its execution. Using TF for runtime decryption/encryption will slow down the system, so only a few files are infected during one run.
prcko.XP is a virus which will use sysenter to directly talk with the kernel; it is a simple example of a virus which will avoid lame sandboxes whose authors hook kernel32 APIs to monitor the execution of a certain binary.
Blackhand.w32 (named DeadCode because of its signature in the PE header) was a virus used to test how fast AVs would react when a new virus is "in the wild"; actually a copy was sent to them only, and no one else. F-Secure and KAV were the fastest to make a signature for it. After that some stupid company (Sophos I think it was) started talking about some political message in the virus, even if it took them 16 days more to make a signature. Even if they want to write shit like that it is much better to know the stuff that you are talking about; talking nonsense makes you look funny. They suck, as an AV company and as historians. Long Live Great Serbia...