Zombie.ZCME.1638 Spyware/Adware Definition
Name: Zombie.ZCME.1638
Category: Viruses
Description:
Details
Zombie.ZCME.16384
This is a harmless, non-memory-resident, parasitic polymorphic virus. It searches for COM files in the current directory, then writes itself to the beginning of the file. Before infecting, the virus builds the following text string in memory (writing it byte by byte) and then immediately erases it:
ZCME 0.01 Z0MBiE`s Code Mutation Engine (c) 1997
The main feature of this virus is its polymorphic engine: the virus is not encrypted, yet no part of its code is constant. It achieves this by "mixing" its code while infecting files: using its internal disassembler, the virus disassembles itself and copies its assembler instructions into a 16K buffer at randomly selected addresses. When sequential instructions are copied to different blocks of the buffer, the virus "links" them with the assembler JMP instruction. The virus then fixes the addresses of conditional jump (Jcc) instructions and subroutine CALLs. It also randomly inserts "do-nothing" NOP instructions into its code. As a result, the 1346 bytes of actual virus code are randomly placed within the 16K buffer.
See also Ply and TMC viruses.
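For detection, the layout described above means a fixed byte signature over the raw file will not match, while the instruction sequence in execution order stays the same. The sketch below is an added example, not code from the original page: it walks a buffer in execution order, follows JMP links and drops NOPs. The opcode subset, the names `normalize` and `rel`, and both sample buffers are constructed assumptions, and only straight-line code is handled (Jcc and CALL targets are not resolved).

```python
# Instruction lengths for the few 16-bit x86 opcodes used in the constructed
# samples (assumption: a real tool needs a full length disassembler).
LENGTHS = {0xB4: 2,   # MOV AH, imm8
           0xBA: 3,   # MOV DX, imm16
           0xCD: 2,   # INT imm8
           0xC3: 1}   # RET (ends the walk)

def rel(buf, pos, size):
    """Read a signed little-endian jump displacement of `size` bytes."""
    return int.from_bytes(buf[pos:pos + size], "little", signed=True)

def normalize(buf, entry=0):
    """Return the instructions in execution order, without JMPs and NOPs."""
    out, pc, seen = [], entry, set()
    while True:
        if pc in seen or not 0 <= pc < len(buf):
            raise ValueError(f"loop or out-of-buffer target at {pc:#x}")
        seen.add(pc)
        op = buf[pc]
        if op == 0x90:                      # NOP padding: skip
            pc += 1
        elif op == 0xEB:                    # JMP rel8: follow the link
            pc += 2 + rel(buf, pc + 1, 1)
        elif op == 0xE9:                    # JMP rel16: follow the link
            pc += 3 + rel(buf, pc + 1, 2)
        elif op in LENGTHS:
            out.append(buf[pc:pc + LENGTHS[op]])
            if op == 0xC3:
                return b"".join(out)
            pc += LENGTHS[op]
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {pc:#x}")

# Two constructed 32-byte layouts of the same four instructions; 0xCC is filler.
SAMPLE_A = bytes.fromhex(
    "EB 0E CC CC BA 20 01 E9 0E 00 CC CC CC CC CC CC"
    "B4 09 90 EB EF CC CC CC 90 CD 21 C3 CC CC CC CC")
SAMPLE_B = bytes.fromhex(
    "90 B4 09 90 E9 0D 00 CC CC CC 90 C3 CC CC CC CC"
    "CC CC CC CC BA 20 01 90 CD 21 EB EE CC CC CC CC")

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, normalize(sample).hex(" "))
```

Both samples differ byte for byte in layout but normalize to the same sequence, which is the form a signature or hash should be computed over.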