Best Security Tips
A PoC Epoch

It's not often that we get a proof-of-concept (PoC) virus, but to receive four in two weeks is completely unprecedented. The first one, which we call MEL.Odorous, is a virus for the Maya 3D scripting language (MEL). It searches the current directory for uninfected files and prepends itself to them. After infecting files, it runs the host as usual.



The second virus, which we call WHS.Vred, is a virus for the WinHex scripting language. Like MEL.Odorous, Vred searches the current directory for uninfected files and prepends itself to them. Unlike MEL.Odorous, however, Vred does not run the host code after infecting files.



The third and fourth viruses, which we named W32.Piffle and W32.Weakling respectively, are viruses for Windows. They are so named because the virus author likes to play with the language—he called them W32.Spiffy and W32.WeakLNK (that is, "weak link")—so we did, too.



W32.Piffle searches the current directory for uninfected files and randomly chooses a single one of them. Once a file is selected, the virus creates a PIF (program information file) to replace the host file, but this PIF has an unusual characteristic: it is a kind of archive that holds both the virus code and the host file.



When the PIF is executed, the command line inside it launches the command processor and passes "debug.exe" and the name of the PIF as parameters. The command processor then runs debug.exe, and the PIF itself is used as the script that drives it. The script constructs a Windows executable in memory, writes it to disk, and then executes it. The created file then opens the PIF, extracts and runs the host file, and searches for another file to infect.



W32.Weakling is functionally identical to W32.Piffle, with the difference that the LNK (aka shortcut) format is used instead of the PIF format.
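A defender-side check for the PIF carrier described above, written as an added example (not code from the original article or from the antivirus vendor): it parses the PIF basic section and section-header chain, then reports the three traits W32.Piffle's carrier exhibits (command processor launched with debug.exe, the PIF's own name passed as the script, and data appended beyond the last declared section). Field offsets are assumed from the documented PIF layout; the LNK variant used by W32.Weakling is not covered, and `make_pif` only builds constructed test samples.

```python
import struct

# Field layout of the 0x171-byte PIF basic section and of the 22-byte section
# headers that follow it (assumed from the documented PIF format; confirm the
# offsets against a known-good PIF before relying on them).
BASIC_LEN = 0x171
PROGRAM = (0x24, 63)   # program path, NUL-padded
PARAMS = (0xA5, 64)    # command-line parameters, NUL-padded
HDR_LEN = 22           # name[16] + next_off(u16) + data_off(u16) + data_len(u16)

def _field(data, offset, length):
    """Decode a NUL-terminated ASCII field from a fixed-width slot."""
    return data[offset:offset + length].split(b"\x00", 1)[0].decode("ascii", "replace")

def logical_end(data):
    """Walk the section-header chain; return the last byte any section claims."""
    end, off, seen = BASIC_LEN, BASIC_LEN, set()
    while off not in seen and off + HDR_LEN <= len(data):   # 'seen' guards against cycles
        seen.add(off)
        next_off, data_off, data_len = struct.unpack_from("<HHH", data, off + 16)
        end = max(end, off + HDR_LEN, data_off + data_len)
        if next_off == 0xFFFF:          # 0xFFFF marks the end of the chain
            break
        off = next_off
    return end

def piffle_indicators(data, own_name):
    """Return the reasons a PIF resembles the W32.Piffle carrier pattern."""
    if len(data) < BASIC_LEN:
        return ["too short to be a PIF"]
    prog = _field(data, *PROGRAM).lower()
    params = _field(data, *PARAMS).lower()
    trailing = len(data) - logical_end(data)
    reasons = []
    if prog.endswith(("command.com", "cmd.exe")) and "debug" in params:
        reasons.append("command processor launched with debug.exe")
    if own_name.lower() in params:
        reasons.append("PIF passes its own name as the debug script")
    if trailing > 0:   # heuristic: padded PIFs may trigger this on its own
        reasons.append(f"{trailing} bytes beyond the last declared section")
    return reasons

def make_pif(program, params, trailing=b""):
    """Constructed sample PIF for testing (basic section + one header), not a real file."""
    basic = bytearray(BASIC_LEN)
    basic[PROGRAM[0]:PROGRAM[0] + len(program)] = program.encode()
    basic[PARAMS[0]:PARAMS[0] + len(params)] = params.encode()
    hdr = b"MICROSOFT PIFEX\x00" + struct.pack("<HHH", 0xFFFF, BASIC_LEN + HDR_LEN, 0)
    return bytes(basic) + hdr + trailing
```

Treat a non-empty result as a reason to quarantine and inspect, not as a verdict; only the combination of all three traits matches the carrier the article describes.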



These viruses present no danger to users; they are just something to occupy the time of virus writers. There are, of course, more worthy pursuits.

