ZMorph.Bistro
This is improved virus version that was found on the Internet(?) in October 2000. This virus uses more complex infection and polymorphic routines, as well as has more bugs and often causes standard Windows message about an 
error in application.
When run the virus infects: the EXPLORER.EXE file in Windows directory; then randomly selects and infects one of files in Windows directory (SCANREGW.EXE, CDPLAYER.EXE, NOTEPADE.EXE, MPLAYER.EXE, RUNDLL32.EXE); then 
.EXE and .SCR files in Windows directory with subdirectories; then .EXE and .SCR in PATH directories; then looks for .EXE and .SCR files on local and 
remote drives and infects them too.
The infection goes in background, so the virus does not slow down the machine. Each of infection routines is activated randomly, so the virus infection routines listed above may be activated in different sequence.
The virus also fills gaps between its routines (blocks of code, see generic description above). The virus fills these gaps with a random selected byte, or with "still trying to disasm me?" text, or with similar text in Russian.
The virus also is able to change entry routines in files that are affected.  The virus follows assembler instruction at entry and replaces some of them with their synonyms (for example, "MOV Reg1,Reg2" instruction can be 
replaces with two instructions: "PUSH Reg2; POP Reg1").
To infect EXPLORER.EXE (that is locked for writing by Windows) the virus creates copy of that file with EXPLORER.AB name, infects it and adds an instruction to WININIT.INI file that will force Windows to replace 
EXPLORER.EXE with infected copy on next Windows startup.
The virus pays attention to ZIP and RAR archives and looks for EXE files in them. If a file is found, the virus renames it in archive with ".EX_" extension (the result looks like "filename.EX_"), and creates its copy in 
archive with "filename.EXE" name.
The virus pays attention to anti-virus programs, utilities: NOD, DRWEB, AVP, ADINF, SPIDER, F-PROT, VIRSTOP, HIEW and anti-virus data files:  data files .AVC, .VDB. In case one of such files found, the virus corrupts the file, it writes several text strings to the middle of the file:
[RSA encrypted. (c) V.Bogdanov//KasperskyLab]


When a .DOC, .MP3, .JPG, .XLS the virus in one case of 100 also corrupts them in the same way.
The virus also uses anti-debugging tricks and patches ant-virus memory resident monitors: AVP95, AVPG, GK95, SPIDER.