                                 Dark Avenger                                 
 
 Virus Name:  Dark Avenger 
 Aliases:     Black Avenger, Boroda, Eddie, Diana, Rabid Avenger, VAN Soft,
              Dark Avenger 1801, Dark Avenger-C, Dark Avenger-D, PS!KO,
              Evil Men, Dark Avenger.1E
 V Status:    Common
 Discovery:   September, 1989
 Symptoms:    TSR; .COM, .EXE, .SYS file growth; file/disk corruption
 Origin:      Bulgaria
 Isolated:    Davis, California, United States
 Eff Length:  1,800 bytes
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector
 Detection Method:  ViruScan, F-Prot, IBM Scan, AVTK, NAV, Novi, Sweep,
                    CPAV, UTScan, VirexPC, Gobbler2, VBuster, AllSafe,
                    ViruSafe, Trend, Iris, VNet, Panda
 Removal Instructions:  CleanUp, F-Prot, NAV or delete infected files

 General Comments:
       Dark Avenger was first isolated in the United States at the
       University of California at Davis.  It infects .COM, .EXE, and
       overlay files, including COMMAND.COM.  The virus will install itself
       into system memory, becoming resident, and is extremely prolific at
       infecting any executable files that are opened for any reason. 
       This includes using the DOS COPY and XCOPY commands to copy
       uninfected files; both the source and the target files will end up
       being infected.  Infected files will have their lengths increased by
       1,800 bytes.

       The Dark Avenger virus does perform malicious damage.  The virus
       maintains a counter in the disk's boot sector.  After each sixteenth
       file is infected, the virus will randomly overwrite a sector on the
       disk with a portion of the Dark Avenger virus code.  If the randomly
       selected sector is a portion of a program or data file, the program
       or data file will be corrupted.  Programs and data files which have
       been corrupted by a sector being overwritten are permanently damaged
       and cannot be repaired since the original sector is lost.

       If you are infected with Dark Avenger, shut down your computer and
       reboot from a Write Protected boot diskette for the system, then
       carefully use a disinfector, following all instructions. Be sure to
       re-scan the system for infection once you have finished disinfecting
       it.

       The Dark Avenger virus contains the words: "The Dark Avenger,
       copyright 1988, 1989", as well as the message: "This program was
       written in the city of Sofia.  Eddie lives.... Somewhere in Time!".

       This virus bears no resemblance or similarity to the Jerusalem
       viruses, even though they are similar in size.

       Known variant(s) of Dark Avenger are:
       Boroda: Similar to Dark Avenger-D, this variant contains only
               one text string: "B O R O D A".  It adds 1,800 bytes to the
               .COM files it infects, and 1,800 to 1,814 bytes to the
               .EXE files it infects.  Decrease in total system and
               available free memory, as indicated by the DOS CHKDSK
               program, will be 3,696 bytes.  Interrupts 21 and 27 will be
               hooked.  As with the original Dark Avenger, it will
               modify the disk boot sector, and occasionally overwrite a
               sector of the disk with a copy of itself, thus damaging
               files.
               Origin:  Unknown  January, 1992.
       Dark Avenger.1E: Similar to Dark Avenger-D, this variant adds
                       1,800 bytes to the .COM programs it infects, and
                       1,800 to 1,814 bytes to the infected .EXE programs.
                       In both cases, the virus is located at the end of
                       the infected program.  The text strings in this
                       variant are:
                       "Eddie lives...somewhere in time!"
                       "Diana P."
                       "This program was written in the city of Sofia"
                       "(C) 1988-89 Dark Avenger"
                       Systems infected with Dark Avenger.1E will notice
                       that boot sectors will be slightly altered, and
                       programs and files may become slowly corrupted.
                       Once the system is booted from an infected
                       COMMAND.COM, the system date's format may be changed
                       from "mm/dd/yy" to "yyyy#mm#dd", and the ":"
                       character in the system time changed to "".
                       Origin:  Bulgaria  June, 1992.
       Dark Avenger-B: Very similar to the Dark Avenger virus, the major
                       difference is that .COM files will be reinfected,
                       adding 1,800 bytes to the file length with each
                       infection.  This variant also becomes memory
                       resident in high system memory instead of being a
                       low system memory TSR. Text strings found in the
                       virus's code include:
                           "Eddie lives...somewhere in time!"
                           "Diana P."
                           "This program was written in the city of Sofia"
                           "(C)1988-1989 Dark Avenger"
       Dark Avenger-C: Very similar to the Dark Avenger virus, this
                       variant adds 1,800 to 1,814 bytes to infected files.
                       The copyright notice is also different, having been
                       changed to: "(C) 1988-89 Dark Avenger".
       Dark Avenger-D: This variant is very similar to Dark Avenger-C,
                       adding 1,800 to 1,814 bytes to infected files.  It
                       has the same copyright notice as Dark Avenger-C.
       Dark Avenger 1801: Similar to the Dark Avenger virus, the major
                          difference is that this variant has an effective
                          length of 1,801 bytes, one byte longer than the
                          Dark Avenger virus.  Like Dark Avenger-B, it will
                          become memory resident at the top of system memory
                          instead of being a low system memory TSR.  It does
                          not, however, reinfect .COM files as Dark Avenger-B
                          does.  The same text strings found in Dark Avenger
                          and Dark Avenger-B appear in this variant.
       Evil Men: Similar to Dark Avenger-D, this variant contains the
                 following text strings:
                 "The evil that men do !"
                 "This program was written in the city of Sofia"
                 "(C) 1988-89 Dark Avenger"
                 "Diana P."
                 Origin:  Unknown  January, 1992.
       PS!KO: The PS!KO variant of Dark Avenger was received in
              November, 1991.  Its origin is unknown.  It adds 1,803 to
              1,817 bytes to programs which it infects.  The following
              text strings can be found in infected programs:
              "The Ps!ko Virus - Version 1.0"
              "The Ps!ko Virus - Written in the USA,"
              "(C)1991 by SiTT and The Viola"
              Symptoms of an infection by PS!KO include .COM programs
              failing to execute properly, and frequent system hangs.
       Rabid Avenger: Rabid Avenger was isolated in the United States in
                      April 1991.  This variant of Dark Avenger is based on
                      the Dark Avenger-B variant.  Its memory resident
                      portion is located at the top of system memory but
                      below the 640K DOS boundary, and is 3,696 bytes in
                      length.  Interrupts 21 and 27 are hooked. Infected
                      .COM files will increase in length by 1,800 bytes.
                      Infected .EXE files will increase in size by 1,806 to
                      1,823 bytes.  In both cases, the virus will be
                      located at the end of the infected file.  Text
                      strings found in the virus's code include:
                         "<- Thanks to the Dark Avenger ->"
                         "Eat us!"
                         "(C) 1991 RABID International Development Corp!"
                         "Scan String Killer Test"
                      This variant has also been altered so as to avoid
                      detection by anti-viral utilities which are able to
                      detect Dark Avenger.
       VAN Soft: VAN Soft was received from Europe in May, 1991.  This
                 variant is from Bulgaria and is based on the original
                 Dark Avenger virus.  The major change in this variant is
                 that the text strings have been altered so that they are
                 now:

                      "V.A.N. Soft & MMMM PRESENT:SOFIA"
                      "VAN&MMMM"

                 Infected .COM programs will increase in size by 1,800
                 bytes with the virus being located at the end of the
                 infected file.  Infected .EXE programs increase in size
                 by 1,806 to 1,824 bytes with the virus also at the end
                 of the infected file.

       See:   1963   Amilia   CB-1530   QP3   V651   V1024   V2000 
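
Added example (not part of the original entry, and not any scanner's actual signature): a Python triage that compares a file's current size with a known-clean baseline and searches the appended bytes for the text strings quoted above. The baseline sizes, function names and sample data are assumptions made for illustration; the growth bounds and strings are taken from the entry.

```python
"""Triage files against a known-clean size baseline (added example, not a vendor signature)."""
import os

# Variant-specific strings quoted in the entry; checked before family-wide ones.
SPECIFIC = [
    (b"B O R O D A", "Boroda"),
    (b"The evil that men do !", "Evil Men"),
    (b"The Ps!ko Virus", "PS!KO"),
    (b"Thanks to the Dark Avenger", "Rabid Avenger"),
    (b"VAN&MMMM", "VAN Soft"),
]
FAMILY = [b"Dark Avenger", b"written in the city of Sofia", b"Diana P.", b"Eddie lives"]
MIN_GROWTH, MAX_GROWTH = 1800, 1824  # smallest and largest growth listed in the entry


def growth_note(ext, delta):
    """Map a size increase to the behaviour the entry describes, or None."""
    if MIN_GROWTH <= delta <= MAX_GROWTH:
        return "single-infection growth"
    if ext == ".COM" and delta > MAX_GROWTH and delta % 1800 == 0:
        return "repeated .COM reinfection (Dark Avenger-B)"
    return None


def triage(name, baseline_size, data):
    """Return (verdict, growth note, label) for a file's current bytes."""
    ext = os.path.splitext(name)[1].upper()
    delta = len(data) - baseline_size
    note = growth_note(ext, delta)
    # The entry places the virus at the end of the file, so only bytes past
    # the baseline length are searched for text strings.
    appended = data[baseline_size:] if delta > 0 else b""
    label = next((v for s, v in SPECIFIC if s in appended), None)
    if label is None and any(s in appended for s in FAMILY):
        label = "Dark Avenger (variant not determined)"
    if note and label:
        return "suspect", note, label
    if note or label:
        return "review", note, label
    return "clean", note, label


if __name__ == "__main__":
    # Constructed sample: 4,000 filler bytes plus an 1,800-byte tail holding one string.
    clean = b"\x90" * 4000
    marker = b"(C) 1988-89 Dark Avenger"
    tail = marker + b"\x00" * (1800 - len(marker))
    print(triage("EDIT.COM", 4000, clean + tail))
    print(triage("EDIT.COM", 4000, clean + tail * 2))
    print(triage("EDIT.COM", 4000, clean))
```

A size-only match is reported as "review" rather than dropped, since the text strings are the part a variant is most likely to change, as the VAN Soft description shows.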
 
