ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Dark Avenger ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Black Avenger Date of Origin: September, 1989. Place of Origin: Sofia, Bulgaria. First isolated at U.C. Davis. Host Machine: PC compatibles. Host Files: Remains resident. Infects COMMAND.COM, EXE, COM, overlay files. Increase in Size of Infected Files: 1800 bytes. Nature of Damage: Affects system run-time operation. Corrupts program or overlay files. Directly or indirectly corrupts file linkage. Detected by: Scanv36+, F-Prot, IBM Scan, Pro-Scan. Removed by: M_DAV, CleanUp, F-Prot. The Dark Avenger originated in Sofia, Bulgaria, and was probably imported to the U.S. in September, 1989 by some visiting math professors at U.C. Davis. It was first reported by Randy Dean at the U.C. Davis bookstore. It not only infects generic COM and EXE files, but will also infect COMMAND.COM. Only files larger than 1,774 bytes will be infected. Once in COMMAND.COM, the virus will even replicate through the DOS COPY and XCOPY commands, with both the source and destination files being infected in the COPY process. The virus has been named the Dark Avenger because this code appears within the virus. The virus contains the words <197> "The Dark Avenger, copyright 1988, 1989" and the message <197> "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!" The Dark Avenger increases the length of infected COM files by 1,800 bytes. EXE files are rounded up to the next "paragraph", and the virus is appended. The Dark Avenger stays resident in memory (via manipulation of memory control blocks) and infects files via many DOS functions (such as open, close, exec). For this reason, a file may become infected not only when it is executed but even when viewed with PC Tools, when located with some "FileFind" program, or when copied with COPY or XCOPY. During copy commands, both source and target files become infected. When the Dark Avenger loads into memory, it begins by destroying the resident portion of COMMAND.COM, which causes reloading of the transient portion. At this time, the virus has already hooked the necessary interrupt and COMMAND.COM is infected first. Although it stays resident, the Dark Avenger can't be detected by many programs such as MAPMEM, MI, SMAP, and others. This is because when a such a program is executed, the virus finds the program's own memory control block (MCB) and changes it in a way that it looks like the last of the chain of the MCBs (originally the MCB points to the next MCB in which virus is located). This hint is especially designed to deceive programs such as MAPMEM. In addition, in the boot sector, two variables are maintained (at offset 0x08 and 0x0A). The latter is a counter to 15 (initialized to major version of current PC/MS-DOS). It is incremented each time an infected program is executed. When the counter reaches 16, the number from the first variable is used to select a random disk sector, which is then overwritten by the virus. If this sector is used by a file, the file is destroyed. Should the directory sector be selected and overwritten, the results are most unpleasant. When the Dark Avenger installs itself, it scans the ROMs of additional controllers to find the address of the INT 0x13 handler (the virus knows how it begins and looks for its own first bytes). After that, it directly calls this address. As a result, it can't be detected by a program waiting for INT 0x13. The Dark Avenger uses INT 0x26 for this, and is detected by many antivirus programs (such as ANTI4US) with this interrupt. The virus affects functions of PC/MS-DOS such as "SetVector" and "Terminate And Stay Resident". If anti-virus software attempts to set some of the virus's vital interrupts via "SetVector", the Dark Avenger will prohibit this. If the anti-virus software directly changes the vector table, when the software terminates (via "Terminate And Stay Resident"), the virus restores its vectors. As an extremely infectious virus, treat it cautiously. Power down the system with the on/off switch. Re-boot from a write-protected system master diskette. Run SCAN or some other scanner to determine the extent of infection. The virus could conceivably be widespread. A disinfector (M_DAV), written by Morgan Schweers, is available on the National Computer Security Association's BBS that can remove this virus. Be sure to re-scan the disk after you think you are finished with disinfection. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253