Dark Avenger 3 Virus (14-Feb-1991)

Entry...............: Dark Avenger 3 Virus
Alias(es)...........: V2000 = Eddie 3 Virus
Virus Strain........: Dark Avenger Strain
Classification......: Program Virus, RAM-resident
Length of Virus.....: 2000 Bytes (2076 Bytes in RAM resident mode)
--------------------- Preconditions ----------------------------------
Operating System(s).: MSDOS, PCDOS
Version/Release.....: 3.3
Computer model(s)...: IBM-compatible PCs
--------------------- Attributes -------------------------------------
Easy Identification.: Two strings:
                      1) "Copy me - I want to travel"
                         (at beginning of virus code)
                      2) "(c) 1989 by Vesselin Bontchev"
                         (near end of virus code; but V. Bontchev
                         is not the author!)
Type of infection...: Link-Virus (postfix infection); virus infects
                      every "COM" and "EXE" file with a minimum
                      file length of 1959 bytes.
Infection Trigger...: Programs are infected at load time (using the
                      MS-DOS function Load/Execute) as well as on
                      every read attempt (viewing, copying etc.).
Storage media affected: Any Drive
Interrupts hooked...: INT 21h [Dos-Functions] ) hooked by resident
                      INT 27h [TSR]           ) part of virus
                      INT 24h [Critical Error]   > during infection
                      INT 13h [BIOS-Disk Access] > during infection
                                                   and damage
Damage..............: On every 16th execution of an infected file,
                      the virus overwrites a new random data sector
                      on disk; the last overwritten sector will be
                      stored in the boot sector.
                      The system hangs if a program containing the
                      string "(c) 1989 by Vesselin Bontchev" is to
                      be executed; V. Bontchev is a Bulgarian author
                      of anti-virus programs.
Damage Trigger......: The virus uses the last byte of the
                      "MSDOS-Version" field in the boot block as a
                      counter; whenever an infected file is
                      executed, this counter is incremented.
Particularities.....: On some 386 PCs with a different BIOS version,
                      infected programs hang the system during
                      virus installation.
                      The virus overwrites the transient part of DOS
                      in RAM to provoke a reload of "command.com",
                      giving it a chance to infect this file early.
                      The virus intercepts the "Find first" and
                      "Find next" functions; when a "DIR" command is
                      executed, the virus decreases the reported
                      file length of marked files by 2000 (the
                      virus length).
Similarities........: As in the Eddie 2 virus, infected files are
                      marked with "62" in the "seconds" field of the
                      time stamp.
--------------------- Agents -----------------------------------------
Countermeasures.....: The virus will be detected by (for example):
                      F-FCHK 1.13 (F. Skulason)
                      Findviru 1.8 (Solomon: Virus Tools 4.25)
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jörg Steindecker
Documentation by....: Jörg Steindecker
Date................: 14-February-1991
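
The identification markers listed in this entry (the two strings, the "62 seconds" time stamp mark and the 2000-byte length) can be checked statically. The following Python is an added example, not part of the original catalog entry and not Virus Test Center code; the function names and the sample data are constructed, and it assumes the caller supplies the file image together with the raw 16-bit FAT time word from the file's directory entry.

```python
# Added example (not VTC code): static check for the markers listed in this entry.
VIRUS_LEN = 2000      # bytes added per infected file (entry: Length of Virus)
MIN_HOST_LEN = 1959   # smallest file the virus infects (entry: Type of infection)
SIG_START = b"Copy me - I want to travel"
SIG_END = b"(c) 1989 by Vesselin Bontchev"


def dos_seconds(time_word: int) -> int:
    """Seconds from a 16-bit FAT directory time word (bits 0-4 hold seconds/2)."""
    return (time_word & 0x1F) * 2   # raw 31 decodes to the impossible value 62


def check_file(data: bytes, time_word: int) -> dict:
    """Combine the entry's indicators for one file image and its FAT time word."""
    marked = dos_seconds(time_word) == 62
    found = [s.decode() for s in (SIG_START, SIG_END) if s in data]
    big_enough = len(data) >= MIN_HOST_LEN + VIRUS_LEN
    if marked and len(found) == 2 and big_enough:
        verdict = "infected"
    elif marked or found:
        # One indicator alone is weak: Eddie 2 uses the same 62-second mark,
        # and SIG_END is the string the virus itself looks for in other programs.
        verdict = "suspect"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "marked_62": marked,
        "strings": found,
        # Size a resident virus would report through DIR for a marked file.
        "dir_length": len(data) - VIRUS_LEN if marked else len(data),
    }


def fat_time(hour: int, minute: int, raw_sec: int) -> int:
    """Pack a FAT time word: hours in bits 15-11, minutes 10-5, seconds/2 in 4-0."""
    return (hour << 11) | (minute << 5) | raw_sec


# Constructed samples: no real virus code, only the two marker strings in filler.
HOST = b"\x90" * 3000
PAD = b"\x00" * (VIRUS_LEN - len(SIG_START) - len(SIG_END) - 8)
BODY = SIG_START + PAD + SIG_END + b"\x00" * 8
SAMPLES = {
    "marked.com": (HOST + BODY, fat_time(12, 30, 31)),
    "tool.exe": (HOST + SIG_END, fat_time(9, 15, 10)),
    "plain.com": (HOST, fat_time(9, 15, 10)),
}

if __name__ == "__main__":
    for name, (data, word) in SAMPLES.items():
        print(name, check_file(data, word))
```

Read the time word from the raw directory entry on a system that was booted from a clean disk: the value 62 cannot be expressed through ordinary file time APIs, and a resident virus alters what "DIR" reports.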