Dark Avenger 3 Virus

Alias:V2000, Eddie 3 Virus
Strain:Dark Avenger Strain
detected when:
where:
Classification:Program Virus, RAM-resident
Length:2000 Bytes (2076 Bytes in RAM resident mode)

Preconditions

Operating System(s):MSDOS, PCDOS
Version/Release:3.3
Computer model(s):IBM compatibles PCs
Caroname:Dark_Avenger.2000.Traveller

Attributes

Easy identification:Two strings: 1) "Copy me - I want to travel" (at the beginning of the virus code) 2) "(c) 1989 by Vesselin Bontchev" (near the end of the virus code; V. Bontchev is not the author!)

Type of Infection:

Link-Virus (postfix infection); the virus infects every "COM" and "EXE" file with a minimum file length of 1959 bytes.

Infection Technique:
Infection Trigger:Programs are infected at load time (using the MS-DOS function Load/Execute) as well as on every read attempt (viewing, copying, etc.)
Storage Media affected:Any Drive
Interrupts hooked:
INT 21h [DOS functions] - hooked by the resident part of the virus
INT 27h [TSR] - hooked by the resident part of the virus
INT 24h [Critical Error] - during infection
INT 13h [BIOS disk access] - during infection and damage
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:On every 16th execution of an infected file, the virus overwrites a new random data sector on disk; the number of the last overwritten sector is stored in the boot sector. System hang if a program is to be executed which contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs.
Damage Trigger:The virus uses the last byte of the "MSDOS-Version" field in the boot block as a counter; each time an infected file is executed, this counter is incremented.
Particularities:On some 386 PCs with different BIOS versions, infected programs hang the system during virus installation. The virus overwrites the transient part of DOS in RAM to provoke a reload of "command.com", giving it a chance to infect this file early. The virus intercepts the "Find first" and "Find next" functions, and when a "DIR" command is executed it decreases the reported file length of marked files by 2000 (the virus length).
Similarities:As in the Eddie 2 virus, infected files are marked with "62" in the "seconds" field of the time stamp.
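As an added illustration, not part of the catalogue entry, the two identification strings and the "62 seconds" time-stamp marker described above can be checked offline against a file image. The sample image and the packed DOS time value are constructed here; the FAT time layout (bits 0-4 hold seconds/2) is the standard DOS format, not something taken from this entry.

```python
# Marker strings the catalogue entry lists for easy identification
MARKER_HEAD = b"Copy me - I want to travel"      # start of appended virus code
MARKER_TAIL = b"(c) 1989 by Vesselin Bontchev"   # near end of appended virus code
VIRUS_LEN = 2000       # length of the appended code (postfix infection)
MIN_HOST_LEN = 1959    # smallest host file the virus infects


def dos_time_seconds(packed_time: int) -> int:
    """Decode the seconds component of a packed DOS (FAT) time word.

    Bits 0-4 store seconds/2, so DOS itself only writes 0..58 seconds.
    The raw value 31 decodes to 62, the marker this strain leaves behind.
    """
    return (packed_time & 0x1F) * 2


def inspect_file(data: bytes, packed_time: int) -> list:
    """Return the indicators found for one file image plus its time word.

    Only the last VIRUS_LEN bytes are searched for the marker strings,
    since the virus appends itself; a shorter file cannot carry a host
    of MIN_HOST_LEN bytes plus the virus body.
    """
    findings = []
    if dos_time_seconds(packed_time) == 62:
        findings.append("time stamp seconds field is 62")
    if len(data) >= MIN_HOST_LEN + VIRUS_LEN:
        tail = data[-VIRUS_LEN:]
        if MARKER_HEAD in tail:
            findings.append("head marker string in appended code")
        if MARKER_TAIL in tail:
            findings.append("tail marker string in appended code")
    return findings


def build_infected_sample() -> bytes:
    """Constructed test image: a 2100-byte dummy host followed by a
    2000-byte stand-in for the virus body that carries only the markers."""
    host = b"\x90" * 2100
    pad = VIRUS_LEN - len(MARKER_HEAD) - len(MARKER_TAIL) - 16
    body = MARKER_HEAD + b"\x00" * pad + MARKER_TAIL + b"\x00" * 16
    return host + body


# Constructed packed times: 11:32 with raw seconds 31 (= 62) and 15 (= 30)
MARKED_TIME = (11 << 11) | (16 << 5) | 31
CLEAN_TIME = (11 << 11) | (16 << 5) | 15

if __name__ == "__main__":
    print(inspect_file(build_infected_sample(), MARKED_TIME))
    print(inspect_file(b"\x90" * 3000, CLEAN_TIME))
```

A hit on the tail string alone is not conclusive, since the entry notes that V. Bontchev's own programs legitimately contain it; the time-stamp marker and the head string together are the stronger signal.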

Agents

Countermeasures:The virus is detected (for example) by: F-FCHK 1.13 (F. Skulason), Findviru 1.8 (Solomon: Virus Tools 4.25)
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Jörg Steindecker
Documentation by:Jörg Steindecker
Date:14-February-1991
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg