informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/NCSA/ncsa046.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

125 lines
6.5 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ VIRUS REPORT ³
³ Dark Avenger ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Synonyms: Black Avenger
Date of Origin: September, 1989.
Place of Origin: Sofia, Bulgaria. First isolated at U.C. Davis.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COMMAND.COM, EXE, COM, overlay
files.
Increase in Size of Infected Files: 1800 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files. Directly or indirectly corrupts file linkage.
Detected by: Scanv36+, F-Prot, IBM Scan, Pro-Scan.
Removed by: M_DAV, CleanUp, F-Prot.
The Dark Avenger originated in Sofia, Bulgaria, and was probably
imported to the U.S. in September, 1989 by some visiting math professors
at U.C. Davis. It was first reported by Randy Dean at the U.C. Davis
bookstore.
It not only infects generic COM and EXE files, but will also infect
COMMAND.COM. Only files larger than 1,774 bytes will be infected<Note:
Most of the technical information in this section was provided by Daniel
Kalchev, of Bulgaria>. Once in COMMAND.COM, the virus will even
replicate through the DOS COPY and XCOPY commands, with both the source
and destination files being infected in the COPY process. The virus has
been named the Dark Avenger because this code appears within the virus.
The virus contains the words <197> "The Dark Avenger, copyright 1988,
1989" and the message <197> "This program was written in the city of
Sofia. Eddie lives.... Somewhere in Time!"
The Dark Avenger increases the length of infected COM files by 1,800
bytes. EXE files are rounded up to the next "paragraph", and the virus
is appended.
The Dark Avenger stays resident in memory (via manipulation of
memory control blocks) and infects files via many DOS functions (such as
open, close, exec). For this reason, a file may become infected not only
when it is executed but even when viewed with PC Tools, when located with
some "FileFind" program, or when copied with COPY or XCOPY. During copy
commands, both source and target files become infected.
When the Dark Avenger loads into memory, it begins by destroying the
resident portion of COMMAND.COM, which causes reloading of the transient
portion. At this time, the virus has already hooked the necessary
interrupt and COMMAND.COM is infected first.
Although it stays resident, the Dark Avenger can't be detected by
many programs such as MAPMEM, MI, SMAP, and others. This is because when
a such a program is executed, the virus finds the program's own memory
control block (MCB) and changes it in a way that it looks like the last
of the chain of the MCBs (originally the MCB points to the next MCB in
which virus is located). This hint is especially designed to deceive
programs such as MAPMEM.
In addition, in the boot sector, two variables are maintained (at
offset 0x08 and 0x0A). The latter is a counter to 15 (initialized to
major version of current PC/MS-DOS). It is incremented each time an
infected program is executed. When the counter reaches 16, the number
from the first variable is used to select a random disk sector, which is
then overwritten by the virus. If this sector is used by a file, the file
is destroyed. Should the directory sector be selected and overwritten,
the results are most unpleasant.
When the Dark Avenger installs itself, it scans the ROMs of
additional controllers to find the address of the INT 0x13 handler (the
virus knows how it begins and looks for its own first bytes). After that,
it directly calls this address. As a result, it can't be detected by a
program waiting for INT 0x13. The Dark Avenger uses INT 0x26 for this,
and is detected by many antivirus programs (such as ANTI4US) with this
interrupt. The virus affects functions of PC/MS-DOS such as "SetVector"
and "Terminate And Stay Resident".
If anti-virus software attempts to set some of the virus's vital
interrupts via "SetVector", the Dark Avenger will prohibit this. If the
anti-virus software directly changes the vector table, when the software
terminates (via "Terminate And Stay Resident"), the virus restores its
vectors.
As an extremely infectious virus, treat it cautiously. Power down
the system with the on/off switch. Re-boot from a write-protected system
master diskette. Run SCAN or some other scanner to determine the extent
of infection. The virus could conceivably be widespread. A disinfector
(M_DAV), written by Morgan Schweers, is available on the National
Computer Security Association's BBS that can remove this virus.<Note:
The board number is 202 364-1304.> Be sure to re-scan the disk after you
think you are finished with disinfection.
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º This document was adapted from the book "Computer Viruses", º
º which is copyright and distributed by the National Computer º
º Security Association. It contains information compiled from º
º many sources. To the best of our knowledge, all information º
º presented here is accurate. º
º º
º Please send any updates or corrections to the NCSA, Suite 309, º
º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º
º and upload the information: (202) 364-1304. Or call us voice at º
º (202) 364-8252. This version was produced May 22, 1990. º
º º
º The NCSA is a non-profit organization dedicated to improving º
º computer security. Membership in the association is just $45 per º
º year. Copies of the book "Computer Viruses", which provides º
º detailed information on over 145 viruses, can be obtained from º
º the NCSA. Member price: $44; non-member price: $55. º
º º
º The document is copyright (c) 1990 NCSA. º
º º
º This document may be distributed in any format, providing º
º this message is not removed or altered. º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

Downloaded From P-80 International Information Systems 304-744-2253
Reference in New Issue View Git Blame Copy Permalink