Dark Avenger 3 Virus   
Written by yangying   
February 21, 2008 13:12

Alias: V2000, Eddie 3 Virus
Strain: Dark Avenger Strain
detected when: 
where: 
Classification: Program Virus, RAM-resident
Length: 2000 Bytes (2076 Bytes in RAM resident mode)


Preconditions
Operating System(s): MSDOS, PCDOS
Version/Release: 3.3
Computer model(s): IBM-compatible PCs
CARO name: Dark_Avenger.2000.Traveller


Attributes 
Easy identification: Two Strings : 1) "Copy me - I want to travel" (at beginning of virus-code) 2) "(c) 1989 by Vesselin Bontchev" (near end of virus code; but V.Bontchev is not the author!)
Type of Infection:
 Link-Virus (postfix infection); virus infects every "COM" and "EXE" file with minimum file-length of 1959 bytes.
 
Infection Technique: 
Infection Trigger: Programs are infected at load time (using MsDos function Load/Execute) as well as on every read attempt (viewing, copy etc.)
Storage Media affected: Any Drive
Interrupts hooked:
 INT 21h [DOS functions] and INT 27h [TSR]: hooked by the resident part of the virus
 INT 24h [Critical Error]: during infection
 INT 13h [BIOS disk access]: during infection and damage
Stealth: 
Tunneling/Selfprot: 
Oligo/Polymorphism: 
Encoding Method: 
Damage: On every 16th execution of an infected file, the virus overwrites a new random data sector on disk; the last overwritten sector is stored in the boot sector. The system hangs if a program is to be executed that contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs.
Damage Trigger: The virus uses the last byte of the "MSDOS-Version" field in the boot block as a counter; each time an infected file is executed, this counter is incremented.
Particularities: On some 386 PCs with different BIOS versions, infected programs hang the system during virus installation. The virus overwrites the transient part of DOS in RAM to provoke a reload of "command.com", giving it a chance to infect this file early. The virus intercepts the "Find first" and "Find next" functions, and when the "DIR" command is executed, the virus decreases the displayed file length of marked files by 2000 (the virus length).
Similarities: As in Eddie 2 virus, infected files are marked with "62" in the "seconds"-field of time stamp.
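The identification attributes above (the two strings, the minimum host length, and the "62" seconds marker) can be checked offline against a raw FAT directory entry and the file's bytes. The following is an added example, not part of the original catalogue entry; the function names and the sample data are constructed for illustration, and the sample bytes are filler, not virus code.

```python
import struct

# Identification strings and lengths quoted in the entry above.
SIGNATURES = (b"Copy me - I want to travel", b"(c) 1989 by Vesselin Bontchev")
VIRUS_LENGTH = 2000      # bytes added to an infected file
MIN_HOST_LENGTH = 1959   # smallest file the virus infects


def make_entry(name, ext, hour, minute, sec_units, size):
    """Build a constructed 32-byte FAT directory entry (hypothetical helper)."""
    time_word = (hour << 11) | (minute << 5) | sec_units
    return struct.pack("<8s3sB10sHHHI", name, ext, 0x20, b"", time_word, 0, 2, size)


def dos_seconds(dir_entry):
    """Seconds value of the last-write time in a FAT directory entry."""
    if len(dir_entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (time_word,) = struct.unpack_from("<H", dir_entry, 22)
    return (time_word & 0x1F) * 2   # low 5 bits count 2-second units


def check_file(dir_entry, content):
    """Report which indicators from the entry are present in one file."""
    ext = dir_entry[8:11].decode("ascii", "replace").strip()
    marker = dos_seconds(dir_entry) == 62          # impossible time: unit value 31
    strings = [s.decode() for s in SIGNATURES if s in content]
    long_enough = len(content) >= MIN_HOST_LENGTH + VIRUS_LENGTH
    suspect = ext in ("COM", "EXE") and long_enough and (marker or bool(strings))
    return {"extension": ext, "marker_62s": marker,
            "strings": strings, "suspect": suspect}


# Constructed sample data: filler bytes plus the two strings.
MARKED = b"\x90" * 4000 + SIGNATURES[0] + b"\x00" * 100 + SIGNATURES[1]
MARKED_ENTRY = make_entry(b"PROG    ", b"COM", 12, 30, 31, len(MARKED))
CLEAN = b"\x90" * 4000
CLEAN_ENTRY = make_entry(b"TOOL    ", b"EXE", 9, 15, 15, len(CLEAN))

if __name__ == "__main__":
    print(check_file(MARKED_ENTRY, MARKED))
    print(check_file(CLEAN_ENTRY, CLEAN))
```

Run this against a disk image or from a clean boot: while the virus is resident it intercepts "Find first"/"Find next", so sizes reported by DIR are reduced by 2000. A hit on the second string alone needs manual review, since the entry notes the string refers to a real anti-virus author.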


Agents
Countermeasures: The virus will be detected by, for example:
 F-FCHK 1.13 (F. Skulason)
 Findviru 1.8 (Solomon: Virus Tools 4.25)
Standard means: 


Acknowledgements
Location: Virus Test Center, University Hamburg, Germany
Classification by: Jörg Steindecker
Documentation by: Jörg Steindecker
Date: 14-February-1991
Information Source:
