home *** CD-ROM | disk | FTP | other *** search
- 40Hex Volume 1 Issue 2 0005
-
-
-
-
-
- The Dark Avenger
- --- ---- -------
- Part I. The Dark Avenger
- -------------------------
-
- Introduction:
-
- The following text file was sent directly to Professor
- Vesselin Bontchev in a public sent to an anti-viral board
- located in Sofia, Bulgaria.
-
- Bontchev is one of the leading anti-viral researchers in
- Europe today. A producer of number of effective anti-viral
- programs in Bulgaria, his programs are widely used throughout
- Europe.
-
- The Dark Avenger is Bulgaria's most dangerous viral code
- writer and a heavy metal fanatic - as this message concerning
- himself, written by him (often referring to himself in third
- person) reveals:
-
- ----------------
-
- DARK AVENGER
- ============
-
- DARK AVENGER is the pseudonym used by a particularly prolific and
- malicious Bulgarian virus writer. It is also the name given in the
- West to some of his earlier viruses. His viruses include:
-
- DARK AVENGER V651, V1800, V2000 and V2100
-
- NUMBER OF THE BEAST aka 512 (several versions)
-
- ANTHRAX (Infects both files and boot sectors)
-
- V800 and its derivatives: 1226, PROUD, EVIL & PHOENIX
-
- Some other viruses, e.g. NOMENKLATURA & DIAMOND are in his style but
- are believed to be the work of others. MURPHY has been strongly
- influenced by him but is known to be of different authorship.
- CRAZY EDDIE may also be his.
-
- Several 'hacks' are now appearing of V1800, V2100, MURPHY and
- DIAMOND.
-
- ************* more **********
-
- Eddie is the mascot of the British heavy metal group, Iron Maiden
- (hence 'up the irons'). It is a 20 foot high skeleton that appears
- on stage with them and is featured on the sleeves of all their
- albums.
-
- Anthrax and Damage Inc are other heavy metal groups whose names have
- been featured in some Dark Avenger viruses. Iron Maiden numbers have
- also been mentioned including 'Somewhere in Time', 'Only the Good Die
- Young' and 'Number of the Beast'.
-
- ************** more **********
-
- Unusually, this virus writer has also produced a virus removal
- program together with a version log of his EDDIE series, as
- reproduced below with its original spelling and grammar.
-
- "DOCTOR QUICK! Virus Doctor for the Eddie Virus Version 2.01
- 10-31-89 Copyright (c) 1988-89 Dark Avenger. All rights reserved.
- DOCTOR /? for help
-
- It may be of interest to you to know that Eddie (also known as "Dark
- Avenger") is the most widespread virus in Bulgaria for the time
- being. However I have information that Eddie is well known in the
- USA, West Germany and USSR too.
-
- I started in writing the virus in early September 1988. In those
- times there were no any viruses in Bulgaria, so I decided to write
- the first Bulgarian virus. There were some different Eddie's
- versions:
-
- VERSION 1.1, 16-DEC-1988
-
- In December I've decided to enhance the virus. This version could
- infect files during their opening. For that reason, a read buffer
- was allocated in high end of memory, rather than using DOS function
- 48h when needed. The disk was destroyed instead of the infected
- files.
-
- VERSION 1.2, 19-DEC-1988
-
- This added a new feature that causes (for example) compiled programs
- to be infected at once if the virus is resident. Also, the "Eddie
- lives..." message was added (can you guess why exactly "Eddie"?)
-
- VERSION 1.31, 3-JAN-1989
-
- This became the most common version of Eddie. A code was added to
- find the INT 13 rom-vector on many popular XT's and AT's. Also,
- other messages were added so its length would be exactly 1800 bytes.
- There was a subsequent, 1.32 version (19-JAN-1989), which added
- self-checksum and other interesting features that was abandoned
- because it was extremely buggy.
-
- In early March 1989 version 1.31 was called into existence and
- started to live its own life to all engineers' and other suckers'
- terror. And, the last
-
- VERSION 1.4, 17-OCT-1989
-
- This was a bugfix for version 1.31, and added some interesting new
- features. Support has been added for DOS 2.x and DOS 4.x. For
- further information about this (the most terrible) version, and to
- learn how to find out a program author by its code, or why
- virus-writers are still not dead, contact Mr. Vesselin Bontchev (All
- Rights Reserved).
-
- So, never say die! Eddie lives on and on and on... Up the irons!"
-
- NOTE:
- Vesselin Bontchev, who the Dark Avenger is trying to discredit, is a
- leading virus researcher at the Bulgarian Academy of Sciences.
-
-
- Post Note:
-
- There is a rumor concerning the fact that RABID now has
- the Dark Avenger on their staff of virus writers, and that
- the new Dark Avenger variant released by them was, in fact,
- written by him. This has yet to be proven.
-
- The more acceptable belief concerning this new strain
- is that RABID simply picked up the source code for Dark Avenger,
- released last December, and modified it.
-
- Part II - Dark Avenger - Strain A
- -----------------------
-
- Vesselin Bontchev reports in May 1990:
-
- The Dark Avenger virus.
- ======================
-
- - I found two new mutations of this virus. Well, maybe
- "mutations" is not the correct word. In the first of them, the
- first 16 characters of the string "Eddie lives... somewhere in
- time!" were replaced with blanks.
-
- In the second example, all strings (the message above, the
- copyright message and the "Diana P." string) were replaced with
- blanks. - The author of the Dark Avenger virus (The bastard! I
- still cannot determine who he is.) has released the source code
- of his virus.
-
- It is full with ironic comments about me. Of course, now we have
- to expect lots of new, similar viruses to appear. At least, this
- leaded to one good thing - the source helped me very much in
- disassembling the V2000 virus. - I received a rather offensive
- anonymous letter from this person. In it he claims to be also
- the author of both the V2000 (I trust this) and the Number of the
- Beast viruses (the latter is unlikely). [See Above]
-
-
- Information About the Dark Avenger Virus, courtesy of
- "Virus Bulletin Ltd," Buckinghamshire, England.
-
- Note:
-
- This information is far more valuable than the standard
- Virus Summary by Patricia Hoffman. Her entry concerning DA
- fails to go into more depth about the Dark Avenger virus and
- apparently she has yet to receive information of the
- different versions of DA. Such information is already a year
- old, but she has yet to include it.
-
- Entry...............: Dark Avenger
- Alias(es)...........: ---
- Virus Strain........: Dark Avenger
- Virus detected when.: November 1989
- where.: USA
- Classification......: February 1990
- Length of Virus.....: about 1800 Bytes
- --------------------- Preconditions -----------------------------------
- Operating System(s).: DOS
- Version/Release.....:
- Computer model(s)...: IBM-compatible
- --------------------- Attributes --------------------------------------
- Easy Identification.: Two Texts:
- "Eddie lives...somewhere in time" at beginning
- and
- "This Program was written in the City of Sofia
- (C) 1988-89 Dark Avenger" near end of file
-
- Type of infection...: Link-virus
- COM-files: appends to the program and installs a
- short jump
- EXE-files: appends to the program at the
- beginning of the next paragraph
-
- Infection Trigger...: COM and EXE files are corrupted on any read
- attempt even when VIEWING!!!
-
- Storage media affected: Any Drive
-
- Interrupts hooked...: Int 21 DOS-services
- Int 27 Terminate and Stay Resident
-
- Damage..............: Overwrites a random sector with bootblock
-
- Damage Trigger......: each 16th infection; counter located in
- Bootblock
-
- Particularities.....: -
-
- Similarities........: -
-
-
- --------------------- Agents ------------------------------------------
-
- Countermeasures.....: NONE! All data can be destroyed !!!!
- There is no way in retrieving lost data.
- Backups will most probably be destroyed too.
-
- Countermeasures successful: install McAfee's SCANRES.
-
- Standard means......: Good luck! Hopefully the virus did not destroy
- too many of your programs and data.
-
- --------------------- Acknowledgement ---------------------------------
- Location............: VTC Uni Hamburg
- Classification by...: Matthias Jaenichen
- Documentation by....: Matthias Jaenichen
- Date................: 31.01.1990
-
- Part III - DARK AVENGER 2000
- =================
-
- Date: 02 Feb 90 10:49:00 +0700
- From: Vesselin Bontchev
-
- This virus is also "made in Bulgaria" and again I am indirectly the
- cause of its creation. I am a well known "virus-buster" in Bulgaria
- and my antivirus programs are very widely used. Of course, virus
- designers didn't like it. So their next creation... causes trouble
- to my antivirus programs.
-
- This virus is exactly 2000 bytes long and I think that it was
- created by the author of the Eddie (Dark Avenger) virus. The
- programming style is the same and there are even pieces of code
- which are the same.
-
- The virus acts much like the Eddie one --- it installs resident in
- memory by manipulating the memory control blocks; infects
- COMMAND.COM at the first run; infects both .COM- and .EXE-files;
- infects files when one executes them as well as when one copies
- them.
-
- However, there are some extras added. First, the virus is able to
- fetch the original INT 13h vector just like the V512 one (by using
- the same undocumented function --- tricks spread fast between virus
- programmers).
-
- Second, it intercepts the find-first (FCB) and find-next (FCB)
- functions --- just like V651 (aka EDDIE II) (and contains the same
- bugs), so you won't see the increased file lengths in the listing
- displayed by the DIR command.
-
- Third, it contains the string "Copyright (C) 1989 by Vesselin
- Bontchev", so people may think that I am the author of this virus.
- In fact, the virus searches every program being executed for this
- string (the case of the letters does not matter) and if found,
- hangs the system. It is not necessary to tell you that all my
- antivirus programs contain this string. Of course, now I will have
- to use some kind of encryption, just to prevent such tricks.
-
- Vesselin Bontchev reported in May 1990:
-
- The V2000 virus (DARK AVENGER 2000)
- ===================================
-
- - It turned out that the example of this virus I sent to some of
- the antivirus researchers was not the original version. The
- original contains the string "Only the Good die young..."
- instead of the "Copy me - I want to travel" message. Also a
- small piece of code in the original version was patched to
- contain the "666" string. (That is, the version you have contains
- this string, the original does not.)
-
- - There exists also a small mutation of the version you have.
- The only difference is that the `C' character in the word "Copy"
- was changed to `Z'.
-
- - When describing the V2000 virus, I stated that it halts the
- computer if you run a program which contains the string
- "Copyright (c) 1989 by Vesselin Bontchev". This is not quite
- correct. In fact, the programs are only checked for the "Vesselin
- Bontchev" part of the string.
-
- - I obtained John McAfee's program Clean, version 60. In the
- accompanying documentation he states about the V2000 virus that
- "The virus is very virulent and has caused system crashes and
- lost data, as well as causing some systems to become non-bootable
- after infection". This is not very correct, or at least, there
- is much more to be said. The virus is exactly as virulent as the
- Dark Avenger virus, and for the same reason. It infects files
- not only when one executes them, but also when one reads or
- copies them. This is achieved exactly in the same manner as in
- the Dark Avenger. The systems become non-bootable when the virus
- infects the two hidden files of the operating system - it cannot
- distinguish them from the regular .COM files. By the way, the
- Dark Avenger virus often causes the same effect. And at last,
- but not least (:-)), the virus is highly destructive - just as
- the Dark Avenger is. It destroys the information on a randomly
- selected sector on the disk once in every 16 runs of an infected
- program. The random function is exactly the same, and the
- counters (0 to 15 and for the last attacked sector) are exactly
- the same and on the same offsets in the boot sector as with the
- Dark Avenger virus. The main difference is that the destroyed
- sector is overwritten not with a part of the virus body, but with
- the boot sector instead. This makes a bit more difficult to
- discover which files are destroyed - the boot sector is contained
- in many "good" programs, such as FORMAT, SYS, NDD. Also, the
- nastiest thing - the damage function is not performed via INT 26h
- (which can be intercepted). The virus determines the address of
- the device driver for the respective disk unit (using an
- undocumented DOS function call, of course. I begin to wonder if
- Ralf Brown did any good when he made the information in the
- INTERxyy file available :-)). Then it performs a direct call to
- that address. The device driver in DOS does its work and issues
- the appropriate INT 13h. However the virus has scanned the
- controllers' ROM space and has determined the original address of
- the interrupt handler - just as the Dark Avenger virus does.
- Then it has temporary replaced the INT 13h vector with the
- address of this handler. The result is that the damage function
- cannot be intercepted.
-
- - Also this virus (unlike Dark Avenger) supports PC-DOS version
- 4.0 and will work (and infect) under it.
-
- - The bytes 84 A8 A0 AD A0 20 8F 2E in the virus body are the
- name "Diana P.", this time written in cyrillics.
-
- Unknown Source
-
-
- �
