Legends of virus engineering: The Dark Avenger

In April 1988, an article on computer viruses and some methods of writing them was published in a computer magazine in Bulgaria, and shortly after that, “guest performers” appeared on the computer spaces of this country: Vienna, Ping Pong and Cascade .

   The interest generated by the topic touched upon in the magazine, in conjunction with the actions of the "guest artists" was huge among enthusiasts, and soon the Bulgarian programmers were captured by the ideas of creating their own malware.

   One of the first Bulgarian Wirmmasters was Dark Avenger. Already in early 1989, his first virus appeared, which received the same name as its creator - The Dark Avenger (Dark Avenger). He owes his name to the line contained in the code

«This program was written in the city of Sofia © 1988-89 Dark Avenger»

   Not to be lost in the obscurity of Dark Avenger allowed him, so to speak, innovativeness, many mechanisms built into the body of the virus by its creator at that time had no analogues in the world.

   DA is the first virus detected on the territory of the USSR, the reproduction strategy of which provides for the infection of programs not only during their execution, but also during other operations of access to the corresponding files (COM, EXE). He bred much faster than his contemporaries. In addition to infection when programs are launched, files become infected when they are created, renamed, opened, and closed.

   Such a breeding strategy made this virus very dangerous, because if you run a program in the infected system that systematically looks at files in all subdirectories (for example, an antivirus without the corresponding signature in the database :), then most of the COM and EXE files will be infected as a result . In addition, the virus destroyed data by overwriting random sectors of the disk, every sixteenth launch of the program, with files containing the line:

«Eddie lives… somewhere in time»

In Moscow, a virus strain was spread, in which the message was

«Eddie lives… somewhere in time»

replaced by

«B O R O D A мстит во времени»

   In addition, the Dark Avenger was the first virus capable of resisting anti-virus countermeasures. I think there is no need to say that at that time there was no talk of heuristics, antiviruses used a banal signature search, and while the program checked the disks, the Avenger infected all new files. The virus took a number of measures to mask its presence in RAM.

   At the start of any program, the virus marked the program segment as the last and became invisible for this program; at the end of the program, the virus marked the program segment as the last. At the end of the program, the virus restored the initial value of interrupt 21h if it was changed by the program. The virus inserted itself first in the chain of programs receiving control by interruption 21h, and subsequently did not allow programs to get ahead of it in the specified list.

   This “ascent” method allows you to bypass the simplest resident watchmen. The virus bypassed the control of programs monitoring the 13h interrupt, determining the value of this vector during installation and subsequently directly contacting the corresponding address.

   Due to its "high toxicity" Dark Avenger has spread throughout the world, it was often talked about in computer circles, it was mentioned in such publications as the New York Times and the Washington Post. Due to the special risk of infection with this virus, many organizations switched to continuous incoming control of incoming software.

   Over the years, more and more new varieties of this beast have appeared, all of them are widely known as the RCE-1800 family , Dark Avenger (by the name of the creator) or Eddie (by the phrase contained in the rewritten files). With each new iteration, the virus was modernized and often became an order of magnitude more dangerous than previous versions. The virus code of this group testified to a deep knowledge of MS DOS, and with a pathological addiction to detail.

PS

   Such a beast used to be in computer open spaces before. At the moment, of course, there is nothing to be afraid of, since the virus is only functional on versions 3.x and 4.x of MS DOS . Verification of the version number in the body of the virus was not performed. On computers with an 80386 processor, the virus is completely inoperative. So the Dark Avenger disappeared from the radars of anti-virus laboratories for quite some time, although at one time it brought fear.

   Topic

→ Some technical details on securelist.com
→   Wikipedia article [in English]