
Legends of virus construction: The Dark Avenger

In April 1988, an article about computer viruses, including some of the methods used to write them, appeared in one of Bulgaria's computer magazines. Soon afterwards the first foreign guests turned up on the country's computers: Vienna, Ping Pong and Cascade.

The interest stirred up by the magazine, combined with the appearance of these visitors, was immense among enthusiasts, and Bulgarian programmers were soon gripped by the idea of writing malware of their own.

One of the first Bulgarian virus writers was Dark Avenger. His first virus appeared as early as the beginning of 1989 and received the same name as its author: Dark Avenger. It owes that name to a string contained in its code:

«This program was written in the city of Sofia © 1988-89 Dark Avenger»

What kept Dark Avenger from sinking into obscurity was, so to speak, innovation: many of the mechanisms its author built into the body of the virus had no equivalent anywhere in the world at the time.

Dark Avenger was the first virus found in the USSR whose replication strategy infected programs not just when they were executed but during other access operations on the corresponding files (COM and EXE). It spread far faster than its contemporaries: besides infecting programs as they were launched, it infected files when they were created, renamed, opened and closed.

This replication strategy made the virus very dangerous, because if an infected system runs a program that systematically walks every file in every subdirectory (an antivirus scanner, say, that does not yet have the matching signature in its database :)), then most of the COM and EXE files on the disk end up infected. On top of that, on every sixteenth launch of an infected program the virus destroyed data by overwriting a random disk sector with data containing the line:
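The following Python model, added here as an illustration and not taken from the virus or from the original article, shows why an access-triggered infector is so much more dangerous than an execute-only one: a simulated DOS file layer routes every operation through a resident hook, and a period-style signature scanner that lacks the right signature ends up infecting every executable it inspects. The file names and contents, the 2880-sector toy disk and the seeded random generator are all constructed for the example.

```python
"""Toy model of the 'fast infector' strategy described above.

Added illustration, not Dark Avenger's code: a simulated DOS whose file calls
pass through a hook (standing in for a resident INT 21h handler), an infector
that triggers either on execution only or on every file operation, and a
1989-style signature scanner that opens and reads every file.
"""
from dataclasses import dataclass, field
import random

# String the article quotes from the virus body; used here only as the mark
# that tells us a toy file has been "infected".
MARKER = b"Eddie lives... somewhere in time"
TARGET_EXT = (".COM", ".EXE")


@dataclass
class ToyDOS:
    """Minimal file layer; every call is routed through the optional hook."""
    files: dict                      # filename -> bytes (constructed sample data)
    hook: object = None              # callable(dos, op, name) or None
    sector_writes: list = field(default_factory=list)  # (sector, data) pairs

    def _dispatch(self, op, name):
        if self.hook is not None:
            self.hook(self, op, name)

    def open(self, name):
        self._dispatch("open", name)
        return self.files[name]

    def close(self, name):
        self._dispatch("close", name)

    def exec(self, name):
        self._dispatch("exec", name)

    def create(self, name, data):
        self.files[name] = data
        self._dispatch("create", name)

    def rename(self, old, new):
        self.files[new] = self.files.pop(old)
        self._dispatch("rename", new)


class ToyInfector:
    """Resident hook. fast=False infects only what is executed; fast=True also
    fires on open/close/create/rename, the behaviour the article describes."""
    EXEC_ONLY = {"exec"}
    FAST = {"exec", "open", "close", "create", "rename"}

    def __init__(self, fast, rng=None):
        self.ops = self.FAST if fast else self.EXEC_ONLY
        self.launches = 0
        self.rng = rng or random.Random(1)   # seeded so runs are reproducible

    def __call__(self, dos, op, name):
        if op == "exec":
            self.launches += 1
            # Destructive payload from the article: every 16th launch overwrites
            # a random sector with data carrying the marker. 2880 sectors is an
            # arbitrary toy disk size.
            if self.launches % 16 == 0:
                dos.sector_writes.append((self.rng.randrange(2880), MARKER))
        if op in self.ops and name.upper().endswith(TARGET_EXT):
            data = dos.files[name]
            if MARKER not in data:
                dos.files[name] = data + MARKER   # appending "infects" the toy file


def make_sample_dos(hook):
    # Constructed sample directory: three executables, one data file.
    files = {
        "COMMAND.COM": b"\xb8\x00\x4c\xcd\x21",
        "EDIT.EXE": b"MZ" + bytes(6),
        "TOOL.COM": b"\xc3",
        "README.TXT": b"plain text, never a target",
    }
    return ToyDOS(files=files, hook=hook)


def signature_scan(dos, signature):
    """Period antivirus: open each file, search for the signature, close it.
    Every one of those calls goes through the hook."""
    hits = []
    for name in sorted(dos.files):
        if signature in dos.open(name):
            hits.append(name)
        dos.close(name)
    return hits


def infected(dos):
    return sorted(n for n, d in dos.files.items() if MARKER in d)


def scan_clean_system(fast, signature=b"SOME-OTHER-VIRUS"):
    """Virus already resident, scanner lacks its signature.
    Returns (scanner hits, files infected once the scan has finished)."""
    dos = make_sample_dos(ToyInfector(fast=fast))
    hits = signature_scan(dos, signature)
    return hits, infected(dos)


def launch_repeatedly(times):
    """Count destructive sector writes after `times` program launches."""
    dos = make_sample_dos(ToyInfector(fast=True))
    for _ in range(times):
        dos.exec("TOOL.COM")
    return len(dos.sector_writes)


if __name__ == "__main__":
    print("exec-only infector, scan:", scan_clean_system(fast=False))
    print("fast infector, scan:     ", scan_clean_system(fast=True))
    print("sector writes in 48 launches:", launch_repeatedly(48))
```

With the execute-only infector the scan finds nothing and infects nothing; with the fast infector the scan still finds nothing (it has no signature for this virus) yet leaves every COM and EXE file infected, while README.TXT is untouched. The same hook also shows the one-in-sixteen trigger: 48 launches produce exactly three sector writes.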

«Eddie lives… somewhere in time»

A strain of the virus is also known in which the message

«Eddie lives… somewhere in time»

is replaced by

«BORODA»

Beyond that, Dark Avenger was the first virus able to resist antivirus programs. It hardly needs saying that there was no talk of heuristics back then: antivirus products relied on plain signature searching, and while such a program was checking the disks, the Avenger was infecting every file it touched. The virus also took a number of measures to disguise its presence in RAM.

When any program started, the virus marked that program's memory block as the last one in the chain, which made the virus invisible to the program (a walk of the DOS memory control blocks stops at the block flagged as last, so the virus's own block above it is never reached); when the program finished, the virus cleared that flag again. On the program's exit the virus also restored the original INT 21h vector if the program had changed it. The virus inserted itself first in the chain of handlers that receive control on INT 21h and afterwards did not allow any other program to get ahead of it in that chain.

This "surfacing" technique defeats the simplest resident guards. The virus likewise sidestepped programs monitoring INT 13h: it determined the value of that vector at installation time and later called the handler directly at that address, so monitors hooked in front of it never saw its disk writes.
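To make the memory-hiding trick concrete, here is an added Python model (not the virus's code and not from the original article) of a DOS memory control block chain: a walker follows the chain the way MEM or a resident guard does, the "program start" step flags the running program's block as last so the virus's block at the top of memory drops out of view, and a check compares where the visible chain ends with the INT 12h memory size, the kind of discrepancy a guard could look for. The segment addresses, block sizes and the 113-paragraph virus block are assumed values.

```python
"""Toy model of the MCB-chain stealth trick described above.

Added illustration, not the virus's code. DOS tracks conventional memory as a
chain of Memory Control Blocks: each block starts with a 16-byte header whose
first byte is 'M' (more blocks follow) or 'Z' (last block), followed by the
owner's PSP segment and the block size in 16-byte paragraphs. A memory walker
steps seg -> seg + 1 + size until it meets 'Z'.
"""
from dataclasses import dataclass

TOP_OF_MEMORY = 0xA000   # 640 KB in paragraphs, as INT 12h would report (assumed)
FIRST_MCB = 0x0253       # arbitrary start of the chain for this model
VIRUS_PARAS = 113        # about 1800 bytes rounded up to whole paragraphs


@dataclass
class MCB:
    seg: int      # segment of the 16-byte header
    sig: str      # 'M' or 'Z'
    owner: int    # PSP segment of the owning process (0 = free)
    size: int     # paragraphs of data following the header
    name: str     # label for this illustration only

    @property
    def end(self):
        return self.seg + 1 + self.size   # where the next header sits


def build_chain():
    """Contiguous chain: DOS shell, running program, free space, and a resident
    virus that took the top of memory. Free space is sized so the chain ends
    exactly at TOP_OF_MEMORY, as a healthy chain does in this model."""
    layout = [("COMMAND.COM", 0x0400), ("PROGRAM.EXE", 0x2000)]
    used = sum(1 + s for _, s in layout) + 1 + VIRUS_PARAS
    free = TOP_OF_MEMORY - FIRST_MCB - used - 1
    layout += [("(free)", free), ("resident virus", VIRUS_PARAS)]

    chain, seg = {}, FIRST_MCB
    for i, (name, size) in enumerate(layout):
        owner = 0 if name == "(free)" else seg + 1   # illustrative owner values
        sig = "Z" if i == len(layout) - 1 else "M"
        chain[seg] = MCB(seg, sig, owner, size, name)
        seg += 1 + size
    return chain


def walk(chain):
    """What MEM or a resident guard sees when it follows the chain."""
    seen, seg = [], FIRST_MCB
    while True:
        mcb = chain[seg]
        seen.append(mcb.name)
        if mcb.sig == "Z":
            return seen
        seg = mcb.end


def find(chain, name):
    return next(m for m in chain.values() if m.name == name)


def program_start(chain, program):
    """Stealth step: at program start the virus marks the program's own block as
    the last one, so a walk from inside that program never reaches the virus."""
    find(chain, program).sig = "Z"


def program_end(chain, program):
    """Undo it when the program terminates so the allocator keeps working."""
    find(chain, program).sig = "M"


def unaccounted_paragraphs(chain):
    """Practitioner's check: a sound chain ends at the INT 12h memory size.
    Memory between the visible chain end and that limit is hidden from the walk."""
    seg = FIRST_MCB
    while chain[seg].sig != "Z":
        seg = chain[seg].end
    return TOP_OF_MEMORY - chain[seg].end


def stealth_demo(program="PROGRAM.EXE"):
    """Run the three phases and return (visible blocks, hidden paragraphs) each."""
    chain = build_chain()
    before = (walk(chain), unaccounted_paragraphs(chain))
    program_start(chain, program)
    during = (walk(chain), unaccounted_paragraphs(chain))
    program_end(chain, program)
    after = (walk(chain), unaccounted_paragraphs(chain))
    return before, during, after


if __name__ == "__main__":
    for phase, result in zip(("before", "during", "after"), stealth_demo()):
        print(phase, result)
```

While the program runs, the walk stops at PROGRAM.EXE and the virus block disappears from view, but 0x79AB paragraphs (the free block, the virus block and their two headers) now lie between the visible end of the chain and the INT 12h limit; once the program exits, the chain is whole again and the discrepancy is zero.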

Thanks to its virulence, Dark Avenger spread throughout the world. It was talked about widely in computing circles and was mentioned in publications such as the New York Times and the Washington Post. Because of the particular danger of infection, many organizations switched to screening every piece of incoming software.

Over several years, more and more varieties of this beast appeared; they are widely known as the RCE-1800 family, as Dark Avenger (after its creator) or as Eddie (after the phrase found in the overwritten files). With each iteration the virus was upgraded and often became an order of magnitude more dangerous than the previous version. The code of this family testified to a thorough knowledge of MS-DOS and an almost pathological attention to detail.

PS


Such a beast was once found in the wild on a computer. Today, of course, there is nothing to fear: the virus runs only on MS-DOS versions 3.x and 4.x, although it performs no version check in its body. On machines with an 80386 processor the virus does not work at all. So Dark Avenger has long since vanished from the radar of antivirus laboratories, though in its day it inspired real fear.

Related links

→ Some technical details on securelist.com
→ Wikipedia article [in English]

Source: https://habr.com/ru/post/74132/
