F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Dark Avenger





NAME:Dark Avenger
ALIAS:Eddie
ORIGIN:Bulgaria
SIZE:1800
TYPE:Resident COM/EXE-files
REPAIR:Yes

This virus contains two interesting text strings: 

                     "Eddie lives...somewhere in time"
and 

   "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

The "Eddie" mentioned above is probably the skeleton mascot of the heavy metal band "Iron Maiden". This was the first virus reported to have originated in Bulgaria, but it was soon followed by many other.

There is only one thing unusual about this virus. It remains resident, just as many other viruses, but it will not only infect a program when it is run, but also when the program file is read. This means that a harmless program that opened each .EXE and .COM file in turn, for example to check them for infection, could easily cause an "epidemic".

The virus will infect .EXE and .COM files, adding 1800 bytes to the length. COMMAND.COM will be one of the first programs to become infected.

When an infected program is run, there is a 1-in-16 chance that the virus will trash a random disk sector.

One 2000 byte variant is known. It is also from Bulgaria, probably written by the same author as the original one. It has been improved a bit - you won't see an increase in file length when you issue a DIR command. A third variant, also by "Dark Avenger" is 2100 bytes long. It is possible that a 1028 byte variant is the earliest version of the virus, but this is not certain, but he is probably the author of a 1801 byte version as well.

Inside the 2000 byte variant one finds the following string 

                      Copy me - I want to travel
or, in some versions 
                      Only the Good die young...

The virus author also included the following string in the virus: 

                 Copyright (C) 1989 by Vesselin Bontchev

Vesselin Bontchev, however, is a Bulgarian virus researcher and has nothing to do with the creation of the virus. The reason this message appears is that the virus searches for it in every program executed, and halts the computer when it is found, for example if one of his anti-virus programs is run.

VARIANT:Apocalypse-2, CB-1530, Milana, MIR, Outland, Ps!ko, Quest
VARIANT:Zeleng
The author of the virus - Dark Avenger - has distributed the source to the virus, and these variants are probably created by different authors.